
Introducing Scantis

One Docker image for dependency, SAST, secret, IaC, and SBOM scans — locally, in CI, or with an optional hosted dashboard.

By Scantis

Security scanning shouldn't require a platform signup before you can run your first scan.

Scantis bundles Trivy (dependencies and CVEs), Semgrep (code patterns), Syft (SBOM), Gitleaks (secrets), and Checkov (IaC) into a single Docker image. Mount any repo, get a report in the terminal or JSON, and optionally fail CI when findings hit your severity threshold.

Scan in one command

docker run --rm -v "$(pwd):/repo:ro" \
  ghcr.io/szaranger/security-scanner:latest \
  scan /repo --scanners all --format json --fail-on high

No Node, pnpm, or separate scanner installs on the runner — just Docker.
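As an added example (not from the Scantis documentation), here is the same command wired into a GitHub Actions job that gates a pull request on high-severity findings and keeps the JSON report for reviewers. It assumes that `--format json` writes the report to stdout (so it can be redirected to a file) and that `--fail-on high` makes the container exit non-zero, which is what fails the job.

```yaml
# Added example: GitHub Actions workflow using the Scantis image as a merge gate.
# Assumptions: `--format json` prints the report to stdout (redirected to a file
# below) and `--fail-on high` causes a non-zero exit, which fails this job.
name: scantis

on:
  pull_request:

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Scantis (all scanners, gate on high severity)
        run: |
          docker run --rm -v "$(pwd):/repo:ro" \
            ghcr.io/szaranger/security-scanner:latest \
            scan /repo --scanners all --format json --fail-on high \
            > scantis-report.json

      # Upload even when the gate fails, so the findings that blocked the
      # merge are available as a build artifact.
      - name: Keep the JSON report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: scantis-report
          path: scantis-report.json
```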

What you get

  • Five scanners by default — dependencies, SAST, secrets, infrastructure, and SBOM in one pass
  • CI-friendly output — JSON for pipelines, --fail-on for gating merges
  • Redacted secrets — Gitleaks findings never expose raw tokens in terminal output
  • Optional AI summaries — remediation guidance when OPENAI_API_KEY is set
  • Optional platform — sign in at app.scantis.com for scan history and GitHub PR comments

What's next

We're focused on making the open-source scanner reliable and fast. The hosted dashboard is optional — use the Docker image alone, or connect it when you need a team workflow.

Read the scan product guide to get started, or pull the image and scan your repo today.