Five scanners, one Docker image
Scantis now ships Syft, Gitleaks, and Checkov alongside Trivy and Semgrep — secrets, IaC, and SBOM coverage in every scan.
By Scantis
We started Scantis with Trivy and Semgrep — dependency CVEs and SAST-style code patterns in one command. That covered a lot of ground, but teams kept asking about secrets in repos, Terraform misconfigs, and SBOM output for supply-chain workflows.
Sprint 5 adds three more scanners to the default bundle:
| Scanner | What it finds |
|---|---|
| Syft | CycloneDX SBOM written to .scantis/sbom.cyclonedx.json |
| Gitleaks | Hardcoded tokens, API keys, and other secrets |
| Checkov | Terraform, Kubernetes, Dockerfile, and other IaC issues |
One command, full coverage
```bash
docker run --rm -v "$(pwd):/repo:ro" \
  ghcr.io/szaranger/security-scanner:latest \
  scan /repo --scanners all --format json
```

JSON output now includes optional result.sbom metadata (component count and path) when Syft runs, plus merged findings from every scanner. Note that the repo is mounted read-only here: if the SBOM path .scantis/sbom.cyclonedx.json resolves under /repo, that mount has to be writable for Syft's output to land there.
Pick individual tools when you need them:
```bash
# Secrets only
scan /repo --scanners gitleaks

# IaC only (skips gracefully when no Terraform/K8s files are present)
scan /repo --scanners checkov
```

Safe secret reporting
Gitleaks findings are always reported at critical severity, and terminal output is redacted: you'll see `Secret detected in path/to/file:42 [rule-id]` without the matched token, so a secret never ends up in CI logs.
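The JSON output is meant to be consumed by CI, so here is an added example (not Scantis code) of a post-processing gate in Python: it reads the merged findings, applies a --fail-on style severity threshold, pins Gitleaks findings to critical, emits the same redacted `Secret detected in file:line [rule-id]` line instead of the token (plus a hash fingerprint for deduplication), and surfaces the Syft SBOM metadata when present. The result layout (result.findings, result.sbom.componentCount, result.sbom.path, a secret field on Gitleaks findings) and the sample findings are assumptions constructed for the example; the real shape is documented in the scan product guide.

```python
"""CI gate over Scantis-style JSON output.

Added example, not Scantis code. The JSON layout used here is an ASSUMPTION
made for illustration; consult the scan product guide for the real schema.
"""
import hashlib
import json
from collections import Counter

# Severity ordering used for the --fail-on style gate.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output in the ASSUMED shape: result.sbom carries Syft
# metadata, result.findings is the merged list, and a Gitleaks finding carries
# the raw match under "secret". Rule ids and the token are placeholders.
SAMPLE_JSON = json.dumps({
    "result": {
        "sbom": {"componentCount": 142, "path": ".scantis/sbom.cyclonedx.json"},
        "findings": [
            {"scanner": "trivy", "severity": "high", "rule": "example-dependency-vuln",
             "file": "package-lock.json", "line": 0},
            {"scanner": "semgrep", "severity": "medium", "rule": "example-sast-rule",
             "file": "src/app.js", "line": 17},
            {"scanner": "checkov", "severity": "low", "rule": "example-iac-check",
             "file": "infra/main.tf", "line": 3},
            {"scanner": "gitleaks", "severity": "critical", "rule": "example-secret-rule",
             "file": "config/settings.py", "line": 42,
             "secret": "sk_test_CONSTRUCTED_PLACEHOLDER_TOKEN_0000"},
        ],
    }
})


def sample_findings() -> list:
    """The constructed findings list, for the usage block and tests."""
    return json.loads(SAMPLE_JSON)["result"]["findings"]


def fingerprint(secret: str) -> str:
    """Stable 12-hex-char handle for a secret so repeat findings can be
    deduplicated in a tracker without ever storing the token itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def redact(finding: dict) -> dict:
    """Return a copy that is safe to log: the matched token is dropped (a
    fingerprint takes its place) and Gitleaks findings are pinned to critical."""
    safe = {k: v for k, v in finding.items() if k != "secret"}
    if finding.get("scanner") == "gitleaks":
        safe["severity"] = "critical"
        if "secret" in finding:
            safe["fingerprint"] = fingerprint(finding["secret"])
    return safe


def format_line(finding: dict) -> str:
    """Terminal-style one-liner: file:line and rule id, never the token."""
    safe = redact(finding)
    if safe.get("scanner") == "gitleaks":
        return f"Secret detected in {safe['file']}:{safe['line']} [{safe['rule']}]"
    return (f"{safe['severity'].upper()} {safe['scanner']} "
            f"{safe['file']}:{safe['line']} [{safe['rule']}]")


def gate(findings: list, fail_on: str) -> list:
    """Redacted findings at or above the fail_on severity (the build-breaking set)."""
    threshold = SEVERITY_RANK[fail_on]
    return [redact(f) for f in findings
            if SEVERITY_RANK.get(redact(f).get("severity", "info"), 0) >= threshold]


def summarize(raw_json: str, fail_on: str = "high") -> dict:
    """Parse a scan result, count findings per scanner, apply the gate, and
    surface SBOM metadata when Syft ran (result.sbom is optional)."""
    result = json.loads(raw_json)["result"]
    findings = [redact(f) for f in result.get("findings", [])]
    blocking = gate(findings, fail_on)
    sbom = result.get("sbom") or {}
    return {
        "per_scanner": dict(Counter(f["scanner"] for f in findings)),
        "blocking": blocking,
        "failed": bool(blocking),
        "sbom_components": sbom.get("componentCount"),
        "sbom_path": sbom.get("path"),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_JSON, fail_on="high")
    for f in sample_findings():
        print(format_line(f))
    print(report["per_scanner"], "SBOM components:", report["sbom_components"])
    # Non-zero exit breaks the pipeline when anything meets the threshold.
    raise SystemExit(1 if report["failed"] else 0)
```

Pipe the real `--format json` output into summarize() in place of SAMPLE_JSON; everything that leaves this script (log lines, tracker tickets, the blocking list) has already passed through redact(), so the token itself never reaches a build log.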
Try it
Pull the image or build from source:
```bash
git clone https://github.com/szaranger/security.git
cd security
pnpm docker:build
pnpm docker:scan
```

See the full scan product guide for CI examples, JSON shape, and --fail-on thresholds.