
Scanner Selection Guide

Mayo ASPM supports multiple security scanners. This guide helps you choose the right combination for your stack and maturity level.


Available scanners

| Scanner | Type | Detects | Speed | Languages |
|---|---|---|---|---|
| Grype | SCA | Dependency vulnerabilities (CVEs) | Fast | All (package managers) |
| Trivy | SCA + Container | Dependencies, container images, IaC | Fast | All + Docker, Terraform |
| Semgrep | SAST | Code-level vulnerabilities, patterns | Medium | 30+ languages |
| Gitleaks | Secret | Hardcoded secrets, API keys, tokens | Fast | All (regex-based) |

Minimal (Week 1)

Start with the fastest, highest-signal scanners:

| Scanner | Why |
|---|---|
| Grype | Quick SCA scan, catches known CVEs in dependencies |
| Gitleaks | Fast secret detection, catches credential leaks |

This gives you immediate visibility into the two most common vulnerability classes with minimal noise.

Standard (Month 1)

Add SAST for code-level issues:

| Scanner | Why |
|---|---|
| Grype | Dependency vulnerabilities |
| Semgrep | Code patterns, injection flaws, misconfigurations |
| Gitleaks | Secret detection |

Comprehensive (Month 2+)

Full coverage including container scanning:

| Scanner | Why |
|---|---|
| Grype | Dependency vulnerabilities |
| Trivy | Container image scanning + IaC |
| Semgrep | SAST |
| Gitleaks | Secret detection |

Scanner selection by stack

Node.js / JavaScript

| Scanner | Priority | Notes |
|---|---|---|
| Grype | High | npm/yarn vulnerabilities are common |
| Semgrep | High | Good JavaScript/TypeScript rule coverage |
| Gitleaks | High | API keys often hardcoded in JS projects |

Python

| Scanner | Priority | Notes |
|---|---|---|
| Grype | High | pip/poetry vulnerability detection |
| Semgrep | High | Excellent Python rule coverage |
| Gitleaks | Medium | Check for AWS keys, database credentials |

Go

| Scanner | Priority | Notes |
|---|---|---|
| Grype | High | Go module vulnerability detection |
| Semgrep | Medium | Growing Go rule set |
| Gitleaks | Medium | Secret detection |

Java / Kotlin

| Scanner | Priority | Notes |
|---|---|---|
| Grype | High | Maven/Gradle dependency scanning |
| Semgrep | High | Strong Java security rules |
| Gitleaks | Medium | Secret detection |

Container workloads

| Scanner | Priority | Notes |
|---|---|---|
| Trivy | High | Container image + OS package scanning |
| Grype | Medium | Redundant with Trivy for some cases |
| Gitleaks | Medium | Secrets baked into images |

Scanner performance

| Scanner | Typical scan time (per repo) | Resource usage |
|---|---|---|
| Grype | 10-30 seconds | Low |
| Trivy | 15-60 seconds | Low |
| Semgrep | 30 seconds - 5 minutes | Medium |
| Gitleaks | 5-20 seconds | Low |

PR scan performance

For PR scanning, speed matters. Use Grype + Gitleaks for fast feedback (< 30 seconds). Add Semgrep if you can tolerate 1-2 minute scan times.


Scanner accuracy

| Scanner | True positive rate | False positive rate | Notes |
|---|---|---|---|
| Grype | Very high | Very low | CVE matching is deterministic |
| Trivy | Very high | Very low | CVE matching is deterministic |
| Semgrep | High | Low-Medium | Rule-dependent; custom rules may vary |
| Gitleaks | Medium-High | Medium | Generic patterns can match non-secrets |

Managing false positives

  • Grype/Trivy: False positives are rare. Usually caused by incorrect version detection.
  • Semgrep: Write triage policies to suppress noisy rules. The rule_id is available for targeted suppression.
  • Gitleaks: Suppress generic patterns in test fixtures. Use triage policies to filter by file path.
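The suppression approach described in the list above (Semgrep by `rule_id`, Gitleaks by file path in test fixtures), as an added example that is not Mayo ASPM code. The page does not show Mayo ASPM's own triage-policy format, so the policy shape here (scanner, rule_id, path glob, reason) is hypothetical, and the two sample reports are constructed in the shape of `semgrep --json` and `gitleaks` JSON output; those field names are an assumption about the tools' formats.

```python
"""Triage-policy filter over Semgrep and Gitleaks findings (added example).

The policy format is hypothetical, not Mayo ASPM's. Sample reports are
constructed; field names follow the scanners' JSON output as assumed here.
"""
import fnmatch
import json
from dataclasses import dataclass

# Constructed Semgrep report: one noisy rule fires in app code and in fixtures.
SEMGREP_REPORT = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.exec-detected", "path": "app/runner.py",
     "start": {"line": 42}, "extra": {"severity": "WARNING", "message": "exec() detected"}},
    {"check_id": "python.django.security.injection.sql", "path": "app/views.py",
     "start": {"line": 88}, "extra": {"severity": "ERROR", "message": "SQL built from request data"}},
    {"check_id": "python.lang.security.audit.exec-detected", "path": "tests/fixtures/sample.py",
     "start": {"line": 3}, "extra": {"severity": "WARNING", "message": "exec() detected"}},
]})

# Constructed Gitleaks report: a generic pattern in a fixture plus a real-looking leak.
GITLEAKS_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "File": "tests/fixtures/config.json", "StartLine": 7,
     "Description": "Generic API Key", "Secret": "REDACTED"},
    {"RuleID": "aws-access-token", "File": "deploy/settings.py", "StartLine": 12,
     "Description": "AWS Access Token", "Secret": "REDACTED"},
])

# Hypothetical policies: a finding is suppressed when it matches every key a
# policy sets. Scoping the Semgrep rule to a path keeps it active in app code;
# 'reason' is recorded so every suppression stays auditable.
TRIAGE_POLICIES = [
    {"scanner": "semgrep", "rule_id": "python.lang.security.audit.exec-detected",
     "path": "tests/*", "reason": "exec() in test fixtures is intentional"},
    {"scanner": "gitleaks", "rule_id": "generic-api-key",
     "path": "tests/fixtures/*", "reason": "fixtures contain fake keys"},
]


@dataclass(frozen=True)
class Finding:
    scanner: str
    rule_id: str
    path: str
    line: int
    severity: str


def parse_semgrep(raw: str) -> list[Finding]:
    doc = json.loads(raw)
    return [Finding("semgrep", r["check_id"], r["path"], r["start"]["line"],
                    r["extra"].get("severity", "")) for r in doc.get("results", [])]


def parse_gitleaks(raw: str) -> list[Finding]:
    # Gitleaks reports carry no severity; treat every leak as HIGH until triaged.
    return [Finding("gitleaks", r["RuleID"], r["File"], r["StartLine"], "HIGH")
            for r in json.loads(raw)]


def matches(policy: dict, f: Finding) -> bool:
    """True when the finding satisfies every selector the policy sets."""
    if not any(k in policy for k in ("scanner", "rule_id", "path")):
        raise ValueError("policy without selectors would suppress everything")
    if "scanner" in policy and policy["scanner"] != f.scanner:
        return False
    if "rule_id" in policy and policy["rule_id"] != f.rule_id:
        return False
    # fnmatchcase: '*' spans '/' and matching is case-sensitive on every OS.
    if "path" in policy and not fnmatch.fnmatchcase(f.path, policy["path"]):
        return False
    return True


def apply_triage(findings: list[Finding], policies: list[dict]):
    """Split findings into (kept, suppressed-with-reason) using the first matching policy."""
    kept, suppressed = [], []
    for f in findings:
        reason = next((p["reason"] for p in policies if matches(p, f)), None)
        if reason:
            suppressed.append((f, reason))
        else:
            kept.append(f)
    return kept, suppressed


if __name__ == "__main__":
    all_findings = parse_semgrep(SEMGREP_REPORT) + parse_gitleaks(GITLEAKS_REPORT)
    kept, suppressed = apply_triage(all_findings, TRIAGE_POLICIES)
    for f in kept:
        print(f"KEEP  {f.scanner:8} {f.rule_id} {f.path}:{f.line}")
    for f, why in suppressed:
        print(f"DROP  {f.scanner:8} {f.rule_id} {f.path}:{f.line}  ({why})")
```

Run against the constructed reports, the two fixture hits are suppressed with their reasons while the `exec()` finding in `app/runner.py`, the SQL injection finding and the AWS token in `deploy/settings.py` stay visible, which is the point of scoping suppressions by path rather than disabling a rule outright.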

Combining scanners

SCA overlap: Grype vs. Trivy

Both detect dependency vulnerabilities. Key differences:

| Feature | Grype | Trivy |
|---|---|---|
| Package manager scanning | Yes | Yes |
| Container image scanning | No | Yes |
| IaC scanning | No | Yes |
| OS package scanning | No | Yes |
| Vulnerability database | Grype DB | Trivy DB (NVD + vendor advisories) |

Recommendation: Use Grype for fast SCA scanning. Add Trivy when you need container or IaC scanning.
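When Grype and Trivy run side by side, their package-manager findings overlap and the same CVE shows up twice. Below is an added example (not Mayo ASPM code) that merges both reports into one deduplicated set keyed on (package, installed version, vulnerability id) and reports which findings came from only one scanner. The sample reports are constructed in the shape of `grype -o json` and `trivy -f json` output; the field names are an assumption about those formats, and the vulnerability ids are placeholders, not real CVEs.

```python
"""Deduplicate Grype and Trivy SCA findings (added example, not Mayo ASPM code).

Sample reports are constructed; CVE ids are placeholders. Field names follow
the two scanners' JSON output as assumed here.
"""
import itertools
import json
from dataclasses import dataclass, field

# Constructed Grype report (shape of `grype -o json`).
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Medium"},
     "artifact": {"name": "examplelib", "version": "1.2.3", "type": "npm"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
     "artifact": {"name": "examplelib", "version": "1.2.3", "type": "npm"}},
]})

# Constructed Trivy report (shape of `trivy -f json`): language packages plus
# an OS-package result that Grype, per the comparison table, does not produce.
TRIVY_REPORT = json.dumps({"Results": [
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
         "InstalledVersion": "1.2.3", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "otherlib",
         "InstalledVersion": "2.0.0", "Severity": "CRITICAL"},
    ]},
    {"Target": "debian 12 (example)", "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "os-pkg-example",
         "InstalledVersion": "1.0-1", "Severity": "LOW"},
    ]},
]})

# Grype and Trivy spell severities differently ("Medium" vs "MEDIUM"); rank the
# normalized names so the merged entry keeps the more severe assessment.
SEVERITY_RANK = {"UNKNOWN": 0, "NEGLIGIBLE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Vuln:
    scanner: str
    vuln_id: str
    package: str
    version: str
    severity: str   # normalized to upper case
    target: str     # what the scanner was looking at (ecosystem or image layer)


@dataclass
class Merged:
    vuln_id: str
    package: str
    version: str
    severity: str
    sources: set[str] = field(default_factory=set)


def parse_grype(raw: str) -> list[Vuln]:
    doc = json.loads(raw)
    return [Vuln("grype", m["vulnerability"]["id"].upper(), m["artifact"]["name"].lower(),
                 m["artifact"]["version"], m["vulnerability"].get("severity", "Unknown").upper(),
                 m["artifact"].get("type", "")) for m in doc.get("matches", [])]


def parse_trivy(raw: str) -> list[Vuln]:
    doc = json.loads(raw)
    out = []
    for result in doc.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for v in result.get("Vulnerabilities") or []:
            out.append(Vuln("trivy", v["VulnerabilityID"].upper(), v["PkgName"].lower(),
                            v["InstalledVersion"], v.get("Severity", "UNKNOWN").upper(),
                            result.get("Target", "")))
    return out


def merge(*finding_lists: list[Vuln]) -> dict[tuple, Merged]:
    """Key on (package, version, vuln id); union the sources; keep the highest severity."""
    merged: dict[tuple, Merged] = {}
    for v in itertools.chain(*finding_lists):
        key = (v.package, v.version, v.vuln_id)
        entry = merged.setdefault(key, Merged(v.vuln_id, v.package, v.version, v.severity))
        entry.sources.add(v.scanner)
        if SEVERITY_RANK.get(v.severity, 0) > SEVERITY_RANK.get(entry.severity, 0):
            entry.severity = v.severity
    return merged


def source_breakdown(merged: dict[tuple, Merged]) -> dict[str, int]:
    """Count how many unique findings each scanner contributed alone vs. jointly."""
    counts = {"grype only": 0, "trivy only": 0, "both": 0}
    for e in merged.values():
        if e.sources == {"grype", "trivy"}:
            counts["both"] += 1
        elif e.sources == {"grype"}:
            counts["grype only"] += 1
        elif e.sources == {"trivy"}:
            counts["trivy only"] += 1
    return counts


if __name__ == "__main__":
    merged = merge(parse_grype(GRYPE_REPORT), parse_trivy(TRIVY_REPORT))
    for (pkg, ver, cve), e in sorted(merged.items()):
        print(f"{cve} {pkg}@{ver} {e.severity:8} from {sorted(e.sources)}")
    print(source_breakdown(merged))
```

With the constructed input, five raw findings collapse to four unique ones: one seen by both scanners (kept at the higher HIGH rating), one Grype-only, and two Trivy-only, including the OS-package finding that only Trivy can produce. A "trivy only" count that stays at zero in a repository without containers or IaC is a practical signal that Grype alone is sufficient there.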


Configuring scanners per project

Different projects may need different scanner configurations:

  1. Navigate to the project settings.
  2. Under Scan Configuration, select which scanners to enable.
  3. Configure scanner-specific options (e.g., Semgrep rule sets).

Next steps