Skip to content

Scanner Reference

Mayo ASPM includes five built-in security scanners covering static analysis (SAST), software composition analysis (SCA), and secrets detection. This reference provides detailed information about each scanner to help you choose the right tool for your needs.

Scanner Overview

Scanner Category Detection Focus Output Format Avg. Scan Time
OpenGrep SAST Code vulnerabilities, injection, insecure patterns JSON (SARIF-compatible) 30s - 3 min
Semgrep SAST Code vulnerabilities, custom rules, anti-patterns SARIF / JSON 45s - 5 min
Trivy SCA Dependency CVEs, license issues, misconfigurations JSON 15s - 2 min
Grype SCA Dependency CVEs, SBOM-based vulnerability matching JSON 10s - 1 min
Gitleaks Secrets API keys, tokens, passwords, certificates JSON 5s - 30s

OpenGrep (SAST)

OpenGrep is an open-source static analysis engine that detects security vulnerabilities by matching code patterns against a comprehensive rule database.

What It Detects

  • SQL injection, NoSQL injection, LDAP injection
  • Cross-site scripting (XSS) — reflected, stored, DOM-based
  • Command injection and code injection
  • Path traversal and file inclusion
  • Insecure cryptographic usage (weak algorithms, hardcoded keys)
  • Authentication and authorization bypasses
  • Server-side request forgery (SSRF)
  • Insecure deserialization
  • XML external entity (XXE) attacks

Language Support

Language Coverage
JavaScript / TypeScript Excellent
Python Excellent
Java Excellent
Go Very Good
Ruby Very Good
PHP Very Good
C / C++ Good
C# / .NET Good
Rust Good
Kotlin Good
Swift Moderate
Scala Moderate

Rule Sets

Rule Set Rules Description
Default ~2,500 Balanced coverage across all categories
OWASP Top 10 ~800 Focused on the OWASP Top 10 vulnerability classes
Security Audit ~4,000 Comprehensive — includes informational and best-practice rules

Typical Scan Times

Repository Size Typical Duration
Small (< 10K LOC) 15 - 30 seconds
Medium (10K - 100K LOC) 30 seconds - 2 minutes
Large (100K - 500K LOC) 2 - 5 minutes
Monorepo (500K+ LOC) 5 - 15 minutes

Semgrep (SAST)

Semgrep is a fast, lightweight static analysis tool that uses pattern-matching syntax to find security issues. It excels at custom rules and framework-specific checks.

What It Detects

  • All categories covered by OpenGrep (OWASP Top 10 and beyond)
  • Framework-specific vulnerabilities (React, Django, Spring, Express, etc.)
  • Security anti-patterns and misconfigurations
  • Type-aware taint tracking for data flow analysis
  • Custom patterns defined by your organization

Language Support

Language Coverage
JavaScript / TypeScript Excellent
Python Excellent
Java Excellent
Go Excellent
Ruby Very Good
PHP Very Good
Kotlin Very Good
Rust Good
C# / .NET Good
Swift Moderate

Rule Sets

Rule Set Rules Description
Default ~3,000 Semgrep's curated community rule set
OWASP Top 10 ~600 OWASP-aligned subset
Security Audit ~5,000+ Full rule database including experimental rules

Typical Scan Times

Repository Size Typical Duration
Small (< 10K LOC) 20 - 45 seconds
Medium (10K - 100K LOC) 45 seconds - 3 minutes
Large (100K - 500K LOC) 3 - 8 minutes
Monorepo (500K+ LOC) 8 - 20 minutes

OpenGrep vs. Semgrep Comparison

Since both are SAST scanners, you may wonder which to use. Here is a detailed comparison:

Aspect OpenGrep Semgrep
Speed Faster on large repos Slightly slower but more thorough
Rule count ~2,500 default ~3,000 default
Custom rules Supported Excellent — Semgrep's rule syntax is more expressive
Framework awareness Basic Strong — framework-specific rules for popular frameworks
Taint tracking Pattern-based Data flow-aware taint analysis
False positive rate Low-moderate Low — taint tracking reduces noise
Best for Broad, fast scans across many languages Deep analysis of specific frameworks and custom patterns

Recommendation

Use OpenGrep for scheduled nightly scans when you want broad, fast coverage. Use Semgrep for targeted deep dives, especially when working with specific frameworks (React, Django, Spring). For maximum coverage, run both and let Mayo ASPM deduplicate overlapping findings.

Trivy (SCA)

Trivy is a comprehensive vulnerability scanner for software dependencies, container images, and infrastructure-as-code. In Mayo ASPM, it focuses on dependency scanning.

What It Detects

  • Known CVEs in direct and transitive dependencies
  • Outdated packages with available security patches
  • License compliance issues (GPL, AGPL, etc.)
  • Misconfigured infrastructure-as-code files (Terraform, CloudFormation)

Supported Package Ecosystems

Ecosystem Manifest Files
npm package-lock.json, package.json
pip requirements.txt, Pipfile.lock, poetry.lock
Go go.sum, go.mod
Maven pom.xml
Gradle build.gradle, gradle.lockfile
Cargo Cargo.lock
Composer composer.lock
NuGet packages.lock.json, .csproj
Bundler Gemfile.lock
CocoaPods Podfile.lock

Typical Scan Times

Repository Size Typical Duration
Single manifest 5 - 15 seconds
Multiple manifests 15 - 45 seconds
Monorepo with many manifests 45 seconds - 3 minutes

Grype (SCA)

Grype is a vulnerability scanner focused on matching software dependencies against CVE databases. It provides fast, accurate dependency scanning with minimal false positives.

What It Detects

  • Known CVEs in direct and transitive dependencies
  • SBOM-based vulnerability matching
  • Fixed version information (which version resolves the CVE)

Supported Package Ecosystems

Ecosystem Manifest Files
npm package-lock.json, package.json
pip requirements.txt, setup.py
Go go.sum
Maven pom.xml
Cargo Cargo.lock
Bundler Gemfile.lock
NuGet packages.lock.json

Trivy vs. Grype

Aspect Trivy Grype
Speed Slightly slower Faster on most repos
Ecosystem coverage Broader (10+ ecosystems) Focused (7 ecosystems)
License scanning Yes No
IaC scanning Yes No
CVE database Multiple sources (NVD, GitHub Advisory, vendor DBs) Anchore vulnerability DB
False positive rate Low Very low
Best for Comprehensive dependency analysis Fast, focused CVE detection

Gitleaks (Secrets)

Gitleaks scans repository files for hardcoded secrets, credentials, and sensitive data that should never be committed to version control.

What It Detects

Category Examples
Cloud provider keys AWS access keys, GCP service account keys, Azure credentials
API keys Stripe, Twilio, SendGrid, Slack, GitHub tokens
Database credentials Connection strings with passwords, Redis URLs
Private keys RSA, DSA, EC private keys, PEM certificates
OAuth tokens Access tokens, refresh tokens, client secrets
Generic secrets High-entropy strings matching credential patterns

Rule Sets

Rule Set Patterns Description
Default ~150 Standard secret patterns with high confidence
Extended ~250 Adds generic high-entropy string detection — may produce more false positives

Typical Scan Times

Repository Size Typical Duration
Small (< 1K files) 3 - 10 seconds
Medium (1K - 10K files) 10 - 30 seconds
Large (10K+ files) 30 seconds - 2 minutes

Secrets in Git History

Gitleaks scans the current file tree at the specified branch. It does not scan the full git history by default. If you suspect secrets were committed in past commits, consider a full history scan using the API with the scan_history: true option.

Choosing the Right Scanner

Scenario Recommended Scanner(s)
Broad security assessment of a new repo OpenGrep + Trivy + Gitleaks
Deep analysis of a specific framework Semgrep
Checking dependencies before a release Trivy or Grype
Verifying no secrets are committed Gitleaks
Nightly continuous monitoring OpenGrep + Trivy + Gitleaks
PR scanning (shift-left) OpenGrep or Semgrep (SAST)
License compliance audit Trivy

Next Steps