Real scanner orchestration

Scanner Coverage

Status is honest: green only where a real check can run. External scanners show tool_missing with an install hint until installed.

enabled

Direct-manifest scanning via OSV API. Install OSV-Scanner for lockfile/transitive coverage.

OSV APImedium confidence

Install OSV-Scanner: https://google.github.io/osv-scanner/installation/

enabled

Lightweight built-in regex detector (low confidence). Install Gitleaks for authoritative scanning.

patchpilot-secrets-litelow confidence

Install Gitleaks: https://github.com/gitleaks/gitleaks#installing

tool_missing

Semgrep not installed.

semgrephigh confidence

Install Semgrep: https://semgrep.dev/docs/getting-started/

tool_missing

Trivy not installed.

trivyhigh confidence

Install Trivy: https://aquasecurity.github.io/trivy/latest/getting-started/installation/

enabled

Built-in static workflow hardening rules.

patchpilot-ci-hardeningmedium confidence

enabled

Built-in Codex/MCP/GitHub Actions config risk checks.

patchpilot-agent-configmedium confidence

enabled

Lifecycle-script + heuristic checks only. Set PATCHPILOT_MALICIOUS_PACKAGES_DIR for authoritative malicious-package matching.

patchpilot-quarantinelow confidence

Set PATCHPILOT_MALICIOUS_PACKAGES_DIR to an OpenSSF malicious-packages data directory.

not_configured

License scanning needs Trivy.

trivymedium confidence

Install Trivy: https://aquasecurity.github.io/trivy/latest/getting-started/installation/

disabled

SBOM generation needs Syft or Trivy.

syfthigh confidence

Install Syft: https://github.com/anchore/syft#installation

External tools

Tool	Category	Status	Command	Version
OSV-Scanner (lockfile SCA)	sca	tool_missing	osv-scanner	·
Gitleaks (secret scanner)	secret	tool_missing	gitleaks	·
Semgrep (SAST)	sast	tool_missing	semgrep	·
Trivy (fs/IaC/license/SBOM)	container	tool_missing	trivy	·
Syft (SBOM)	sbom	disabled	syft	·