Scanner Reference

HarborGuard runs six scanners as peers, not as alternatives. Each owns a category of finding; their outputs are deduplicated by (cve, package, version) for vulnerabilities, with the engines that reported each finding preserved in a sources array. This page documents what each engine uniquely contributes and where its results show up.

Engine identifiers

The scanners field in POST /api/scans accepts these values:

"trivy" | "grype" | "syft" | "dockle" | "osv" | "dive"

At least one must be supplied. There is no implicit default.

Trivy

Owns: broad OS package vulns (Alpine, Debian, Ubuntu, RHEL, Amazon Linux, Wolfi, etc.) and application dependencies (npm, pip, Go modules, Cargo, Gemfile, Maven, Composer, Pipenv, Poetry).

Why it is in the suite: widest single-engine coverage. Trivy's vulnerability DB updates frequently and covers more distributions than any individual peer.

Where it lands: Findings tab, with sources containing "trivy". Misconfiguration findings (e.g. Dockerfile lints) also land in Findings if you enabled them.

Grype

Owns: the same vulnerability surface as Trivy, but with a different matcher.

Why it is in the suite: Grype's matching heuristics catch CVEs Trivy misses on edge-case version strings (and vice versa). When both agree, you get high-confidence corroboration. When only one flags, you get a triage signal.

Where it lands: Findings tab, with "grype" in sources. CVEs co-reported with Trivy collapse to a single row.

Syft

Owns: the SBOM. No vulnerability matching - just the package inventory.

Why it is in the suite: every other engine works off some package list. Syft produces a canonical, exportable one. Used internally to seed the package index for new-CVE alerting on already-scanned images.

Where it lands: Packages tab. Exportable as CycloneDX JSON or SPDX JSON from the scan detail page.

Dockle

Owns: image-configuration misconfigurations aligned to the CIS Docker Benchmark and Dockerfile best practices - running as root, world-writable files, missing USER directive, leaked secrets in env vars, missing HEALTHCHECK, suspicious ADD usage.

Why it is in the suite: the only engine that audits how the image is built rather than what is in it. Catches issues no CVE feed will ever flag.

Where it lands: Findings tab as a separate Misconfiguration category. These are scored by Dockle's severity (FATAL/WARN/INFO) mapped to HarborGuard severities.

OSV-Scanner

Owns: language-ecosystem advisories from the OSV.dev database (npm, PyPI, RubyGems, Go, crates.io, Maven, Packagist, Pub, NuGet).

Why it is in the suite: OSV is the upstream source for many ecosystem-specific advisories that take time to land in NVD. OSV-Scanner often flags an advisory hours-to-days before Trivy or Grype's DB picks it up.

Where it lands: Findings tab, with "osv" in sources. GHSA IDs are preserved alongside CVE IDs.

Dive

Owns: layer-level efficiency analysis - per-layer file inventory, wasted-space calculation, image-efficiency score.

Why it is in the suite: the only engine that reports results per layer. Useful for tracking down which layer introduced a vulnerable package, identifying bloated base images, and trimming attack surface.

Where it lands: Layers tab. No CVEs - this engine is purely structural.

Cross-engine dedup

When the same CVE is reported by multiple vulnerability engines (Trivy, Grype, OSV) for the same (package, version), the ingestion layer collapses them into one finding. Only the sources array grows:

{
  "cve": "CVE-2023-50387",
  "package": "bind9",
  "version": "9.16.42",
  "severity": "HIGH",
  "fixedVersion": "9.16.46",
  "sources": ["trivy", "grype"]
}

If the engines disagree on severity, HarborGuard takes the maximum. If they disagree on fixed version, the lowest non-empty fixed version wins (the conservative answer).

Dockle (misconfigs) and Dive (layers) never collide with the vulnerability engines - they live in different result categories.
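To make the merge rules concrete, here is an added illustration of the dedup described above. It is not HarborGuard's ingestion code; the per-engine `source` input field, the generic `version_key` comparator and the sample findings are assumptions.

```python
import re

# Ranking used to take the maximum severity when engines disagree.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def version_key(version: str) -> tuple:
    """Generic dotted-version sort key (an assumption; HarborGuard's real
    comparator is not documented here): '9.16.9' sorts before '9.16.46'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-+]", version))


def dedup(findings: list[dict]) -> list[dict]:
    """Collapse per-engine findings on (cve, package, version).

    Input rows carry one `source` (engine id); the merged row carries a
    `sources` list in first-reported order, the maximum severity, and the
    lowest non-empty fixedVersion."""
    merged: dict[tuple, dict] = {}
    for f in findings:
        key = (f["cve"], f["package"], f["version"])
        row = merged.get(key)
        if row is None:
            merged[key] = {k: f[k] for k in ("cve", "package", "version", "severity")}
            merged[key]["fixedVersion"] = f.get("fixedVersion", "")
            merged[key]["sources"] = [f["source"]]
            continue
        if f["source"] not in row["sources"]:
            row["sources"].append(f["source"])
        if SEVERITY_RANK.get(f["severity"], 0) > SEVERITY_RANK.get(row["severity"], 0):
            row["severity"] = f["severity"]
        fixes = [v for v in (row["fixedVersion"], f.get("fixedVersion", "")) if v]
        row["fixedVersion"] = min(fixes, key=version_key) if fixes else ""
    return list(merged.values())


# Constructed sample: three engines reporting on one image. CVE-2023-50387 is
# the page's own example; CVE-0000-0001 is a placeholder id, not a real CVE.
SAMPLE = [
    {"source": "trivy", "cve": "CVE-2023-50387", "package": "bind9", "version": "9.16.42",
     "severity": "HIGH", "fixedVersion": "9.16.46"},
    {"source": "grype", "cve": "CVE-2023-50387", "package": "bind9", "version": "9.16.42",
     "severity": "HIGH", "fixedVersion": "9.16.48"},
    {"source": "trivy", "cve": "CVE-0000-0001", "package": "libexample", "version": "1.2.9",
     "severity": "MEDIUM", "fixedVersion": ""},
    {"source": "osv", "cve": "CVE-0000-0001", "package": "libexample", "version": "1.2.9",
     "severity": "HIGH", "fixedVersion": "1.2.10"},
    {"source": "grype", "cve": "CVE-0000-0001", "package": "libexample", "version": "1.2.8",
     "severity": "HIGH", "fixedVersion": "1.2.10"},
]
```

Running `dedup(SAMPLE)` yields three rows: the two bind9 reports collapse with sources ["trivy", "grype"] and fixedVersion 9.16.46, the two libexample 1.2.9 reports collapse to HIGH with the OSV fixed version filling trivy's empty one, and the 1.2.8 report stays separate because the key includes the installed version.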

Choosing a scanner set

Goal                          | Recommended set
------------------------------|----------------------------
Fast CI gate                  | trivy, syft
Balanced production scan      | trivy, grype, syft, dockle
Maximum coverage              | all six
SBOM-only (no vuln matching)  | syft
Image-build hygiene check     | dockle
Layer/size investigation      | dive

Single-engine scans are valid; the dedup machinery just becomes a no-op.