
Scanners & runtime testing

Five capabilities make up a scan. Static, dependency, secret, and IaC scanners run alongside runtime testing in a sandboxed build of your repo.

Capabilities

Each scan run draws from five capabilities. Coverage and skip reasons are reported per-tool, so the trust panel always tells you what actually ran.

Code review

Reviews changed code for correctness, maintainability, and security-sensitive logic.

Security analysis

Combines static analysis, dependency audits, secret detection, and configuration review across the scanners listed below.

Runtime verification

Confirms high-confidence findings against the running app when a safe test target is available. Verified findings receive a verified flag and weigh more heavily in trust.

Browser interaction testing

Exercises reachable user flows in a sandboxed browser and records evidence for broken or risky behavior.

Evidence packages

Collects reproducible context, affected locations, and remediation guidance for confirmed issues. See Findings & evidence.

Scanners

Twenty-five scanners cover four families. Default-enabled tools run automatically when the repo contains files they can analyze. Opt-in tools are available but disabled by default — usually because they overlap a default scanner or require external credentials.

Note
Coverage is tracked per-tool. Skipped scanners and missing credentials show up in the run’s trust panel — they don’t silently degrade the result.

Static analysis

Source-level rule engines run against the cloned repo without execution.

Semgrep
Multi-language static analysis with custom rules.
id: semgrep
ESLint Security
JavaScript and TypeScript security rules.
id: eslint-security
Bandit
Python security linter.
id: bandit
gosec
Go security analyzer.
id: gosec
Brakeman
Ruby on Rails security scanner.
id: brakeman
SpotBugs
Java static analysis for bugs and vulnerabilities.
id: spotbugs
PHPStan
PHP static analyzer with security rules.
id: phpstan
Bearer
Code security scanner for sensitive data flows.
id: bearer
njsscan
Node.js semantic security scanner.
id: njsscan
SonarQube
opt-in
Static code analysis via SonarScanner and SonarQube.
Opt-in. Requires an external SonarQube service and credentials.
id: sonarqube

Dependency audit

Manifest- and lockfile-driven CVE detection across language ecosystems.

npm audit
Node.js dependency vulnerability scan.
id: npm-audit
pip-audit
Python dependency vulnerability scan.
id: pip-audit
cargo-audit
Rust dependency vulnerability scan.
id: cargo-audit
OSV Scanner
Open Source Vulnerabilities database scanner.
id: osv-scanner
Safety
opt-in
Python dependency safety checker.
Opt-in. Overlaps pip-audit for default Python dependency coverage.
id: safety
Grype
opt-in
Container and filesystem vulnerability scanner.
Opt-in. Overlaps Trivy and OSV; memory-heavy.
id: grype
Retire.js
opt-in
JavaScript library vulnerability scanner.
Opt-in. Overlaps npm audit and OSV for default JavaScript coverage.
id: retire
Snyk Open Source
opt-in
Snyk dependency vulnerability scanning.
Opt-in. Requires SNYK_TOKEN.
id: snyk-open-source

Secrets detection

Pattern and entropy detection for committed credentials.

Gitleaks
Detect hardcoded secrets in git history.
id: gitleaks
detect-secrets
Yelp’s secret detection tool.
id: detect-secrets
TruffleHog
High-entropy and verified secret detection.
id: trufflehog

Configuration & IaC

Cloud-native and container manifest checks.

Trivy
Misconfiguration and vulnerability scanner.
id: trivy
Checkov
Infrastructure-as-code security scanner.
id: checkov
tfsec
opt-in
Terraform security scanner.
Opt-in. Superseded by Trivy’s Terraform/IaC coverage.
id: tfsec
Hadolint
Dockerfile linter and security checker.
id: hadolint
kube-linter
Kubernetes manifest linting for security gaps.
id: kube-linter

Runtime testing

Runtime verification and browser interaction testing run inside the sandbox after the repo builds. They probe the app for reachable issues — input handling, auth surfaces, session management, request forgery, file uploads, and rate limits — and attach replay artifacts to any finding they confirm.

Individual runtime agents are listed in the Security dashboard, where you can toggle them per account; opt into them through the runtime configuration in .infiniview.yml or the dashboard. Runtime testing only fires for browser-based web apps the sandbox can build and serve — see Unsupported apps.

Enabling and disabling tools

Two surfaces, one snapshot:

  • Dashboard — Security configuration sets your defaults. Saved values become the base for every new scan.
  • Repo — .infiniview.yml at the repo root overrides those defaults for any scan triggered from that branch. See Configuration.

Repo config wins for overlapping fields. The merged result is frozen onto the run at trigger time, so editing settings mid-scan only affects later runs.
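The following is an added illustration, not Infiniview's own code, of the two behaviours described on this page: the dashboard/repo config merge that is frozen onto a run, and per-tool coverage reporting with explicit skip reasons (default-enabled vs opt-in, missing credentials, no analyzable files). Tool ids come from the scanner list above; the config keys (`opt_in_tools`, `disabled_tools`), the file types each tool "can analyze", and the `SONAR_TOKEN` variable name are assumptions made for the example.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Tool:
    id: str
    default: bool                    # default-enabled (True) or opt-in (False)
    suffixes: tuple = ()             # assumed file types the tool can analyze; () = any repo
    needs_env: Optional[str] = None  # credential the tool requires, if any

# Subset of the scanner catalog; ids are from the docs, suffixes are assumed.
CATALOG = (
    Tool("semgrep", default=True),
    Tool("bandit", default=True, suffixes=(".py",)),
    Tool("npm-audit", default=True, suffixes=("package.json", "package-lock.json")),
    Tool("sonarqube", default=False, needs_env="SONAR_TOKEN"),  # env var name assumed
    Tool("snyk-open-source", default=False, needs_env="SNYK_TOKEN"),
)

def merge_config(dashboard: dict, repo: dict) -> dict:
    """Dashboard defaults plus repo overrides; repo wins on overlapping fields.
    Returns a deep copy so editing either source mid-scan cannot change this run."""
    snapshot = deepcopy(dashboard)
    snapshot.update(deepcopy(repo))
    return snapshot

def plan_run(snapshot: dict, repo_files: list, env: dict) -> dict:
    """Decide per tool whether it runs, recording a reason whenever it does not,
    so the report never silently drops a scanner."""
    opt_in = set(snapshot.get("opt_in_tools", ()))
    disabled = set(snapshot.get("disabled_tools", ()))
    report = {}
    for tool in CATALOG:
        if tool.id in disabled:
            report[tool.id] = "skipped: disabled in config"
        elif not tool.default and tool.id not in opt_in:
            report[tool.id] = "skipped: opt-in tool not enabled"
        elif tool.needs_env and not env.get(tool.needs_env):
            report[tool.id] = f"skipped: missing credential {tool.needs_env}"
        elif tool.suffixes and not any(f.endswith(tool.suffixes) for f in repo_files):
            report[tool.id] = "skipped: no files this tool can analyze"
        else:
            report[tool.id] = "ran"
    return report
```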