Scanners & runtime agents
Static, dependency, secret, and configuration scanners run during sandbox execution alongside runtime agents. Toggle them in dashboard configuration or .infiniview.yml.
Scanners
Each scanner runs against the cloned repo in the sandbox. Coverage is tracked per-tool: skipped scanners, missing credentials, and degraded execution show up in the run’s trust score.
Static analysis
Source-level rule engines run against the cloned repo without executing its code.
Semgrep
ESLint Security
Bandit
gosec
Brakeman
SpotBugs
PHPStan
Bearer
njsscan
SonarQube
Dependency audit
Manifest- and lockfile-driven CVE detection across language ecosystems.
npm audit
pip-audit
cargo-audit
OSV Scanner
Safety
Grype
Retire.js
Snyk Open Source
Secrets detection
Pattern and entropy detection for committed credentials.
Gitleaks
detect-secrets
TruffleHog
Configuration & IaC
Cloud-native and container manifest checks.
Trivy
Checkov
tfsec
Hadolint
kube-linter
Runtime agents
Runtime agents probe the running app inside the sandbox. They’re opt-in per scan and share the run’s wall-clock and per-agent timeouts.
API Fuzzer: Malformed HTTP input testing
Injection Tester: SQL, NoSQL, and OS injection payloads
UI Crawler: Automated navigation and element discovery
SSRF Prober: Server-side request forgery checks
CORS Tester: Cross-origin policy testing
Session Tester: Session management weaknesses
Crypto Auditor: Cryptographic implementation review
Auth Attacker: LLM-guided authentication attacks
Business Logic Prober: LLM-guided flow abuse testing
Prompt Injection Tester: AI endpoint prompt injection testing
File Upload Tester: Upload vulnerability checks
Rate Limit Tester: Brute-force and throttling checks