░▒▓█ SECGATE · COVERAGE MATRIX █▓▒░
Which scanner covers which category — and where the gaps are.
SecGate orchestrates five scanners spanning five categories. No single scanner covers all categories; the bundle is the product.
flowchart LR
SEC[SecGate]
SEC --> SEM[Semgrep<br/>SAST]
SEC --> GIT[Gitleaks<br/>Secrets]
SEC --> NPM[npm audit<br/>SCA - Node only]
SEC --> OSV[osv-scanner<br/>SCA - polyglot]
SEC --> TRIV[Trivy<br/>IaC + License + Image]
| Category | Scanner | Notes |
|---|---|---|
| SAST (static code analysis) | Semgrep | Rule-based. Uses Semgrep's default OSS ruleset. Languages: Python, JS/TS, Go, Java, Ruby, PHP, C/C++, Rust, Scala, Kotlin, Swift. |
| SCA — Node (dependency CVE) | npm audit | Runs only when package.json is present. Uses npm's advisory DB via GitHub. |
| SCA — polyglot (multi-ecosystem CVE) | osv-scanner | npm, PyPI, Go modules, Cargo, Maven, RubyGems, Packagist, NuGet, Pub. Uses OSV.dev advisory DB. Overlaps with npm audit for Node — both run. |
| Secrets (credentials in code/history) | Gitleaks | Scans working tree by default. Extends to git history when .git/ present. Redacts match bodies in output. |
| IaC misconfiguration | Trivy (fs mode) |
Terraform, CloudFormation, Kubernetes manifests, Dockerfile, Helm, Ansible. Uses Trivy's default policy bundle. |
| License | Trivy (fs mode) |
Detects package licenses and flags restricted (copyleft) licenses per Trivy defaults. |
| Container base image | Trivy (image mode) |
Discovers FROM images in Dockerfiles and scans those base images. Skips scratch. First run may download Trivy's vulnerability DB and image metadata. |
| DAST (runtime testing) | Not covered — out of scope for a CI gate. | |
| Cloud posture (CSPM) | Not covered — use cloud-native tools. |
Some categories have deliberate overlap for defense in depth:
- Node dependencies — both
npm auditandosv-scannerrun. They pull from different advisory sources (GitHub Advisories vs OSV.dev). Findings are surfaced separately per scanner in the report; deduplication by CVE ID is planned but not yet implemented. - Dockerfile — Semgrep has Dockerfile rules; Trivy scans Dockerfile for misconfig, and SecGate separately asks Trivy to scan discovered base images. Different lenses (code smell vs policy vs base-image CVEs), all kept.
Honesty matters. These are known limits of the current bundle.
SecGate scans base images referenced by Dockerfiles, but it does not build the
application image and scan the resulting final artifact. If your Dockerfile
installs packages during build, those final-layer packages are outside
SecGate's current coverage. Run trivy image <your-built-tag> directly for
full image-layer scanning.
We ship Semgrep's OSS default ruleset only. Semgrep Pro / Semgrep Registry paid rulesets are not invoked. Organizations with custom Semgrep rules can pass them via environment or future config (#32).
Trivy reports licenses; SecGate does not fail the build on license findings today. Severity for license hits maps to LOW/MEDIUM depending on Trivy's classification. Enterprise policy (allowlist/blocklist) is future work.
No analysis of pre-built binaries (JAR internals, Go binary SBOM extraction). osv-scanner covers lockfiles, not compiled artifacts.
Gitleaks history scanning depends on the repo being cloned with full history. CI defaults to shallow clones — document fetch-depth: 0 for full coverage.
Coverage tracks Semgrep's OSS ruleset. Newer or niche languages may have thin rule coverage.
- You need runtime / DAST / production monitoring — use Snyk Runtime, Aikido, or dedicated DAST.
- You need SOC 2 evidence automation — SecGate produces reports but is not a compliance platform.
- You need a managed vulnerability DB with triage workflow — SecGate is a gate, not a ticketing system.
- You need zero-dependency scanning — SecGate requires the upstream scanner binaries to be installed.
The bundle is deliberately small (see ADR-0001). New scanners must:
- Cover a category SecGate lacks, or materially improve existing coverage.
- Be open source and free to use commercially.
- Output stable JSON for parsing.
- Not require a cloud account or API key for default operation.
Open an issue with the proposal before opening a PR.
See also: threat-model.md, tuning.md, comparison.md.