Fourteen Scanners. Four Domains. One Workbench.
Vanguard DevSecOps Engine
SAST, DAST, SCA, container image scanning, secret detection, IaC scanning, STIG compliance, CIS Benchmarks, API security testing, SBOM generation, fuzz testing, and code quality analysis. Fourteen scanners across four domains. Run locally from your terminal or through the platform workbench. Results become compliance evidence automatically.
The DevSecOps Workbench
Security work becomes compliance evidence. No extra effort.
Vanguard is where security engineering happens. Every scan, every finding, every remediation flows through a single pipeline. At Guardian tier and above, scan results map directly to compliance controls across every active framework. The security work you already do generates the proof your assessor needs.
Static Application Security Testing (SAST) covers JavaScript, TypeScript, Python, Go, Java, C#, PHP, Rust, and Ruby with custom rule support for platform-specific patterns. Infrastructure-as-Code scanning covers Terraform, CloudFormation, Kubernetes manifests, Helm charts, and Docker Compose with control mapping built in. Misconfigurations are caught before deployment, not after an assessor finds them. Secret detection goes beyond pattern matching: Vanguard actively validates whether exposed credentials are live and usable against their target services. A dead key in a test file and an active AWS secret in production are different findings. Vanguard treats them that way. Security linting enforces configuration standards across the codebase, including platform-specific rules that generic tools miss.
Every code-level finding enters the same pipeline as runtime and compliance findings. One finding model. One severity taxonomy. One remediation workflow. From the first line of code to the last deployed container, Vanguard applies consistent analysis. At Guardian tier and above, every SAST finding, every secret detection hit, every IaC misconfiguration maps to compliance controls across CMMC, NIST 800-53, FedRAMP, SOC 2, and ISO 27001 simultaneously. The security work developers already do generates the evidence assessors require.
Dependency analysis spans npm, PyPI, Maven, Go modules, Cargo, NuGet, and other package ecosystems. Vanguard generates SBOMs in both CycloneDX and SPDX from the same scan. The dual format is deliberate. SPDX for federal compliance artifacts: it is the NIST-preferred format, and assessors expect it. CycloneDX for operational vulnerability correlation: it has stronger tooling for answering questions like "which running pods contain this CVE." You need both. Vanguard produces both without separate scans or separate tools.
VEX (Vulnerability Exploitability eXchange) documents let you suppress false positives with precision. A vulnerable library that is never called in your deployment context is not the same as one in the hot path. VEX records that determination with structured justification, so assessors see the reasoning, not just the suppression. SLSA build provenance adds cryptographic attestation to every build artifact: proof that the image was built by your CI pipeline, from your source code, through a verifiable chain from commit to container. No attestation gaps. No trust-me assertions. Provenance you can verify independently.
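As an added illustration of the VEX rule described above (example code, not Vanguard's own), the snippet below applies VEX statements to SCA findings and closes a finding only when the statement carries a structured justification. The field names follow the CycloneDX VEX `analysis` object (`state`, `justification`, `detail`); the package names, CVE identifiers and VEX records are constructed placeholders.

```python
"""Apply VEX (Vulnerability Exploitability eXchange) decisions to SCA findings.

Added example, not Vanguard's code. A finding is suppressed only when the VEX
statement carries a structured justification, and that justification travels
with the result so an assessor sees the reasoning, not just the suppression.
All identifiers below are constructed placeholders.
"""
from dataclasses import dataclass, field

# Constructed SCA findings: vulnerability id, package, severity.
FINDINGS = [
    {"id": "CVE-0000-EXAMPLE1", "component": "pkg:npm/example-parser@1.2.3", "severity": "high"},
    {"id": "CVE-0000-EXAMPLE2", "component": "pkg:npm/example-router@4.0.0", "severity": "critical"},
    {"id": "CVE-0000-EXAMPLE3", "component": "pkg:pypi/example-yaml@5.1", "severity": "medium"},
]

# Constructed VEX statements in the shape of CycloneDX 'vulnerabilities[].analysis'.
VEX = {
    # Library is present, but the vulnerable function is never called here.
    "CVE-0000-EXAMPLE1": {"state": "not_affected",
                          "justification": "code_not_reachable",
                          "detail": "example-parser.parseUntrusted() is never invoked; input is pre-validated upstream"},
    # Bare 'not_affected' with no justification: not accepted as a suppression.
    "CVE-0000-EXAMPLE2": {"state": "not_affected"},
    # Still under review: stays open.
    "CVE-0000-EXAMPLE3": {"state": "in_triage"},
}

# CycloneDX justification values accepted as structured reasoning.
VALID_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control",
}


@dataclass
class Triaged:
    finding: dict
    is_open: bool
    reason: str                      # human-readable derivation kept for the evidence trail
    vex: dict = field(default_factory=dict)


def apply_vex(findings, vex):
    """Return one Triaged record per finding. Only a 'not_affected' or
    'false_positive' state backed by a valid justification closes a finding."""
    out = []
    for f in findings:
        stmt = vex.get(f["id"])
        if stmt is None:
            out.append(Triaged(f, True, "no VEX statement"))
            continue
        state = stmt.get("state")
        just = stmt.get("justification")
        if state in ("not_affected", "false_positive") and just in VALID_JUSTIFICATIONS:
            reason = f"{state}: {just}" + (f" ({stmt['detail']})" if stmt.get("detail") else "")
            out.append(Triaged(f, False, reason, stmt))
        elif state in ("not_affected", "false_positive"):
            # Suppression requested without structured justification: refuse it and say why.
            out.append(Triaged(f, True, f"{state} rejected: missing or unknown justification", stmt))
        else:
            out.append(Triaged(f, True, f"state {state!r} does not close the finding", stmt))
    return out


def open_findings(findings=FINDINGS, vex=VEX):
    """Ids of findings that remain open after VEX is applied."""
    return [t.finding["id"] for t in apply_vex(findings, vex) if t.is_open]


if __name__ == "__main__":
    for t in apply_vex(FINDINGS, VEX):
        print("OPEN  " if t.is_open else "CLOSED", t.finding["id"], "-", t.reason)
```

Running it prints one line per finding with its state and the recorded reason; the second finding stays open because its `not_affected` claim has no justification, which is the behaviour that keeps a suppression from being a bare "trust me".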
Dynamic Application Security Testing (DAST) runs 10,000+ vulnerability templates against your running endpoints: SQL injection, XSS, SSRF, authentication bypass, header misconfigurations, CORS policy violations, and OWASP Top 10 categories. This covers the attack surface that static analysis cannot see. API security testing scans REST and GraphQL endpoints for broken authentication, excessive data exposure, injection flaws, and misconfigured rate limiting. A hardcoded secret in source code is a SAST finding. An authentication bypass in a running API is a DAST finding. Both are security posture. Both produce evidence.
Container image scanning checks every image against known CVE databases, configuration baselines, and compliance requirements before deployment. Container findings enter the same pipeline as SAST and DAST results. One pipeline means one place to triage, one severity model, and one remediation path. If a base image introduces a critical vulnerability, Vanguard surfaces it alongside the code that depends on it. Fuzz testing exercises edge cases and unexpected inputs that structured tests miss. All runtime findings flow through the same compliance mapping engine, connecting DAST results and container vulnerabilities to controls across every active framework.
STIG scanning runs against any supported OS target: RHEL 7/8/9, Ubuntu 20/22, Windows Server/10/11, Docker Enterprise, Kubernetes, PostgreSQL, MySQL, Oracle, Apache, Nginx, Cisco IOS/NX-OS, Juniper, Palo Alto, and AWS Foundations. Targets can be container images, Outposts, or systems registered in Garrison. Vanguard auto-detects the base OS and selects the best available compliance profile automatically. No manual profile selection. No guessing which STIG applies to which host. SRG scanning covers General Purpose OS, Application Security, Network Device, Web Server, Database, and Container Platform categories. Each SRG result maps directly to DISA requirements with full V-number traceability.
CIS Benchmarks run at Level 1 and Level 2 across operating systems, cloud foundations, container platforms, databases, and web servers. STIG results, SRG results, and CIS Benchmark results all flow through the same finding pipeline. A single host can be scanned against its applicable STIG, its relevant SRG, and the matching CIS Benchmark in one pass. Three compliance perspectives on the same target. One unified view of what needs attention.
Local execution: run from your terminal. The container image never leaves your machine. Scan results upload to the platform for evidence tracking and trend analysis, but your source code and infrastructure stay local. This is the default for developers working on sensitive projects where code cannot leave the workstation. CI/CD execution: GitHub Actions or GitLab CI integration. Only scan results reach the platform. Pipeline gates enforce posture thresholds before code ships. If security posture degrades below your defined threshold, the build fails. No exceptions. No manual overrides unless your policy explicitly allows them.
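To make the CI/CD gate concrete, here is an added example (not Vanguard's code) of a posture gate that fails the build when findings at or above a policy threshold exceed the allowed count and honours an override only when the policy explicitly allows one. The severity ranking, policies and findings are constructed placeholders.

```python
"""CI/CD posture gate: fail the build when findings cross a policy threshold.

Added example, not Vanguard's code. The threshold is enforced on every run;
an override is honoured only when the policy explicitly allows it, and the
override reason is recorded rather than silently applied. Inputs are
constructed placeholders.
"""
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Policy:
    fail_on: str                  # lowest severity that counts as blocking
    max_allowed: int = 0          # blocking findings tolerated before the gate fails
    allow_override: bool = False  # must be True for any override to take effect


@dataclass
class GateResult:
    passed: bool
    blocking: list
    reason: str


def evaluate_gate(findings, policy, override_reason=None):
    """findings: iterable of dicts with 'id' and a lowercase 'severity'."""
    threshold = SEVERITY_RANK[policy.fail_on]
    blocking = sorted(
        (f for f in findings if SEVERITY_RANK.get(f["severity"], -1) >= threshold),
        key=lambda f: -SEVERITY_RANK[f["severity"]],   # most severe first
    )
    if len(blocking) <= policy.max_allowed:
        return GateResult(True, blocking,
                          f"{len(blocking)} finding(s) at/above {policy.fail_on}, within limit {policy.max_allowed}")
    if override_reason:
        if policy.allow_override:
            # The override is part of the evidence, not a silent bypass.
            return GateResult(True, blocking, f"override accepted: {override_reason}")
        return GateResult(False, blocking, "override requested but policy does not allow overrides")
    return GateResult(False, blocking,
                      f"{len(blocking)} finding(s) at/above {policy.fail_on} exceeds limit {policy.max_allowed}")


# Constructed scan output for a sample run.
SAMPLE_FINDINGS = [
    {"id": "SAST-0001", "severity": "high", "rule": "hardcoded-credential"},
    {"id": "IAC-0002", "severity": "medium", "rule": "s3-bucket-public-read"},
    {"id": "SCA-0003", "severity": "critical", "rule": "known-vulnerable-dependency"},
    {"id": "SAST-0004", "severity": "low", "rule": "missing-security-header"},
]

STRICT = Policy(fail_on="high")                                     # any high/critical blocks
TOLERANT = Policy(fail_on="high", max_allowed=2, allow_override=True)

if __name__ == "__main__":
    r = evaluate_gate(SAMPLE_FINDINGS, STRICT)
    print("PASS" if r.passed else "FAIL", "-", r.reason)
    for f in r.blocking:
        print(f"  {f['severity']:<8} {f['id']} {f['rule']}")
    sys.exit(0 if r.passed else 1)   # non-zero exit is what fails the pipeline step
```

The gate's exit code is the only thing the pipeline runner needs; everything else (the blocking list and the reason string) is there so the failure is explainable in the job log.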
Sentinel-scheduled execution: ephemeral, tenant-isolated containers run scans on your cadence. No persistent runtime between scans. No shared resources between tenants. Each scan spins up in a clean container, executes, streams results directly to the platform, and terminates. This model covers recurring compliance scans, scheduled DAST against staging environments, and periodic SBOM regeneration. All three models produce identical finding formats. The execution model changes where and when the scan runs. The output, the evidence quality, and the compliance mapping are the same regardless.
Every scanner is built on Chainguard distroless base images. No shell. No package manager. No attack surface beyond the scanner binary itself. The tools that check your security are themselves hardened to the same standard you apply to production workloads. If your policy requires distroless containers in production, the scanners enforcing that policy run in distroless containers too. No hypocrisy in the toolchain.
All scanner images are signed, with an SBOM and SLSA provenance attached. FIPS 140-3 validated cryptography in the base images. Full supply chain integrity: you can verify that every scanner image is exactly what it claims to be, built from the source you expect, through the pipeline you trust. For organizations operating in FedRAMP or CMMC environments, this matters. Your assessor will ask about your toolchain. Vanguard's answer is documented, signed, and independently verifiable.
At Guardian tier and above, the mapping engine activates. Every scan finding flows through a five-strategy cross-reference engine. STIG V-numbers trace to CCIs (Common Control Identifiers). CCIs trace to NIST 800-53 rev5 controls. NIST 800-53 controls trace to CMMC practices, FedRAMP controls, ISO 27001 Annex A controls, and SOC 2 Trust Service Criteria. The chain is deterministic and auditable. No black-box mappings. Every link in the derivation is visible to your assessor.
Five mapping strategies work in sequence. Native control mapping connects STIG findings to CCIs. 800-53 derivation traces CCIs to their parent NIST 800-53 controls. CSF 2.0 bridging links 800-53 controls to NIST CSF subcategories. Published cross-walks map CSF subcategories to ISO 27001, PCI-DSS, and HIPAA. AI-suggested mappings propose additional connections, but they require human confirmation before they count as evidence. A single scan finding can satisfy controls across CMMC, NIST 800-53, FedRAMP, SOC 2, and ISO 27001 simultaneously. Security work becomes compliance evidence. No extra effort. No separate workflow.
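The five-strategy chain above can be modelled as a small graph walk that records every link it takes. The following is an added example, not Vanguard's mapping engine: it walks STIG V-number to CCI to NIST 800-53 control to CSF 2.0 subcategory to crosswalked frameworks, and keeps an AI-suggested mapping out of the evidence until it is marked human-confirmed. Every identifier in the lookup tables is a constructed placeholder, not a real V-number, CCI or control reference.

```python
"""Deterministic control-mapping chain with a visible derivation trail.

Added example, not Vanguard's code. Strategies run in sequence:
  1. native mapping        STIG V-number -> CCIs
  2. 800-53 derivation     CCI -> parent NIST 800-53 controls
  3. CSF 2.0 bridging      800-53 control -> CSF subcategory
  4. published crosswalks  CSF subcategory -> ISO 27001 / PCI-DSS / HIPAA
  5. AI-suggested links    counted only when a human has confirmed them
All identifiers are constructed placeholders.
"""
from dataclasses import dataclass, field

STIG_TO_CCI = {"V-EXAMPLE-0001": ["CCI-EX-000100", "CCI-EX-000101"]}
CCI_TO_80053 = {"CCI-EX-000100": ["AC-EX-2"], "CCI-EX-000101": ["AC-EX-2", "AU-EX-12"]}
CONTROL_TO_CSF = {"AC-EX-2": ["PR.AA-EX-1"], "AU-EX-12": ["DE.CM-EX-1"]}
CSF_CROSSWALK = {
    "PR.AA-EX-1": {"ISO27001": ["A.EX.5.16"], "PCI-DSS": ["EX-8.2"], "HIPAA": ["EX-164.312(d)"]},
    "DE.CM-EX-1": {"ISO27001": ["A.EX.8.16"], "PCI-DSS": ["EX-10.2"]},
}
AI_SUGGESTED = [
    {"from": "AU-EX-12", "to": ("SOC2", "CC-EX-7.2"), "confirmed": True},
    {"from": "AC-EX-2", "to": ("CMMC", "AC.L2-EX-3.1.1"), "confirmed": False},
]


@dataclass
class MappingResult:
    satisfied: dict = field(default_factory=dict)   # framework -> sorted control ids
    derivation: list = field(default_factory=list)  # ordered, human-readable trail
    pending: list = field(default_factory=list)     # AI suggestions awaiting confirmation


def _add(result, framework, control, via):
    """Record a satisfied control and the link that produced it."""
    result.satisfied.setdefault(framework, set()).add(control)
    result.derivation.append(f"{via} -> {framework}:{control}")


def map_finding(vnum):
    """Walk the chain for one STIG V-number and return the satisfied controls
    plus a derivation an assessor can read link by link."""
    r = MappingResult()
    for cci in STIG_TO_CCI.get(vnum, []):
        r.derivation.append(f"{vnum} -> {cci} (native)")
        for ctl in CCI_TO_80053.get(cci, []):
            _add(r, "NIST800-53", ctl, f"{cci} (800-53 derivation)")
            for sub in CONTROL_TO_CSF.get(ctl, []):
                r.derivation.append(f"{ctl} -> {sub} (CSF 2.0 bridge)")
                for fw, ids in CSF_CROSSWALK.get(sub, {}).items():
                    for cid in ids:
                        _add(r, fw, cid, f"{sub} (published crosswalk)")
    # Strategy 5: AI suggestions only count once a human has confirmed them.
    for s in AI_SUGGESTED:
        if s["from"] in r.satisfied.get("NIST800-53", set()):
            fw, cid = s["to"]
            if s["confirmed"]:
                _add(r, fw, cid, f"{s['from']} (AI-suggested, human-confirmed)")
            else:
                r.pending.append(f"{s['from']} -> {fw}:{cid} (AI-suggested, unconfirmed)")
    r.satisfied = {fw: sorted(ids) for fw, ids in r.satisfied.items()}
    return r


if __name__ == "__main__":
    res = map_finding("V-EXAMPLE-0001")
    for line in res.derivation:
        print(line)
    print("satisfied:", res.satisfied)
    print("pending:", res.pending)
```

The `derivation` list is the point: each entry names the strategy that produced the link, so the chain is auditable end to end, and the unconfirmed CMMC suggestion appears under `pending` rather than under `satisfied`.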
SARIF for IDE and CI integration: GitHub, GitLab, and VS Code consume it natively. OSCAL for federal compliance automation: machine-readable, NIST-standard, built for automated assessment workflows. CycloneDX and SPDX for supply chain analysis and vulnerability correlation. Each format serves a specific consumer. Vanguard produces all of them from the same scan data.
JSON and CSV for custom tooling and data pipeline integration. PDF and HTML for human-readable reports that assessors and executives can review without specialized tools. JUnit XML for test framework integration and CI dashboard display. Nine export formats. One scan. Every consumer in your workflow gets findings in the format their tools expect.
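As an added example of one finding model feeding one of these formats (not Vanguard's exporter), the code below renders findings from two scanners into a SARIF 2.1.0 log: one run per scanner, a rules table in `tool.driver`, and one result per finding with a file location and a level derived from a single severity taxonomy. The tool name, findings and file paths are constructed placeholders.

```python
"""Export unified findings as SARIF 2.1.0 for IDE and CI consumers.

Added example, not Vanguard's code. SARIF only has four result levels
(error, warning, note, none), so the richer severity is kept under
'properties' rather than lost in the coarser level. Findings are constructed.
"""
import json

# One severity taxonomy -> SARIF result.level
LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note"}

# Constructed findings from two scanners, already in one model.
FINDINGS = [
    {"tool": "sast", "rule": "hardcoded-credential", "severity": "high",
     "message": "Access-key-shaped literal in source", "file": "src/config.js", "line": 12},
    {"tool": "iac", "rule": "s3-bucket-public-read", "severity": "medium",
     "message": "Bucket ACL grants public read", "file": "infra/storage.tf", "line": 40},
    {"tool": "sast", "rule": "sql-string-concat", "severity": "critical",
     "message": "Query built by string concatenation from request input", "file": "src/db.js", "line": 88},
]


def to_sarif(findings, tool_name="vanguard-example", version="0.0.0"):
    """Group findings by scanner into SARIF runs and return the log as a dict."""
    runs = {}
    for f in findings:
        run = runs.setdefault(f["tool"], {"rules": {}, "results": []})
        # Rules table: one entry per distinct rule id, referenced by index from results.
        if f["rule"] not in run["rules"]:
            run["rules"][f["rule"]] = {
                "id": f["rule"],
                "shortDescription": {"text": f["rule"]},
                "defaultConfiguration": {"level": LEVEL[f["severity"]]},
            }
        rule_index = list(run["rules"]).index(f["rule"])
        run["results"].append({
            "ruleId": f["rule"],
            "ruleIndex": rule_index,
            "level": LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "properties": {"severity": f["severity"]},   # original taxonomy preserved
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": f"{tool_name}-{scanner}", "version": version,
                                "rules": list(run["rules"].values())}},
            "results": run["results"],
        } for scanner, run in runs.items()],
    }


def count_by_level(sarif):
    """Summarise a SARIF log: level -> number of results across all runs."""
    counts = {}
    for run in sarif["runs"]:
        for res in run["results"]:
            counts[res["level"]] = counts.get(res["level"], 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(to_sarif(FINDINGS), indent=2))
```

Written to a file, the output is the shape that GitHub code scanning, GitLab and the VS Code SARIF viewer consume; `ruleIndex` pointing into the run's rules table is what lets those consumers attach the rule description to each result.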
Something is being forged.
The full platform is under active development. Reach out to learn more or get early access.