ScopeGuardian is a CLI tool that runs multiple security scanners on your codebase and synchronises findings with DefectDojo. Block your CI/CD pipeline when vulnerabilities exceed your thresholds.
A single CLI that orchestrates multiple scanners, syncs findings, and enforces policies, all in one pipeline step.
Runs KICS (IaC), Grype (SCA), and OpenGrep (SAST) concurrently in two phases, automatically skipping scanners whose prerequisites failed.
Automatically creates and manages engagements per project/branch. Uploads findings, closes stale results, and deduplicates, all hands-free.
Fail the pipeline when finding counts exceed configurable thresholds per severity. Security gates are applied after findings are aggregated and deduplicated across all scanners, making them simpler and more accurate than managing thresholds per tool.
Protected branches get 1-year engagements. Feature branches get 1-week windows. Expired engagements are extended automatically.
Pre-bundled Docker image ships with KICS, OpenGrep, Grype, and Syft already installed. Just mount your code and run.
Configure per-severity thresholds with cumulative evaluation, e.g. fail on 1 critical OR 5+ high findings. Case-insensitive, composable rules.
ScopeGuardian and its entire ecosystem are open source. You own your toolchain, your data, and your pipeline. No proprietary dependencies, no lock-in.
ScopeGuardian orchestrates best-in-class open source security tools, each specialised for a different attack surface.
Infrastructure-as-Code Scanner
Detects security vulnerabilities, compliance issues, and misconfigurations in Terraform, Dockerfile, Kubernetes, Ansible, CloudFormation and more. Findings are tagged with IACST.
Software Composition Analysis
Syft generates an SBOM and Grype scans it for known CVEs. Supports ignoring unfixable states (wont-fix, not-fixed) and resolving transitive Java dependencies. Findings tagged SCA.
Static Application Security Testing
Pattern-based SAST using Semgrep-compatible rules. Findings are enriched with severity from metadata before upload and tagged SAST in DefectDojo.
ScopeGuardian uses a deterministic, two-phase execution model that handles prerequisites, parallel scanning, and result publishing.
1. Configure: CLI flags and config.toml are parsed. Scanners are registered based on which sections exist in the config file.
2. Phase 1, prerequisites: Syft SBOM generation runs here. It must complete successfully before Grype can execute.
3. Phase 2, scanners: KICS, Grype, and OpenGrep run concurrently. A scanner whose prerequisite failed is skipped rather than run.
4. Sync: when --sync is set, findings are uploaded to the managed engagement. Stale findings are auto-closed.
5. Gate: when --threshold is set, finding counts are checked against the rules. If any rule fails, the process exits with code -1 (which a POSIX shell reports as status 255) to block the pipeline.
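The two-phase model above, written out as an added Go example (this is illustrative code, not ScopeGuardian's own source). The scanners and their findings are constructed stand-ins: a Syft step in phase 1 and KICS, Grype and OpenGrep in phase 2, with Grype declaring Syft as a prerequisite. Phase 2 runs its scanners concurrently, and a scanner whose prerequisite failed is marked skipped instead of being run, so one broken SBOM never aborts the IaC or SAST results. The names Scanner, Result, Orchestrate, Aggregate and Demo are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Finding is the minimal shape of one scanner result used in this illustration.
type Finding struct{ Scanner, Severity, Title string }

// Scanner is one tool in the pipeline. Requires names the prerequisite
// steps that must have succeeded before Run is invoked.
type Scanner struct {
	Name     string
	Requires []string
	Run      func() ([]Finding, error)
}

// Result records the outcome of one scanner or prerequisite step.
type Result struct {
	Findings []Finding
	Err      error
	Skipped  bool // true when a prerequisite failed and Run was never called
}

// unmetPrereq returns the first prerequisite of s that is missing, errored
// or skipped in prev, or "" when every prerequisite is satisfied.
func unmetPrereq(s Scanner, prev map[string]Result) string {
	for _, dep := range s.Requires {
		if r, ok := prev[dep]; !ok || r.Err != nil || r.Skipped {
			return dep
		}
	}
	return ""
}

// runPhase executes every scanner in the slice concurrently. A scanner whose
// prerequisite failed in an earlier phase is recorded as Skipped instead.
func runPhase(scanners []Scanner, prev map[string]Result) map[string]Result {
	var mu sync.Mutex
	var wg sync.WaitGroup
	out := make(map[string]Result, len(scanners))
	for _, s := range scanners {
		if dep := unmetPrereq(s, prev); dep != "" {
			mu.Lock()
			out[s.Name] = Result{Skipped: true, Err: fmt.Errorf("prerequisite %q failed", dep)}
			mu.Unlock()
			continue
		}
		wg.Add(1)
		go func(s Scanner) {
			defer wg.Done()
			findings, err := s.Run()
			mu.Lock()
			out[s.Name] = Result{Findings: findings, Err: err}
			mu.Unlock()
		}(s)
	}
	wg.Wait()
	return out
}

// Orchestrate runs the prerequisite phase, then the scanner phase, and
// returns every outcome keyed by step name.
func Orchestrate(phase1, phase2 []Scanner) map[string]Result {
	results := runPhase(phase1, nil)
	for name, r := range runPhase(phase2, results) {
		results[name] = r
	}
	return results
}

// Aggregate flattens the successful results into one finding list, which is
// what the later sync and gate steps would consume.
func Aggregate(results map[string]Result) []Finding {
	var all []Finding
	for _, r := range results {
		if r.Err == nil && !r.Skipped {
			all = append(all, r.Findings...)
		}
	}
	return all
}

// Demo wires up constructed stand-ins for Syft, KICS, Grype and OpenGrep.
// When sbomFails is true the Syft step errors and Grype must be skipped.
func Demo(sbomFails bool) map[string]Result {
	syft := Scanner{Name: "syft", Run: func() ([]Finding, error) {
		if sbomFails {
			return nil, errors.New("syft: SBOM generation failed")
		}
		return nil, nil // an SBOM is an artifact on disk, not a finding
	}}
	kics := Scanner{Name: "kics", Run: func() ([]Finding, error) {
		return []Finding{{"kics", "High", "Container runs as root"}}, nil
	}}
	grype := Scanner{Name: "grype", Requires: []string{"syft"}, Run: func() ([]Finding, error) {
		return []Finding{{"grype", "Critical", "Known CVE in a dependency"}}, nil
	}}
	opengrep := Scanner{Name: "opengrep", Run: func() ([]Finding, error) {
		return []Finding{{"opengrep", "Medium", "Hard-coded credential"}}, nil
	}}
	return Orchestrate([]Scanner{syft}, []Scanner{kics, grype, opengrep})
}

func main() {
	for _, fail := range []bool{false, true} {
		res := Demo(fail)
		fmt.Printf("sbomFails=%v grypeSkipped=%v findings=%d\n", fail, res["grype"].Skipped, len(Aggregate(res)))
	}
}
```

The point to notice is that a failed prerequisite degrades the run rather than aborting it: KICS and OpenGrep findings still reach the sync and gate steps even when the SBOM step fails, and the skipped Grype result carries the reason.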
Build from source or pull the Docker image. A single TOML config file controls which scanners run and how.
1. Build the binary
go build -o ScopeGuardian .
2. Create your config
# config.toml
path = "./my-service"

[kics]
platform = "Dockerfile"

[grype]
ignore_states = "not-fixed,unknown"

[opengrep]
3. Run the scan
SCAN_DIR=/path/to/repos \
./ScopeGuardian \
  --projectName my-service \
  --branch main \
  --sync \
  --threshold critical=1,high=5 \
  ./config.toml

Because --sync is set, DD_URL and DD_ACCESS_TOKEN must also be present in the environment.
| Flag | Type | Required | Description |
|---|---|---|---|
| --projectName | string | yes | Name of the project being scanned. Must match the product name in DefectDojo when --sync is used. |
| --branch | string | yes | Branch being scanned. |
| --sync | bool | no | Upload scan results to DefectDojo. Requires DD_URL and DD_ACCESS_TOKEN. Default: false. |
| --threshold | string | no | Comma-separated severity thresholds that define the security gate. |
| -q | bool | no | Quiet mode: suppress all log output. Default: false. |
| -o | string | no | Write findings to the specified file. Banner and logs are not included; only the scan findings are written. |
| --format | string | no | Output format used when -o is set. Accepted values: json (default), csv, raw (plain table). |
| <config-file> | path | yes | Path to the TOML configuration file (positional argument). |
| Variable | Description |
|---|---|
| SCAN_DIR | Base directory for scan operations |
| DD_URL | DefectDojo instance base URL |
| DD_ACCESS_TOKEN | DefectDojo API v2 token |
The official Docker image bundles ScopeGuardian with all scanner dependencies (KICS, OpenGrep, Grype, and Syft) pre-installed. No manual setup required.
Configure per-severity thresholds. When a count is met or exceeded, ScopeGuardian exits with code -1, blocking the pipeline. A POSIX shell reports that exit status as 255, so CI steps should gate on a non-zero status rather than on the literal value -1.
Without --sync, the gate is evaluated against the raw local scan output. When --sync is also provided, the gate uses the deduplicated active findings already stored in DefectDojo, so duplicate or previously closed findings never cause a false failure.
--threshold critical=1
Block the pipeline if even one critical severity finding is detected.

--threshold critical=1,high=5
Fail on 1+ critical OR 5+ findings of high severity or above. Evaluation is cumulative, so critical findings also count toward the high rule. All rules must pass for the gate to pass.

--threshold medium=10
Count findings of medium severity or higher. Fail if they reach 10.
Post-deduplication evaluation with --sync and --threshold
When both --sync and --threshold are provided, the gate is evaluated against DefectDojo's deduplicated active findings, not raw scanner output. Duplicate or previously closed findings never inflate the count.
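The gate semantics described in this section (case-insensitive rule names, cumulative "this severity or higher" counting, every rule must pass, exit code -1 on failure) as an added Go example. It is illustrative code, not ScopeGuardian's own implementation, and the names ParseThresholds, CountAtOrAbove, Violations and ExitCode are assumptions. The severity list fed to the gate stands in for either the raw local findings or, with --sync, the deduplicated active findings read back from DefectDojo.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// severityRank orders severities so that a "high" rule covers high and critical.
var severityRank = map[string]int{"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

// Rule is one parsed threshold such as high=5.
type Rule struct {
	Severity string
	Limit    int
}

// ParseThresholds turns a spec like "critical=1,High=5" into rules. Severity
// names are case-insensitive; unknown names, a missing "=", and limits below 1
// are rejected so that a typo cannot silently disable the gate.
func ParseThresholds(spec string) ([]Rule, error) {
	var rules []Rule
	for _, part := range strings.Split(spec, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed rule %q, expected severity=count", part)
		}
		sev := strings.ToLower(strings.TrimSpace(kv[0]))
		if _, ok := severityRank[sev]; !ok {
			return nil, fmt.Errorf("unknown severity %q in rule %q", kv[0], part)
		}
		limit, err := strconv.Atoi(strings.TrimSpace(kv[1]))
		if err != nil || limit < 1 {
			return nil, fmt.Errorf("rule %q needs a positive integer count", part)
		}
		rules = append(rules, Rule{Severity: sev, Limit: limit})
	}
	if len(rules) == 0 {
		return nil, fmt.Errorf("no rules found in %q", spec)
	}
	return rules, nil
}

// CountAtOrAbove counts findings whose severity is sev or more severe.
// Labels are compared case-insensitively; unrecognised labels are ignored.
func CountAtOrAbove(severities []string, sev string) int {
	floor := severityRank[sev]
	n := 0
	for _, s := range severities {
		if rank, ok := severityRank[strings.ToLower(strings.TrimSpace(s))]; ok && rank >= floor {
			n++
		}
	}
	return n
}

// Violations evaluates every rule cumulatively and returns one message per
// rule whose count met or exceeded its limit. An empty result means the gate passes.
func Violations(rules []Rule, severities []string) []string {
	var out []string
	for _, r := range rules {
		if n := CountAtOrAbove(severities, r.Severity); n >= r.Limit {
			out = append(out, fmt.Sprintf("%d finding(s) of severity %s or higher (limit %d)", n, r.Severity, r.Limit))
		}
	}
	return out
}

// ExitCode mirrors the documented behaviour: -1 when the gate fails, 0 otherwise.
// A POSIX shell will report -1 as exit status 255.
func ExitCode(violations []string) int {
	if len(violations) > 0 {
		return -1
	}
	return 0
}

func main() {
	rules, err := ParseThresholds("critical=1,high=5")
	if err != nil {
		fmt.Println("bad --threshold:", err)
		return
	}
	// Constructed sample: four highs and no critical, so the gate passes.
	active := []string{"High", "high", "Medium", "HIGH", "Low", "high"}
	v := Violations(rules, active)
	fmt.Println("violations:", v, "exit:", ExitCode(v))
}
```

Feeding the gate severities from DefectDojo's active findings rather than from raw tool output is what keeps duplicates across scanners, and findings already closed as false positives, from tripping a rule.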
ScopeGuardian is open source and free to use. ParanoiHack offers optional support plans so your team can move fast with confidence.
Free / forever
Ideal for individual developers and open-source projects. Get access to the full feature set and GitHub issue tracking.
Professional: Custom / month
Designed for teams and small businesses that want priority help, faster response times, and guided onboarding into their CI/CD workflows.
Enterprise: Custom / contract
For organisations with strict compliance requirements, dedicated environments, and the need for direct engineering involvement.
All plans include access to the latest open-source releases. Professional & Enterprise pricing is tailored to your team size and requirements.