Vulnetix

Vulnetix is a unified CLI security scanner that uses Rego to evaluate findings from Software Composition Analysis (SCA), Infrastructure as Code (IaC), container, secrets, Static Application Security Testing (SAST) and license-compliance scans, and that also generates SBOMs, across 35+ ecosystems.

Policy-as-code is a first-class concern: detections, severity thresholds, and supply-chain controls (such as --block-malware, --block-unpinned, --version-lag, and --cooldown) are all expressed as Rego rules, so an organization can tune or replace the built-in rule set to match its own risk posture rather than accepting a fixed verdict from the tool. Results can be emitted as SARIF, CycloneDX, SPDX, VEX, or token-efficient plain text for use in CI quality gates and by AI coding agents.
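To make the policy-as-code idea concrete, here is an added illustrative Rego gate of the kind described above. It is not Vulnetix's own rule set and does not use its real input schema, which this entry does not show: the `input.findings`, `input.dependencies`, `input.vex` and `input.policy` fields, the severity names, and the package name `gate` are all assumptions made for the example. It shows three tunable controls in one place: a severity threshold that honours VEX `not_affected` statements, an unpinned-dependency block, and a release cooldown.

```rego
# Added example (not Vulnetix's code). The input layout below is assumed:
#   input.policy       = {"fail_on_severity": "high", "cooldown_days": 7}
#   input.findings     = [{"id", "title", "package", "version", "severity"}, ...]
#   input.dependencies = [{"name", "version", "published"}, ...]   # published is RFC 3339
#   input.vex          = [{"vulnerability", "status"}, ...]
package gate

import rego.v1

# Numeric ranking so a severity threshold can be compared with >=.
severity_rank := {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

threshold := severity_rank[input.policy.fail_on_severity]

# Control 1: any finding at or above the threshold fails the gate,
# unless a VEX statement marks that vulnerability as not_affected.
deny contains msg if {
	some f in input.findings
	severity_rank[f.severity] >= threshold
	not vex_not_affected(f.id)
	msg := sprintf("%s: %s in %s@%s (%s)", [f.id, f.title, f.package, f.version, f.severity])
}

# Control 2 (analogue of a block-unpinned switch): floating version
# constraints are rejected so builds cannot silently pick up a new release.
deny contains msg if {
	some d in input.dependencies
	is_unpinned(d.version)
	msg := sprintf("unpinned dependency %s (%s)", [d.name, d.version])
}

is_unpinned(v) if startswith(v, "^")
is_unpinned(v) if startswith(v, "~")
is_unpinned(v) if startswith(v, ">")
is_unpinned(v) if v == "*"

# Control 3 (analogue of a cooldown switch): a release younger than
# policy.cooldown_days is held back, which blunts freshly published
# malicious versions. Dependencies without a published date are skipped.
deny contains msg if {
	some d in input.dependencies
	age_ns := time.now_ns() - time.parse_rfc3339_ns(d.published)
	age_days := floor(age_ns / (24 * 60 * 60 * 1000000000))
	age_days < input.policy.cooldown_days
	msg := sprintf("%s@%s released %v day(s) ago, inside the %v-day cooldown",
		[d.name, d.version, age_days, input.policy.cooldown_days])
}

vex_not_affected(id) if {
	some s in input.vex
	s.vulnerability == id
	s.status == "not_affected"
}

# Single boolean for a CI step to check.
allow if count(deny) == 0
```

With a JSON document in the assumed shape saved as input.json, `opa eval -i input.json -d gate.rego 'data.gate.deny'` lists every reason the gate would fail, and `data.gate.allow` gives the pass/fail verdict. Tuning the posture is then a matter of editing `input.policy` or replacing a rule, which is the property the entry above attributes to expressing these controls in Rego.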