86/100  Gitleaks for secret scanning in repositories
Scan repositories and working trees for leaked secrets before agents commit or open PRs.
Output formats: json, sarif, csv. Verified. Actively maintained.
$ brew install gitleaks
84/100  Trivy for dependency, container, IaC, and SBOM scanning
Scan code, containers, dependencies, Kubernetes manifests, and SBOMs with machine-readable reports.
Output formats: json, sarif, table. Verified. Actively maintained.
$ brew install trivy
82/100  Semgrep CLI for static analysis and policy checks
Run code pattern checks and policy scans with JSON or SARIF output that agents can summarize.
Output formats: json, sarif, text. Verified. Actively maintained.
$ pipx install semgrep
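All three tools above can write SARIF, which is what lets an agent or a CI step consume secret, dependency and static-analysis findings from different scanners through one parser. The script below is an added example for this listing, not code from Gitleaks, Trivy or Semgrep. It reads a constructed SARIF 2.1.0 document (the tool runs follow the SARIF structure, but the rule IDs, paths and messages are invented placeholders), resolves each finding's severity the way the SARIF specification says to (the result's own level, else the rule's defaultConfiguration level, else warning), and produces per-tool and per-level counts plus a pass/fail gate.

```python
"""Summarize SARIF output from several scanners into one report with a merge gate."""
import json
from collections import Counter

# SARIF severity ordering; "none" is below everything so an empty report never blocks.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample (not real scan output): one run per tool in SARIF 2.1.0 shape.
# It deliberately includes results without a "level" so the fallback path is exercised.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "gitleaks", "rules": [
            {"id": "sample-generic-api-key",
             "defaultConfiguration": {"level": "error"}}]}},
         "results": [
            {"ruleId": "sample-generic-api-key",  # no level: inherit "error" from the rule
             "message": {"text": "secret detected (sample)"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 12}}}]}]},
        {"tool": {"driver": {"name": "Trivy"}},
         "results": [
            {"ruleId": "sample-vulnerable-dependency", "level": "warning",
             "message": {"text": "vulnerable package version (sample)"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "requirements.txt"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "sample-dockerfile-runs-as-root", "level": "error",
             "message": {"text": "container runs as root (sample)"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Dockerfile"},
                 "region": {"startLine": 9}}}]}]},
        {"tool": {"driver": {"name": "semgrep"}},
         "results": [
            {"ruleId": "sample-subprocess-shell-true", "level": "warning",
             "message": {"text": "subprocess call with shell=True (sample)"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/run.py"},
                 "region": {"startLine": 41}}}]},
            {"ruleId": "sample-unused-import",  # no level anywhere: SARIF default "warning"
             "message": {"text": "unused import (sample)"},
             "locations": []}]}]})


def _rule_levels(driver):
    """Map ruleId -> defaultConfiguration.level declared by the tool driver."""
    return {r.get("id"): r.get("defaultConfiguration", {}).get("level")
            for r in driver.get("rules", [])}


def summarize_sarif(text):
    """Parse a SARIF document and return findings plus per-tool and per-level counts."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown")
        rule_levels = _rule_levels(driver)
        for res in run.get("results", []):
            rule = res.get("ruleId", "unknown")
            # SARIF level resolution: result.level, else rule default, else "warning".
            level = res.get("level") or rule_levels.get(rule) or "warning"
            uri, line = "-", None
            for loc in res.get("locations", []):  # first physical location only
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "-")
                line = phys.get("region", {}).get("startLine")
                break
            findings.append({"tool": tool, "rule": rule, "level": level, "uri": uri,
                             "line": line, "message": res.get("message", {}).get("text", "")})
    return {"findings": findings,
            "by_tool": Counter(f["tool"] for f in findings),
            "by_level": Counter(f["level"] for f in findings)}


def worst_level(summary):
    """Highest severity present, or "none" for an empty report."""
    return max((f["level"] for f in summary["findings"]),
               key=lambda lv: LEVEL_RANK.get(lv, 0), default="none")


def should_block(summary, fail_on="error"):
    """True when any finding is at or above the fail_on severity."""
    return LEVEL_RANK.get(worst_level(summary), 0) >= LEVEL_RANK[fail_on]


def format_summary(summary):
    """Short text an agent can paste into a PR comment, worst findings first."""
    out = [f"{len(summary['findings'])} findings; worst level: {worst_level(summary)}"]
    out += [f"  {tool}: {n}" for tool, n in sorted(summary["by_tool"].items())]
    for f in sorted(summary["findings"], key=lambda f: -LEVEL_RANK.get(f["level"], 0)):
        where = f["uri"] + (f":{f['line']}" if f["line"] else "")
        out.append(f"  [{f['level']}] {f['tool']} {f['rule']} at {where}: {f['message']}")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    # Read a real report from stdin, or fall back to the constructed sample.
    text = SAMPLE_SARIF if sys.stdin.isatty() else sys.stdin.read()
    summary = summarize_sarif(text)
    print(format_summary(summary))
    sys.exit(1 if should_block(summary) else 0)
```

To run it against real output, write each scanner's report with its SARIF option (for example `trivy fs --format sarif`, `semgrep --sarif`, `gitleaks detect --report-format sarif`) and pipe the file in; the exit status makes the script usable directly as a pre-commit or pre-PR gate, and `fail_on` can be lowered to `warning` for stricter repositories.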