The scanners
semgrep, gitleaks, trivy, bearer, lighthouse… The reference OSS stack, packaged and curated for a readable PDF.
semgrep, gitleaks, trivy, bearer, lighthouse… The reference OSS stack, packaged and curated for a readable PDF.
Enabling everything produces a 200-page report buried in style warnings that hide the real vulnerabilities. Hykaro groups scanners into three profiles you activate per project.
The core, non-disableable, on all tiers.
semgrep (OWASP, CWE Top 25, AI-coded patterns)gitleaks, trufflehognpm-audit, pip-audit, composer audit, cargo audittrivy, checkov, hadolinteslint-plugin-security, dangerouslySetInnerHTML detectionRGAA 4.1 + WCAG 2.1 AA + EAA coverage. pa11y, lighthouse, custom WCAG rules. Generates a numeric score, screen by screen, with annotated screenshots. A strong selling point in markets where accessibility compliance deadlines are approaching.
phpstan, eslint, tsc, knip, madge, depcheck. Capped at low severity so it never pollutes your security KPIs. Enable it when you want a code-quality audit beyond security.
The scanners are OSS. The moat is curation: false positives filtered out, automatic stack cookbooks, findings organized to be read, not just generated.