scan_repository
Run a comprehensive security scan on a repository using multiple parallel scanners to detect vulnerabilities, secrets, and dependency CVEs, and receive a deduplicated severity-ranked report.
Instructions
Run a full security scan on a repository.
Executes the following scanners in parallel:
CodeQL (deep dataflow / taint-analysis SAST, open-source CLI)
Semgrep (5,000+ OWASP/CWE rules)
bandit (Python-specific security linter)
ruff (Python quality + security patterns)
detect-secrets / gitleaks (hardcoded secrets)
osv-scanner / dependabot (dependency CVEs via OSV/GHSA advisory DB)
pip-audit (Python CVEs)
npm-audit (Node.js CVEs)
trivy (Docker image CVEs, misconfigurations, and baked-in secrets — runs when a Dockerfile is found)
Returns a JSON report with deduplicated, severity-ranked findings.
Args:
repo_path: Absolute or relative path to the repository to scan.
skip_scanners: Optional list of scanner names to skip. Valid values: codeql, semgrep, bandit, ruff, detect-secrets, dependabot, pip-audit, npm-audit, trivy.
scan_git_history: If True, also scan the git history for leaked secrets (requires gitleaks to be installed).
extra_images: Pre-built Docker image names/tags to scan directly with Trivy. Use when docker build fails in a restricted environment. Example: ["mcr.microsoft.com/playwright:v1.50-noble"]
Returns: JSON string containing the full SecurityReport with all findings, per-scanner metadata, severity counts, and scan duration.
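The "deduplicated, severity-ranked" step is where most of the value of a multi-scanner run comes from: bandit and Semgrep routinely flag the same line for the same CWE, and a report that lists it twice under two severity vocabularies is noise. The block below is an added illustration of that merge step, not the tool's own code; the page does not show the real SecurityReport schema, so the report shape (findings / scanners / severity_counts / duration_seconds), the severity mapping and the dedup key are assumptions. The three scanner outputs are constructed to mimic the JSON that bandit, Semgrep and pip-audit emit and are not real scan results.

```python
import json
import re
import time
from collections import Counter

# Constructed sample, modeled on bandit -f json (not real scan output).
BANDIT_JSON = json.dumps({"results": [
    {"filename": "app/run.py", "line_number": 12, "test_id": "B602", "issue_severity": "HIGH",
     "issue_cwe": {"id": 78}, "issue_text": "subprocess call with shell=True"},
    {"filename": "app/cfg.py", "line_number": 3, "test_id": "B105", "issue_severity": "LOW",
     "issue_cwe": {"id": 259}, "issue_text": "Possible hardcoded password"}]})

# Constructed sample, modeled on semgrep --json.
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.subprocess-shell-true", "path": "app/run.py",
     "start": {"line": 12}, "extra": {"severity": "ERROR", "message": "shell=True with user input",
                                      "metadata": {"cwe": ["CWE-78: OS Command Injection"]}}},
    {"check_id": "python.lang.security.audit.sqli", "path": "app/db.py",
     "start": {"line": 40}, "extra": {"severity": "WARNING", "message": "string-built SQL",
                                      "metadata": {"cwe": ["CWE-89: SQL Injection"]}}}]})

# Constructed sample, modeled on pip-audit -f json; package and id are placeholders.
PIP_AUDIT_JSON = json.dumps({"dependencies": [
    {"name": "examplepkg", "version": "1.0.0",
     "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"], "description": "placeholder"}]}]})

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# Each scanner's own vocabulary mapped onto one scale (assumed mapping).
SEVERITY_MAP = {"bandit": {"HIGH": "high", "MEDIUM": "medium", "LOW": "low"},
                "semgrep": {"ERROR": "high", "WARNING": "medium", "INFO": "low"}}


def cwe_id(text):
    """Numeric id from strings like 'CWE-78: OS Command Injection', else None."""
    m = re.search(r"CWE-(\d+)", text or "")
    return int(m.group(1)) if m else None


def parse_bandit(raw):
    for r in json.loads(raw)["results"]:
        yield {"scanner": "bandit", "path": r["filename"], "line": r["line_number"],
               "rule": r["test_id"], "cwe": (r.get("issue_cwe") or {}).get("id"),
               "severity": SEVERITY_MAP["bandit"].get(r["issue_severity"], "medium"),
               "message": r["issue_text"]}


def parse_semgrep(raw):
    for r in json.loads(raw)["results"]:
        cwes = r["extra"].get("metadata", {}).get("cwe") or []
        yield {"scanner": "semgrep", "path": r["path"], "line": r["start"]["line"],
               "rule": r["check_id"], "cwe": cwe_id(cwes[0]) if cwes else None,
               "severity": SEVERITY_MAP["semgrep"].get(r["extra"]["severity"], "medium"),
               "message": r["extra"]["message"]}


def parse_pip_audit(raw):
    # pip-audit's JSON carries no severity score; rating every known CVE "high"
    # until triaged is this example's assumption, not pip-audit behaviour.
    for dep in json.loads(raw)["dependencies"]:
        for v in dep.get("vulns", []):
            yield {"scanner": "pip-audit", "path": f"dependency:{dep['name']}", "line": 0,
                   "rule": v["id"], "cwe": None, "severity": "high",
                   "message": f"{dep['name']} {dep['version']} fixed in "
                              f"{', '.join(v['fix_versions']) or 'n/a'}"}


PARSERS = {"bandit": parse_bandit, "semgrep": parse_semgrep, "pip-audit": parse_pip_audit}


def dedup_key(f):
    # Same file, same line, same CWE => one finding, whichever scanners saw it.
    # Without a CWE, fall back to the scanner-specific rule id.
    return (f["path"], f["line"], f["cwe"] if f["cwe"] is not None else f["rule"])


def build_report(outputs):
    """outputs: {scanner_name: raw JSON string} -> merged, severity-ranked report."""
    started = time.perf_counter()
    merged, scanners = {}, {}
    for name, raw in outputs.items():
        found = list(PARSERS[name](raw))
        scanners[name] = {"raw_findings": len(found)}
        for f in found:
            key = dedup_key(f)
            if key not in merged:
                merged[key] = {**f, "scanners": [name]}
                continue
            cur = merged[key]
            cur["scanners"].append(name)
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur["severity"]]:
                cur["severity"] = f["severity"]  # keep the worst rating on a merge
    findings = sorted(merged.values(),
                      key=lambda f: (-SEVERITY_RANK[f["severity"]], f["path"], f["line"]))
    for f in findings:
        f.pop("scanner", None)  # superseded by the merged "scanners" list
    return {"findings": findings, "scanners": scanners,
            "severity_counts": dict(Counter(f["severity"] for f in findings)),
            "duration_seconds": round(time.perf_counter() - started, 4)}


if __name__ == "__main__":
    print(json.dumps(build_report({"bandit": BANDIT_JSON, "semgrep": SEMGREP_JSON,
                                   "pip-audit": PIP_AUDIT_JSON}), indent=2))
```

On the sample data the five raw findings collapse to four: the shell=True hit on app/run.py:12 is reported once with both bandit and semgrep listed as sources. Keying on CWE rather than on the scanner's rule id is what makes cross-tool dedup work; the fallback to the rule id keeps findings without a CWE (dependency CVEs, secrets) from being merged with each other by accident.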
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| repo_path | Yes | Absolute or relative path to the repository to scan. | |
| skip_scanners | No | Scanner names to skip. Valid values: codeql, semgrep, bandit, ruff, detect-secrets, dependabot, pip-audit, npm-audit, trivy. | |
| scan_git_history | No | If True, also scan the git history for leaked secrets (requires gitleaks to be installed). | |
| extra_images | No | Pre-built Docker image names/tags to scan directly with Trivy; use when docker build fails in a restricted environment. | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | JSON string containing the full SecurityReport: all findings, per-scanner metadata, severity counts, and scan duration. | |