```
vulnscanner/
├── .github/
│   ├── workflows/
│   │   ├── test.yml              # Run tests on PR/push
│   │   ├── scan.yml              # Demo scan on test repos
│   │   └── release.yml           # Build and publish releases
│   └── ISSUE_TEMPLATE/
├── vulnscanner/
│   ├── __init__.py
│   ├── cli/
│   │   ├── __init__.py
│   │   ├── main.py               # CLI entry point
│   │   ├── commands.py           # Command definitions
│   │   └── options.py            # CLI options/flags
│   ├── core/
│   │   ├── __init__.py
│   │   ├── engine.py             # Orchestration engine
│   │   ├── repo.py               # Repository handler
│   │   ├── database.py           # Database abstraction
│   │   ├── config.py             # Configuration management
│   │   ├── plugin_manager.py     # Plugin system
│   │   ├── models.py             # Data models
│   │   └── utils.py              # Shared utilities
│   ├── modules/
│   │   ├── __init__.py
│   │   ├── tech_detect.py        # Technology detection
│   │   ├── sbom.py               # SBOM generation
│   │   ├── cve_matcher.py        # CVE matching engine
│   │   ├── secrets.py            # Secrets scanner
│   │   ├── endpoints.py          # Endpoint extractor
│   │   └── sast/
│   │       ├── __init__.py
│   │       ├── base.py           # SAST base classes
│   │       ├── js_scanner.py     # JavaScript AST scanner
│   │       ├── python_scanner.py
│   │       ├── patterns.py       # Pattern definitions
│   │       └── rules/            # Rule definitions
│   │           ├── javascript.yaml
│   │           ├── python.yaml
│   │           └── generic.yaml
│   ├── reporters/
│   │   ├── __init__.py
│   │   ├── base.py               # Reporter base class
│   │   ├── json_reporter.py      # JSON output
│   │   ├── sarif_reporter.py     # SARIF output
│   │   ├── html_reporter.py      # HTML reports
│   │   └── templates/            # HTML templates
│   │       └── report.html
│   ├── plugins/
│   │   ├── __init__.py
│   │   ├── base.py               # Plugin base class
│   │   └── examples/
│   │       ├── license_checker.py
│   │       └── docker_scanner.py
│   └── advisories/
│       ├── __init__.py
│       ├── fetcher.py            # Advisory fetcher
│       ├── cache.py              # Advisory cache
│       └── sources/
│           ├── nvd.py            # NVD API client
│           ├── github.py         # GitHub Advisory DB
│           └── osv.py            # OSV.dev client
├── tests/
│   ├── __init__.py
│   ├── conftest.py               # Pytest configuration
│   ├── unit/
│   │   ├── test_engine.py
│   │   ├── test_repo.py
│   │   ├── test_tech_detect.py
│   │   ├── test_cve_matcher.py
│   │   ├── test_secrets.py
│   │   └── test_js_scanner.py
│   ├── integration/
│   │   ├── test_full_scan.py
│   │   ├── test_plugin_system.py
│   │   └── test_reporters.py
│   └── fixtures/
│       ├── vulnerable_app/       # Test repository
│       │   ├── package.json
│       │   ├── .env
│       │   └── src/
│       └── advisories/           # Test advisory data
├── plugins/                      # User plugins directory
│   └── README.md
├── config/
│   ├── default.yaml              # Default configuration
│   └── patterns/                 # Pattern definitions
│       ├── secrets.yaml
│       └── pii.yaml
├── scripts/
│   ├── update_advisories.py      # Advisory update script
│   ├── setup_db.py               # Database setup
│   └── benchmark.py              # Performance testing
├── docs/
│   ├── API.md                    # API documentation
│   ├── PLUGINS.md                # Plugin development guide
│   ├── CONFIGURATION.md          # Configuration guide
│   └── CONTRIBUTING.md           # Contribution guidelines
├── Dockerfile
├── docker-compose.yml
├── requirements.txt              # Python dependencies
├── requirements-dev.txt          # Development dependencies
├── setup.py                      # Package setup
├── pyproject.toml                # Modern Python packaging
├── .gitignore
├── .dockerignore
├── .vulnignore                   # Default suppression file
├── LICENSE                       # MIT License
├── README.md                     # Main documentation
├── CHANGELOG.md                  # Version history
└── Makefile                      # Build automation
```
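The tree lists a `sarif_reporter.py` next to a `.vulnignore` suppression file, and the two interact: a reporter has to decide what to do with findings the operator has suppressed. The block below is an added example, not vulnscanner's own reporter, showing one defensible answer: emit SARIF 2.1.0 and keep suppressed results in the log tagged with a `suppressions` entry of kind `external`, so a reviewer can still audit what `.vulnignore` hides. The `Finding` model, the `<rule-id> <path-glob>` line format assumed for `.vulnignore`, the rule-id naming scheme and the sample findings are all constructed for this example; the page does not document the real ones.

```python
"""Added example: SARIF 2.1.0 output with .vulnignore suppressions.

Not vulnscanner's code. The Finding model and the .vulnignore line format
('<rule-id> <path-glob>', '#' comments, '*' rule id matches any rule) are
assumptions made for this example.
"""
from __future__ import annotations

import fnmatch
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str          # assumed scheme: "<module>/<check>"
    message: str
    path: str             # repository-relative, forward slashes
    line: int
    level: str = "error"  # SARIF result.level: error | warning | note | none


def parse_vulnignore(text: str) -> list[tuple[str, str]]:
    """Return (rule_id, path_glob) pairs; a missing glob means every path."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        rules.append((parts[0], parts[1].strip() if len(parts) > 1 else "*"))
    return rules


def is_suppressed(finding: Finding, rules: list[tuple[str, str]]) -> bool:
    # fnmatch's '*' also matches '/', so "tests/fixtures/*" covers nested files.
    return any(
        rid in ("*", finding.rule_id) and fnmatch.fnmatch(finding.path, glob)
        for rid, glob in rules
    )


def to_sarif(findings, rules, tool_name="vulnscanner", tool_version="0.0.0") -> dict:
    """Build a SARIF log. Suppressed results are kept and marked rather than
    dropped, so the suppression itself is visible to whoever reads the report."""
    rule_ids = sorted({f.rule_id for f in findings})
    index = {rid: i for i, rid in enumerate(rule_ids)}
    results = []
    for f in findings:
        result = {
            "ruleId": f.rule_id,
            "ruleIndex": index[f.rule_id],
            "level": f.level,
            "message": {"text": f.message},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f.path, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f.line},
            }}],
        }
        if is_suppressed(f, rules):
            result["suppressions"] = [
                {"kind": "external", "justification": "listed in .vulnignore"}
            ]
        results.append(result)
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "version": tool_version,
                "rules": [{"id": rid} for rid in rule_ids],
            }},
            "results": results,
        }],
    }


# Constructed sample data (not real scan output).
SAMPLE_FINDINGS = [
    Finding("secrets/aws-access-key", "AWS access key ID in committed .env", ".env", 3),
    Finding("sast/js/eval", "eval() called on request-derived input", "src/app.js", 42, "warning"),
    Finding("secrets/aws-access-key", "AWS access key ID in test fixture",
            "tests/fixtures/vulnerable_app/.env", 1),
]

SAMPLE_VULNIGNORE = """
# Fixture secrets are planted on purpose for the test suite.
secrets/aws-access-key tests/fixtures/*
"""


def build_report() -> dict:
    return to_sarif(SAMPLE_FINDINGS, parse_vulnignore(SAMPLE_VULNIGNORE), tool_version="0.1.0")


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

The fixture secret is kept in the log with a `suppressions` entry while the committed `.env` finding stays an unsuppressed `error`; code-scanning consumers that honour SARIF suppressions will hide the former without the reporter having to throw it away.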
- `vulnscanner/`: Core application code organized by functionality.
- `vulnscanner/cli/`: Command-line interface implementation using the Click framework.
- `vulnscanner/core/`: Core engine and shared components used across modules.
- `vulnscanner/modules/`: Individual scanning modules for different vulnerability types.
- `vulnscanner/modules/sast/`: Static Application Security Testing implementation with language-specific scanners.
- `vulnscanner/reporters/`: Output formatters for different report types.
- `vulnscanner/plugins/`: Plugin system implementation and bundled example plugins.
- `vulnscanner/advisories/`: Vulnerability advisory data management and API clients.
- `tests/`: Comprehensive test suite with unit, integration, and fixture data.
- `plugins/`: User-installable plugins directory (separate from the core `vulnscanner/plugins/` package).
- `config/`: Configuration files and pattern definitions.
- `scripts/`: Utility scripts for maintenance and setup.
- `docs/`: Technical documentation and guides.
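The layout separates a core plugin package (`vulnscanner/plugins/`, with `base.py`) from a user-installable `plugins/` directory, which means the scanner imports and executes code the operator drops into that directory. The block below is an added example, not vulnscanner's `plugin_manager.py`, showing how such a directory can be loaded by file path without touching `sys.path`, how plugin classes can be recognised, and how one misbehaving plugin is kept from aborting a scan. The plugin contract (a class with a `name` string and a `scan(repo_path)` method returning finding dicts), the private module-name prefix and the sample Dockerfile plugin are assumptions constructed for this example.

```python
"""Added example: discovering user plugins from a directory.

Not vulnscanner's plugin_manager. The plugin contract (a class with a `name`
string and a `scan(repo_path)` method returning finding dicts) is an
assumption made for this example; the page does not document the real one.
"""
from __future__ import annotations

import importlib.util
import inspect
import sys
import tempfile
from pathlib import Path
from typing import Protocol


class ScannerPlugin(Protocol):
    name: str

    def scan(self, repo_path: Path) -> list[dict]: ...


def _is_plugin_class(obj, module_name: str) -> bool:
    """Duck-typed contract check, limited to classes defined in the plugin file
    itself so re-exported library classes are never instantiated by accident."""
    return (
        inspect.isclass(obj)
        and obj.__module__ == module_name
        and isinstance(getattr(obj, "name", None), str)
        and callable(getattr(obj, "scan", None))
    )


def load_plugins(plugin_dir: Path) -> list[ScannerPlugin]:
    """Import each top-level *.py in plugin_dir and instantiate its plugin classes.

    Importing a plugin runs its module body with the scanner's privileges, so
    plugin_dir must be a directory the operator controls. Files are loaded by
    path under a private module name (no sys.path changes, so a user file
    called json.py cannot shadow the stdlib) and symlinks are skipped.
    """
    plugins: list[ScannerPlugin] = []
    root = plugin_dir.resolve()
    for file in sorted(root.glob("*.py")):
        if file.is_symlink() or file.name.startswith("_"):
            continue
        mod_name = f"_user_plugin_{file.stem}"
        spec = importlib.util.spec_from_file_location(mod_name, file)
        module = importlib.util.module_from_spec(spec)
        sys.modules[mod_name] = module   # lets dataclasses/pickle inside the plugin resolve its module
        spec.loader.exec_module(module)
        for _, obj in inspect.getmembers(module):
            if _is_plugin_class(obj, mod_name):
                plugins.append(obj())
    return plugins


def run_plugins(plugins, repo_path: Path) -> tuple[list[dict], dict[str, str]]:
    """Run every plugin; a crashing plugin is recorded, not allowed to abort the scan."""
    findings, errors = [], {}
    for plugin in plugins:
        try:
            findings.extend(plugin.scan(repo_path))
        except Exception as exc:  # isolate third-party plugin failures
            errors[plugin.name] = f"{type(exc).__name__}: {exc}"
    return sorted(findings, key=lambda f: f["path"]), errors


# Constructed user plugin, written to a temporary plugins/ directory in demo().
PLUGIN_SRC = r'''
import re
from pathlib import Path

class DockerfileRootUser:
    """Flags Dockerfiles that never switch to a non-root USER."""
    name = "docker_root_user"

    def scan(self, repo_path):
        out = []
        for df in Path(repo_path).rglob("Dockerfile"):
            if not re.search(r"^USER\s+(?!root\b)\S+", df.read_text(), re.M):
                out.append({"rule_id": "docker/runs-as-root", "line": 1,
                            "path": df.relative_to(repo_path).as_posix(),
                            "message": "container runs as root"})
        return out
'''


def demo() -> tuple[list[str], list[dict]]:
    """Build a throwaway plugins/ dir and repo (constructed data), then scan."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "plugins").mkdir()
        (base / "plugins" / "docker_root_user.py").write_text(PLUGIN_SRC)
        for sub, body in {"good": "FROM alpine\nUSER app\n", "bad": "FROM alpine\n",
                          "service": "FROM alpine\nUSER root\n"}.items():
            (base / "repo" / sub).mkdir(parents=True)
            (base / "repo" / sub / "Dockerfile").write_text(body)
        plugins = load_plugins(base / "plugins")
        findings, errors = run_plugins(plugins, base / "repo")
        assert not errors, errors
        return [p.name for p in plugins], findings


if __name__ == "__main__":
    print(demo())
```

The `__module__` check in `_is_plugin_class` is what stops `from pathlib import Path` inside a plugin from being picked up as a plugin class, and the per-plugin `try` in `run_plugins` turns a broken third-party plugin into an entry in the error map instead of a failed scan.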