An extremely fast vulnerability scanner and SBOM generator, written in Rust.
Aragorn has a tiny footprint compared to other scanners such as Trivy and Syft, and is optimized for speed: it can catalogue a filesystem and generate an SBOM in a few milliseconds.
All source types run the same cataloger registry and the same secret detectors. The difference is how the bytes are obtained.
| Capability | fs | image | git |
|---|---|---|---|
| Language dependency manifests/locks | Yes | Yes | Yes |
| OS packages (Debian, Alpine, RPM) | Yes | Yes | Yes |
| Vulnerability scan (local DB) | Yes | Yes | Yes |
| SBOM (CycloneDX, SPDX, table) | Yes | Yes | Yes |
| Secret detection | Yes | Yes | Yes |
| Remediation (`--fix`) | Yes | No | No |
| Ecosystem | purl type | Sources |
|---|---|---|
| Cargo (Rust) | cargo | Cargo.lock, Cargo.toml |
| npm (Node) | npm | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml |
| PyPI (Python) | pypi | requirements.txt, poetry.lock, Pipfile.lock, uv.lock |
| Go | golang | go.mod, go.sum |
| Maven (JVM) | maven | pom.xml, *.jar/*.war/*.ear (pom.properties), build.gradle, build.gradle.kts, gradle.lockfile |
| NuGet (.NET) | nuget | *.csproj, *.vbproj, packages.config, packages.lock.json |
| Composer (PHP) | composer | composer.lock |
| RubyGems | gem | Gemfile.lock |
| Pub (Dart/Flutter) | pub | pubspec.lock |
| Swift PM | swift | Package.resolved |
| Hex (Elixir) | hex | mix.lock |
| Conan (C/C++) | conan | conan.lock, conanfile.txt, conanfile.py |
| vcpkg (C/C++) | vcpkg | vcpkg.json |
| Debian | deb | var/lib/dpkg/status |
| Alpine | apk | lib/apk/db/installed |
| RPM | rpm | rpmdb.sqlite |
The secrets scanner (`--scanners secrets`, on by default for `scan`) walks every readable text file (binaries and files over 5 MB are skipped) and matches each line against the detectors below. Matched values are redacted in output; the raw secret is never printed or stored.
| Rule | Detects |
|---|---|
| aws-access-key | AWS access key IDs (AKIA, ASIA, AGPA, …) |
| aws-secret-key | AWS secret access keys in assignments |
| github-token | GitHub PATs (ghp_, gho_, ghu_, ghs_, ghr_) |
| github-fine-grained-pat | GitHub fine-grained PATs (github_pat_) |
| gitlab-token | GitLab personal access tokens (glpat-) |
| slack-token | Slack tokens (xoxb-, xoxa-, xoxp-, xoxr-, xoxs-) |
| gcp-service-account | GCP service-account key JSON ("type":"service_account") |
| gcp-api-key | Google API keys (AIza…) |
| azure-storage-key | Azure storage AccountKey= connection strings |
| private-key | PEM private keys (RSA, EC, DSA, OpenSSH, PGP) |
| jwt | JSON Web Tokens (eyJ…) |
| generic-api-key | Generic api/secret/token assignments (entropy-gated) |
| hardcoded-password | Hardcoded password/passwd/pwd assignments |
The two generic rules apply a Shannon-entropy floor to suppress low-randomness false positives.
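The following is an added illustration, not Aragorn's own code, of how a line-based secrets scanner of the kind described above can combine fixed-prefix rules with an entropy floor on generic assignments while only ever keeping a redacted preview. The rule shapes, the 3.5 bits-per-character floor, the 16-character minimum value length and the sample lines are all assumptions chosen for the example; the real detectors and thresholds are whatever the project ships.

```rust
// Added example, not Aragorn's own code: a minimal line-based secret detector
// showing fixed-prefix rules, an entropy floor on generic assignments,
// redacted output, and skipping of binaries / oversized files.
// Rule shapes and thresholds here are assumptions, not the project's rules.
use std::collections::HashMap;

/// Files above this size, or containing NUL bytes, are treated as non-text.
const MAX_FILE_BYTES: usize = 5 * 1024 * 1024;
/// Assumed entropy floor (bits per character) for the generic rule.
const ENTROPY_FLOOR: f64 = 3.5;
/// Assumed minimum value length before the generic rule considers a value.
const MIN_GENERIC_LEN: usize = 16;

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub rule: &'static str,
    pub line: usize,      // 1-based line number
    pub redacted: String, // only a redacted preview is ever kept
}

/// Decide whether a file's bytes should be scanned at all.
pub fn should_scan(bytes: &[u8]) -> bool {
    bytes.len() <= MAX_FILE_BYTES && !bytes.contains(&0u8)
}

/// Shannon entropy in bits per character over the byte distribution of `s`.
pub fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<u8, usize> = HashMap::new();
    for b in s.bytes() {
        *counts.entry(b).or_insert(0) += 1;
    }
    let n = s.len() as f64;
    counts.values().map(|&c| { let p = c as f64 / n; -p * p.log2() }).sum()
}

/// Keep the first four characters so a finding is identifiable, mask the rest.
pub fn redact(secret: &str) -> String {
    let keep: String = secret.chars().take(4).collect();
    let masked = secret.chars().count().saturating_sub(4);
    format!("{}{}", keep, "*".repeat(masked))
}

/// Fixed-prefix rules: known token formats that need no entropy check.
fn match_prefix_rule(token: &str) -> Option<&'static str> {
    let upper_alnum = token.bytes().all(|b| b.is_ascii_uppercase() || b.is_ascii_digit());
    if token.len() == 20 && upper_alnum
        && ["AKIA", "ASIA", "AGPA"].iter().any(|p| token.starts_with(*p)) {
        return Some("aws-access-key");
    }
    if token.len() >= 40
        && ["ghp_", "gho_", "ghu_", "ghs_", "ghr_"].iter().any(|p| token.starts_with(*p)) {
        return Some("github-token");
    }
    None
}

/// Split `key = value` / `key: value`, lowercase the key, strip quotes from the value.
fn split_assignment(line: &str) -> Option<(String, String)> {
    let idx = line.find(|c: char| c == '=' || c == ':')?;
    let key = line[..idx].trim().to_ascii_lowercase();
    let value = line[idx + 1..].trim().trim_matches(|c: char| c == '"' || c == '\'').to_string();
    if key.is_empty() || value.is_empty() { None } else { Some((key, value)) }
}

/// Scan text line by line and return redacted findings.
pub fn scan_text(text: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (i, line) in text.lines().enumerate() {
        let lineno = i + 1;
        let before = findings.len();
        // 1. Fixed-prefix rules run over every token on the line.
        for token in line.split(|c: char| !(c.is_ascii_alphanumeric() || c == '_' || c == '-')) {
            if let Some(rule) = match_prefix_rule(token) {
                findings.push(Finding { rule, line: lineno, redacted: redact(token) });
            }
        }
        if findings.len() > before {
            continue; // a specific rule already covered this line
        }
        // 2. Generic fallback: suspicious key name, long value, entropy above the floor.
        if let Some((key, value)) = split_assignment(line) {
            let suspicious = ["api_key", "apikey", "secret", "token"].iter().any(|k| key.contains(k));
            if suspicious && value.len() >= MIN_GENERIC_LEN && shannon_entropy(&value) >= ENTROPY_FLOOR {
                findings.push(Finding { rule: "generic-api-key", line: lineno, redacted: redact(&value) });
            }
        }
    }
    findings
}

/// Constructed sample input; none of these values are real credentials.
pub const SAMPLE: &str = "AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\n\
export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n\
api_key = \"passwordpassword\"\n\
api_key = \"q7Hf2L9xTzP0kMw3RbVn8YsE\"\n\
version = 1.2.3\n";

fn main() {
    for f in scan_text(SAMPLE) {
        println!("line {:>3}  {:<16} {}", f.line, f.rule, f.redacted);
    }
}
```

Running it reports three findings (lines 1, 2 and 4) and nothing for line 3: `passwordpassword` is long enough for the generic rule but its entropy (2.75 bits/char) sits below the floor, which is exactly the class of low-randomness false positive the gate is meant to suppress. The specific rules run first and short-circuit the generic fallback so a known token format is never reported twice.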
```sh
cargo install --git https://github.com/aragornsecurity/aragorn.git --branch main
```

```sh
# SBOM for the current directory, CycloneDX JSON to stdout
aragorn fs sbom .

# Scan a project for vulnerabilities and secrets (both run by default)
aragorn fs scan ./myapp --severity high

# Vulnerabilities only, fail CI on high/critical findings, emit SARIF
aragorn fs scan ./myapp --scanners vulnerabilities --severity high --format sarif -o results.sarif

# Secrets only, JSON output suitable for piping to jq
aragorn fs scan . --scanners secrets --format json

# Scan a remote image
aragorn image scan alpine:3.19 --severity medium

# Clone and scan a remote git repository on its default branch
aragorn git scan https://github.com/myorg/myrepo.git --severity high

# Scan a specific branch over ssh
aragorn git scan git@github.com:myorg/myrepo.git --branch develop

# SBOM for a git repository
aragorn git sbom https://github.com/myorg/myrepo.git --format spdx

# Scan against a specific database file instead of the managed one
aragorn fs scan . --db ./aragorn.db

# SBOM for a local OCI archive as SPDX
aragorn image sbom oci-archive:./image.tar --format spdx

# Scan an image saved with `docker save`
docker save myorg/app:latest -o app.tar
aragorn image scan docker-archive:./app.tar --severity high

# Scan and auto-remediate: bump vulnerable pins to their fixed versions
aragorn fs scan ./myapp --severity high --fix

# Quiet scan, machine-readable, only the exit code matters
aragorn fs scan . --severity critical -q
echo "exit: $?"
```