Module orchestrate

The multi-repo scan loop (§10, step 4).

Repos are scanned serially (no async in v1). Each repo degrades independently: a missing or unreadable lockfile becomes an Errored RepoOutcome and the run continues — but that gap is what later forces a non-clean exit (§8), since we cannot claim a repo is clean without reading it.

Output here is pre-correlation: every finding carries a single occurrence. Grouping across the fleet happens in correlate (M4).

Structs

GhActionsScan
Everything the GitHub Actions scan path needs. Like the other Tier-C feeders it is toolchain-free only (the matcher reads .github/workflows/*.yml and an OSV mirror, building nothing), so the only input is the file:// OSV mirror, absent which a workflow repo is an honest gap.
GoScan
Everything the Go scan path needs, bundled so it threads through the fleet walk as one argument. govulncheck is None when consent/binary are absent, which routes the repo to the toolchain-free Tier-C matcher (or an errored gap); the rest mirror fleetreach_go::GoScanOptions.
HexScan
Everything the Hex scan path needs. Like the other Tier-C feeders it is toolchain-free only (the matcher reads mix.lock and an OSV mirror, building nothing), so the only input is the file:// OSV mirror, absent which an Elixir repo is an honest gap.
JuliaScan
Everything the Julia scan path needs. Like the other Tier-C feeders it is toolchain-free only (the matcher reads Manifest.toml and an OSV mirror, building nothing), so the only input is the file:// OSV mirror, absent which a Julia repo is an honest gap.
MavenScan
Everything the Maven scan path needs. Like the other Tier-C feeders it is toolchain-free only (the matcher reads gradle.lockfile/pom.xml and an OSV mirror, building nothing), so the only input is the file:// OSV mirror, absent which a Java repo is an honest gap.
NpmScan
Everything the npm scan path needs. npm is toolchain-free only (the Tier-C matcher reads package-lock.json and an OSV mirror, building nothing), so unlike GoScan there is no binary, sandbox, or online mode — just the file://<dir> OSV mirror, absent which an npm repo is an honest gap.
NuGetScan
Everything the NuGet scan path needs. Like the other Tier-C feeders it is toolchain-free only (the matcher reads packages.lock.json and an OSV mirror, building nothing), so the only input is the file:// OSV mirror, absent which a .NET repo is an honest gap.
PackagistScan
Everything the Packagist scan path needs. Like npm/PyPI/RubyGems it is toolchain-free only (the Tier-C matcher reads composer.lock and an OSV mirror, building nothing), so the only input is the file:// OSV mirror, absent which a PHP repo is an honest gap.
PyPiScan
Everything the PyPI scan path needs. Like npm it is toolchain-free only (the Tier-C matcher reads a Python lockfile and an OSV mirror, building nothing), so the only input is the file:// OSV mirror, absent which a PyPI repo is an honest gap.
RubyGemsScan
Everything the RubyGems scan path needs. Like npm/PyPI it is toolchain-free only (the Tier-C matcher reads Gemfile.lock and an OSV mirror, building nothing), so the only input is the file:// OSV mirror, absent which a Ruby repo is an honest gap.
ScanData
The aggregated, pre-correlation result of scanning a fleet.
SwiftScan
Everything the Swift scan path needs. Like the other Tier-C feeders it is toolchain-free only (the matcher reads Package.resolved and an OSV mirror, building nothing), so the only input is the file:// OSV mirror, absent which a Swift repo is an honest gap.
Toolchain
An installed toolchain to additionally scan against Collection::Rust.

Functions

discover_lockfiles
Resolve the lockfile(s) for a repo: a single Cargo.lock at the root, or — when glob = true — every Cargo.lock within glob_max_depth of the root.
scan_fleet
Scan every repo in config, plus the toolchain if provided. When host_triple is Some, each finding is additionally annotated (via cargo tree) with whether the package is actually built — see crate::resolve.