the_harpia_io 10 hours ago

The Trivy + Grype combo is interesting - in my experience they catch different things, especially on container scanning vs dependencies. You see them disagree much on severity?

Re: the vibe coding angle - the thing I keep running into is that standard scanners are tuned for human-written code patterns. Claude code is structurally different. More verbose, weirdly sparse on the explicit error handling that would normally trigger SAST rules. Auth code especially - it looks textbook correct and passes static analysis fine, but edge cases are where it falls apart. Token validation that works great except for malformed inputs, auth checks that miss specific header combinations, that kind of thing.

The policy engine sounds flexible enough that people could add custom rules for AI-specific patterns? That'd be the killer feature tbh.
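As an added illustration of the edge-case gap this comment describes (not code from the thread, from either commenter, or from the tool under discussion): a "textbook-looking" bearer-token validator beside a strict one, both driven through a handful of constructed malformed requests. The token format, secret, header values and all function names are invented for the demo; the point is that the naive version passes the happy path and a MAC-comparison SAST rule, yet throws or accepts on exactly the inputs the comment lists.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"  # demo format, not JWT or any real product: "<b64url(json)>.<b64url(HMAC-SHA256 of part 1)>"
ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    if not text or set(text) - ALPHABET:  # refuse to "repair" stray characters such as a trailing newline
        raise ValueError("not base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(payload: dict) -> str:
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return body + "." + b64url(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def naive_validate(headers: list) -> Optional[dict]:  # textbook-looking; only the happy path was considered
    scheme, token = dict(headers)["Authorization"].split(" ", 1)  # KeyError/ValueError on odd input; last duplicate wins
    body, sig = token.split(".")  # ValueError unless exactly one dot
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(body)) if scheme == "Bearer" and hmac.compare_digest(b64url_decode(sig), mac) else None

def strict_validate(headers: list) -> Tuple[Optional[dict], str]:  # malformed input is a reason, never an exception
    values = [v for n, v in headers if n.lower() == "authorization"]
    if len(values) != 1:
        return None, "expected exactly one Authorization header, got %d" % len(values)
    parts = values[0].split(" ")
    if len(parts) != 2 or parts[0] != "Bearer" or parts[1].count(".") != 1:
        return None, "malformed credential"
    body, sig = parts[1].split(".")
    try:  # verify the MAC before parsing anything out of the body
        if not hmac.compare_digest(b64url_decode(sig), hmac.new(SECRET, body.encode(), hashlib.sha256).digest()):
            return None, "bad signature"
        return json.loads(b64url_decode(body)), "ok"
    except ValueError as exc:  # also catches binascii.Error, JSONDecodeError and UnicodeDecodeError
        return None, "undecodable token: %s" % exc

def probe(validate, headers: list) -> str:  # classify one request as accepted / rejected / error:<ExceptionType>
    try:
        result = validate(headers)
    except Exception as exc:  # an unhandled exception on the auth path is the bug static analysis did not flag
        return "error:" + type(exc).__name__
    payload = result[0] if isinstance(result, tuple) else result
    return "accepted" if payload else "rejected"

GOOD = mint({"sub": "alice"})
CASES = {  # constructed requests of the kind the comment describes; headers are raw (name, value) pairs, duplicates kept
    "valid": [("Authorization", "Bearer " + GOOD)],
    "missing": [],
    "duplicate": [("Authorization", "Bearer x.y"), ("Authorization", "Bearer " + GOOD)],
    "trailing_newline": [("Authorization", "Bearer " + GOOD + "\n")],
    "forged_body": [("Authorization", "Bearer " + mint({"sub": "mallory"}).split(".")[0] + "." + GOOD.split(".")[1])],
}
```

Running `probe` over every case with both validators is the kind of malformed-input check worth wiring into a custom rule or test suite: the naive validator raises on the missing-header and trailing-newline cases and accepts the ambiguous duplicate-header request, while the strict one rejects everything except the valid token with a stated reason.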
bsgeraci 4 hours ago (reply to the_harpia_io)

I am totally thinking about adding this so you can connect to an API or use self-hosted models that run in a container if you have the resources!!!! You are spot on.