Scanners
vlayer includes five specialized scanners, each targeting a specific area of HIPAA compliance.
Scanner Categories
| Scanner | HIPAA Section | What It Checks |
|---|---|---|
| PHI Detection | §164.514 | Protected health information exposure |
| Encryption | §164.312(a)(2)(iv) | Encryption and cryptography standards |
| Audit Logging | §164.312(b) | Audit controls and logging |
| Access Control | §164.312(a)(1) | Authentication and authorization |
| Data Retention | §164.530(j) | Data retention and disposal |
How Scanners Work
Each scanner:
- Analyzes files - Reads source code and configuration files
- Applies patterns - Uses regex and AST analysis to detect issues
- Generates findings - Creates detailed findings with severity and remediation
```typescript
interface Finding {
  category: string;
  severity: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
  message: string;
  file: string;
  line: number;
  column?: number;
  hipaaReference: string;
  remediation?: string;
}
```
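As an added example (not vlayer's own code), here is a minimal scanner in the shape described above: it applies regex rules to a file's text line by line and emits objects matching the `Finding` interface. The two rules, their regexes and the sample source are constructed for illustration.

```typescript
// Added example: a minimal pattern-based scanner emitting vlayer-style findings.
// Rules, regexes and sample input are constructed for illustration.
type Severity = 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
interface Finding {
  category: string; severity: Severity; message: string;
  file: string; line: number; column?: number;
  hipaaReference: string; remediation?: string;
}
interface Rule extends Omit<Finding, 'file' | 'line' | 'column'> { pattern: RegExp; }

// Constructed rules: an SSN-like literal (PHI) and a weak hash call (encryption).
const rules: Rule[] = [
  { category: 'phi', pattern: /\b\d{3}-\d{2}-\d{4}\b/g, severity: 'CRITICAL',
    message: 'Possible hardcoded SSN (PHI) in source', hipaaReference: '§164.514',
    remediation: 'Remove PHI literals; load test data from a protected fixture' },
  { category: 'encryption', pattern: /createHash\(\s*['"](md5|sha1)['"]\s*\)/g, severity: 'HIGH',
    message: 'Weak hash algorithm', hipaaReference: '§164.312(a)(2)(iv)',
    remediation: 'Use SHA-256 or stronger; use bcrypt/argon2 for credentials' },
];

// Scan one file's text line by line; line and column are 1-based editor positions.
function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split('\n').forEach((text, idx) => {
    for (const { pattern, ...meta } of rules) {
      pattern.lastIndex = 0;                     // reset the /g regex between lines
      let m: RegExpExecArray | null;
      while ((m = pattern.exec(text)) !== null) {
        findings.push({ ...meta, file, line: idx + 1, column: m.index + 1 });
      }
    }
  });
  return findings;
}

// Constructed sample input with one PHI literal and one weak hash call.
const sampleSource = [
  "const patient = { name: 'Test', ssn: '123-45-6789' };",
  "const digest = crypto.createHash('md5').update(token).digest('hex');",
].join('\n');
```

Running `scanSource('src/patient.ts', sampleSource)` yields one CRITICAL `phi` finding on line 1 and one HIGH `encryption` finding on line 2, each carrying its HIPAA reference and remediation text.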
Severity Levels
| Level | Description | Example |
|---|---|---|
| CRITICAL | Immediate security/compliance risk | Hardcoded PHI, no encryption |
| HIGH | Likely compliance violation | Weak hashing, missing auth |
| MEDIUM | Potential issue requiring review | Permissive CORS, missing logs |
| LOW | Best practice recommendation | No retention policy |
Running Specific Scanners
Run only certain scanners:
```bash
# Single scanner
vlayer scan . --category phi

# Multiple scanners
vlayer scan . --category phi,encryption,audit
```
File Types Scanned
By default, vlayer scans:
- JavaScript/TypeScript: `.js`, `.jsx`, `.ts`, `.tsx`
- Configuration: `.json`, `.yaml`, `.yml`, `.env`
- Infrastructure: `Dockerfile`, `docker-compose.yml`
Customize with --include and --exclude:
```bash
vlayer scan . --include "**/*.py" --exclude "**/test/**"
```
Extending Scanners
vlayer supports custom rules via YAML configuration. See Custom Rules for details.