Pencheff combines deterministic scanners, AI-guided probes, curated payloads, external tools, and evidence normalization so every signal lands in one remediation workflow.
Code security
Auto-fix PRs
Deterministic patches, branch output, GitHub checks, SARIF, and reviewer-ready remediation.
Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.
Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.
Coverage
What does Auto-fix PRs test?
- Semgrep OSS packs, Bandit, gosec, Brakeman, ESLint security, tree-sitter rules, and niche-language scaffolds.
- Secret detection with gitleaks and suspicious-code indicators with YARA-style patterns.
- GitHub repository connection, webhook-triggered scans, hardlink staging, gitignore-aware filtering, and default-deny controls.
- SARIF and GitHub check run output so developers see findings where they work.
- Auto-fix preparation for Semgrep autofix, SCA version bumps, and reviewer-friendly patch synthesis.
Execution
How does Pencheff run this?
- Connect or register a repository and choose a branch, scan profile, and scanner policy.
- Stage the source safely, fan out language-specific scanners, and capture raw scanner output.
- Normalize results into repo findings with file, line, rule, severity, scanner, and remediation metadata.
- Merge code results with SCA, IaC, secrets, and runtime context to reduce duplicate triage.
- Send annotations, SARIF, reports, fix PRs, or dashboard tasks depending on the workflow.
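The normalization step above is where heterogeneous scanner output becomes one record that SARIF upload, dashboards and retests can all read. The following is an added example, not Pencheff's own code or schema: it takes two constructed raw records shaped like a Bandit JSON result and a gitleaks JSON report, maps both onto a common finding record (file, line, rule, severity, scanner, confidence, snippet), derives a stable finding id so reruns map to the same record, and emits a minimal SARIF 2.1.0 log. The secret value from the gitleaks record is fingerprinted rather than copied, which is the "secrets are handled as findings rather than echoed" control in code form. Field names such as `finding_id` and the `findingId/v1` fingerprint key are assumptions made for this example.

```python
"""Normalize scanner output into one finding record and emit SARIF (added example)."""
import hashlib
import json

# Constructed samples: shaped like Bandit and gitleaks JSON, hand-written, not from a real scan.
RAW_BANDIT = {"results": [{
    "filename": "app/auth.py", "line_number": 42, "test_id": "B303",
    "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
    "issue_text": "Use of insecure MD5 hash function.",
    "code": "42 digest = hashlib.md5(password).hexdigest()\n",
}]}
RAW_GITLEAKS = [{
    "File": "config/settings.py", "StartLine": 7, "RuleID": "generic-api-key",
    "Description": "Generic API Key",
    "Secret": "EXAMPLE-SECRET-VALUE",  # constructed; must never reach the output
}]

SEVERITY_TO_SARIF = {"LOW": "note", "MEDIUM": "warning", "HIGH": "error", "CRITICAL": "error"}


def normalize_bandit(raw):
    """Map Bandit-style results onto the common finding record."""
    return [{
        "scanner": "bandit", "file": r["filename"], "line": r["line_number"],
        "rule": r["test_id"], "severity": r["issue_severity"],
        "confidence": r["issue_confidence"], "message": r["issue_text"],
        "snippet": r.get("code", "").strip(),
    } for r in raw["results"]]


def normalize_gitleaks(raw):
    """Map gitleaks-style leaks onto the common record; keep only a fingerprint of the secret."""
    return [{
        "scanner": "gitleaks", "file": r["File"], "line": r["StartLine"],
        "rule": r["RuleID"], "severity": "HIGH", "confidence": "HIGH",
        "message": r["Description"],
        "snippet": "sha256:" + hashlib.sha256(r["Secret"].encode()).hexdigest()[:16],
    } for r in raw]


def finding_id(f):
    """Stable id derived from scanner/file/line/rule so rechecks hit the same record."""
    key = f"{f['scanner']}|{f['file']}|{f['line']}|{f['rule']}"
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def to_sarif(findings):
    """Group findings per scanner into SARIF 2.1.0 runs with locations and fingerprints."""
    runs = {}
    for f in findings:
        run = runs.setdefault(f["scanner"], {
            "tool": {"driver": {"name": f["scanner"], "rules": []}}, "results": []})
        if f["rule"] not in {r["id"] for r in run["tool"]["driver"]["rules"]}:
            run["tool"]["driver"]["rules"].append({"id": f["rule"]})
        run["results"].append({
            "ruleId": f["rule"],
            "level": SEVERITY_TO_SARIF.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "partialFingerprints": {"findingId/v1": finding_id(f)},  # key name is an assumption
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]}}}],
        })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0", "runs": list(runs.values())}


def build(raw_bandit=RAW_BANDIT, raw_gitleaks=RAW_GITLEAKS):
    """Run both normalizers and return (findings, sarif_log)."""
    findings = normalize_bandit(raw_bandit) + normalize_gitleaks(raw_gitleaks)
    return findings, to_sarif(findings)


if __name__ == "__main__":
    _, sarif = build()
    print(json.dumps(sarif, indent=2))
```

The `partialFingerprints` entry is what lets a later scan or a reviewer recheck be matched to the original finding without relying on line numbers that shift as code is edited; the SARIF `level` mapping is one reasonable choice, not a standard.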
Evidence
What evidence does this produce?
- File path, line number, rule id, scanner name, confidence, language, and vulnerable snippet context.
- Suggested fix, fixed-version data when applicable, and status across suppressions or rechecks.
- GitHub check output, SARIF upload, comments, and links back into the finding record.
- Cross-finding signals when a code pattern aligns with runtime exploitation.
Controls
How is this kept safe to run?
- Scanner choices are explicit and permissively licensed where used in the repo pipeline.
- Secrets are handled as findings rather than echoed into broad UI surfaces.
- CI gates can be tuned by severity, reachability, policy, and target branch.
- Generated fixes remain reviewer-owned and trace back to original scanner evidence.
FAQ
Common questions
- What is an auto-fix pull request in Pencheff?
- An auto-fix PR is a GitHub pull request automatically opened by Pencheff that bumps a vulnerable dependency to the latest patched version, or applies a known-safe code change to fix a SAST finding — ready for your team to review and merge.
- Does auto-fix work for all vulnerability types?
- Auto-fix currently covers dependency version bumps (SCA findings) and a subset of SAST findings where a deterministic fix exists — such as replacing insecure hash functions or removing hardcoded credentials. Complex logic vulnerabilities require manual remediation.
- How does Pencheff integrate with GitHub for auto-fix PRs?
- Pencheff connects to your GitHub organisation via OAuth or GitHub App installation. When a fixable finding is detected, it opens a PR against the default branch with a description of the vulnerability, the fix applied, and a link to the original finding in Pencheff.
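The FAQ answer on which SAST findings are auto-fixable names insecure hash functions as a case where a deterministic fix exists. The following is an added example of what such a deterministic, reviewer-owned patch looks like; it is not Pencheff's fix engine and the sample source is constructed. It locates `hashlib.md5` and `hashlib.sha1` calls with Python's `ast` module (so a string mention in a comment is not touched), rewrites only those call sites, re-parses the result to confirm the fix is complete, and returns a unified diff rather than writing anything, since the decision to merge stays with the reviewer. The file name `app/hashing.py` in the diff header is an assumption.

```python
"""Deterministic auto-fix for one SAST finding class: insecure hash calls (added example)."""
import ast
import difflib

# Replacement table: what a flagged hashlib call is rewritten to.
INSECURE = {"md5": "sha256", "sha1": "sha256"}

# Constructed sample source, not real project code. Line 4 and line 7 are the findings.
SAMPLE_SOURCE = '''import hashlib

def password_digest(pw: bytes) -> str:
    return hashlib.md5(pw).hexdigest()

def cache_key(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()  # hashlib.md5 in a comment is not a call

def already_ok(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
'''


def find_insecure_calls(source):
    """Return (line, col, name) for each hashlib.<insecure>(...) call found via the AST."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        if (isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name)
                and fn.value.id == "hashlib" and fn.attr in INSECURE):
            # col_offset of the Attribute node is the start of "hashlib".
            hits.append((node.lineno, fn.col_offset, fn.attr))
    return hits


def synthesize_fix(source, path="app/hashing.py"):
    """Rewrite flagged call sites; return (new_source, unified_diff, number_of_fixes)."""
    original = source.splitlines(keepends=True)
    lines = list(original)
    hits = find_insecure_calls(source)
    # Patch right-to-left so earlier column offsets on the same line stay valid.
    for lineno, col, name in sorted(hits, reverse=True):
        line = lines[lineno - 1]
        old = f"hashlib.{name}("
        if line[col:col + len(old)] != old:
            raise ValueError(f"AST position did not match text at {path}:{lineno}")
        lines[lineno - 1] = line[:col] + f"hashlib.{INSECURE[name]}(" + line[col + len(old):]
    new_source = "".join(lines)
    # Defensive re-check: the fixed source must parse and contain no remaining findings.
    if find_insecure_calls(new_source):
        raise RuntimeError("fix left insecure calls behind")
    patch = "".join(difflib.unified_diff(original, lines,
                                         fromfile=f"a/{path}", tofile=f"b/{path}"))
    return new_source, patch, len(hits)


if __name__ == "__main__":
    _, patch, n = synthesize_fix(SAMPLE_SOURCE)
    print(f"{n} call site(s) rewritten\n{patch}")
```

Whether a given MD5 use is a security finding at all (a password digest) or a non-security checksum (a cache key) is a triage decision the scanner rule and reviewer make, which is why the patch is synthesized with a diff and not applied automatically.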