Pencheff combines deterministic scanners, AI-guided probes, curated payloads, external tools, and evidence normalization so every signal lands in one remediation workflow.
Infrastructure and assets
Container gates
Images, registries, admission webhooks, Kubernetes policies, and deployment blocking.
Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.
Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.
Coverage
What does Container gates test?
- Images, registries, admission webhooks, Kubernetes policies, and deployment blocking.
- Terraform, Kubernetes YAML, Helm, Dockerfiles, CloudFormation, Trivy config, Checkov, tfsec, Kubesec, and Hadolint-style checks.
- Container image vulnerability and misconfiguration scanning with registry and admission-control workflows.
- Attack surface management for subdomains, exposed hosts, cloud edges, certificates, services, and drift.
- Network VA for host CVEs, service misconfiguration, TLS, headers, and authenticated host checks.
- Active Directory, internal network, Android/iOS static analysis, exported component checks, and mobile secret sweeps.
Execution
How does Pencheff run this?
- Register assets directly or discover them through ASM, repository manifests, or infrastructure files.
- Run IaC and container checks before deployment, then pair results with runtime surface discovery.
- Use network and internal checks to identify exposed services, certificate issues, Active Directory attack paths, or host CVEs.
- Normalize infra findings with source, asset, environment, severity, remediation, and compliance mappings.
- Gate releases, schedule recurring checks, or produce audit bundles for platform and cloud teams.
Evidence
What evidence does this produce?
- Affected resource, manifest path, image reference, package, host, service, port, certificate, or mobile artifact.
- Rule id, scanner provenance, misconfiguration description, exploitability notes, and remediation.
- Cloud, Kubernetes, container, or network context needed by platform owners.
- Compliance mapping for configuration management, technical vulnerability, and supplier controls.
Controls
How is this kept safe to run?
- Registry and admission policies can prevent risky images or manifests from progressing.
- ASM and network checks are scoped to authorized assets and known workspace boundaries.
- Infrastructure findings can be tied back to repos and deployment pipelines for ownership.
- Mobile and internal findings remain in the same evidence and reporting workflow as web findings.
FAQ
Common questions
- How does Pencheff scan container images for vulnerabilities?
- Pencheff uses Trivy to scan Docker and OCI images for OS-package CVEs, application-dependency CVEs, image-configuration misconfigurations (checks derived from the Dockerfile instructions recorded in the image history), and embedded secrets, producing an SBOM of the image (CycloneDX or SPDX) alongside a prioritised vulnerability list.
- What is a Kubernetes admission webhook and how does Pencheff use it?
- A Kubernetes admission webhook is a policy enforcement point: an HTTP callback the API server invokes for create/update requests after authentication and authorization but before the object is persisted, so a validating webhook can reject a Pod before it is ever scheduled. Pencheff's webhook rejects workloads whose images have critical unpatched CVEs or violate your defined security policies. Register it with failurePolicy: Fail if the gate should fail closed when the webhook is unreachable.
- Can Pencheff block CI/CD pipelines when a container image has critical vulnerabilities?
- Yes. Pencheff's CLI can be invoked as a CI/CD step to scan a newly built image and exit non-zero when findings exceed your configured severity threshold — blocking the pipeline before the image reaches a registry or production environment.
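The three FAQ answers above, and the "normalize infra findings" step under Execution, describe one pipeline: a Trivy report is flattened into normalized records, a severity threshold turns those records into a pass/fail exit code for CI, and the same decision is reused by a validating admission webhook. The block below is an added example written for this page, not Pencheff's code and not Trivy's. It assumes a constructed, abbreviated report shaped like `trivy image --format json` output (the TEST-* identifiers, `registry.example.com/app:1.2.3`, and the AdmissionReview request are all made up), and the function names `normalize`, `gate` and `admission_response` are this example's own. Denying images with no stored scan result is a design choice of the example, not something the page states.

```python
import json

# Severity ordering used for threshold comparisons (Trivy's own severity labels).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like abbreviated `trivy image --format json` output.
# Real reports carry CVE/GHSA identifiers; the TEST-* ids here are placeholders.
TRIVY_REPORT = {
    "ArtifactName": "registry.example.com/app:1.2.3",
    "Results": [
        {"Target": "registry.example.com/app:1.2.3 (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "TEST-0001", "PkgName": "libexample1", "InstalledVersion": "1.0-1",
              "FixedVersion": "1.0-2", "Severity": "CRITICAL", "Title": "placeholder critical"},
             {"VulnerabilityID": "TEST-0002", "PkgName": "libother", "InstalledVersion": "2.3",
              "FixedVersion": "", "Severity": "HIGH", "Title": "placeholder high, no fix"}]},
        {"Target": "Python", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "TEST-0003", "PkgName": "requests", "InstalledVersion": "2.25.0",
              "FixedVersion": "2.31.0", "Severity": "MEDIUM", "Title": "placeholder medium"}]},
    ],
}

# Constructed AdmissionReview v1 request for a Pod CREATE, as the API server would POST it.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "11111111-2222-3333-4444-555555555555", "operation": "CREATE",
                "kind": {"group": "", "version": "v1", "kind": "Pod"},
                "object": {"apiVersion": "v1", "kind": "Pod",
                           "metadata": {"name": "app", "namespace": "prod"},
                           "spec": {"containers": [{"name": "app",
                                                    "image": "registry.example.com/app:1.2.3"}]}}}}


def normalize(report, environment="staging"):
    """Flatten a Trivy report into one record per finding carrying the fields the
    remediation workflow needs: source, asset, environment, rule id, severity, fix."""
    records = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when a target is clean
            fixed = v.get("FixedVersion") or None
            records.append({
                "source": "trivy",
                "asset": report["ArtifactName"],
                "target": result["Target"],
                "environment": environment,
                "rule_id": v["VulnerabilityID"],
                "package": v["PkgName"],
                "installed": v["InstalledVersion"],
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "fixed_version": fixed,
                "remediation": (f"upgrade {v['PkgName']} to {fixed}" if fixed
                                else "no fix available; mitigate or record a risk acceptance"),
            })
    return records


def gate(records, threshold="HIGH", ignore_unfixed=False):
    """CI gate: return (exit_code, blocking_records). exit_code 1 mirrors what
    `trivy image --exit-code 1 --severity ...` does, so a pipeline step can fail on it."""
    floor = SEVERITY_RANK[threshold.upper()]
    blocking = [r for r in records
                if SEVERITY_RANK.get(r["severity"], 0) >= floor
                and not (ignore_unfixed and r["fixed_version"] is None)]
    return (1 if blocking else 0), blocking


def admission_response(review, reports_by_image, threshold="CRITICAL"):
    """Validating-webhook verdict for a Pod create/update. reports_by_image maps an
    image reference to the Trivy report a registry-side scan stored for it. Images
    with no stored scan are denied (example design choice: fail closed, not open)."""
    req = review["request"]
    spec = req["object"].get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    reasons = []
    for c in containers:
        image = c["image"]
        report = reports_by_image.get(image)
        if report is None:
            reasons.append(f"{image}: no scan result on record")
            continue
        code, blocking = gate(normalize(report), threshold)
        if code:
            ids = ", ".join(sorted({r["rule_id"] for r in blocking}))
            reasons.append(f"{image}: {len(blocking)} finding(s) at or above {threshold} ({ids})")
    response = {"uid": req["uid"], "allowed": not reasons}
    if reasons:   # the API server surfaces status.message to the client that issued the request
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


if __name__ == "__main__":
    recs = normalize(TRIVY_REPORT)
    code, blocking = gate(recs, threshold="HIGH", ignore_unfixed=True)
    print(f"CI gate exit code {code}; blocking: {[r['rule_id'] for r in blocking]}")
    print(json.dumps(admission_response(SAMPLE_REVIEW, {TRIVY_REPORT["ArtifactName"]: TRIVY_REPORT}), indent=2))
    raise SystemExit(code)
```

In a real pipeline the input comes from `trivy image --format json --output report.json`, and Trivy's own `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed` flags implement the CI threshold natively; keeping the decision in code as above is what lets the same policy drive the admission verdict. The webhook itself would be served over TLS and registered through a ValidatingWebhookConfiguration pointing at it.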