Pencheff

Code security · Capabilities

Secrets and malware

gitleaks, YARA indicators, suspicious payloads, backdoor patterns, and evidence metadata.

Repository scanning gives source findings the same operational treatment as runtime findings: scanner provenance, line-level evidence, remediation guidance, SARIF, GitHub annotations, and fix state.

Scanner pipeline · SARIF-ready

8 coverage areas · 5 operator steps · 4 evidence fields · 4 controls

Tags: Semgrep, gitleaks, SARIF, Fix PR, SBOM

Source findings carry scanner provenance, line evidence, and fix state through the same pipeline.

Scope: Code And Supply Chain
Section: Capabilities
Method: Deterministic-first
Output: Unified evidence
Profile: Code security

01 · Coverage

What does Secrets and malware test?

  • gitleaks, YARA indicators, suspicious payloads, backdoor patterns, and evidence metadata.
  • This page is part of Capabilities under Code And Supply Chain.
  • It links back into the broader "from live exploits to source-code proof" experience.
  • Semgrep OSS packs, Bandit, gosec, Brakeman, ESLint security, tree-sitter rules, and niche-language scaffolds.
  • Secret detection with gitleaks and suspicious-code indicators with YARA-style patterns.
  • GitHub repository connection, webhook-triggered scans, hardlink staging, gitignore-aware filtering, and default-deny controls.
  • SARIF and GitHub check run output so developers see findings where they work.
  • Auto-fix preparation for Semgrep autofix, SCA version bumps, and reviewer-friendly patch synthesis.
02 · Execution

How does Pencheff run this?

  • Connect or register a repository and choose a branch, scan profile, and scanner policy.
  • Stage the source safely, fan out language-specific scanners, and capture raw scanner output.
  • Normalize results into repo findings with file, line, rule, severity, scanner, and remediation metadata.
  • Merge code results with SCA, IaC, secrets, and runtime context to reduce duplicate triage.
  • Send annotations, SARIF, reports, fix PRs, or dashboard tasks depending on the workflow.
03 · Evidence

What evidence does this produce?

  • File path, line number, rule id, scanner name, confidence, language, and vulnerable snippet context.
  • Suggested fix, fixed-version data when applicable, and status across suppressions or rechecks.
  • GitHub check output, SARIF upload, comments, and links back into the finding record.
  • Cross-finding signals when a code pattern aligns with runtime exploitation.
04 · Controls

How is this kept safe to run?

  • Scanner choices are explicit and permissively licensed where used in the repo pipeline.
  • Secrets are handled as findings rather than echoed into broad UI surfaces.
  • CI gates can be tuned by severity, reachability, policy, and target branch.
  • Generated fixes remain reviewer-owned and trace back to original scanner evidence.
01 · From the Pencheff docs

gitleaks — secrets

Scanners

Scans the working tree for credential patterns: AWS keys, GCP service accounts, Slack tokens, private SSH keys, generic high-entropy strings. Every match is high severity — the right call is almost always to revoke and rotate.

02 · From the Pencheff docs

YARA — malware / backdoor patterns

Scanners

Runs the YARA engine against every file using Pencheff's bundled rule pack at bench/rules/yara/. Targets that actually appear in real source trees:

  • Minimal PHP webshells (eval($_GET[…]) families)
  • Obfuscated JS loaders (eval(atob(…)), Function(decodeURIComponent(…)))
  • Crypto-miner pool configs (stratum+tcp://, xmrig)
  • Python pickle RCE gadgets
  • Classic reverse-shell oneliners

Drop your own *.yar files into bench/rules/yara/ to extend the pack without touching Pencheff code.
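As an added example, not a rule from Pencheff's bundled pack, here is a rule file of the kind that could be dropped into bench/rules/yara/ to cover the first two targets above (minimal PHP webshells and obfuscated JS loaders); the rule names, strings and the size threshold are assumptions of this example:

```yara
// Example pack extension (not part of Pencheff's bundled rules).
// Both rules flag the pattern, not a specific malware family, so a match
// is a triage signal: confirm intent before treating the file as a backdoor.

rule php_minimal_webshell_eval_request
{
    meta:
        description = "Minimal PHP webshell: eval() fed directly from a request superglobal"
        severity    = "high"
        example     = "true"   // assumption: metadata keys used by this example only
    strings:
        $php_open    = "<?php" ascii nocase
        // eval($_GET['c']), eval($_POST["x"]), eval($_REQUEST[...]) families
        $eval_req    = /eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\s*\[/ ascii nocase
        // the common one-liner variant that hides the payload behind base64
        $eval_b64    = /eval\s*\(\s*base64_decode\s*\(/ ascii nocase
    condition:
        $php_open and ($eval_req or $eval_b64)
}

rule js_obfuscated_loader_decode_then_eval
{
    meta:
        description = "Obfuscated JavaScript loader: eval/Function over a decoded payload"
        severity    = "high"
    strings:
        $eval_atob     = /eval\s*\(\s*atob\s*\(/ ascii
        $func_decode   = /Function\s*\(\s*decodeURIComponent\s*\(/ ascii
        $eval_unescape = /eval\s*\(\s*unescape\s*\(/ ascii
    condition:
        // skip very large bundles where these calls are more likely benign minifier output
        filesize < 2MB and any of them
}
```

Legitimate minified bundles can trip the second rule, so pair it with the evidence fields above (file path, snippet context) rather than gating CI on it alone.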

FAQ

Common questions

How does Pencheff detect hardcoded secrets in a repository?

Pencheff runs gitleaks across the full git history — not just the current HEAD — to find API keys, tokens, passwords, certificates, and private keys that were ever committed, even if they were later deleted.

What types of secrets can Pencheff detect?

Pencheff detects AWS, GCP, and Azure credentials, GitHub tokens, Stripe and Twilio API keys, JWT signing secrets, SSH private keys, TLS certificates, database connection strings, and generic high-entropy strings that match secret patterns.

Can Pencheff detect malware or backdoors in source code?

Yes. Pencheff applies YARA rule sets to detect known malware signatures, obfuscated code, suspicious eval patterns, supply-chain backdoors, and other malicious code indicators in both source files and compiled artefacts.