Pencheff

Code security

SAST and secrets

Semgrep, Bandit, gosec, Brakeman, ESLint security, tree-sitter rules, and gitleaks.

Scope: Security Surfaces

Run web, API, code, dependency, cloud, AI, and internal-network assessments from one queue with unified findings, evidence, remediation, and audit output.

Output: Unified evidence

Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.

Method: Deterministic first

Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.

Coverage

What does SAST and secrets test?

  • Semgrep, Bandit, gosec, Brakeman, ESLint security, tree-sitter rules, and gitleaks.
  • This page is part of Platform under Security Surfaces.
  • It links back into the broader a complete adversarial security platform experience.
  • Semgrep OSS packs, Bandit, gosec, Brakeman, ESLint security, tree-sitter rules, and niche-language scaffolds.
  • Secret detection with gitleaks and suspicious-code indicators with YARA-style patterns.
  • GitHub repository connection, webhook-triggered scans, hardlink staging, gitignore-aware filtering, and default-deny controls.
  • SARIF and GitHub check run output so developers see findings where they work.
  • Auto-fix preparation for Semgrep autofix, SCA version bumps, and reviewer-friendly patch synthesis.

Execution

How does Pencheff run this?

  • Connect or register a repository and choose a branch, scan profile, and scanner policy.
  • Stage the source safely, fan out language-specific scanners, and capture raw scanner output.
  • Normalize results into repo findings with file, line, rule, severity, scanner, and remediation metadata.
  • Merge code results with SCA, IaC, secrets, and runtime context to reduce duplicate triage.
  • Send annotations, SARIF, reports, fix PRs, or dashboard tasks depending on the workflow.

Evidence

What evidence does this produce?

  • File path, line number, rule id, scanner name, confidence, language, and vulnerable snippet context.
  • Suggested fix, fixed-version data when applicable, and status across suppressions or rechecks.
  • GitHub check output, SARIF upload, comments, and links back into the finding record.
  • Cross-finding signals when a code pattern aligns with runtime exploitation.
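The normalization and evidence steps above (raw scanner output folded into one record per location, then emitted as SARIF) are shown here as an added example; this is not Pencheff's own code. The Semgrep, Bandit and gitleaks JSON shapes are constructed samples modelled on each tool's public JSON report format, and the field names are an assumption to check against the scanner version you actually run. Two details make the secrets handling concrete: a secret found by both Bandit and gitleaks at the same file and line collapses into one finding, and the secret value itself never reaches the SARIF, only a hash of it in the fingerprint.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SARIF_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}
SECRET_TESTS = {"B105", "B106", "B107"}  # Bandit's hardcoded-password checks


@dataclass(frozen=True)
class Finding:
    scanners: tuple[str, ...]   # every scanner that reported this location
    rule_ids: tuple[str, ...]
    path: str
    line: int
    severity: str
    message: str
    is_secret: bool
    fingerprint: str            # stable id for rechecks; for secrets a hash, never the value


def _fp(*parts: str) -> str:
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()[:16]


def from_semgrep(raw: dict) -> list[Finding]:
    sev = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}
    return [Finding(("semgrep",), (r["check_id"],), r["path"], r["start"]["line"],
                    sev[r["extra"]["severity"]], r["extra"]["message"], False,
                    _fp(r["check_id"], r["path"], r["extra"]["lines"]))
            for r in raw.get("results", [])]


def from_bandit(raw: dict) -> list[Finding]:
    # Bandit's `code` and, for B105-B107, its `issue_text` quote the literal
    # password, so for those tests only the test name is carried into the record.
    return [Finding(("bandit",), (r["test_id"],), r["filename"], r["line_number"],
                    r["issue_severity"].lower(),
                    r["test_name"] if r["test_id"] in SECRET_TESTS else r["issue_text"],
                    r["test_id"] in SECRET_TESTS,
                    _fp(r["test_id"], r["filename"], str(r["line_number"])))
            for r in raw.get("results", [])]


def from_gitleaks(raw: list) -> list[Finding]:
    # Every leak is a high-severity secret finding; the secret is hashed into the
    # fingerprint so a recheck can match it, and is dropped from everything else.
    return [Finding(("gitleaks",), (r["RuleID"],), r["File"], r["StartLine"], "high",
                    f"{r['Description']} ({r['RuleID']}) first seen in commit {r['Commit'][:8]}",
                    True, _fp(r["RuleID"], hashlib.sha256(r["Secret"].encode()).hexdigest()))
            for r in raw]


def _merge(a: Finding, b: Finding) -> Finding:
    hi = a if SEVERITY_RANK[a.severity] >= SEVERITY_RANK[b.severity] else b
    return Finding(tuple(sorted(set(a.scanners + b.scanners))),
                   tuple(sorted(set(a.rule_ids + b.rule_ids))), a.path, a.line,
                   hi.severity, hi.message, a.is_secret or b.is_secret, hi.fingerprint)


def normalize(semgrep_raw: dict, bandit_raw: dict, gitleaks_raw: list) -> list[Finding]:
    """One record per (path, line) across all scanners; the highest severity wins."""
    merged: dict = {}
    for f in from_semgrep(semgrep_raw) + from_bandit(bandit_raw) + from_gitleaks(gitleaks_raw):
        key = (f.path, f.line)
        merged[key] = _merge(merged[key], f) if key in merged else f
    return sorted(merged.values(), key=lambda f: (-SEVERITY_RANK[f.severity], f.path, f.line))


def to_sarif(findings: list[Finding]) -> dict:
    """Minimal SARIF 2.1.0 log of the kind GitHub code scanning ingests."""
    rules = sorted({rid for f in findings for rid in f.rule_ids})
    results = [{
        "ruleId": f.rule_ids[0], "level": SARIF_LEVEL[f.severity],
        "message": {"text": f.message},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": f.path},
                                            "region": {"startLine": f.line}}}],
        "partialFingerprints": {"primaryLocationLineHash": f.fingerprint},
        "properties": {"scanners": list(f.scanners), "is_secret": f.is_secret},
    } for f in findings]
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "unified-sast-example",
                                          "rules": [{"id": r} for r in rules]}},
                      "results": results}]}


# Constructed sample scanner output; file names, commit id and secret are made up.
SEMGREP_RAW = {"results": [{"check_id": "python.lang.security.audit.subprocess-shell-true",
                            "path": "app/run.py", "start": {"line": 12}, "end": {"line": 12},
                            "extra": {"severity": "ERROR", "message": "subprocess call with shell=True",
                                      "lines": "subprocess.run(cmd, shell=True)"}}]}
BANDIT_RAW = {"results": [{"filename": "app/config.py", "line_number": 3, "test_id": "B105",
                           "test_name": "hardcoded_password_string", "issue_severity": "LOW",
                           "issue_text": "Possible hardcoded password: 'hunter2-example'",
                           "code": "3 DB_PASSWORD = 'hunter2-example'"}]}
GITLEAKS_RAW = [{"Description": "Generic API Key", "RuleID": "generic-api-key",
                 "File": "app/config.py", "StartLine": 3, "Secret": "hunter2-example",
                 "Commit": "0123456789abcdef0123", "Author": "dev"}]

if __name__ == "__main__":
    print(json.dumps(to_sarif(normalize(SEMGREP_RAW, BANDIT_RAW, GITLEAKS_RAW)), indent=2))
```

Running it prints a SARIF log with two results: the merged `app/config.py:3` secret (reported by both `bandit` and `gitleaks`, level `error`) and the Semgrep `shell=True` hit. The `partialFingerprints` entry is what lets a recheck or suppression refer to a finding without re-reading the snippet, which matters most for secrets.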

Controls

How is this kept safe to run?

  • Scanner choices are explicit and permissively licensed where used in the repo pipeline.
  • Secrets are handled as findings rather than echoed into broad UI surfaces.
  • CI gates can be tuned by severity, reachability, policy, and target branch.
  • Generated fixes remain reviewer-owned and trace back to original scanner evidence.
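A gate "tuned by severity, reachability, policy, and target branch", with suppressions that stay reviewer-owned, looks roughly like the following added example. It is not Pencheff's code: the policy shape, the branch-glob matching, the one-level downgrade for unreachable code and the rule that secrets always block are assumptions chosen to illustrate the controls listed above, and the findings and suppressions are constructed placeholders.

```python
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
NAME = {v: k for k, v in RANK.items()}


@dataclass
class GatePolicy:
    block_at: dict                      # branch glob -> lowest severity that fails the gate
    default_block_at: str = "high"      # used when no glob matches the target branch
    secrets_always_block: bool = True
    unreachable_downgrade: bool = True  # unreachable code: one severity level lower


@dataclass
class Suppression:
    fingerprint: str
    reason: str
    expires: str  # ISO date; ISO date strings compare correctly as plain strings


@dataclass
class GateResult:
    passed: bool
    threshold: str
    blocking: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)
    expired: list = field(default_factory=list)


def threshold_for(branch: str, policy: GatePolicy) -> str:
    for pattern, sev in policy.block_at.items():
        if fnmatch.fnmatch(branch, pattern):
            return sev
    return policy.default_block_at


def effective_severity(finding: dict, policy: GatePolicy) -> str:
    sev = finding["severity"]
    if policy.unreachable_downgrade and finding.get("reachable") is False and not finding.get("is_secret"):
        sev = NAME[max(1, RANK[sev] - 1)]
    return sev


def evaluate_gate(findings, branch, policy, suppressions, today) -> GateResult:
    threshold = threshold_for(branch, policy)
    # A suppression only counts while unexpired and carrying a reason, so every
    # accepted finding stays traceable to a reviewer's decision.
    active = {s.fingerprint for s in suppressions if s.reason.strip() and s.expires >= today}
    result = GateResult(passed=True, threshold=threshold,
                        expired=[s.fingerprint for s in suppressions if s.expires < today])
    for f in findings:
        if f["fingerprint"] in active:
            result.suppressed.append(f["fingerprint"])
            continue
        sev = effective_severity(f, policy)
        if (policy.secrets_always_block and f.get("is_secret")) or RANK[sev] >= RANK[threshold]:
            result.blocking.append({**f, "effective_severity": sev})
    result.passed = not result.blocking
    return result


POLICY = GatePolicy(block_at={"main": "medium", "release/*": "medium"})

# Constructed sample findings; fingerprints and rule ids are placeholders.
FINDINGS = [
    {"fingerprint": "a1", "rule": "subprocess-shell-true", "severity": "high", "reachable": True, "is_secret": False},
    {"fingerprint": "b2", "rule": "B608", "severity": "medium", "reachable": True, "is_secret": False},
    {"fingerprint": "c3", "rule": "generic-api-key", "severity": "high", "reachable": True, "is_secret": True},
    {"fingerprint": "d4", "rule": "B608", "severity": "medium", "reachable": False, "is_secret": False},
]
SUPPRESSIONS = [
    Suppression("a1", "cmd is a compile-time constant; reviewed as false positive", "2025-06-30"),
    Suppression("c3", "credential rotated; history rewrite pending", "2024-12-01"),  # already expired
]

if __name__ == "__main__":
    for branch in ("main", "feature/x"):
        r = evaluate_gate(FINDINGS, branch, POLICY, SUPPRESSIONS, "2025-01-15")
        print(branch, "passed" if r.passed else "blocked", [b["fingerprint"] for b in r.blocking])
```

On `main` the reachable medium and the secret block while the unreachable medium drops to low and passes; on a feature branch only high findings and the secret block. The expired suppression on the secret is reported separately so the gate can surface it rather than silently re-blocking.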

FAQ

Common questions

What is SAST and why does it matter?
SAST (Static Application Security Testing) analyses source code, bytecode, or binaries without executing the application. It finds injection flaws, hardcoded secrets, insecure library use, and logic errors earlier in the development cycle than DAST.

Which programming languages does Pencheff SAST support?
Pencheff runs CodeQL, Semgrep, Bandit (Python), gosec (Go), Brakeman (Ruby on Rails), ESLint security rules (JavaScript/TypeScript), and a tree-sitter pack for additional languages including Rust, PHP, and Java.

How does Pencheff find hardcoded secrets in code?
Pencheff runs gitleaks over the full git history and working tree, detecting API keys, tokens, passwords, and private keys across all commits — not just the current HEAD. YARA rules additionally flag malware patterns and backdoors.

Does SAST replace DAST, or do they complement each other?
They complement each other. SAST finds flaws in code that may not be reachable at runtime, while DAST finds runtime vulnerabilities that may not be apparent from reading the source. Pencheff combines both into a unified findings stream with de-duplication.
