Pencheff
PricingDocs ↗Sign inOpen an account

Supply chain

Repo scan

Connect code, run SAST/SCA/IaC, review findings, and produce PR-ready fixes.

Start freeSign in
ScopeQuickstarts

Jump into setup guides, feature references, reporting conventions, API documentation, methodology pages, and workflow-specific playbooks.

OutputUnified evidence

Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.

MethodDeterministic first

Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.

Coverage

What does Repo scan test?

  • Connect code, run SAST/SCA/IaC, review findings, and produce PR-ready fixes.
  • This page is part of Resources under Quickstarts.
  • It links back into the broader everything needed to operate pencheff experience.
  • OSV.dev, NVD 2.0, GitHub Advisory Database, RustSec, GoVulnDB, EPSS, CISA KEV, and SSVC enrichment.
  • Manifest support for npm, PyPI, Go modules, Cargo, Ruby, Composer, Maven, OS packages, and container packages.
  • SPDX 2.3 and CycloneDX 1.5 SBOM generation with optional Syft enrichment.
  • Reachability annotation that separates exploited, reachable, present, and unknown risk.
  • License policy checks and deterministic version-bump remediation for eligible dependencies.

Execution

How does Pencheff run this?

  • Parse repository manifests, lockfiles, or container package inventories.
  • Resolve packages to advisories, fixed versions, package URLs, and known exploitation signals.
  • Annotate reachability from imports, call paths, runtime evidence, or scanner context.
  • Generate SBOM output and link component rows back to findings.
  • Prioritize remediation by exploitability, reachability, business criticality, and compliance impact.

Evidence

What evidence does this produce?

  • Package name, ecosystem, installed version, fixed version, advisory id, CVSS, EPSS, KEV, and SSVC.
  • SBOM component records with PURL, supplier, version, license, and dependency relationships.
  • Reachability state, import evidence, or reason the vulnerable component is currently only present.
  • Audit appendix output for procurement, compliance, and release records.

Controls

How is this kept safe to run?

  • Dependency risk is not sorted by CVSS alone; operational signals influence priority.
  • SBOM generation is repeatable and latest-generation output replaces stale records.
  • License and vulnerability policy can be used as release-gate input.
  • Version-bump fixes are deterministic when advisory metadata supports them.

Documentation

Read the full reference.

Related

Keep exploring Resources.

Docs, references, and playbooksResources overviewFeatured actionOpen documentationFeaturedMethodologyFeaturedAPI referenceFeaturedIssued reportsFeaturedFindings registerQuickstartsURL scanQuickstartsLLM red team