Pencheff


Repo scan

Connect code, run SAST/SCA/IaC, review findings, and produce PR-ready fixes.

SCA and SBOM workflows connect vulnerable components, manifests, package URLs, fixed versions, reachability, EPSS, KEV, SSVC, and license evidence to the same findings and reports as application testing.

Scanner pipeline: SARIF-ready. Tags: Semgrep, gitleaks, SARIF, Fix PR, SBOM.

Source findings carry scanner provenance, line evidence, and fix state through the same pipeline.

Scope: Quickstarts · Section: Resources · Method: Deterministic-first · Output: Unified evidence · Profile: Supply chain
01 Coverage

What does Repo scan test?

  • OSV.dev, NVD 2.0, GitHub Advisory Database, RustSec, GoVulnDB, EPSS, CISA KEV, and SSVC enrichment.
  • Manifest support for npm, PyPI, Go modules, Cargo, Ruby, Composer, Maven, OS packages, and container packages.
  • SPDX 2.3 and CycloneDX 1.5 SBOM generation with optional Syft enrichment.
  • Reachability annotation that separates exploited, reachable, present, and unknown risk.
  • License policy checks and deterministic version-bump remediation for eligible dependencies.
02 Execution

How does Pencheff run this?

  • Parse repository manifests, lockfiles, or container package inventories.
  • Resolve packages to advisories, fixed versions, package URLs, and known exploitation signals.
  • Annotate reachability from imports, call paths, runtime evidence, or scanner context.
  • Generate SBOM output and link component rows back to findings.
  • Prioritize remediation by exploitability, reachability, business criticality, and compliance impact.
03 Evidence

What evidence does this produce?

  • Package name, ecosystem, installed version, fixed version, advisory id, CVSS, EPSS, KEV, and SSVC.
  • SBOM component records with PURL, supplier, version, license, and dependency relationships.
  • Reachability state, import evidence, or reason the vulnerable component is currently only present.
  • Audit appendix output for procurement, compliance, and release records.
04 Controls

How is this kept safe to run?

  • Dependency risk is not sorted by CVSS alone; operational signals influence priority.
  • SBOM generation is repeatable and latest-generation output replaces stale records.
  • License and vulnerability policy can be used as release-gate input.
  • Version-bump fixes are deterministic when advisory metadata supports them.
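The Execution steps above (parse manifests, resolve to advisories and PURLs, annotate reachability, prioritize by exploitation signals) and the Controls point that dependency risk is not sorted by CVSS alone can be seen end to end in a small script. This is an added example, not Pencheff's code: the requirements file, source files, advisory ids, scores, fixed versions and the distribution-to-import-name map are all constructed for the demo, and the tier ranking is an assumption rather than Pencheff's documented scoring.

```python
# Added example, not Pencheff's code: a miniature SCA pass in the shape the
# Execution steps describe. All inputs and advisory data below are constructed.
import re
from dataclasses import dataclass

# Constructed manifest and source tree (stand-ins for a checked-out repo).
REQUIREMENTS = """\
requests==2.25.0
pyyaml==5.3
jinja2==2.11.1
urllib3==1.26.0   # pinned, but no advisory in the table below
"""
SOURCES = {
    "app/main.py": "import requests\nfrom jinja2 import Template\n",
    "app/util.py": "import json\n",
}
# Hypothetical advisory table: versions below 'vulnerable_below' are affected.
ADVISORIES = [
    {"package": "requests", "vulnerable_below": (2, 31, 0), "fixed": "2.31.0",
     "id": "ADV-0001", "cvss": 6.1, "epss": 0.02, "kev": False},
    {"package": "pyyaml", "vulnerable_below": (5, 4, 0), "fixed": "5.4",
     "id": "ADV-0002", "cvss": 9.8, "epss": 0.40, "kev": True},
    {"package": "jinja2", "vulnerable_below": (2, 11, 3), "fixed": "2.11.3",
     "id": "ADV-0003", "cvss": 9.0, "epss": 0.01, "kev": False},
]
# Distribution name -> import name where they differ (assumption for the demo).
IMPORT_NAME = {"pyyaml": "yaml"}
# Priority tiers (assumption): KEV-listed outranks everything; a package with no
# source evidence is treated as riskier than one known to be merely present.
TIER_RANK = {"exploited": 0, "reachable": 1, "unknown": 2, "present": 3}

def parse_version(text):
    """'2.11.1' -> (2, 11, 1); only numeric components are kept."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_requirements(text):
    """Return {name: version} for exact '==' pins; other specifiers are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.-]+)==([0-9.]+)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def imported_modules(sources):
    """Top-level module names seen in 'import x' / 'from x import y' lines."""
    mods = set()
    for text in sources.values():
        for m in re.finditer(r"^\s*(?:import|from)\s+([A-Za-z0-9_]+)", text, re.M):
            mods.add(m.group(1).lower())
    return mods

@dataclass
class Finding:
    package: str
    installed: str
    fixed: str
    advisory: str
    cvss: float
    epss: float
    kev: bool
    reachability: str  # reachable / present / unknown
    purl: str

def resolve(pins, advisories, sources):
    """Match pins to advisories, annotate reachability from imports, emit a PURL."""
    mods = imported_modules(sources)
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"])
        if installed is None or parse_version(installed) >= adv["vulnerable_below"]:
            continue  # not installed, or already at/after the fixed version
        if not sources:
            reach = "unknown"  # no source evidence was collected at all
        elif IMPORT_NAME.get(adv["package"], adv["package"]) in mods:
            reach = "reachable"
        else:
            reach = "present"
        findings.append(Finding(adv["package"], installed, adv["fixed"], adv["id"],
                                adv["cvss"], adv["epss"], adv["kev"], reach,
                                f"pkg:pypi/{adv['package']}@{installed}"))
    return findings

def tier(f):
    return "exploited" if f.kev else f.reachability

def prioritize(findings):
    """KEV first, then reachability, then EPSS; CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (TIER_RANK[tier(f)], -f.epss, -f.cvss))

def remediation_plan(findings):
    """Deterministic version bumps, one line per finding, in priority order."""
    return [f"{f.package}: {f.installed} -> {f.fixed} [{tier(f)}, {f.advisory}, {f.purl}]"
            for f in prioritize(findings)]

if __name__ == "__main__":
    for line in remediation_plan(resolve(parse_requirements(REQUIREMENTS), ADVISORIES, SOURCES)):
        print(line)
```

With these inputs the plan lists pyyaml first (KEV-listed, even though nothing imports it), then requests ahead of jinja2 because both are reachable and requests carries the higher EPSS; a CVSS-only sort would have put jinja2 (9.0) above requests (6.1). Passing an empty source map yields the "unknown" reachability state for every finding.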

From the Pencheff docs

Quickstart — Repo scan

Connect a GitHub repository once, scan on every push, and get SAST + SCA + IaC + secrets findings in the same unified queue as DAST. Six scanners fan out in parallel against a .gitignore-respecting copy of the repo.

1. Connect a repo

| Path | Best for | What you get |
|---|---|---|
| Pencheff GitHub App (recommended) | Private repos, continuous scanning | Push webhooks, scoped per-repo permissions, Dependabot alert ingest, no token rotation |
| Personal Access Token | Single private repo, no GH App | One repo per token, manual re-scan |
| Public URL | Public open-source repos | Anonymous clone, manual re-scan |

See Connect a repo for the click-by-click flow. Once connected, the repo also auto-mirrors as a Target row with kind: "repo", so it shows up everywhere DAST URLs do.

2. Run it

<Tabs items={["SaaS Dashboard", "CLI", "MCP host"]}> <Tabs.Tab>

  1. Open Repos in the dashboard.
  2. Click Scan now on the row you want to test — or wait for the next push to fire the webhook.
  3. The scan runs in the queue you can also see at /scans. When it finishes, click into it for the unified findings table.

</Tabs.Tab> <Tabs.Tab>

```bash
# Trigger a remote re-scan against the connected repo.
curl -X POST -H "Authorization: Bearer $PENCHEFF_API_KEY" \
  "$PENCHEFF_API_BASE/repos/$REPO_ID/scan"

# Then list recent scans for the same repo.
curl -H "Authorization: Bearer $PENCHEFF_API_KEY" \
  "$PENCHEFF_API_BASE/repos/$REPO_ID/scans" | jq
```

The pencheff-action GitHub Action wraps the URL-scan flow inside a workflow and posts a Markdown summary on the PR diff. Repo scans run automatically on push events when the Pencheff GitHub App is installed.

</Tabs.Tab> <Tabs.Tab>

> Scan the github.com/acme-co/api repo with all default scanners.

The MCP host calls scan_repository — it fans the work out across the SAST pack (Semgrep / Bandit / gosec / Brakeman / ESLint-security / tree-sitter), Trivy (SCA + IaC + container), Checkov, gitleaks, and YARA in parallel. Findings stream back through get_findings.

</Tabs.Tab> </Tabs>

Scanners on every repo scan

| Scanner | What it finds | License |
|---|---|---|
| Semgrep OSS (SAST) | Multi-language pattern rules across an explicit OSS pack list (p/owasp-top-ten, p/security-audit, p/cwe-top-25, p/secrets, p/jwt, p/django, p/flask, p/express, p/nodejs, p/golang, p/r2c-security-audit). No --config=auto, no Pro rules. Override via PENCHEFF_SEMGREP_PACKS. | LGPL-2.1 (subprocess-only) |
| Bandit (SAST, Python) | Python-specific issues: hard-coded passwords, weak crypto, shell injection, deserialisation. | Apache-2.0 |
| gosec (SAST, Go) | Go-specific G-rules: SQL injection, unsafe rand, weak crypto. Auto-skipped on no-Go trees. | Apache-2.0 |
| Brakeman (SAST, Rails) | Rails-specific issues: mass assignment, SSL config, Rails-idiomatic command injection. Auto-skipped on non-Rails Ruby. | MIT |
| ESLint-security (SAST, JS/TS) | detect-object-injection, detect-eval-with-expression, detect-non-literal-regexp, detect-unsafe-regex, etc. Pinned flat config; ignores any .eslintrc in the target. | MIT / Apache-2.0 |
| Tree-sitter pack (SAST, niche) | Solidity ships at v0.7 (4 hand-curated rules). Lua / Scala / Dart / Kotlin / Swift / COBOL / Erlang scaffolded; drop a queries.scm + rules.json in. | MIT (queries) |
| Trivy (SCA + IaC + secrets + container) | Dependency CVEs, IaC misconfigs (Terraform, K8s, CloudFormation, Helm), embedded secrets, container image issues. Pulls live OSV / NVD / EPSS / KEV data. | Apache-2.0 |
| Checkov (IaC) | 1,000+ policy rules for Terraform, K8s, ARM, Bicep, OpenAPI. | Apache-2.0 |
| OSV-Scanner / pip-audit / npm-audit (SCA) | Per-package vuln list reconciled with the SCA freshness layer. | Apache-2.0 / Apache-2.0 / Artistic-2.0 |
| Detect-Secrets / gitleaks (secrets) | Hardcoded API keys, tokens, private keys. | Apache-2.0 / MIT |

CodeQL was removed in v0.7 — its CLI is not licensed for commercial use on third-party code, and Pencheff scans customer code. The SAST pack above replaces it under permissive licenses only.

Cross-scanner correlation

A correlation service emits cross-references when two scanners flag the same root cause (shared CWE / shared CVE / route-token semantic match) so the unified findings stream collapses duplicates instead of stacking them.

Triggers

  • Webhooks: push events from connected GitHub Apps re-scan the affected repo automatically.
  • Manual: POST /repos/{id}/scan from CLI / API / dashboard.
  • CI/CD: the pencheff-scan GitHub Action wraps the scan and posts a Markdown summary on the PR diff.
  • Dependabot ingest: when the GitHub App is installed, Dependabot alerts are pulled in and reconciled against new SCA findings.

<Callout type="info"> **Live CVE data on every SCA scan.** OSV.dev per-package, NVD 2.0 per-CVE (CWE / CPE / NVD-CVSS), EPSS exploit-prediction, and CISA KEV active-exploitation flags. Refreshed automatically when the local cache is stale (defaults: 24 h on OSV / EPSS / KEV, 14 d on NVD). Set any TTL to `0` to force live every scan. </Callout>

Read the result

  • Findings appear in the unified queue keyed (repository_id, scanner, rule_id).
  • Each row carries severity, file_path:line_start, cve (when the scanner is SCA), package@installed_version and the proposed fixed_version if one exists.
  • The DOCX / Markdown / JSON / CSV exporter renders all six scanner outputs into one report.
  • Click View compliance mapping on the assessment page to open the per-scan compliance rollup — the same six frameworks used for URL DAST scans.
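The cross-scanner correlation described earlier (collapsing rows that share a CVE or a CWE at the same location) and the (repository_id, scanner, rule_id) keying above can be exercised on a handful of rows. This is an added example, not Pencheff's correlation service: the finding rows, rule ids, CVE ids, paths and line numbers are constructed, and the route-token semantic match the page mentions is not modelled here.

```python
# Added example, not Pencheff's code: collapse findings that two scanners raise
# for one root cause while each row keeps its (repository_id, scanner, rule_id).
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed rows in the shape described under "Read the result"; scanner
# names follow the page, while rule ids, CVE ids and locations are made up.
FINDINGS = [
    {"repository_id": "r1", "scanner": "trivy", "rule_id": "CVE-0000-0001",
     "severity": "high", "file_path": "package-lock.json", "line_start": 1,
     "cve": "CVE-0000-0001", "cwe": None, "package": "lodash@4.17.20",
     "fixed_version": "4.17.21"},
    {"repository_id": "r1", "scanner": "npm-audit", "rule_id": "CVE-0000-0001",
     "severity": "medium", "file_path": "package-lock.json", "line_start": 1,
     "cve": "CVE-0000-0001", "cwe": None, "package": "lodash@4.17.20",
     "fixed_version": "4.17.21"},
    {"repository_id": "r1", "scanner": "semgrep", "rule_id": "subprocess-shell-true",
     "severity": "medium", "file_path": "app/run.py", "line_start": 42,
     "cve": None, "cwe": "CWE-78", "package": None, "fixed_version": None},
    {"repository_id": "r1", "scanner": "bandit", "rule_id": "B602",
     "severity": "high", "file_path": "app/run.py", "line_start": 42,
     "cve": None, "cwe": "CWE-78", "package": None, "fixed_version": None},
    {"repository_id": "r1", "scanner": "gitleaks", "rule_id": "generic-api-key",
     "severity": "high", "file_path": "config/settings.py", "line_start": 7,
     "cve": None, "cwe": None, "package": None, "fixed_version": None},
]

def finding_key(f):
    """Identity of one row in the unified queue."""
    return (f["repository_id"], f["scanner"], f["rule_id"])

def root_cause(f):
    """Correlation key: a shared CVE, else a shared CWE at the same file:line,
    else the row's own key (it stands alone)."""
    if f.get("cve"):
        return ("cve", f["repository_id"], f["cve"])
    if f.get("cwe"):
        return ("cwe", f["repository_id"], f["cwe"], f["file_path"], f["line_start"])
    return ("self",) + finding_key(f)

def correlate(findings):
    """Group rows by root cause; the highest-severity row becomes the primary
    and the others are recorded as cross-references instead of extra rows."""
    groups = defaultdict(list)
    for f in findings:
        groups[root_cause(f)].append(f)
    out = []
    for cause, members in groups.items():
        members.sort(key=finding_key)  # deterministic tie-break on equal severity
        primary = max(members, key=lambda f: SEVERITY_RANK[f["severity"]])
        out.append({
            "root_cause": cause,
            "primary": finding_key(primary),
            "cross_refs": [finding_key(m) for m in members if m is not primary],
            "severity": primary["severity"],
            "fixed_version": next((m["fixed_version"] for m in members
                                   if m.get("fixed_version")), None),
        })
    return out

def collapse_counts(findings):
    """(raw rows, correlated groups) so the reduction is visible in a report."""
    return len(findings), len(correlate(findings))

if __name__ == "__main__":
    for g in correlate(FINDINGS):
        print(g["severity"], g["primary"], "<-", g["cross_refs"], g["fixed_version"])
    print("rows -> groups:", collapse_counts(FINDINGS))
```

Five raw rows collapse to three groups: the two lodash rows merge on the shared CVE with the trivy row as primary and npm-audit as a cross-reference, the Semgrep and Bandit rows merge on CWE-78 at app/run.py:42, and the gitleaks secret stays alone because it carries neither a CVE nor a CWE.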
