URL scan

Create a target, choose profile, run DAST, review evidence, and export reports.

SCA and SBOM workflows connect vulnerable components, manifests, package URLs, fixed versions, reachability, EPSS, KEV, SSVC, and license evidence to the same findings and reports as application testing.

  • Scope: Quickstarts
  • Section: Resources
  • Method: Deterministic-first
  • Output: Unified evidence
  • Profile: Supply chain
01 Coverage

What does URL scan test?

  • This page is part of Resources under Quickstarts.
  • It links back into the broader "everything needed to operate Pencheff" section of the docs.
  • OSV.dev, NVD 2.0, GitHub Advisory Database, RustSec, GoVulnDB, EPSS, CISA KEV, and SSVC enrichment.
  • Manifest support for npm, PyPI, Go modules, Cargo, Ruby, Composer, Maven, OS packages, and container packages.
  • SPDX 2.3 and CycloneDX 1.5 SBOM generation with optional Syft enrichment.
  • Reachability annotation that separates exploited, reachable, present, and unknown risk.
  • License policy checks and deterministic version-bump remediation for eligible dependencies.
02 Execution

How does Pencheff run this?

  • Parse repository manifests, lockfiles, or container package inventories.
  • Resolve packages to advisories, fixed versions, package URLs, and known exploitation signals.
  • Annotate reachability from imports, call paths, runtime evidence, or scanner context.
  • Generate SBOM output and link component rows back to findings.
  • Prioritize remediation by exploitability, reachability, business criticality, and compliance impact.
03 Evidence

What evidence does this produce?

  • Package name, ecosystem, installed version, fixed version, advisory id, CVSS, EPSS, KEV, and SSVC.
  • SBOM component records with PURL, supplier, version, license, and dependency relationships.
  • Reachability state, import evidence, or reason the vulnerable component is currently only present.
  • Audit appendix output for procurement, compliance, and release records.
04 Controls

How is this kept safe to run?

  • Dependency risk is not sorted by CVSS alone; operational signals influence priority.
  • SBOM generation is repeatable and latest-generation output replaces stale records.
  • License and vulnerability policy can be used as release-gate input.
  • Version-bump fixes are deterministic when advisory metadata supports them.
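To make the Execution steps and the Controls bullets concrete, here is an added example that is not Pencheff's code: a miniature SCA pass in Python over a constructed npm lockfile that parses the manifest, resolves components to advisories, annotates reachability from import evidence, emits a minimal SBOM, and prioritises remediation without relying on CVSS alone. Everything in it is constructed: the package names, the advisory records and their placeholder ids (EXAMPLE-ADV-0001 and EXAMPLE-ADV-0002), the EPSS scores and KEV flags, the import evidence and the license deny list. The reachability-state mapping and the priority order (KEV, then reachability, then EPSS, then CVSS) are this example's own choices, and the SBOM it emits is a small CycloneDX 1.5 subset rather than Pencheff's full output.

```python
import json
from typing import Dict, List, Tuple

# Constructed npm lockfile (lockfileVersion 3 shape); package names are invented.
LOCKFILE_JSON = json.dumps({
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/demo-parser": {"version": "2.3.1", "license": "MIT"},
        "node_modules/demo-widget": {"version": "0.9.0", "license": "ISC"},
        "node_modules/demo-util": {"version": "4.0.2", "license": "GPL-3.0-only"},
    },
})

# Constructed advisory records keyed by versionless PURL. Ids, CVSS, EPSS and
# KEV flags are placeholders; a real resolver queries OSV.dev, GHSA, NVD,
# EPSS and CISA KEV instead.
ADVISORIES: Dict[str, List[dict]] = {
    "pkg:npm/demo-parser": [{"id": "EXAMPLE-ADV-0001", "fixed": "2.4.0",
                             "cvss": 9.8, "epss": 0.02, "kev": False}],
    "pkg:npm/demo-widget": [{"id": "EXAMPLE-ADV-0002", "fixed": "1.0.0",
                             "cvss": 6.5, "epss": 0.91, "kev": True}],
}
IMPORT_EVIDENCE = {"demo-widget", "demo-util"}   # constructed: modules the app imports
DENIED_LICENSES = {"GPL-3.0-only"}               # constructed license policy
RANK = {"exploited": 0, "reachable": 1, "unknown": 2, "present": 3}


def semver_key(version: str) -> Tuple[int, ...]:
    """Numeric semver ordering; pre-release suffixes are dropped for brevity."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def parse_lockfile(text: str) -> List[dict]:
    """Step 1: lockfile entries -> components, each with a package URL."""
    components = []
    for path, meta in json.loads(text)["packages"].items():
        if path == "":
            continue  # the root project is not a dependency
        name = path.rsplit("node_modules/", 1)[1]
        components.append({"name": name, "version": meta["version"],
                           "license": meta.get("license"),
                           "purl": f"pkg:npm/{name}@{meta['version']}"})
    return components


def resolve_advisories(component: dict) -> List[dict]:
    """Step 2: keep advisories whose fixed version is newer than the installed one."""
    base_purl = component["purl"].rsplit("@", 1)[0]
    return [adv for adv in ADVISORIES.get(base_purl, [])
            if semver_key(component["version"]) < semver_key(adv["fixed"])]


def reachability(component: dict, adv: dict) -> str:
    """Step 3: exploited / reachable / present / unknown. This mapping is the
    example's own: a KEV hit wins, then import evidence decides, no evidence is unknown."""
    if adv["kev"]:
        return "exploited"
    if not IMPORT_EVIDENCE:
        return "unknown"
    return "reachable" if component["name"] in IMPORT_EVIDENCE else "present"


def build_findings(text: str) -> List[dict]:
    """Steps 1-3 combined, plus the deterministic version-bump remediation string."""
    findings = []
    for comp in parse_lockfile(text):
        for adv in resolve_advisories(comp):
            findings.append({**adv, "purl": comp["purl"], "installed": comp["version"],
                             "state": reachability(comp, adv),
                             "fix": f"{comp['name']}@{comp['version']} -> {adv['fixed']}"})
    return findings


def prioritise(findings: List[dict]) -> List[dict]:
    """Step 5: KEV/reachability first, then EPSS, then CVSS; never CVSS alone."""
    return sorted(findings, key=lambda f: (RANK[f["state"]], -f["epss"], -f["cvss"]))


def build_sbom(text: str, findings: List[dict]) -> dict:
    """Step 4: minimal CycloneDX 1.5 JSON; each vulnerability points at a component bom-ref."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [{"type": "library", "bom-ref": c["purl"], "name": c["name"],
                        "version": c["version"], "purl": c["purl"],
                        "licenses": [{"license": {"id": c["license"]}}] if c["license"] else []}
                       for c in parse_lockfile(text)],
        "vulnerabilities": [{"id": f["id"], "affects": [{"ref": f["purl"]}],
                             "ratings": [{"score": f["cvss"], "method": "CVSSv31"}]}
                            for f in findings],
    }


def release_gate(text: str) -> dict:
    """Controls: vulnerability and license policy combined into one gate decision."""
    findings = prioritise(build_findings(text))
    blocking = [f["id"] for f in findings if f["state"] in ("exploited", "reachable")]
    licenses = [c["purl"] for c in parse_lockfile(text) if c["license"] in DENIED_LICENSES]
    return {"pass": not blocking and not licenses, "blocking": blocking,
            "licenses": licenses, "order": [f["id"] for f in findings]}


if __name__ == "__main__":
    print(json.dumps(release_gate(LOCKFILE_JSON), indent=2))
    print(json.dumps(build_sbom(LOCKFILE_JSON, build_findings(LOCKFILE_JSON)), indent=2))
```

Running it shows why CVSS alone misorders the queue: the 9.8-CVSS advisory affects a component that is only present (never imported) with a low EPSS, while the 6.5-CVSS advisory is in KEV and its component is imported, so it sorts first and blocks the gate together with the denied license. The SBOM's `vulnerabilities` entries reference component `bom-ref` values, which is how component rows stay linked to findings.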
From the Pencheff docs

Quickstart — URL scan

import { Callout, Tabs } from "nextra/components";

Point Pencheff at a live URL and get a verified, exploit-first assessment with OWASP Top 10 mapping in 5-40 minutes depending on the profile. The same engine drives the SaaS dashboard, the CLI, and the MCP tools — pick whichever surface matches your workflow.

<Callout type="warning"> **Authorization is mandatory.** Every scan API call carries a `consent_payload`. Run only against systems you own or have written permission to test. Pencheff will refuse to scan otherwise. </Callout>

1. Pick a target

| Scenario | What to point at | Profile to start with |
| --- | --- | --- |
| Public marketing site | https://acme.com | quick |
| Production web app | https://app.acme.com | standard |
| API behind a token | https://api.acme.com/v1 | standard (with auth header) |
| Stage / pre-prod, exhaustive sweep | https://stage.acme.com | deep |
| Single-page app / SPA | https://app.acme.com | standard (Playwright crawl auto-engages) |

2. Run it

<Tabs items={["SaaS Dashboard", "CLI", "MCP host"]}> <Tabs.Tab>

  1. Open app.pencheff.com, sign in, click Register target.
  2. Paste the URL, optionally add credentials, scope, and exclude paths.
  3. Pick a profile (standard is the default balanced run).
  4. Click Start scan — you’ll be redirected to a live progress page. Stages stream over SSE.
  5. When it finishes, browse findings by severity, OWASP category, or compliance framework.

</Tabs.Tab> <Tabs.Tab>

```bash
# 5-10 minute fast pass — fail the build on any HIGH+ finding.
pencheff scan \
  --target https://example.com \
  --profile quick \
  --fail-on high \
  --format json,docx \
  --output ./reports/

# 20-40 minute balanced run — the documented default.
pencheff scan \
  --target https://example.com \
  --profile standard \
  --output ./reports/

# 60+ minute deep run — auto-creates an engagement, persists a
# DREAD threat model, and runs the full attack-chain phase.
pencheff scan \
  --target https://example.com \
  --profile deep \
  --save-history \
  --output ./reports/

# Authenticated scan — credentials never leave the local machine.
pencheff scan \
  --target https://app.example.com \
  --profile standard \
  --username [email protected] \
  --password "$APP_PASSWORD"
```

</Tabs.Tab> <Tabs.Tab>

> Pentest https://juice-shop.herokuapp.com — standard profile

I'll run a full standard scan now.

The MCP host fans the request out across the canonical tool order:

  1. pentest_init — new session
  2. check_dependencies — see which external tools are detected
  3. recon_passive → recon_active → recon_api_discovery
  4. scan_waf → payload_generate
  5. scan_injection → test_endpoint (manual exploitation)
  6. scan_client_side → scan_auth → scan_authz → scan_advanced
  7. exploit_chain_suggest → test_chain
  8. generate_report and the chosen exporter

</Tabs.Tab> </Tabs>

3. Read the result

  • Findings appear in the unified queue with severity, CVSS v3.1 + v4.0, OWASP category, and compliance fan-out.
  • Every finding flagged by a scanner is followed up by test_endpoint — the report contains only true_positive rows by default.
  • The deep profile attaches a STRIDE / DREAD threat model and a compliance rollup to the scan.
  • The DOCX report carries an executive summary, the findings register, the compliance appendix, and (for deep) the threat model.

Common gotchas

  • Cloudflare / WAF returns 403. Add the WAF’s session cookie via the dashboard’s Headers row on the target. scan_waf will detect and tag the WAF; payloads adapt automatically.
  • SPA returns a blank shell. Use standard or deep — both trigger the Playwright crawler. quick only runs the fast HTTP crawler.
  • Rate-limited target. Use the dashboard’s Throttle card on the target to cap requests-per-second; the engine slows every dispatcher.
  • Auth flow is not OIDC. Record a login macro once via the dashboard’s Authentication card; the macro attaches to the target and replays on every scan.
