Frequently asked questions
How does Pencheff fit with existing security tools?
Pencheff produces DAST, SCA/SBOM, host vulnerability assessment, proxy, fuzzer, continuous scanning, and ASM outputs that can complement existing security tools. Teams with existing security platforms can run Pencheff alongside them; exports via signed webhook / Splunk HEC integrate cleanly.
Third-party product names are used only for identification. Pencheff is not affiliated with, endorsed by, or sponsored by those owners.
Does it scan production safely?
Yes, with a few caveats:
- `quick` and `cicd` profiles are explicitly non-destructive — no SQLi data extraction, no fuzzer, no exploit chains.
- `standard`/`deep` profiles send active exploit payloads; only run them against systems you own or have written authorisation to test.
- Rate-limiting is enforced by default (10 req/s); tune down via `MAX_REQUESTS_PER_SECOND` when targeting production systems.
Does Pencheff scan desktop applications?
Not today. Pencheff’s scanners cover web (DAST), source code
(SAST via Semgrep / Bandit / gosec / Brakeman / ESLint, SCA via GHSA),
and infrastructure (containers,
Dockerfiles, Kubernetes, Terraform, Helm, CloudFormation). There is no
built-in scanner for compiled desktop binaries (.exe, .app, .dmg,
.msi, .deb, .rpm), Electron asar bundles, or native ELF / Mach-O
files.
If desktop coverage matters for your engagement, the realistic options:
- SBOM + CVE the binary: pipe it through `syft` to extract an SBOM, then `grype` for CVE matching. Both happily accept `.deb`/`.rpm`/`.tar.gz` archives and many native binaries.
- Electron: `electronegativity` finds nodeIntegration / contextIsolation / IPC misuse in the bundled asar.
- Code signing & entitlements: `codesign -dvvv`, `security cms -D` on macOS; `signtool verify` on Windows.
If you’d like one of these wrapped as a first-class scanner with the
same Finding model as everything else, open an issue
or contact us about a Team plan.
How does it compare to AI-assisted code review?
Pencheff is a runtime pentest tool — it exercises live web applications, network services, and running containers. Static code review tools are complementary; run Pencheff against the deployed artifact, not the source.
Can I run it air-gapped?
Yes. All the native scan modules (injection, auth, authz, IaC rules,
passive scan, fuzzer) work offline. The CVE feed uses OSV.dev over the
internet; once cached to ~/.pencheff/cve_cache.db, subsequent scans
are offline. Refresh with refresh_cve_feed when you’re back online.
How much does hosted SaaS cost?
Pencheff is in open beta. The Free tier has every feature unlocked
at $0 — DAST, SAST (Semgrep + Bandit + gosec + Brakeman + ESLint +
tree-sitter), IaC, container scanning, compliance reporting, the lot.
Pro (coming soon) adds automated remediation that fixes what it
finds: a fix-PR pipeline, DAST exploitation that verifies impact, and
a SAST auto-patcher driven by Semgrep autofix + LLM patch synthesis.
Team is for organisations needing unlimited scale, SSO, dedicated support, and
custom deployment — see pencheff.com/#pricing or email [email protected].
The CLI and MCP plugin are MIT-licensed and free for any use.
My scan is taking too long
- Use a lighter profile (`quick` or `cicd` instead of `deep`).
- Narrow `scope` / widen `exclude_paths`.
- Cap `max_pages` in the profile.
- For SCA, use `annotate_reachability=False` to skip the source grep.
Where are credentials stored?
- CLI: in-process only; `MaskedSecret`-wrapped so they never leak to logs or `repr`.
- SaaS: Fernet-encrypted blobs in Postgres; the encryption key is in env (`FERNET_KEY`) and never written to disk in plaintext.
- Custom modules: whatever you write — we recommend `MaskedSecret` for anything sensitive.
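As an added illustration of the masking-wrapper pattern the CLI relies on (example code written for this page, not Pencheff's own `MaskedSecret`, whose interface is not shown here; `RedactedSecret` and `captured_log` are hypothetical names), this shows a wrapper that stays masked through `%s`, `%r`, f-strings and container reprs in log output, while a custom module must call `get_secret_value()` to use the raw value:

```python
import hmac
import io
import logging


class RedactedSecret:
    """Wraps a sensitive string and masks it in every implicit conversion.
    get_secret_value() is the only way out, so auditing leaks is one grep."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def get_secret_value(self) -> str:
        return self._value

    def __repr__(self) -> str:       # %r, repr(), dict/list reprs
        return "RedactedSecret('***')"

    __str__ = __repr__               # %s, str(), print()

    def __format__(self, spec: str) -> str:   # f"{secret}", str.format()
        return repr(self)

    def __eq__(self, other: object) -> bool:
        # Constant-time compare. Defining __eq__ also makes instances
        # unhashable, which is fine: nothing should key a dict on a secret.
        if isinstance(other, RedactedSecret):
            return hmac.compare_digest(self._value.encode(), other._value.encode())
        return NotImplemented

    def __reduce__(self):
        # Refuse pickle/deepcopy, which would otherwise persist the raw value.
        raise TypeError("RedactedSecret cannot be pickled or copied")


def captured_log(api_key: RedactedSecret, target: str) -> str:
    """Logs the secret the careless ways a module might; returns the output."""
    buf = io.StringIO()
    logger = logging.getLogger("example.redaction")
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    logger.addHandler(handler)
    try:
        logger.debug("key=%s", api_key)
        logger.debug("config=%r", {"target": target, "api_key": api_key})
        logger.debug("%s", f"interpolated key={api_key}")
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()
```

The same idea extends to exception messages and debug dumps: anything that reaches the value through `str()`, `repr()` or `format()` sees only the mask.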
How do I report a vulnerability in Pencheff itself?
Email [email protected]. We respond within 24 hours. All disclosures are
triaged publicly in our security advisory feed once patched.