
Quickstart

The shortest path from “I just installed Pencheff” to “I have a real finding in front of me” — one page per scan kind. Pick whichever asset class matches what you’re hardening today; every page finishes in under 10 minutes.

What you need first

  • The Pencheff CLI (pip install pencheff) or an account on app.pencheff.com or an MCP-capable IDE (Cursor, Continue, Cline, Zed). All three drive the same engine.
  • For URL scans — written authorization to test the target. The CLI and API both reject scans without a consent_payload.
  • For LLM scans — an API key for the model under test, plus an optional moderation key (e.g. OpenAI Moderation) for the judge step.
  • For repo scans — a GitHub App install, a fine-grained PAT, or a public GitHub URL.

Three depths, one shape

Every quickstart page uses the same three profiles — quick, standard, deep. The legacy specialised profiles (engage, compliance, api-only, cicd, sca, iac, supply-chain, network-va, hackme, compliance-full) still resolve at the runner for back-compat, but the dashboard, the docs, and the new scenarios all speak the three-tier vocabulary.

Tier     | URL scan                                          | LLM scan                 | Repo scan
---------|---------------------------------------------------|--------------------------|-----------------------------------
quick    | ~5 min — recon + top-severity probes              | 25 payloads, ~2 min      | All scanners, fast rules only
standard | ~20-40 min — full OWASP Top 10                    | 75 payloads, ~5 min      | All scanners + IaC + secrets
deep     | 60+ min — auto-engagement + chains + threat model | 250 payloads, 15-60 min  | All scanners + extended rule packs

Once you have a finding, Compliance mapping is the same flow for every target kind.

Going further

When you outgrow the rapid path, switch to the Tutorials section. Each tutorial walks an end-to-end scenario (auth-gated app, SPA crawl, CI gating, model drift A/B, audit-ready compliance bundle) and finishes with a runnable artefact you can ship to a customer.