The day our daily self-scan saved our launch
Six hours before launch, our own product caught seventeen CVEs in our deployed image that hadn't been in the previous day's report. One of them was a cryptography library advisory that had been published less than twelve hours earlier. We had patches in flight before the engineering team finished morning coffee.
This isn't a flex. It's the entire reason we built the platform the way we did, and it's a small story we think is worth telling because every team building any kind of software is one upstream advisory away from the same situation — the only question is whether you find out before or after your customers do.
The setup
Pwnkemon scans Pwnkemon. Every morning at 06:00 UTC, before anyone's awake, a scheduled job clones the latest commit on our main branch, scans it for known-vulnerable dependencies, SAST findings, hardcoded secrets, and the full git history for anything ever committed in error. The same scan also checks the Docker image we deploy — not the upstream base, but the actual built artifact, because the upstream tag and what you actually ship are rarely the same thing.
New high- or critical-severity findings page us in Sentry. If the report doesn't page anyone, the scan happened, found nothing new, and we go about our day. Quiet is the goal.
The morning
It wasn't quiet that morning. Sentry was loud. We'd picked up seventeen new findings between yesterday's scan and today's. Sixteen of them were boring — OS package updates published overnight, mostly informational, none with a plausible exploitation path against how we use the affected packages. The triage layer correctly downgraded them; the report marked them low and moved on.
The seventeenth was different. A cryptography library we'd pinned six weeks earlier had been quietly carrying a bug that turned a particular code path into a timing oracle. The advisory had been published the previous evening, US time. Patches existed. The triage layer correctly tagged it reachable: our source code actually imports the relevant function, in the relevant way, on a code path that runs on every authenticated request. By 09:00 we had the patch deployed, and the next day's scan confirmed clean.
Why this is the part that matters
The window between that advisory being published and our patch going out was about twelve hours. Nobody on the team was watching a vulnerability database for it the moment it landed; it showed up in our morning report because the scanner watches the same feeds anyone else can subscribe to and does the boring, easy-to-forget job of checking every morning instead of every quarter.
We talk about this on the landing page in one sentence: we scan our own code with our own product every day. That sentence is doing a lot of work. It means:
- If the scanner is broken in some subtle way, we notice before any customer does.
- If the triage is producing false positives, we suffer them first — so we have the strongest possible incentive to keep the report quality high.
- If a new high-severity CVE drops upstream, we catch it inside 24 hours by construction, not because we remembered to look.
The alternative is the model most security vendors run: scan customer code, never scan your own. We don't understand how that's defensible. If we wouldn't run the tool against our production code, we wouldn't ask you to run it against yours.
The takeaway
Three things, in increasing order of importance:
- Run a daily scan against your own production code. Not weekly, not quarterly: daily. The upstream advisory you're going to be bitten by next week was published last night. There's a finite window between disclosure and exploitation; shrinking your share of it requires a scan cadence faster than your release cycle.
- Page on new high-or-critical findings, not on totals. A daily scan that produces 200 findings today and 201 tomorrow shouldn't page anyone. The delta is the signal. Alert hygiene gets you out of bed when it matters.
- Make sure the scanner you use has been tested against its own authors' production code. It's a cheap proxy for whether the report is going to be useful or just noise. Ask the vendor.
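The paging rule from "The morning" and from the second takeaway, as an added example in Python. This is not Pwnkemon's code and not its report format; the advisory IDs (`ADV-...`), package names, the two day's reports, and the triage rule that caps an unreachable finding at "low" are all constructed for illustration. It diffs yesterday's report against today's and pages only on findings that are newly at or above the threshold, so a report that grows from 3 to 6 findings still pages for exactly the ones that matter.

```python
"""Delta-based paging over two daily scan reports (added example, not Pwnkemon's code).

A finding pages only if, after triage, it is at or above the severity threshold
today AND was not already at or above it yesterday. Totals never page on their own.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    id: str          # advisory identifier; constructed, not a real CVE
    package: str     # affected package in the scanned artifact
    severity: str    # severity as published by the feed
    reachable: bool  # True when our code imports and calls the affected path


def finding_key(f: Finding) -> tuple[str, str]:
    """Identity of a finding across days: same advisory, same package.
    A severity change alone does not make it a different finding."""
    return (f.id, f.package)


def effective_severity(f: Finding) -> str:
    """Assumed triage rule: a finding we cannot reach is capped at 'low'
    regardless of what the feed says; reachable findings keep their severity."""
    return f.severity if f.reachable else "low"


def pageworthy(yesterday: list[Finding], today: list[Finding],
               threshold: str = "high") -> list[Finding]:
    """Findings that cross the threshold for the first time today.

    Includes brand-new findings and known findings whose (triaged) severity
    was bumped over the bar, e.g. a medium re-rated critical upstream.
    Excludes findings that were already at or above the bar yesterday,
    since those were paged on the day they appeared."""
    bar = SEVERITY_RANK[threshold]
    prior = {finding_key(f): SEVERITY_RANK[effective_severity(f)] for f in yesterday}
    out = []
    for f in today:
        if SEVERITY_RANK[effective_severity(f)] < bar:
            continue
        if prior.get(finding_key(f), -1) >= bar:
            continue
        out.append(f)
    return out


def daily_report(yesterday: list[Finding], today: list[Finding]) -> dict:
    """What the morning job would hand to the pager: counts plus the delta."""
    page = pageworthy(yesterday, today)
    return {
        "total_yesterday": len(yesterday),
        "total_today": len(today),
        "page": bool(page),
        "page_ids": [f.id for f in page],
    }


# Constructed sample reports. Yesterday: one unreachable medium, one reachable
# high that was already paged the day it appeared, one reachable medium.
YESTERDAY = [
    Finding("ADV-0001", "libexample-os", "medium", reachable=False),
    Finding("ADV-0002", "libexample-os", "high", reachable=True),
    Finding("ADV-0003", "somepkg", "medium", reachable=True),
]

# Today: ADV-0003 was re-rated high upstream; three new findings landed, of
# which only the reachable critical in the crypto library should page.
TODAY = [
    Finding("ADV-0001", "libexample-os", "medium", reachable=False),
    Finding("ADV-0002", "libexample-os", "high", reachable=True),
    Finding("ADV-0003", "somepkg", "high", reachable=True),
    Finding("ADV-0004", "libexample-os", "low", reachable=False),
    Finding("ADV-0005", "otherlib", "high", reachable=False),     # triaged down
    Finding("ADV-0006", "cryptolib", "critical", reachable=True),  # the real one
]

if __name__ == "__main__":
    print(daily_report(YESTERDAY, TODAY))
```

Two design choices worth copying: identity is (advisory, package) rather than the whole record, so a severity edit upstream doesn't double-page a known finding, and the threshold is applied after triage, so a feed-rated "high" that our code never reaches stays out of the pager.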
You can wire the same daily scan up to your repos in two minutes: install the GitHub App, mint a token, drop the Pwnkemon Scan GitHub Action into a scheduled workflow. The infrastructure is the same thing we run on ourselves. We just hand it to you with a dashboard on top.