Code scans
Pwnkemon scans your source code as well as your running infrastructure. Connect a GitHub repository, pick a branch or commit, and we check it for known-vulnerable dependencies, hard-coded secrets, and common SAST patterns — then a triage step deduplicates, calibrates severity, and writes a clean report.
What gets checked
- Python dependencies — via pip-audit. Reads every requirements*.txt and pyproject.toml in the repo and reports any package with a published CVE in the PyPI advisory database.
- Node dependencies — via npm audit. Requires a package-lock.json or yarn.lock.
- Go, Rust, Java, Ruby, .NET dependencies — via trivy fs. Picks up the ecosystems pip-audit and npm audit don't cover, plus Dockerfiles and IaC manifests.
- SAST patterns — via semgrep with the default OSS ruleset. Catches SQL-injection sinks, hardcoded secrets, XSS-prone DOM access, weak crypto, command-injection patterns, and a few hundred more across most popular languages.
- Leaked secrets in the working tree — via trivy's secret scanner. AWS keys, Stripe keys, SSH private keys, and similar high-confidence patterns.
- Leaked secrets in the full git history — via gitleaks. Catches credentials that were committed at any point and later “removed” in a follow-up commit but never rotated. Anyone with read access to the repo can still recover them, so they still count as a leak. The finding tells you exactly which commit introduced it.
How the triage works
Raw scanner output is noisy. A typical run on a real repo will produce dozens or hundreds of findings, many of which are false positives or duplicates. After the scanners finish, Pwnkemon hands the raw output to Claude with the repository context and asks it to:
- Deduplicate findings reported by multiple scanners
- Demote or drop findings in dev-only / test-only / vendored code
- Calibrate severity (e.g. a critical CVE in a transitive dev dependency is not “critical” for the user)
- Write a remediation recommendation for each finding
The result is a much shorter, much more actionable list than the bare scanner JSON.
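A deterministic version of the first three triage steps (merge duplicates across scanners, demote dev/test/vendored hits, step severity down), as an added example that is not Pwnkemon's own code; it assumes each scanner's JSON has already been flattened into the small dict shape shown, the path heuristic is an assumption, and the advisory ids and rule names in the sample are placeholders:

```python
import re

# Paths that mark dev-only, test-only or vendored scope (heuristic; an assumption of this example).
DEMOTE_RE = re.compile(r"(^|/)(tests?|spec|vendor|node_modules|fixtures)(/|$)|requirements-dev\.txt$")
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

def demote(severity: str) -> str:
    """Step severity down one level; 'info' stays 'info'."""
    return SEVERITY_ORDER[max(SEVERITY_ORDER.index(severity) - 1, 0)]

def finding_key(f: dict) -> tuple:
    """Scanner-independent identity: (package, advisory id) for dependencies, (path, line, rule) otherwise."""
    if f["kind"] == "dependency":
        return ("dep", f["package"].lower(), f["id"].upper())
    return ("code", f["path"], f["line"], f["rule"])

def pre_triage(findings: list[dict]) -> list[dict]:
    """Merge duplicates across scanners, record which scanners agreed, demote dev/test/vendored hits."""
    merged: dict[tuple, dict] = {}
    for f in findings:
        key = finding_key(f)
        if key in merged:  # same issue already seen via another scanner
            merged[key]["scanners"].add(f["scanner"])
            continue
        entry = {**f, "scanners": {f["scanner"]}}
        if DEMOTE_RE.search(entry["path"]):
            entry["severity"] = demote(entry["severity"])
            entry["note"] = "demoted: dev/test/vendored scope"
        merged[key] = entry
    # Highest severity first, so the report leads with what matters.
    return sorted(merged.values(), key=lambda e: SEVERITY_ORDER.index(e["severity"]), reverse=True)

# Constructed sample (not real scanner output): one CVE seen by both pip-audit and trivy, a critical
# CVE in a dev-only manifest, a semgrep hit inside tests/, and a gitleaks hit from git history.
SAMPLE = [
    {"scanner": "pip-audit", "kind": "dependency", "package": "Somepkg", "id": "cve-0000-0001",
     "severity": "medium", "path": "requirements.txt"},
    {"scanner": "trivy", "kind": "dependency", "package": "somepkg", "id": "CVE-0000-0001",
     "severity": "medium", "path": "requirements.txt"},
    {"scanner": "pip-audit", "kind": "dependency", "package": "devtool", "id": "CVE-0000-0002",
     "severity": "critical", "path": "requirements-dev.txt"},
    {"scanner": "semgrep", "kind": "code", "path": "tests/test_db.py", "line": 12,
     "rule": "placeholder-sql-injection-rule", "severity": "high"},
    {"scanner": "gitleaks", "kind": "secret", "path": "config/prod.env", "line": 3,
     "rule": "placeholder-aws-key-rule", "severity": "critical"},
]

if __name__ == "__main__":
    for e in pre_triage(SAMPLE):
        print(e["severity"], sorted(e["scanners"]), e.get("package") or e["path"], e.get("note", ""))
```

The remediation text for each surviving finding is the part that still needs the model; this pass only shrinks and orders what it is given.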
Connecting GitHub
Public repos clone anonymously — no GitHub auth needed. For private repos, install the Pwnkemon GitHub App from the Scans page. The App requests only two read-only permissions:
- Contents: Read — needed to clone the repo.
- Metadata: Read — needed to look up the repo's default branch and commit SHA for the report.
At install time, you choose exactly which repos the App can access — one, several, or all repos in your org. We never store a long-lived access token: each scan mints a fresh 1-hour installation token, uses it, and discards it.
Uninstall any time at github.com/settings/installations, or click Disconnect on the new-scan form.
What we don't do
- We literally cannot write to your repos. The App has read-only permissions; even if our worker container were compromised, GitHub would reject any write attempt.
- We clone full history (single branch) so the git-history secret scan works, then delete the working tree as soon as the scan completes. Your code never sits on our disks beyond the lifetime of one scan.
- To scan on every pull request and post findings as a PR comment, use the Pwnkemon Scan GitHub Action — it uses the same GitHub App + scan path under the hood, with the scan running on our isolated infrastructure rather than your CI runner.
Cost
Code scans charge the standard tier cost in credits, same as any other scan. The scanners themselves are CPU-only and cost us nothing; the only LLM call is the triage pass, which on a typical repo is much cheaper than an agentic network scan.