Continuous security scanning

Find vulnerabilities before attackers do.

PennScan orchestrates seven open-source scanners behind one pipeline — dedupes their findings, prioritizes by exploitability, and ships AI-written fixes straight into your CI.

Built on owasp-zap, nuclei, nikto, trivy, semgrep, burp-enterprise and 3 more

Key features

Seven scanners, one pipeline

ZAP, Nuclei, Nikto, Trivy, Semgrep, Burp Enterprise, and your own rules — orchestrated with dedupe, baselines, and historical trendlines out of the box.

AI analysis devs actually read

Findings grouped by root cause, ranked by exploitability, and shipped with concrete fix steps — not "severity: high". Triage actions propagate to your next scan.

Authorized targets only

Allowlist + denylist + rate limiting enforced at the engine. Every scan proves authorization before a single packet ships. Logged, signed, auditable.
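One way an engine can enforce the feature described above, as an added illustration that is not PennScan's own code: the HMAC-SHA256 signing scheme over the sorted host list, the denylist-wins ordering and the sliding-window rate limit are assumptions chosen for this example.

```python
# Added example (not PennScan's code): refuse to emit traffic to any host that
# is not on a signed allowlist, with the denylist taking precedence and a
# per-minute rate limit. Signing scheme and window size are assumptions.
import hmac, hashlib, json, time
from urllib.parse import urlsplit

def sign_allowlist(entries, key):
    """Produce a signed allowlist; the signature binds the exact host set."""
    body = json.dumps(sorted(entries), separators=(",", ":"))
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"entries": sorted(entries), "sig": sig}

def verify_allowlist(doc, key):
    """Constant-time check that the entries were not edited after signing."""
    body = json.dumps(sorted(doc["entries"]), separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["sig"])

class AuthorizedTargets:
    def __init__(self, signed_doc, key, denylist=(), max_per_minute=60):
        if not verify_allowlist(signed_doc, key):
            raise ValueError("allowlist signature invalid: refusing to scan")
        self.allow = set(signed_doc["entries"])
        self.deny = set(denylist)   # denylist always wins over allowlist
        self.max = max_per_minute
        self.window = []            # request timestamps within the last 60s

    def authorize(self, url, now=None):
        """Return (ok, reason); the engine calls this before any packet is sent."""
        host = urlsplit(url).hostname or ""
        if host in self.deny:
            return False, "denylisted"
        if host not in self.allow:
            return False, "not on signed allowlist"
        now = time.monotonic() if now is None else now
        self.window = [t for t in self.window if now - t < 60]
        if len(self.window) >= self.max:
            return False, "rate limit"
        self.window.append(now)
        return True, "ok"
```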

Event-driven by default

Trigger on every PR via GitHub webhooks, on a cron, or on demand from the CLI. Gate merges on new HIGH/CRITICAL findings through a single status check.

Multi-project isolation

Per-project allowlists, findings, API keys, and quotas. Scan twenty services without cross-contamination or shared-blast risk.

Self-hostable engine

The PennScan engine runs anywhere Python runs. Air-gapped docker-compose overlay included. Bring your own rules and your own scanners — no vendor lock-in.

From zero to gated merges in three steps

  1. Allowlist your target

    Paste a URL or repo and prove you own it. The engine refuses to scan anything not on the signed allowlist — no accidental third-party traffic, no legal exposure.

  2. Scan on your trigger

    Every PR, every deploy, a nightly cron, or on-demand from the CLI. Ten scanners run in parallel; findings are deduped and ranked by exploitability before they ever reach your inbox.

  3. Gate the merge

    A single GitHub status check fails the PR on new HIGH/CRITICAL findings. AI-written fix steps ship in the PR comment. Triage once — decisions propagate to every future scan.
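The dedupe-then-gate logic of steps 2 and 3, as an added example that is not PennScan's code: the finding shape, the fingerprint scheme (rule category plus location, case-folded) and the baseline-as-fingerprint-set model are assumptions made for illustration.

```python
# Added example (not PennScan's code): collapse the same issue reported by
# several tools into one finding, then fail only on findings that are new
# relative to the previous scan's baseline and meet the fail-on threshold.
import hashlib

SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def fingerprint(finding):
    """Dedupe key: same rule class at the same location, whichever tool saw it."""
    key = f"{finding['category']}|{finding['location']}".lower()
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def dedupe(findings):
    """Merge cross-tool duplicates, keeping the highest severity and every reporting tool."""
    merged = {}
    for f in findings:
        fp = fingerprint(f)
        if fp not in merged:
            merged[fp] = {**f, "fingerprint": fp, "tools": {f["tool"]}}
            continue
        m = merged[fp]
        m["tools"].add(f["tool"])
        if SEVERITY_ORDER.index(f["severity"]) > SEVERITY_ORDER.index(m["severity"]):
            m["severity"] = f["severity"]
    return list(merged.values())

def gate(findings, baseline_fps, fail_on=("HIGH", "CRITICAL")):
    """Return (passed, new_findings): block only on new findings at or above threshold."""
    new = [f for f in dedupe(findings) if f["fingerprint"] not in baseline_fps]
    blocking = [f for f in new if f["severity"] in fail_on]
    return (not blocking), new

# Constructed sample: two tools report the same TLS issue; one new XSS finding.
SAMPLE = [
    {"tool": "zap", "category": "tls-weak-cipher", "location": "staging.example.test:443", "severity": "MEDIUM"},
    {"tool": "nikto", "category": "TLS-Weak-Cipher", "location": "staging.example.test:443", "severity": "LOW"},
    {"tool": "nuclei", "category": "reflected-xss", "location": "/search?q=", "severity": "HIGH"},
]
```

The baseline for the next run is simply the set of fingerprints accepted in this one, which is how a triage decision carries forward.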

CI integration example

Drop-in GitHub Action — gate your PRs on real signal

# .github/workflows/pennscan.yml
name: pennscan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: pennscan/scan-action@v1
        with:
          project: my-api
          target: ${{ env.STAGING_URL }}
          fail-on: HIGH,CRITICAL  # block the PR

Launch pricing

While we validate — Pro and Enterprise are $1/mo. Upgrade any time.

Free
$0 / mo
  • 100 scans / month
  • 20 AI analyses
  • 3 projects
  • 30-day retention
Enterprise · launch
$1 / mo
  • 100k scans
  • 20k AI analyses
  • Unlimited projects
  • 10-year retention
  • SSO + dedicated support

Questions we get a lot

Is this legal to run against my sites?

Yes — PennScan only scans targets you've explicitly allowlisted inside your project. Every run proves authorization before a single packet ships, and the allowlist is signed and auditable. Running against third-party targets without authorization is blocked at the engine, not just the UI.

Which scanners are included?

ZAP, Nuclei, Nikto, Trivy, Semgrep, Burp Enterprise, and a set of in-house rules — ten tools total. Findings are deduped across tools and ranked by exploitability, so you don't get ten copies of the same TLS warning.

Can I self-host the engine?

Yes. The engine is plain Python and ships with an air-gapped docker-compose overlay. Bring your own rules, your own scanners, and your own infrastructure — the hosted platform is a convenience, not a lock-in.

How is this different from Snyk, Dependabot, or Semgrep Cloud?

Those focus on a single surface (SCA, supply chain, SAST). PennScan orchestrates DAST + SAST + container + config in one pass, correlates findings across tools, and gates merges on a single status check. Semgrep and Trivy are part of our pipeline, not a competitor.

What happens if a scan finds a vulnerability in production?

Nothing exploitative. The scanners run non-destructive profiles by default; HIGH/CRITICAL findings trigger a webhook (Slack, GitHub, PagerDuty, or your SIEM) and can gate the next merge. We never attempt exploitation against production without an explicit `exploit=true` flag on a scoped target.

How long are findings retained?

30 days on Free, 180 days on Pro, 10 years on Enterprise. You can export findings as JSON or SARIF at any time; retention governs how long we keep them queryable in-platform.

Does it integrate with my CI?

A drop-in GitHub Action, a GitLab CI template, and a plain CLI for everything else. Fail on any severity threshold, post a PR comment with the delta since last scan, and gate the merge with a single status check.

Is the free tier really free?

Yes — no credit card, 100 scans/month and 20 AI analyses, 3 projects. Enough to evaluate PennScan against a real app end-to-end. If you hit the cap mid-month, scans queue rather than fail.

Ship faster without shipping CVEs.

Start scanning in five minutes. No credit card for the free tier.