Pencheff

Code security

Secrets and malware

gitleaks, YARA indicators, suspicious payloads, backdoor patterns, and evidence metadata.

Scope: Code And Supply Chain

Pencheff combines deterministic scanners, AI-guided probes, curated payloads, external tools, and evidence normalization so every signal lands in one remediation workflow.

Output: Unified evidence

Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.

Method: Deterministic first

Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.

From the Pencheff docs

gitleaks — secrets

Scanners

/repos/scanners

Scans the working tree for credential patterns: AWS keys, GCP service accounts, Slack tokens, private SSH keys, generic high-entropy strings. Every match is high severity — the right call is almost always to revoke and rotate.

From the Pencheff docs

YARA — malware / backdoor patterns


Runs the YARA engine against every file using Pencheff's bundled rule pack at bench/rules/yara/. Targets that actually appear in real source trees:

  • Minimal PHP webshells (eval($_GET[…]) families)
  • Obfuscated JS loaders (eval(atob(…)), Function(decodeURIComponent(…)))
  • Crypto-miner pool configs (stratum+tcp://, xmrig)
  • Python pickle RCE gadgets
  • Classic reverse-shell oneliners

Drop your own *.yar files into bench/rules/yara/ to extend the pack without touching Pencheff code.
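
A custom rule file of the kind described above, as an added example that is not part of Pencheff's bundled pack or docs. The file name, rule names and meta fields are assumptions; the two rules cover the obfuscated JS loader and miner pool config targets from the list.

```yara
// Constructed example: bench/rules/yara/custom_examples.yar
// (hypothetical file name; rule names and meta keys are illustrative).

rule Custom_JS_Decode_Then_Execute
{
    meta:
        description = "JavaScript that decodes a string and executes it in one expression"
        severity    = "high"   // free-form metadata, not interpreted by YARA

    strings:
        // eval(atob(...)), tolerating whitespace between tokens
        $ldr_eval_atob = /\beval\s*\(\s*atob\s*\(/ ascii
        // Function(decodeURIComponent(...)), with or without `new`
        $ldr_fn_decode = /\bFunction\s*\(\s*decodeURIComponent\s*\(/ ascii

    condition:
        // Skip very large files to keep regex scanning cheap
        filesize < 2MB and any of ($ldr_*)
}

rule Custom_Miner_Pool_Config
{
    meta:
        description = "Stratum pool URL alongside miner configuration markers"
        severity    = "high"

    strings:
        $stratum = "stratum+tcp://" ascii nocase
        $xmrig   = "xmrig" ascii nocase fullword
        // JSON-style "pools": key, used here as a corroborating marker
        $pools   = /"pools"\s*:/ ascii

    condition:
        // A bare stratum URL can appear in documentation or blocklists,
        // so require a second indicator to cut false positives
        filesize < 2MB and $stratum and ($xmrig or $pools)
}
```

Compile the file with `yarac` before adding it to the directory to catch syntax errors early.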

FAQ

Common questions

How does Pencheff detect hardcoded secrets in a repository?
Pencheff runs gitleaks across the full git history — not just the current HEAD — to find API keys, tokens, passwords, certificates, and private keys that were ever committed, even if they were later deleted.

What types of secrets can Pencheff detect?
Pencheff detects AWS, GCP, and Azure credentials, GitHub tokens, Stripe and Twilio API keys, JWT signing secrets, SSH private keys, TLS certificates, database connection strings, and generic high-entropy strings that match secret patterns.

Can Pencheff detect malware or backdoors in source code?
Yes. Pencheff applies YARA rule sets to detect known malware signatures, obfuscated code, suspicious eval patterns, supply-chain backdoors, and other malicious code indicators in both source files and compiled artefacts.
