Pre-Push Development Environment Security
Ship Fast. Ship Secure. DevGuard Catches Risk Before Push.
Pentesterra DevGuard performs a comprehensive security audit of your development environment before code reaches production - supply chain vulnerabilities, exposed secrets, AI toolchain risks, and cryptographic weaknesses, all detected locally and analyzed in the cloud.
No source code uploaded. No resident agents. Privacy-first by design.
See DevGuard in Action
Watch how DevGuard protects your development environment in real-time.
How to Use DevGuard
Step-by-step guide to getting started with DevGuard.
How Pentesterra DevGuard Works
Security analysis before your code even reaches the repository.
Developer runs DevGuard locally
The CLI or IDE plugin starts a full local project security analysis.
Local secure telemetry collection
DevGuard collects only required security telemetry - no source code and no raw secrets are sent.
Pentesterra cloud analysis
Pentesterra correlates risks, analyzes dependencies and AI toolchains, and builds an actionable security score.
Results everywhere
Results are available across CLI, VS Code/Cursor/Windsurf plugins, and the Pentesterra Web Portal.
Privacy-First Security
DevGuard is designed to work without requiring source code transfer.
Pentesterra DevGuard masks sensitive data and keeps only a short key prefix so developers can quickly locate the source in code. The client is fully transparent and can be reviewed by users.
AI Writes Code Faster Than Security Can Review It
Modern development moves fast. Security often arrives too late.
- AI-generated code ships with vulnerable dependencies
- Hardcoded secrets reach remote repositories
- Malicious packages enter supply chains through typosquats
- MCP and AI IDE tools introduce novel attack vectors
- Crypto misconfigurations bypass standard reviews
- Peer dependency conflicts cause silent runtime crashes
- Deprecated APIs in packages break on framework upgrades
- LLM gateway keys exposed in agent configuration files
- PHP and CMS platforms deployed with insecure defaults
- Business logic flaws go undetected until exploitation
- Every dependency mapped to CVE/KEV before push
- Secrets detected and masked - never transmitted
- Known malicious packages blocked at development stage
- AI toolchain configurations validated against threat intel
- LLM-assisted crypto analysis with compliance mapping
- Peer dependency conflicts flagged with semver analysis
- Deprecated APIs detected across all npm dependencies
- LLM gateway keys and insecure agentic patterns surfaced
- Go, PHP, and CMS misconfigurations caught before deploy
- Logic vulnerabilities detected from structural metadata alone
Three Steps. Zero Friction.
From install to actionable findings in under two minutes.
Install & Initialize
Single command install via pip. Initialize your project with pentestera-devguard init - links your local environment to the Pentesterra cloud console.
Local Collection
A thin local collector inventories dependencies, secrets, configurations, IDE extensions, AI toolchains, and credential surfaces. Only redacted metadata leaves your machine.
Cloud Analysis & Actionable Results
Pentesterra's cloud engine runs a 3-pass analysis - CPE matching, advisory correlation, and LLM-powered contextual assessment. Results available in CLI, IDE sidebar, and web console.
Security for the Modern Developer Environment
Modern attacks increasingly target development environments, not only production systems. DevGuard protects IDE extensions, AI coding toolchains, MCP servers, development runtimes, and local secrets before code reaches your repository or CI/CD.
33 Risk Modules. One Unified Scan.
DevGuard covers the modern development surface - from package lockfiles and AI IDE configurations to Go, PHP, CMS platforms, and LLM integration security.
Supply Chain & Dependency Analysis
15 lockfile parsers across npm, PyPI, Go, Rust, Ruby, PHP, Java, .NET, Swift, and Dart. Every dependency mapped against CVE, KEV, and exploit availability databases.
Secrets & Credential Detection
Pattern-based detection for AWS keys, OAuth tokens, JWT secrets, private keys, database credentials, and more. Privacy-first: only metadata and masked fingerprints are transmitted.
AI Toolchain & MCP Risk
Detects malicious MCP server configurations, suspicious AI IDE plugin patterns, and known exfiltration vectors across Cursor, Windsurf, VS Code, JetBrains, and more.
Known Malicious Packages
Cross-referenced against a curated database of 50+ confirmed malicious packages - supply chain attacks, protestware, typosquats, and dependency confusion vectors.
Cloud & Credential Surface
Inspects AWS, GCP, Azure, Terraform, and Kubernetes configurations. Detects SSH key exposure, Docker registry auth tokens, and OS credential stores across platforms.
Crypto & TLS Weakness Analysis
Detects deprecated TLS/SSL versions, weak ciphers, broken hash algorithms, insecure key sizes, and deprecated crypto libraries. LLM-powered contextual analysis reduces false positives.
Peer Dependency Conflicts
Parses peerDependencies from every installed npm package and validates against actual versions. Catches React 19 incompatibilities, missing required peers, and major version mismatches before they cause runtime crashes.
Deprecated API Detection
Scans dependency entry points for removed React 19 lifecycle methods (UNSAFE_componentWillMount), legacy ReactDOM.render, deprecated Node.js Buffer constructors, and obsolete built-in modules - before they break in production.
Business Process Detection
Automatically identifies business processes from structural metadata — package names, directory paths, env vars, ORM class names, OpenAPI paths. No source code transmitted. Outputs BP-IDs (BP-PAY-001, BP-AUTH-001...) with regulatory scope mapping (PCI-DSS, GDPR, HIPAA, SOX).
Logic Risk Detection
Detects 7 classes of application logic vulnerabilities: Missing Authorization, IDOR, Bypassable Workflow, Unverified State Transitions, Privileged Op Exposed, Race Conditions, Mass Assignment. Composite risk scoring 0–10.
Endpoint & Auth Map
Extracts HTTP routes with authentication/authorization status from FastAPI, Flask, Django, Express, NestJS, Next.js, Rails, Spring. Identifies unprotected sensitive endpoints without transmitting source code.
Data Asset Classification
Field-level ORM model extraction across 10+ ORMs (SQLAlchemy, Django, Prisma, TypeORM, Sequelize, Mongoose, GORM, ActiveRecord). Classifies data assets: financial, identity, PII, health, credential. Maps regulatory scope automatically.
Business Impact Report
9-section structured report linking attack vectors to business processes. Executive summary, compliance impact (PCI-DSS/GDPR/HIPAA/SOX), prioritized remediation plan sorted by severity and effort. Integrates with Pentesterra attack chain analysis.
SAST Lite — Static Analysis
Regex-based static analysis across Python and JavaScript/TypeScript source files. Detects SQL injection, XSS, command injection, SSRF, insecure deserialization, prototype pollution, and prompt injection. Privacy-first: only file path, line number, and a short snippet hash are transmitted — no source code sent.
Automation Platform Risk
Detects insecure configurations in n8n, Zapier, Make, and IFTTT workflows. Identifies dangerous execution nodes (Execute Command, Code Node), missing authentication on webhook triggers, unencrypted workflow storage, and CVE-mapped versions of automation platforms.
AI Agent Configuration Risk
Scans agent frameworks for dangerous tool exposure (ShellTool, BashTool, PythonREPLTool), unsafe prompt construction patterns, persistent memory storage risks, and unvalidated input flows in Python, TypeScript, and YAML agent definitions.
Vector DB Exposure
Identifies exposed vector database credentials and unauthenticated endpoints. Detects API keys for Pinecone, Weaviate, Qdrant, and OpenSearch in source files and environment configs. Flags Docker Compose services exposing ChromaDB, Qdrant, and Weaviate without authentication.
IDE Plugin Threat Intelligence
Cross-references your installed VS Code, Cursor, Windsurf, JetBrains, and Zed extensions against a threat intelligence database of malicious and typosquatted extensions. Detects AI agent plugins with excessive permissions and extensions reported in security advisories.
Go Security
Detects Go-specific security issues: InsecureSkipVerify in TLS configs, pprof profiler endpoints exposed without auth, math/rand used for security operations, SQL injection via fmt.Sprintf, HTTP servers without TLS. Full route enumeration for Gin, Echo, Chi, Fiber, and net/http.
PHP & CMS Security
Analyzes PHP.ini settings, Laravel .env files, and dangerous function usage (eval, exec, shell_exec, unserialize with user input). CMS coverage: WordPress plugin inventory, debug mode, xmlrpc.php exposure; Drupal, Joomla, Magento 2, and PrestaShop configuration risks.
LLM Integration & Prompt Injection Risk
Detects LLM gateway API key exposure (LiteLLM, OpenRouter, Portkey, Helicone), insecure agentic loops (while-true + LLM call without guards), LLM output piped to exec/subprocess (RCE chain), missing guardrails library, and multi-agent trust boundary violations where agent output is used as trusted tool input.
Broad Ecosystem Coverage
Dependency parsing, IDE inventory, and runtime detection across modern stacks.
33 Scan Modules
15 lockfile parsers (npm, pip, Go, Rust, Ruby, PHP, Maven, NuGet, Swift, Dart), SAST Lite, Go & PHP & CMS security, LLM integration risk, AI agent configs, vector DB exposure, automation platform risk, and crypto weakness analysis - all in one unified scan.
9 IDE Families
VS Code, Cursor, Windsurf, JetBrains family, Zed, Neovim, Claude Code, Continue.dev, Cline - extension inventory with version tracking and advisory matching.
40+ Framework Signatures
WordPress, Django, Laravel, Next.js, Rails, Angular, React, Vue, Express, Flask, Spring - automatic detection with version CVE correlation.
Advisory Intelligence
Continuous feed from GitHub Advisory Database, OSV.dev, and VS Code Marketplace - enriched with LLM-classified security news from 6 industry sources.
Thin Agent. Powerful Cloud Engine.
DevGuard follows a strict thin-agent philosophy. The local CLI performs only data collection and privacy redaction. All intelligence - CVE mapping, advisory correlation, LLM analysis, risk scoring - runs in Pentesterra's controlled cloud infrastructure.
- No intellectual property leaves your machine unredacted
- Secret values are never transmitted - only type, path, and masked fingerprint
- Payload inspection available via
--dry-runbefore any data is sent - 3-pass analysis engine: CPE lookup, advisory matching, LLM contextual fallback
- Re-analysis on new CVE data without rescanning
- API key authentication with bcrypt hashing and prefix-based resolution
What Sets DevGuard Apart
Not another dependency scanner. A development environment security platform.
Privacy-First
No source code upload. Only metadata and redacted findings leave the developer machine.
IDE-Native
VS Code, Cursor, Windsurf extensions with sidebar integration, scan-on-push hooks, and inline results.
Re-Analysis
When new CVEs are published, previously scanned projects are automatically re-evaluated - no rescan needed.
Pre-Push Gate
Git hook blocks push on critical findings. Configurable thresholds. CI/CD mode with exit codes.
How DevGuard Compares
| Capability | Pentesterra DevGuard | GitHub Advanced Security | Snyk / SCA Tools | IDE Security Plugins |
|---|---|---|---|---|
| Pre-push local project analysis | ✓ | ✕ | ✕ | partial |
| Dependency vulnerability detection | ✓ | ✓ | ✓ | partial |
| Malicious package detection | ✓ | ✕ | partial | ✕ |
| Secrets detection before commit | ✓ | partial | partial | partial |
| Source code sent to cloud | ✕ | partial | partial | partial |
| IDE extensions security audit | ✓ | ✕ | ✕ | ✕ |
| AI / MCP toolchain analysis | ✓ | ✕ | ✕ | ✕ |
| Development environment security checks | ✓ | ✕ | partial | ✕ |
| Automatic risk re-analysis for new CVEs | ✓ | partial | partial | ✕ |
| Independent of Git hosting platform | ✓ | ✕ | partial | ✓ |
| SAST without source code upload | ✓ | ✕ | ✕ | partial |
| Go / PHP / CMS platform security checks | ✓ | ✕ | partial | ✕ |
| LLM integration & prompt injection risks | ✓ | ✕ | ✕ | ✕ |
| Business logic vulnerability detection | ✓ | ✕ | ✕ | ✕ |
Integrated Into Your Workflow
CLI, IDE extension, and CI/CD - three surfaces, one consistent security posture.
Command Line
pip install, single-command scan. Supports --ci mode with configurable exit codes for pipeline integration. Local reports, dry-run inspection, and branch-aware scanning.
VS Code / Cursor / Windsurf
Native extension with sidebar panels - project status, last scan results, risk gauge. Scan-on-push file watcher and one-click pre-push hook installation.
Web Console
Full dashboard with project overview, scan history, findings grouped by risk category, severity trends, and API key management. Part of the Pentesterra platform.
Pre-Push Security Gate
DevGuard installs a git pre-push hook that runs a full security scan before code leaves your machine. Configurable severity thresholds - block on critical, high, or medium findings. CI/CD mode returns structured exit codes for pipeline enforcement. Bypass available with git push --no-verify when needed.
Built for Modern Development Teams
AI-Era Developers
Cursor · Windsurf · Copilot · Cloud IDE
AI generates code fast - DevGuard validates its security posture before commit. MCP configurations, AI extensions, and generated dependencies all covered.
Startups & Small Teams
Developers without dedicated security
Free tier available. Zero infrastructure overhead. pip install and scan - enterprise-grade security intelligence without enterprise complexity.
DevSecOps & Security Teams
Security Engineers · AppSec · Platform Teams
Enforce pre-push policies, track supply chain risk across projects, and feed findings into the full Pentesterra vulnerability management pipeline.
From Development to Full-Cycle Security
DevGuard is your entry point into the Pentesterra platform.
DevGuard
Pre-push security audit. Supply chain, secrets, AI toolchain, and crypto risk - caught before code leaves the developer machine.
Web & API Pentest
Authenticated and unauthenticated testing of deployed applications. Evidence-based exploit validation with verification workflows.
Full-Cycle Platform
Network assessment, attack chain analysis, compliance mapping, and continuous verification - one platform covering the entire security lifecycle.
Tier 2 · Vibe Coding Pro - Extended Dev Security
Attack Chain Analysis
DevGuard findings feed directly into Pentesterra's Attack Chain engine. The platform correlates supply chain risks, exposed secrets, misconfigured containers, and vulnerable runtimes with network and web pentest data to compute realistic multi-step attack paths - showing exactly how an attacker could pivot from a compromised dependency to full infrastructure access.
The output is a ranked list of attack chains with severity scores, affected assets, compliance gaps, and an AI-generated executive narrative - giving security teams and management a clear picture of exploitability before a real attacker finds it.
Who DevGuard Is Built For
AI-Driven Development
Projects built with Cursor, Copilot, or other AI tools need fast security feedback before deployment.
Startup Teams
Fast-moving teams can run security checks without maintaining a full DevSecOps pipeline.
Internal Development Environments
DevGuard helps secure internal services and development infrastructure.
Modern attacks target developers, not just production systems.
Pentesterra DevGuard detects security risks in the development environment before they reach your repository or your users.