Pre-Push Development Environment Security
Pentesterra DevGuard performs a comprehensive security audit of your development environment before code reaches production - supply chain vulnerabilities, exposed secrets, AI toolchain risks, and cryptographic weaknesses, all detected locally and analyzed in the cloud.
No source code uploaded. No resident agents. Privacy-first by design.
Watch how DevGuard protects your development environment in real-time.
Security analysis before your code even reaches the repository.
The CLI or IDE plugin starts a full local project security analysis.
DevGuard collects only required security telemetry - no source code and no raw secrets are sent.
Pentesterra correlates risks, analyzes dependencies and AI toolchains, and builds an actionable security score.
Results are available across CLI, VS Code/Cursor/Windsurf plugins, and the Pentesterra Web Portal.
DevGuard is designed to work without requiring source code transfer.
Pentesterra DevGuard masks sensitive data and keeps only a short key prefix so developers can quickly locate the source in code. The client is fully transparent and can be reviewed by users.
Modern development moves fast. Security often arrives too late.
From install to actionable findings in under two minutes.
Single command install via pip. Initialize your project with pentestera-devguard init - links your local environment to the Pentesterra cloud console.
A thin local collector inventories dependencies, secrets, configurations, IDE extensions, AI toolchains, and credential surfaces. Only redacted metadata leaves your machine.
Pentesterra's cloud engine runs a 3-pass analysis - CPE matching, advisory correlation, and LLM-powered contextual assessment. Results available in CLI, IDE sidebar, and web console.
Modern attacks increasingly target development environments, not only production systems. DevGuard protects IDE extensions, AI coding toolchains, MCP servers, development runtimes, and local secrets before code reaches your repository or CI/CD.
DevGuard covers the modern development surface - from package lockfiles and AI IDE configurations to Go, PHP, CMS platforms, and LLM integration security.
15 lockfile parsers across npm, PyPI, Go, Rust, Ruby, PHP, Java, .NET, Swift, and Dart. Every dependency mapped against CVE, KEV, and exploit availability databases.
Pattern-based detection for AWS keys, OAuth tokens, JWT secrets, private keys, database credentials, and more. Privacy-first: only metadata and masked fingerprints are transmitted.
Detects malicious MCP server configurations, suspicious AI IDE plugin patterns, and known exfiltration vectors across Cursor, Windsurf, VS Code, JetBrains, and more.
Cross-referenced against a curated database of 50+ confirmed malicious packages - supply chain attacks, protestware, typosquats, and dependency confusion vectors.
Inspects AWS, GCP, Azure, Terraform, and Kubernetes configurations. Detects SSH key exposure, Docker registry auth tokens, and OS credential stores across platforms.
Detects deprecated TLS/SSL versions, weak ciphers, broken hash algorithms, insecure key sizes, and deprecated crypto libraries. LLM-powered contextual analysis reduces false positives.
Parses peerDependencies from every installed npm package and validates against actual versions. Catches React 19 incompatibilities, missing required peers, and major version mismatches before they cause runtime crashes.
Scans dependency entry points for removed React 19 lifecycle methods (UNSAFE_componentWillMount), legacy ReactDOM.render, deprecated Node.js Buffer constructors, and obsolete built-in modules - before they break in production.
Automatically identifies business processes from structural metadata - package names, directory paths, env vars, ORM class names, OpenAPI paths. No source code transmitted. Outputs BP-IDs (BP-PAY-001, BP-AUTH-001...) with regulatory scope mapping (PCI-DSS, GDPR, HIPAA, SOX).
Detects 7 classes of application logic vulnerabilities: Missing Authorization, IDOR, Bypassable Workflow, Unverified State Transitions, Privileged Op Exposed, Race Conditions, Mass Assignment. Composite risk scoring 0–10.
Extracts HTTP routes with authentication/authorization status from FastAPI, Flask, Django, Express, NestJS, Next.js, Rails, Spring. Identifies unprotected sensitive endpoints without transmitting source code.
Field-level ORM model extraction across 10+ ORMs (SQLAlchemy, Django, Prisma, TypeORM, Sequelize, Mongoose, GORM, ActiveRecord). Classifies data assets: financial, identity, PII, health, credential. Maps regulatory scope automatically.
9-section structured report linking attack vectors to business processes. Executive summary, compliance impact (PCI-DSS/GDPR/HIPAA/SOX), prioritized remediation plan sorted by severity and effort. Integrates with Pentesterra attack chain analysis.
Regex-based static analysis across Python and JavaScript/TypeScript source files. Detects SQL injection, XSS, command injection, SSRF, insecure deserialization, prototype pollution, and prompt injection. Privacy-first: only file path, line number, and a short snippet hash are transmitted - no source code sent.
Detects insecure configurations in n8n, Zapier, Make, and IFTTT workflows. Identifies dangerous execution nodes (Execute Command, Code Node), missing authentication on webhook triggers, unencrypted workflow storage, and CVE-mapped versions of automation platforms.
Scans agent frameworks for dangerous tool exposure (ShellTool, BashTool, PythonREPLTool), unsafe prompt construction patterns, persistent memory storage risks, and unvalidated input flows in Python, TypeScript, and YAML agent definitions.
Identifies exposed vector database credentials and unauthenticated endpoints. Detects API keys for Pinecone, Weaviate, Qdrant, and OpenSearch in source files and environment configs. Flags Docker Compose services exposing ChromaDB, Qdrant, and Weaviate without authentication.
Cross-references your installed VS Code, Cursor, Windsurf, JetBrains, and Zed extensions against a threat intelligence database of malicious and typosquatted extensions. Detects AI agent plugins with excessive permissions and extensions reported in security advisories.
Detects Go-specific security issues: InsecureSkipVerify in TLS configs, pprof profiler endpoints exposed without auth, math/rand used for security operations, SQL injection via fmt.Sprintf, HTTP servers without TLS. Full route enumeration for Gin, Echo, Chi, Fiber, and net/http.
Analyzes PHP.ini settings, Laravel .env files, and dangerous function usage (eval, exec, shell_exec, unserialize with user input). CMS coverage: WordPress plugin inventory, debug mode, xmlrpc.php exposure; Drupal, Joomla, Magento 2, and PrestaShop configuration risks.
Detects LLM gateway API key exposure (LiteLLM, OpenRouter, Portkey, Helicone), insecure agentic loops (while-true + LLM call without guards), LLM output piped to exec/subprocess (RCE chain), missing guardrails library, and multi-agent trust boundary violations where agent output is used as trusted tool input.
Detects supply-chain persistence and credential harvesting in installed Python packages - the class of attack used in litellm 1.82.8. Three layers: (1) .pth files with executable code in site-packages auto-executed at every Python startup; (2) installed packages reading cloud credential env vars (AWS, GCP, Azure, GitHub, OpenAI) combined with outbound network calls in the same file; (3) subprocess/os.system at module level in __init__.py. Cross-references with .env to confirm active attack surface.
Maps every external service your project connects to: databases, LLMs, queues, object storage, auth providers, monitoring, and automation platforms. Extracted from connection strings, SDK imports, Docker Compose, and config files. Surfaces unencrypted connections, hardcoded credentials in URIs, unauthenticated endpoints, and forgotten services - like Firebase without auth or n8n without an encryption key left from the MVP phase. Available on the free tier in CLI output, IDE plugin sidebar, and web console.
Traces how detected API keys and secrets are actually used in code - and whether they are being exfiltrated. Catches the most dangerous supply-chain attack: a GitHub project that works correctly but routes all LLM SDK calls through an attacker-controlled proxy via a custom base_url, silently collecting your key and every prompt. Also detects credential variables near HTTP calls to unexpected domains, subprocess curl exfiltration, credentials forwarded via webhooks, MCP servers configured with credential env vars, base64-encoded exfiltration, credentials in log statements, and secrets passed to unverified GitHub Actions.
Full API endpoint inventory with authentication coverage analysis across Flask, FastAPI, Django, Express, NestJS, Gin, Echo, and Chi. Detects unprotected routes, auth regressions, and missing authorization. Includes BOLA/IDOR surface detection (OWASP API Top 10 #1) - identifies authenticated endpoints that accept resource IDs without apparent ownership verification. Pre-push route diff blocks commits that introduce unprotected critical endpoints or remove authentication from existing routes.
Detects GraphQL APIs across SDL schema files, Graphene, Strawberry, Apollo, and Nexus codebases. Identifies unauthenticated mutations and sensitive queries, missing authorization decorators on resolvers, and introspection endpoints left open in production. Tracks auth coverage per operation type (query / mutation / subscription) without transmitting any source code.
Dependency parsing, IDE inventory, and runtime detection across modern stacks.
15 lockfile parsers (npm, pip, Go, Rust, Ruby, PHP, Maven, NuGet, Swift, Dart), SAST Lite, Go & PHP & CMS security, LLM integration risk, AI agent configs, vector DB exposure, automation platform risk, service dependency map, credential flow analysis, and crypto weakness analysis - all in one unified scan.
VS Code, Cursor, Windsurf, JetBrains family, Zed, Neovim, Claude Code, Continue.dev, Cline - extension inventory with version tracking and advisory matching.
WordPress, Django, Laravel, Next.js, Rails, Angular, React, Vue, Express, Flask, Spring - automatic detection with version CVE correlation.
Continuous feed from GitHub Advisory Database, OSV.dev, and VS Code Marketplace - enriched with LLM-classified security news from 6 industry sources.
DevGuard follows a strict thin-agent philosophy. The local CLI performs only data collection and privacy redaction. All intelligence - CVE mapping, advisory correlation, LLM analysis, risk scoring - runs in Pentesterra's controlled cloud infrastructure.
--dry-run before any data is sentNot another dependency scanner. A development environment security platform.
No source code upload. Only metadata and redacted findings leave the developer machine.
VS Code, Cursor, Windsurf extensions. Zero-setup: auto-installs CLI on first use, auto-updates, sidebar integration, scan-on-push hooks, and inline results.
When new CVEs are published, previously scanned projects are automatically re-evaluated - no rescan needed.
Git hook blocks push on critical findings. Configurable thresholds. CI/CD mode with exit codes.
| Capability | Pentesterra DevGuard | GitHub Advanced Security | Snyk / SCA Tools | IDE Security Plugins |
|---|---|---|---|---|
| Pre-push local project analysis | ✓ | ✕ | ✕ | partial |
| Dependency vulnerability detection | ✓ | ✓ | ✓ | partial |
| Malicious package detection | ✓ | ✕ | partial | ✕ |
| Secrets detection before commit | ✓ | partial | partial | partial |
| Source code sent to cloud | ✕ | partial | partial | partial |
| IDE extensions security audit | ✓ | ✕ | ✕ | ✕ |
| AI / MCP toolchain analysis | ✓ | ✕ | ✕ | ✕ |
| Development environment security checks | ✓ | ✕ | partial | ✕ |
| Automatic risk re-analysis for new CVEs | ✓ | partial | partial | ✕ |
| Independent of Git hosting platform | ✓ | ✕ | partial | ✓ |
| SAST without source code upload | ✓ | ✕ | ✕ | partial |
| Go / PHP / CMS platform security checks | ✓ | ✕ | partial | ✕ |
| LLM integration & prompt injection risks | ✓ | ✕ | ✕ | ✕ |
| Business logic vulnerability detection | ✓ | ✕ | ✕ | ✕ |
| Python .pth execution hook & installed package credential harvesting | ✓ | ✕ | ✕ | ✕ |
| Credential flow analysis - proxy redirect, exfiltration, MCP exposure | ✓ | ✕ | ✕ | ✕ |
| Service dependency map - all external connections with TLS & protocol risk | ✓ | ✕ | partial | ✕ |
CLI, IDE extension, and CI/CD - three surfaces, one consistent security posture.
The CLI is the core tool. It performs all security analysis and runs standalone in any terminal or CI/CD pipeline.
The IDE extension is zero-setup. On first use it automatically downloads and installs the CLI - no separate pip install required. It adds visual sidebar panels, scan-on-push file watchers, and inline results, and auto-updates itself (from Marketplace or our site). Choose CLI for terminal and CI/CD workflows; choose the extension for IDE integration with automatic updates.
pip install, single-command scan. Supports --ci mode with configurable exit codes for pipeline integration. Local reports, dry-run inspection, and branch-aware scanning.
Native extension with sidebar panels. Auto-installs CLI on first use. Auto-updates from Marketplace or our site. Scan-on-push watcher and one-click pre-push hook installation.
Full dashboard with project overview, scan history, findings grouped by risk category, severity trends, and API key management. Part of the Pentesterra platform.
DevGuard installs a git pre-push hook that runs a full security scan before code leaves your machine. Configurable severity thresholds - block on critical, high, or medium findings. CI/CD mode returns structured exit codes for pipeline enforcement. Bypass available with git push --no-verify when needed.
Cursor · Windsurf · Copilot · Cloud IDE
AI generates code fast - DevGuard validates its security posture before commit. MCP configurations, AI extensions, and generated dependencies all covered.
Developers without dedicated security
Free tier available. Zero infrastructure overhead. pip install and scan - enterprise-grade security intelligence without enterprise complexity.
Security Engineers · AppSec · Platform Teams
Enforce pre-push policies, track supply chain risk across projects, and feed findings into the full Pentesterra vulnerability management pipeline.
DevGuard is your entry point into the Pentesterra platform.
Pre-push security audit. Supply chain, secrets, AI toolchain, and crypto risk - caught before code leaves the developer machine.
Authenticated and unauthenticated testing of deployed applications. Evidence-based exploit validation with verification workflows.
Network assessment, attack chain analysis, compliance mapping, and continuous verification - one platform covering the entire security lifecycle.
Tier 2 · Vibe Coding Pro - Extended Dev Security
DevGuard findings feed directly into Pentesterra's Attack Chain engine. The platform correlates supply chain risks, exposed secrets, misconfigured containers, and vulnerable runtimes with network and web pentest data to compute realistic multi-step attack paths - showing exactly how an attacker could pivot from a compromised dependency to full infrastructure access.
The output is a ranked list of attack chains with severity scores, affected assets, compliance gaps, and an AI-generated executive narrative - giving security teams and management a clear picture of exploitability before a real attacker finds it.
Projects built with Cursor, Copilot, or other AI tools need fast security feedback before deployment.
Fast-moving teams can run security checks without maintaining a full DevSecOps pipeline.
DevGuard helps secure internal services and development infrastructure.
Pentesterra DevGuard detects security risks in the development environment before they reach your repository or your users.
No. DevGuard follows a privacy-first architecture. Only metadata is transmitted: dependency names and versions, masked secret fingerprints (no actual values), misconfiguration patterns, and tech stack hints. Use --dry-run to inspect the exact payload before uploading.
DevGuard scans IDE configuration files for malicious MCP server configs, suspicious AI plugin patterns, and known exfiltration vectors across Cursor, Windsurf, VS Code, and JetBrains. It also detects LLM gateway key exposure, insecure agentic loops, and prompt injection risk patterns.
DevGuard identifies business processes from structural metadata - package names, directory paths, env vars, ORM class names, and API paths. No source code is transmitted. It outputs BP-IDs (e.g. BP-PAY-001, BP-AUTH-001) with regulatory scope mapping to PCI-DSS, GDPR, HIPAA, and SOX.
DevGuard includes automatic re-analysis. When new CVEs are published that match your previously scanned dependencies, your project is re-evaluated against the updated knowledge base - without requiring a new scan.
DevGuard CLI runs in any terminal environment and supports --json output for machine-readable results. Use the pre-push Git hook for local blocking, or integrate the CLI into GitHub Actions, GitLab CI, or any pipeline with configurable exit codes and fail thresholds.
Start with the free tier or talk to us about your environment - network, web, cloud, or on-prem.