Pre-Push Development Environment Security

Ship Fast. Ship Secure. DevGuard Catches Risk Before Push.

Pentesterra DevGuard performs a comprehensive security audit of your development environment before code reaches production — supply chain vulnerabilities, exposed secrets, AI toolchain risks, and cryptographic weaknesses, all detected locally and analyzed in the cloud.

No source code uploaded. No resident agents. Privacy-first by design.

AI Writes Code Faster Than Security Can Review It

Modern development moves fast. Security often arrives too late.

The Reality
  • AI-generated code ships with vulnerable dependencies
  • Hardcoded secrets reach remote repositories
  • Malicious packages enter supply chains through typosquats
  • MCP and AI IDE tools introduce novel attack vectors
  • Crypto misconfigurations bypass standard reviews
  • Peer dependency conflicts cause silent runtime crashes
  • Deprecated APIs in packages break on framework upgrades

With DevGuard
  • Every dependency mapped to CVE/KEV before push
  • Secrets detected and masked — never transmitted
  • Known malicious packages blocked at development stage
  • AI toolchain configurations validated against threat intel
  • LLM-assisted crypto analysis with compliance mapping
  • Peer dependency conflicts flagged with semver analysis
  • Deprecated APIs detected across all npm dependencies

Three Steps. Zero Friction.

From install to actionable findings in under two minutes.

01

Install & Initialize

Single command install via pip. Initialize your project with pentestera-devguard init — links your local environment to the Pentesterra cloud console.

02

Local Collection

A thin local collector inventories dependencies, secrets, configurations, IDE extensions, AI toolchains, and credential surfaces. Only redacted metadata leaves your machine.

03

Cloud Analysis & Actionable Results

Pentesterra's cloud engine runs a 3-pass analysis — CPE matching, advisory correlation, and LLM-powered contextual assessment. Results available in CLI, IDE sidebar, and web console.

17 Risk Modules. One Unified Scan.

DevGuard covers the modern development surface — from package lockfiles to AI IDE configurations.

Supply Chain & Dependency Analysis

15 lockfile parsers across npm, PyPI, Go, Rust, Ruby, PHP, Java, .NET, Swift, and Dart. Every dependency mapped against CVE, KEV, and exploit availability databases.
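The lockfile-to-advisory mapping described above, as an added example that is not DevGuard's own parser or database: it reads the `packages` map of an npm `package-lock.json` (lockfileVersion 2/3) and checks each installed version against advisories written in a simplified OSV-style `introduced`/`fixed` range shape. The lockfile, the advisory records and their `EXAMPLE-` identifiers are constructed for the demonstration, not real advisories.

```python
"""Parse an npm lockfile and match installed packages against OSV-style
advisory ranges.

Added example, not DevGuard's own code: the lockfile and the advisory
records below are constructed inline, and the advisory schema is a
simplified OSV "affected ranges" shape.
"""
import json
import re

# Constructed package-lock.json (lockfileVersion 3 layout: a "packages"
# map keyed by path, with the root project at key "").
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.15"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/minimist": {"version": "1.2.0", "dev": True},
    },
})

# Constructed advisories in a simplified OSV shape. The ids are placeholders,
# not real advisory identifiers; "introduced": "0" is the OSV convention for
# "affected from the first release".
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "lodash", "ecosystem": "npm",
     "ranges": [{"events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}],
     "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "minimist", "ecosystem": "npm",
     "ranges": [{"events": [{"introduced": "0"}, {"fixed": "0.2.4"}]},
                {"events": [{"introduced": "1.0.0"}, {"fixed": "1.2.6"}]}],
     "severity": "MEDIUM"},
]


def parse_version(v):
    """Turn '4.17.21' (or '1.2.0-beta.1') into a comparable tuple of ints."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core)[:3]) or (0,)


def parse_npm_lockfile(text):
    """Yield (name, version, is_dev) for every installed package in a
    lockfileVersion 2/3 'packages' map; the name is derived from the path."""
    data = json.loads(text)
    for path, entry in data.get("packages", {}).items():
        if path == "":
            continue  # root project, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, entry["version"], bool(entry.get("dev"))


def is_affected(version, ranges):
    """OSV semantics: a version is affected if it is >= some 'introduced'
    event and < the next 'fixed' event in the same range; an 'introduced'
    with no following 'fixed' means every later version is affected."""
    v = parse_version(version)
    for rng in ranges:
        introduced = None
        for ev in rng["events"]:
            if "introduced" in ev:
                introduced = parse_version(ev["introduced"])
            elif "fixed" in ev and introduced is not None:
                if introduced <= v < parse_version(ev["fixed"]):
                    return True
                introduced = None
        if introduced is not None and v >= introduced:
            return True
    return False


def match_advisories(lock_text, advisories=ADVISORIES):
    """Return findings as (package, version, advisory_id, severity) tuples."""
    findings = []
    for name, version, _dev in parse_npm_lockfile(lock_text):
        for adv in advisories:
            if (adv["package"] == name and adv["ecosystem"] == "npm"
                    and is_affected(version, adv["ranges"])):
                findings.append((name, version, adv["id"], adv["severity"]))
    return findings


if __name__ == "__main__":
    for f in match_advisories(LOCKFILE):
        print("%s@%s affected by %s (%s)" % f)
```

Dev-only dependencies are reported alongside runtime ones here; a production tool would carry the `is_dev` flag through so that a build-time-only package can be scored differently from one that ships.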

Secrets & Credential Detection

Pattern-based detection for AWS keys, OAuth tokens, JWT secrets, private keys, database credentials, and more. Privacy-first: only metadata and masked fingerprints are transmitted.

AI Toolchain & MCP Risk

Detects malicious MCP server configurations, suspicious AI IDE plugin patterns, and known exfiltration vectors across Cursor, Windsurf, VS Code, JetBrains, and more.

Known Malicious Packages

Cross-referenced against a curated database of 50+ confirmed malicious packages — supply chain attacks, protestware, typosquats, and dependency confusion vectors.

Cloud & Credential Surface

Inspects AWS, GCP, Azure, Terraform, and Kubernetes configurations. Detects SSH key exposure, Docker registry auth tokens, and OS credential stores across platforms.

Crypto & TLS Weakness Analysis

Detects deprecated TLS/SSL versions, weak ciphers, broken hash algorithms, insecure key sizes, and deprecated crypto libraries. LLM-powered contextual analysis reduces false positives.

Peer Dependency Conflicts

Parses peerDependencies from every installed npm package and validates against actual versions. Catches React 19 incompatibilities, missing required peers, and major version mismatches before they cause runtime crashes.
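The peer-dependency validation described above, as an added example that is not DevGuard's implementation: it builds a small `node_modules` tree from constructed `package.json` files in a temporary directory, reads each package's `peerDependencies` and `peerDependenciesMeta`, and checks the declared ranges against the versions actually installed. The semver matcher is deliberately minimal (`^`, `~`, `>=`, exact, `*` and `||`), and scoped `@org/name` packages are not handled; both are assumptions of this example.

```python
"""Check npm peerDependencies against the versions actually installed.

Added example, not DevGuard's own code. The node_modules tree is built in a
temporary directory from constructed package.json files, and the semver
matcher supports only the range operators those constructed manifests use.
"""
import json
import os
import re
import tempfile


def parse_version(v):
    """'18.2.0' -> (18, 2, 0); pre-release/build suffixes are dropped."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version, range_spec):
    """Minimal semver range check: '^a.b.c', '~a.b.c', '>=a.b.c', exact,
    '*', and '||' alternatives. Assumption: no hyphen ranges or '<' bounds."""
    v = parse_version(version)
    for alt in range_spec.split("||"):
        alt = alt.strip()
        if alt in ("*", ""):
            return True
        op, base = re.match(r"(\^|~|>=)?\s*(.+)", alt).groups()
        b = parse_version(base)
        if op == ">=":
            ok = v >= b
        elif op == "^":
            # ^ keeps the major (or the minor when major is 0) and is >= base
            upper = (b[0] + 1, 0, 0) if b[0] else (0, b[1] + 1, 0)
            ok = b <= v < upper
        elif op == "~":
            ok = b <= v < (b[0], b[1] + 1, 0)
        else:
            ok = v == b
        if ok:
            return True
    return False


def installed_packages(node_modules):
    """Map name -> parsed package.json for every top-level installed package
    (scoped packages are not handled in this example)."""
    out = {}
    for name in sorted(os.listdir(node_modules)):
        pj = os.path.join(node_modules, name, "package.json")
        if os.path.isfile(pj):
            with open(pj) as fh:
                out[name] = json.load(fh)
    return out


def peer_conflicts(node_modules):
    """Return (package, peer, wanted, installed, kind) tuples, where kind is
    'missing' (required peer absent) or 'mismatch' (installed version is
    outside the declared range). Optional peers are skipped when absent."""
    pkgs = installed_packages(node_modules)
    conflicts = []
    for name, manifest in pkgs.items():
        optional = manifest.get("peerDependenciesMeta", {})
        for peer, wanted in manifest.get("peerDependencies", {}).items():
            if peer not in pkgs:
                if not optional.get(peer, {}).get("optional"):
                    conflicts.append((name, peer, wanted, None, "missing"))
            elif not satisfies(pkgs[peer]["version"], wanted):
                conflicts.append((name, peer, wanted, pkgs[peer]["version"], "mismatch"))
    return conflicts


def build_demo_tree():
    """Constructed node_modules: a React 19 app whose UI library still
    declares a React 17/18 peer range, plus a package missing a required peer."""
    root = tempfile.mkdtemp()
    nm = os.path.join(root, "node_modules")
    manifests = {
        "react": {"version": "19.0.0"},
        "react-dom": {"version": "19.0.0",
                      "peerDependencies": {"react": "^19.0.0"}},
        "ui-kit": {"version": "2.1.0",
                   "peerDependencies": {"react": "^17.0.0 || ^18.0.0",
                                        "react-dom": "^17.0.0 || ^18.0.0"}},
        "chart-lib": {"version": "0.4.2",
                      "peerDependencies": {"d3": ">=7.0.0", "typescript": "*"},
                      "peerDependenciesMeta": {"typescript": {"optional": True}}},
    }
    for name, manifest in manifests.items():
        os.makedirs(os.path.join(nm, name))
        with open(os.path.join(nm, name, "package.json"), "w") as fh:
            json.dump(dict(manifest, name=name), fh)
    return nm


if __name__ == "__main__":
    for conflict in peer_conflicts(build_demo_tree()):
        print(conflict)
```

The `ui-kit` mismatch is the React 19 case the text refers to: the package installs cleanly, and nothing fails until its hooks or legacy APIs run against a major version it never declared support for.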

Deprecated API Detection

Scans dependency entry points for removed React 19 lifecycle methods (UNSAFE_componentWillMount), legacy ReactDOM.render, deprecated Node.js Buffer constructors, and obsolete built-in modules — before they break in production.

Broad Ecosystem Coverage

Dependency parsing, IDE inventory, and runtime detection across modern stacks.

17 Scan Modules

15 lockfile parsers (npm, pip, Go, Rust, Ruby, PHP, Maven, NuGet, Swift, Dart), peer dependency conflict detection, deprecated API scanning, and crypto weakness analysis — all in one unified scan.

9 IDE Families

VS Code, Cursor, Windsurf, JetBrains family, Zed, Neovim, Claude Code, Continue.dev, Cline — extension inventory with version tracking and advisory matching.

40+ Framework Signatures

WordPress, Django, Laravel, Next.js, Rails, Angular, React, Vue, Express, Flask, Spring — automatic detection with version CVE correlation.

Advisory Intelligence

Continuous feed from GitHub Advisory Database, OSV.dev, and VS Code Marketplace — enriched with LLM-classified security news from 6 industry sources.

Thin Agent. Powerful Cloud Engine.

DevGuard follows a strict thin-agent philosophy. The local CLI performs only data collection and privacy redaction. All intelligence — CVE mapping, advisory correlation, LLM analysis, risk scoring — runs in Pentesterra's controlled cloud infrastructure.

  • No intellectual property leaves your machine unredacted
  • Secret values are never transmitted — only type, path, and masked fingerprint
  • Payload inspection available via --dry-run before any data is sent
  • 3-pass analysis engine: CPE lookup, advisory matching, LLM contextual fallback
  • Re-analysis on new CVE data without rescanning
  • API key authentication with bcrypt hashing and prefix-based resolution
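The detect-then-redact step described under Secrets & Credential Detection and restated in the bullets above (only type, path and a masked fingerprint leave the machine), as an added example that is not DevGuard's collector: the detection patterns, sample files, payload schema and per-installation key are all constructed for the demonstration, and the real rules and wire format are not published on this page. The fingerprint is an HMAC under a local key rather than a bare hash, so the cloud side can deduplicate a recurring secret without being able to brute-force low-entropy values from the digest.

```python
"""Detect secrets locally and build the redacted payload that would leave
the machine: type, path, line, masked preview and keyed fingerprint,
never the value.

Added example, not DevGuard's own code; patterns, files, the payload
schema and the key are constructed for illustration.
"""
import hashlib
import hmac
import json
import re

# Constructed detection patterns (deliberately narrow).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
    "database_url": re.compile(r"\b(?:postgres|mysql)://[^:\s]+:([^@\s]+)@"),
}
# Types whose leading characters identify a vendor/format, not the secret
# itself; only these keep a short visible prefix in the masked preview.
STRUCTURED_PREFIX = {"aws_access_key_id", "generic_api_key"}

# Constructed sample files, as a collector would read them from disk.
FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DATABASE_URL = 'postgres://app:hunter2pass@db.internal:5432/app'\n"
    ),
    ".env": "API_KEY=\"sk_live_0123456789abcdefXYZ\"\nLOG_LEVEL=info\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n",
}


def mask(value, keep=0):
    """Show at most the first `keep` characters; the rest becomes '*'."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def fingerprint(value, key):
    """HMAC-SHA256 of the secret under a per-installation key, truncated.
    A plain SHA-256 would be brute-forceable for low-entropy secrets."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]


def scan(files, key):
    """Return redacted findings; the secret value never enters the result."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                m = pattern.search(line)
                if not m:
                    continue
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({
                    "type": kind,
                    "path": path,
                    "line": lineno,
                    "masked": mask(secret, 4 if kind in STRUCTURED_PREFIX else 0),
                    "fingerprint": fingerprint(secret, key),
                })
    return findings


def build_payload(files, key):
    """What a dry-run inspection should show: metadata only, as JSON."""
    return json.dumps({"schema": "example/redacted-v1",
                       "findings": scan(files, key)}, indent=2)


def payload_leaks(payload, files):
    """Self-check before transmission: no matched secret value may appear
    in the serialized payload. Returns the leaked values (empty is good)."""
    leaked = []
    for text in files.values():
        for pattern in PATTERNS.values():
            for m in pattern.finditer(text):
                secret = m.group(1) if m.groups() else m.group(0)
                if secret in payload:
                    leaked.append(secret)
    return leaked


if __name__ == "__main__":
    key = b"per-installation-key-example"  # constructed; a real one comes from init
    out = build_payload(FILES, key)
    print(out)
    print("leaks:", payload_leaks(out, FILES))
```

The `payload_leaks` check is the part worth keeping in any real collector: it re-runs the detectors over the raw input and asserts that nothing they matched survives serialization, which catches a new rule that forgot to redact its capture group.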

What Sets DevGuard Apart

Not another dependency scanner. A development environment security platform.

Privacy-First

No source code upload. Only metadata and redacted findings leave the developer machine.

IDE-Native

VS Code, Cursor, Windsurf extensions with sidebar integration, scan-on-push hooks, and inline results.

Re-Analysis

When new CVEs are published, previously scanned projects are automatically re-evaluated — no rescan needed.

Pre-Push Gate

Git hook blocks push on critical findings. Configurable thresholds. CI/CD mode with exit codes.

Integrated Into Your Workflow

CLI, IDE extension, and CI/CD — three surfaces, one consistent security posture.

CLI

Command Line

pip install, single-command scan. Supports --ci mode with configurable exit codes for pipeline integration. Local reports, dry-run inspection, and branch-aware scanning.

IDE

VS Code / Cursor / Windsurf

Native extension with sidebar panels — project status, last scan results, risk gauge. Scan-on-push file watcher and one-click pre-push hook installation.

WEB

Web Console

Full dashboard with project overview, scan history, findings grouped by risk category, severity trends, and API key management. Part of the Pentesterra platform.

Pre-Push Security Gate

DevGuard installs a git pre-push hook that runs a full security scan before code leaves your machine. Configurable severity thresholds: block on critical, high, or medium findings. CI/CD mode returns structured exit codes for pipeline enforcement. Bypass is available with git push --no-verify when needed; because --no-verify skips every local hook, treat the CI/CD exit code as the authoritative gate and the local hook as the fast feedback loop.

Block on critical findings · Configurable thresholds · CI/CD exit codes · Branch-aware scanning
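The gate logic described above, as an added example that is not DevGuard's hook or its exit-code scheme: a pre-push script that parses the ref lines git passes on stdin, skips ref deletions (there is nothing to scan), applies a stricter threshold to protected branches, and maps the worst finding to an exit code. The `run_scan` stub returns constructed findings, and the `GATE_*` environment variables, the exit-code values and the branch policy are assumptions of this example.

```python
#!/usr/bin/env python3
"""A git pre-push gate with configurable severity threshold and CI exit codes.

Added example, not DevGuard's own hook. The scanner is a stub returning
constructed findings; the exit codes, the GATE_* environment variables and
the branch rules are assumptions for illustration.
"""
import os
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical exit codes: 0 = clean, 1 = findings at/above threshold,
# 2 = scan could not run (fail closed in CI; fail open locally only if asked).
EXIT_OK, EXIT_BLOCK, EXIT_ERROR = 0, 1, 2
NULL_SHA = "0" * 40  # git passes this as the local sha when deleting a remote ref


def parse_prepush_stdin(lines):
    """git feeds '<local ref> <local sha> <remote ref> <remote sha>' per ref.
    Returns the refs actually being updated; deletions are skipped."""
    updates = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        local_ref, local_sha, remote_ref, remote_sha = parts
        if local_sha == NULL_SHA:
            continue
        updates.append((local_ref, local_sha, remote_ref, remote_sha))
    return updates


def branch_threshold(remote_ref, default="high"):
    """Branch-aware policy: protected branches get a stricter threshold.
    Env var names and the default branch list are assumptions."""
    protected = os.environ.get("GATE_PROTECTED_BRANCHES", "main,master,release/*").split(",")
    name = remote_ref.removeprefix("refs/heads/")
    for pat in protected:
        pat = pat.strip()
        if name == pat or (pat.endswith("*") and name.startswith(pat[:-1])):
            return os.environ.get("GATE_PROTECTED_THRESHOLD", "medium")
    return os.environ.get("GATE_THRESHOLD", default)


def worst_severity(findings):
    """Highest severity present, or None when there are no findings."""
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default=None)


def gate_decision(findings, threshold):
    """Map findings to an exit code given a threshold such as 'high'."""
    worst = worst_severity(findings)
    if worst is None:
        return EXIT_OK
    return EXIT_BLOCK if SEVERITY_RANK[worst] >= SEVERITY_RANK[threshold] else EXIT_OK


def run_scan(ref_sha):
    """Stand-in for the real scan of the commits being pushed; returns
    constructed findings regardless of the sha."""
    return [{"id": "demo-1", "severity": "high", "title": "vulnerable dependency"},
            {"id": "demo-2", "severity": "low", "title": "deprecated API"}]


def main(stdin=None):
    stdin = stdin if stdin is not None else sys.stdin
    updates = parse_prepush_stdin(stdin)
    if not updates:
        return EXIT_OK  # nothing but deletions: let the push through
    exit_code = EXIT_OK
    for _local_ref, local_sha, remote_ref, _remote_sha in updates:
        threshold = branch_threshold(remote_ref)
        try:
            findings = run_scan(local_sha)
        except Exception as exc:  # scanner crashed or cloud unreachable
            print(f"gate: scan failed ({exc})", file=sys.stderr)
            fail_open = os.environ.get("GATE_FAIL_OPEN") == "1" and not os.environ.get("CI")
            return EXIT_OK if fail_open else EXIT_ERROR
        code = gate_decision(findings, threshold)
        if code == EXIT_BLOCK:
            print(f"gate: blocking push to {remote_ref}: "
                  f"{worst_severity(findings)} >= threshold {threshold}", file=sys.stderr)
        exit_code = max(exit_code, code)
    return exit_code


if __name__ == "__main__":
    sys.exit(main())
```

Installed as an executable `.git/hooks/pre-push`, git runs the script with the ref lines on stdin and aborts the push on any non-zero exit. The same `gate_decision` mapping is what a `--ci` style invocation would expose to a pipeline, where `git push --no-verify` cannot skip it.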

Built for Modern Development Teams

AI-Era Developers

Cursor · Windsurf · Copilot · Cloud IDE

AI generates code fast; DevGuard validates its security posture before it is pushed. MCP configurations, AI extensions, and generated dependencies are all covered.

Startups & Small Teams

Developers without dedicated security

Free tier available. Zero infrastructure overhead. pip install and scan — enterprise-grade security intelligence without enterprise complexity.

DevSecOps & Security Teams

Security Engineers · AppSec · Platform Teams

Enforce pre-push policies, track supply chain risk across projects, and feed findings into the full Pentesterra vulnerability management pipeline.

From Development to Full-Cycle Security

DevGuard is your entry point into the Pentesterra platform.

01

DevGuard

Pre-push security audit. Supply chain, secrets, AI toolchain, and crypto risk — caught before code leaves the developer machine.

02

Web & API Pentest

Authenticated and unauthenticated testing of deployed applications. Evidence-based exploit validation with verification workflows.

03

Full-Cycle Platform

Network assessment, attack chain analysis, compliance mapping, and continuous verification — one platform covering the entire security lifecycle.

Take Control of Your Attack Surface.