Panguard Scan
Run comprehensive security audits with a single command. Scan your infrastructure, analyze code, check remote targets, and generate machine-readable reports for CI/CD pipelines.
Quick Start
panguard scan
panguard scan --deep
panguard scan --json
Scan Types
Quick Scan
Default mode (~60s). Runs the fastest checks (open ports, password policies, environment discovery) and returns a risk score within a minute.
panguard scan
Deep Scan
Enables every scanner engine: CVE lookup, shared folder enumeration, scheduled task analysis, and full SSL certificate validation. Takes longer but leaves no stone unturned.
panguard scan --deep
Remote Scan
Scan a remote host by domain name or IP address. Checks externally visible attack surface without requiring agent installation on the target.
panguard scan --target example.com
Code Scan (SAST)
Beta. Static application security testing for your source code. Detects vulnerabilities, hardcoded secrets, and insecure patterns.
panguard scan code --dir .
Understanding Results
Risk Score
Every scan produces a risk score from 0 to 100. The score is calculated from the number and severity of findings, weighted by impact. Lower is better.
Severity Levels
| Severity | Meaning | Action |
|---|---|---|
| Critical | Actively exploitable vulnerability | Fix immediately |
| High | Significant security weakness | Fix within 24 hours |
| Medium | Potential risk under certain conditions | Schedule a fix |
| Low | Minor hardening recommendation | Fix when convenient |
Sample Output
$ panguard scan
PANGUARD SCAN REPORT
=====================
Host: workstation-01
OS: macOS 15.2 (Darwin)
Risk Score: 34/100
Grade: B
Duration: 48s
FINDINGS:
[HIGH] Open port 3306 (MySQL) exposed to 0.0.0.0
Bind MySQL to 127.0.0.1 or use firewall rules
[MEDIUM] SSL certificate expires in 12 days
Renew certificate for *.example.com
[MEDIUM] Password policy: no complexity requirement
Enable minimum 12-char passwords with mixed case
[LOW] SSH allows password authentication
Switch to key-based authentication
SUMMARY: 1 high, 2 medium, 1 low — Grade B
What Gets Scanned
Panguard Scan runs seven independent scanner modules. Each module focuses on a specific attack surface and contributes findings to the final risk score.
| Module | What It Checks | Mode |
|---|---|---|
| Password Policies | Complexity rules, expiration, lockout thresholds, reuse limits | Quick + Deep |
| Open Ports | TCP/UDP listeners, unexpected services, binding scope (0.0.0.0 vs 127.0.0.1) | Quick + Deep |
| SSL Certificates | Expiry dates, weak ciphers, chain validity, revocation status | Quick + Deep |
| Scheduled Tasks | Cron jobs, launchd plists, systemd timers running as root or with world-writable paths | Deep only |
| Shared Folders | SMB/NFS shares, permission misconfiguration, guest access, world-readable exports | Deep only |
| Environment Discovery | OS version, installed software, missing patches, EOL detection | Quick + Deep |
| CVE Lookup | Matches installed packages against NVD/MITRE CVE databases for known vulnerabilities | Deep only |
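The binding-scope check from the Open Ports row, sketched as an added example (not Panguard's code): it parses constructed Linux `ss -ltnH` output and flags services bound to every interface. The `LOCAL_ONLY_PORTS` policy and all function names are assumptions for illustration.

```python
import ipaddress

# Constructed `ss -ltnH` output (columns: State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 151   0.0.0.0:3306     0.0.0.0:*
LISTEN 0 128   127.0.0.1:5432   0.0.0.0:*
LISTEN 0 128   [::]:22          [::]:*
LISTEN 0 511   *:8080           *:*
LISTEN 0 128   [::1]:6379       [::]:*
"""

# Assumed policy for this example: services that should not listen on every interface.
LOCAL_ONLY_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


def split_listener(local):
    """Split 'addr:port' as printed by ss, handling bracketed IPv6 and '*'."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def is_wildcard(addr):
    """True for '*', 0.0.0.0 and ::, the addresses that mean every interface."""
    if addr == "*":
        return True
    try:
        # Drop an interface suffix such as '%lo' before parsing.
        return ipaddress.ip_address(addr.split("%")[0]).is_unspecified
    except ValueError:
        return False


def exposed_listeners(ss_output, local_only=LOCAL_ONLY_PORTS):
    """Return (port, service, address) for local-only services bound to all interfaces."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_listener(fields[3])
        if port in local_only and is_wildcard(addr):
            hits.append((port, local_only[port], addr))
    return hits


if __name__ == "__main__":
    for port, service, addr in exposed_listeners(SAMPLE_SS):
        print(f"[HIGH] Open port {port} ({service}) exposed to {addr}")
```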
JSON Output for Automation
Add the --json flag to any scan command to get structured output suitable for parsing, dashboards, and CI/CD pipeline gates.
panguard scan --json > report.json
Sample JSON Structure
{
  "version": "1.0",
  "host": "workstation-01",
  "os": "macOS 15.2",
  "scanType": "quick",
  "riskScore": 34,
  "grade": "B",
  "duration": "48s",
  "summary": {
    "critical": 0,
    "high": 1,
    "medium": 2,
    "low": 1,
    "total": 4
  },
  "findings": [
    {
      "id": "PORT-001",
      "severity": "high",
      "title": "Open port 3306 (MySQL) exposed to 0.0.0.0",
      "module": "open-ports",
      "remediation": "Bind MySQL to 127.0.0.1 or use firewall rules",
      "references": ["CIS-benchmark-5.4"]
    }
  ],
  "modules": [
    { "name": "password-policies", "status": "pass", "findings": 1 },
    { "name": "open-ports", "status": "fail", "findings": 1 },
    { "name": "ssl-certificates", "status": "warn", "findings": 1 },
    { "name": "environment-discovery", "status": "pass", "findings": 1 }
  ]
}
CI/CD Integration
Use the exit code and JSON output to gate deployments. Panguard exits with code 1 when critical or high findings are present.
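The workflow step below gates on the score alone. As an added example (not Panguard's code), this gate reads the same report fields, fails closed when the report is malformed, and honors time-limited waivers; the waiver map, `evaluate_gate` and its parameters are hypothetical.

```python
import json
from datetime import date

# Constructed report following the sample JSON structure on this page (trimmed).
SAMPLE_REPORT = json.loads("""
{"version": "1.0", "scanType": "quick", "riskScore": 34, "grade": "B",
 "summary": {"critical": 0, "high": 1, "medium": 2, "low": 1, "total": 4},
 "findings": [{"id": "PORT-001", "severity": "high", "module": "open-ports",
               "title": "Open port 3306 (MySQL) exposed to 0.0.0.0"}]}
""")

SEVERITIES = ["low", "medium", "high", "critical"]  # ascending


def evaluate_gate(report, max_score=60, block_at="high", waivers=None, today=None):
    """Return (passed, reasons); a malformed report fails closed."""
    waivers = waivers or {}  # hypothetical policy: finding id -> ISO expiry date
    today = today or date.today()
    score, findings = report.get("riskScore"), report.get("findings")
    if not isinstance(score, (int, float)) or not isinstance(findings, list):
        return False, ["report lacks riskScore or findings; failing closed"]

    reasons = []
    if score > max_score:
        reasons.append(f"risk score {score} exceeds threshold {max_score}")
    floor = SEVERITIES.index(block_at)
    for finding in findings:
        sev = str(finding.get("severity", "")).lower()
        # An unrecognized severity blocks instead of slipping through.
        rank = SEVERITIES.index(sev) if sev in SEVERITIES else len(SEVERITIES)
        if rank < floor:
            continue
        expiry = waivers.get(finding.get("id"))
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # accepted risk with a waiver that has not expired
        reasons.append(f"[{sev or 'unknown'}] {finding.get('id')}: {finding.get('title')}")
    return not reasons, reasons


if __name__ == "__main__":
    passed, why = evaluate_gate(SAMPLE_REPORT)
    print("PASS" if passed else "FAIL", *why, sep="\n  ")
    raise SystemExit(0 if passed else 1)
```

An expired waiver stops suppressing its finding, so an accepted risk comes back up for review instead of staying hidden.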
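- name: Security Scan
  run: |
    # Write the machine-readable report
    panguard scan --json > scan-report.json
    SCORE=$(jq '.riskScore' scan-report.json)
    # Block the deploy when the risk score exceeds the threshold
    if [ "$SCORE" -gt 60 ]; then
      echo "Risk score $SCORE exceeds threshold (60). Blocking deploy."
      # -r prints the finding lines as plain text instead of quoted JSON strings
      jq -r '.findings[] | " [\(.severity)] \(.title)"' scan-report.json
      exit 1
    fi
Remote Scanning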
Use the --target flag to scan a remote host by domain name or IP address. No agent installation is required on the target — Panguard probes the externally visible attack surface.
panguard scan --target example.com
panguard scan --target 192.168.1.100
What Remote Scan Checks
Open Ports
TCP port scan of common service ports (22, 80, 443, 3306, 5432, 8080, etc.) with service fingerprinting.
SSL / TLS
Certificate validity, expiration, cipher strength, protocol version, and chain-of-trust verification.
HTTP Headers
Security headers analysis: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
DNS Records
SPF, DKIM, DMARC validation. Detects dangling CNAMEs and zone transfer misconfigurations.
Code Scanning (SAST)
Beta. Panguard includes a built-in static application security testing engine. Point it at any source directory to detect vulnerabilities, insecure patterns, and leaked secrets before they reach production.
panguard scan code --dir .
panguard scan code --dir ./my-app --json
How It Works
Semgrep Integration
When Semgrep is installed locally, Panguard delegates to it for deep pattern-based analysis across 30+ languages. If Semgrep is not available, Panguard falls back to its own built-in rule engine.
Built-in Patterns
Even without Semgrep, Panguard scans for SQL injection, command injection, path traversal, insecure deserialization, and XSS vulnerabilities using its own regex-based engine.
Secrets Detection
Scans all files for hardcoded API keys, AWS credentials, private keys, database connection strings, and tokens. Supports detection of 40+ secret formats including GitHub, Stripe, and cloud provider patterns.
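How regex-based secrets detection of this kind works, as an added example (not Panguard's rule set): a few widely published token shapes, an allowlist for vendor documentation placeholders, and redaction so the report does not copy the secret. Rule names, `SAMPLE_FILES` and the functions are assumptions for illustration.

```python
import re

# Widely published token shapes; a small illustrative subset.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "stripe-live-key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Placeholder values from vendor documentation that should not be reported.
KNOWN_EXAMPLES = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed file contents; the key is a fake assembled from two parts.
SAMPLE_FILES = {
    "config/settings.py": 'DEBUG = False\nAWS_KEY = "' + "AKIA" + "Z9CONSTRUCTED001" + '"\n',
    "docs/setup.md": "Use a key such as AKIAIOSFODNN7EXAMPLE in the form.\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, no key material)\n",
}


def redact(value):
    """Keep a short prefix so the finding is identifiable without the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path, text):
    """Return findings as (path, line_no, rule, redacted_match)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                if match.group(0) in KNOWN_EXAMPLES:
                    continue  # documented placeholder, not a live credential
                findings.append((path, line_no, rule, redact(match.group(0))))
    return findings


if __name__ == "__main__":
    for path, text in SAMPLE_FILES.items():
        for finding in scan_text(path, text):
            print(finding)
```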
Sample Output
$ panguard scan code --dir ./my-app
PANGUARD CODE SCAN
===================
Directory: ./my-app
Files: 142 scanned (38 skipped)
Engine: semgrep + built-in
Duration: 6.2s
FINDINGS:
[CRITICAL] SQL injection in db/queries.py:47
Use parameterized queries instead of string concatenation
[HIGH] Hardcoded AWS access key in config/settings.py:12
Move to environment variable or secrets manager
[MEDIUM] Missing CSRF protection on POST /api/update
Add CSRF token validation middleware
[LOW] Console.log left in production code (3 instances)
Remove debug logging before deploy
SUMMARY: 1 critical, 1 high, 1 medium, 1 low
Start Scanning
Install Panguard and run your first security scan in under a minute. Open source with unlimited local scans. MIT licensed.
curl -fsSL https://get.panguard.ai | bash && panguard scan