FAQ

Is Vouch a penetration test?

No. Vouch is an automated Static Application Security Testing (SAST) tool combined with secret scanning. It analyzes your source code; it does not probe running infrastructure the way a dynamic analysis (DAST) tool does. It’s optimized to catch the 20% of “vibe-fails” that cause 80% of real-world security incidents in indie-founder projects.

Which languages and frameworks are supported?

Our static analysis engine supports virtually all modern languages and frameworks: JavaScript, TypeScript, Python, Go, React, Next.js, FastAPI, Supabase SQL migrations, and more.

Does it work with private repositories?

Yes. Vouch is designed specifically for private GitHub repositories. The GitHub App requires read-only access — see Security & Privacy for details.

What happens to my code after a scan?

Your code is analyzed in-memory and deleted immediately after the scan completes. We store only finding metadata (file name, line number, severity) — never raw source code. We do not use your code to train AI models.

How is Vouch different from Snyk?

Snyk and SonarQube are built for enterprise teams and CVE databases. They require significant setup and generate alert volumes that often lead to alert fatigue for solo developers. Vouch is built for the solo dev: one clear 0–100 score, AI-translated findings in plain English, and copy-paste ready code fixes.

Can I use Vouch in CI/CD?

Yes, two ways:

  1. The GitHub App acts as an automatic status check on every pull request. If Vouch detects a critical vulnerability (score below 50), the check fails. Configure GitHub Branch Protection Rules to block merges on a failing Vouch check.
  2. Public API — call POST /scan-repo-url from any CI step (GitHub Actions, GitLab CI, CircleCI, etc.) and use the result to gate deployments. See the API Reference for details and examples.
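As an added example (not Vouch's own client code), here is a Python CI step that calls POST /scan-repo-url and gates the deployment on the returned score, using the same 50-point threshold the GitHub App status check applies. Only the endpoint path, the API key, the GitHub URL input, the 0–100 score and the per-request github_token option come from this FAQ; everything else is an assumption to be checked against the API Reference: the base URL, the Bearer Authorization header, the request field `repo_url`, the response fields `score` and `findings`, and the `VOUCH_API_KEY`, `VOUCH_API_URL`, `VOUCH_GITHUB_TOKEN` and `REPO_URL` environment variable names are placeholders.

```python
"""CI gate on a Vouch scan result.

Added example, not Vouch's own client. Taken from the FAQ: POST /scan-repo-url,
an API key, a GitHub URL, a 0-100 score, and a failure threshold of 50.
Assumed (placeholders, verify against the API Reference): the base URL, the
header and JSON field names, and the environment variable names used below.
"""
import json
import os
import sys
import urllib.error
import urllib.request

FAIL_BELOW = 50  # same threshold the GitHub App status check uses (per the FAQ)


def build_request(base_url, api_key, repo_url, github_token=None):
    """Build the POST to /scan-repo-url. Field and header names are assumptions."""
    body = {"repo_url": repo_url}  # assumed field name
    if github_token:
        # Per-request PAT for an ad-hoc scan, as the FAQ describes; never persisted here.
        body["github_token"] = github_token
    return urllib.request.Request(
        base_url.rstrip("/") + "/scan-repo-url",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": "Bearer " + api_key,  # assumed auth scheme
        },
    )


def evaluate(result, fail_below=FAIL_BELOW):
    """Decide whether the pipeline may continue.

    Returns (passed, summary). A missing or non-numeric score fails closed so a
    malformed or truncated response can never be mistaken for a clean scan.
    """
    score = result.get("score")  # assumed field name
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "FAIL: no numeric score in response; failing closed"
    findings = result.get("findings") or []  # assumed field name
    by_severity = {}
    for finding in findings:
        sev = str(finding.get("severity", "unknown")).lower()
        by_severity[sev] = by_severity.get(sev, 0) + 1
    passed = score >= fail_below
    counts = ", ".join(f"{k}={v}" for k, v in sorted(by_severity.items())) or "none"
    verdict = "PASS" if passed else "FAIL"
    return passed, f"{verdict}: score {score}/100 (threshold {fail_below}); findings: {counts}"


def run_scan(base_url, api_key, repo_url, github_token=None, timeout=600):
    """Perform the network call and return the parsed JSON body; raises on HTTP errors."""
    req = build_request(base_url, api_key, repo_url, github_token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def main():
    api_key = os.environ.get("VOUCH_API_KEY")       # assumed env var; store it as a CI secret
    base_url = os.environ.get("VOUCH_API_URL", "")  # assumed env var; no default URL is known
    repo_url = os.environ.get("REPO_URL") or (sys.argv[1] if len(sys.argv) > 1 else None)
    if not (api_key and base_url and repo_url):
        print("usage: VOUCH_API_KEY=... VOUCH_API_URL=... REPO_URL=<github url> vouch_gate.py",
              file=sys.stderr)
        return 2
    try:
        result = run_scan(base_url, api_key, repo_url, os.environ.get("VOUCH_GITHUB_TOKEN"))
    except (urllib.error.URLError, ValueError) as exc:
        # Network or parse failure: fail closed rather than let an unscanned build deploy.
        print(f"FAIL: scan request failed ({exc}); failing closed", file=sys.stderr)
        return 1
    passed, summary = evaluate(result)
    print(summary)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a CI step with the secrets injected from the pipeline's secret store; a non-zero exit fails the job, which is what gates the deployment. The decision logic is kept in `evaluate()` separate from the network call so the threshold and fail-closed behaviour can be unit-tested without contacting the service.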

Is there an API I can call directly?

Yes — the public Scan API lets you trigger any scan from your own scripts or pipelines. Generate an API key in the Developer Portal and POST a GitHub URL. Full spec: API Reference. One key, one HTTP call, the same engine that backs the GitHub App.

Can I store my GitHub Personal Access Token in my Vouch account?

No — by design. Storing PATs without enterprise-grade encryption-at-rest would be reckless: a leaked database backup would compromise every linked GitHub account. Use the Vouch GitHub App instead (one-click install, 1-hour scoped tokens fetched on demand) — or pass github_token per request if you really need a PAT for an ad-hoc scan.

What’s the difference between Core Scans and Deep Auto-Fixes?

Core Scans run the full Semgrep + Gitleaks + dependency-audit + AI Hunter + Validator pipeline and produce your Vouch Score and findings list. Deep Auto-Fixes are AI-generated code patches for individual findings — these consume more compute and are metered separately per tier. See Pricing for the monthly limits per plan.
