Security workbench for modern teams

BreachScope

Own security work from the first local scan to the release gate. BreachScope brings code, dependencies, SaaS posture, runtime evidence, triage, policy, and customer-owned integrations into one calm workflow.

10 ecosystems
SARIF CI output
VEX advisories
SCIM identity

Risk operations: Production portfolio (live)

0 critical SLA, 14 open highs, 98% policy pass

critical: JWT none algorithm accepted
high: Public preview secret exposure
medium: Package missing integrity hash
critical: Service role key detected
low: Unknown package license

CI gate: passing
SARIF uploaded
SBOM generated
OpenVEX exported
Baseline enforced
breachscope sandbox

$ breachscope scan --mode deep --breach --bug
detecting ecosystems: npm, PyPI, Go, Maven
policy loaded: release-gate.yml
supply-chain score: 78/100
critical: service_role key in client bundle
critical: exploitable JWT bypass confirmed
writing results.sarif, bom.cdx.json, openvex.json
completed in 42s - 19 findings - 2 critical


Platform coverage

Built like a security program, not a single scanner.

BreachScope covers prevention, detection, triage, evidence export, identity, runtime monitoring, and CI enforcement. The CLI stays fast for local use, while the dashboard keeps teams aligned around ownership, policy, and audit history.

01 Policy-as-code gates

Fail pull requests on severity thresholds, finding budgets, blocked packages, denied categories, and expiring suppressions.

baselines, budgets, approvals

02 Supply-chain intelligence

OSV matching across ten ecosystems plus OpenSSF, deps.dev, maintainer concentration, deprecation, license, and lifecycle-script risk signals.

OSV, OpenSSF, deps.dev

03 Evidence exports

Export SARIF for code scanning, CycloneDX or SPDX SBOMs, OpenVEX advisories, JSON evidence, and fix-suggestion briefs.

SARIF, SBOM, OpenVEX

04 Scoped automation

Dashboard API keys support least-privilege scopes for scan upload, config read, secret read, and settings write workflows.

scopes, audit, CI

05 Attack arena

The sandbox command builds an isolated container, hardens Docker flags, and runs active exploit probes with CI failure support.

Docker, Tracee, sandbox

06 Runtime monitoring

Linux environments can stream Tracee eBPF events into JSONL for investigation alongside static and dynamic findings.

eBPF, Tracee, JSONL

07 Identity and audit

SCIM user lifecycle endpoints, SAML metadata, IdP-ready ACS fail-closed behavior, and project-level audit logs are in the platform.

SCIM, SAML, audit logs

08 Customer-owned integrations

Bring your own Slack, Teams, PagerDuty, Jira, Linear, and webhook credentials. BreachScope supplies routing, testing, and audit history.

Slack, Jira, PagerDuty

09 Multi-language context

Dependency, code, and project context collection understands JavaScript, Python, Go, Rust, Ruby, Java, PHP, .NET, Elixir, and Dart.

10 ecosystems, project context, lockfiles

Operating model

A security workflow that fits around your stack.

BreachScope provides the scan engine, dashboard, policy layer, evidence exports, and routing framework. Your team decides which providers to connect, which keys to save, and which findings leave the platform.

From scan to owner

One finding model across CLI, CI, dashboard, and integrations.

01 Scan
02 Policy
03 Evidence
04 Route

Data boundary

Public pages stay public. Work data stays behind auth.

Public docs and policies: defined
Private dashboard routes: defined
Scoped API keys: defined
Encrypted provider keys: defined

Local-first scans

Developers can scan without connecting a dashboard. Login adds scan history, triage, policies, and evidence workflows.

Bring your own providers

Teams connect their own GitHub, Slack, Jira, Linear, PagerDuty, OpenAI, Firecrawl, and cloud accounts when they need them.

Private by default

Robots can read public docs and legal pages. Dashboard, API, login, and CLI auth routes stay private and crawler-blocked.

Evidence you can move

SARIF, CycloneDX, SPDX, OpenVEX, JSON, and fix briefs keep release reviews portable across existing systems.

10 package ecosystems (OSV-aware scanning)
4 governance exports (SARIF, SBOM, VEX, JSON)
5 notification targets (Slack, Teams, PagerDuty, Jira, Linear)
0 audit vulnerabilities (npm moderate+)

Operational fit

Designed for the workflows security teams already run.

Local developer scans, CI enforcement, release evidence, ticket routing, and audit-ready triage all share the same finding model.

01 AppSec: Pull request gate

Run breachscope scan --ci --policy release-gate.yml and upload SARIF to code scanning.

severity budget, new findings only, baseline diff

02 Platform: Release evidence

Generate CycloneDX, SPDX, OpenVEX, and a fix-suggestion brief from the same JSON scan artifact.

SBOM, OpenVEX, fix plan

03 Security operations: Incident routing

Send critical findings to PagerDuty and engineering work queues while preserving audit history per project.

PagerDuty, Jira, audit logs
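As an added illustration of the pull-request gate described above (not BreachScope's code; the policy shape, rule ids and SARIF sample are invented for the example), this shows how such a gate can be evaluated over a SARIF log: severity thresholds, per-severity budgets, a baseline diff via SARIF's baselineState field, and suppressions that expire.

```python
import json
from datetime import date

# Constructed SARIF 2.1.0 fragment; rule ids and severities are invented.
SARIF_TEXT = """{"version": "2.1.0", "runs": [{"results": [
 {"ruleId": "JWT-NONE-ALG", "level": "error", "baselineState": "new",
  "properties": {"severity": "critical"}},
 {"ruleId": "SECRET-IN-PREVIEW", "level": "error", "baselineState": "new",
  "properties": {"severity": "high"}},
 {"ruleId": "PKG-NO-INTEGRITY", "level": "warning", "baselineState": "unchanged",
  "properties": {"severity": "medium"}},
 {"ruleId": "LICENSE-UNKNOWN", "level": "note", "baselineState": "new",
  "properties": {"severity": "low"}}]}]}"""

# Hypothetical policy shape for this illustration, not a release-gate.yml format.
POLICY = {
    "fail_on": {"critical"},             # any finding at these severities fails
    "budget": {"high": 0, "medium": 3},  # max allowed per severity (default 0)
    "new_only": True,                    # baseline diff: skip unchanged findings
    "suppressions": {"LICENSE-UNKNOWN": "2024-01-01"},  # rule id -> expiry (ISO)
}

def evaluate(sarif_text, policy, today):
    """Return (passed, reasons) for one SARIF log under the policy; today is ISO."""
    today_d = date.fromisoformat(today)
    reasons, counts = [], {}
    for run in json.loads(sarif_text)["runs"]:
        for r in run["results"]:
            if policy["new_only"] and r.get("baselineState") in ("unchanged", "absent"):
                continue                 # only findings new relative to the baseline
            expiry = policy["suppressions"].get(r["ruleId"])
            if expiry is not None:
                if today_d <= date.fromisoformat(expiry):
                    continue             # suppression still valid
                reasons.append(f"suppression for {r['ruleId']} expired {expiry}")
            sev = r.get("properties", {}).get("severity", r.get("level"))
            counts[sev] = counts.get(sev, 0) + 1
    for sev in sorted(counts):           # deterministic order for reasons
        if sev in policy["fail_on"]:
            reasons.append(f"{counts[sev]} {sev} finding(s) above threshold")
        elif counts[sev] > policy["budget"].get(sev, 0):
            reasons.append(f"{sev} budget {policy['budget'].get(sev, 0)} exceeded: {counts[sev]}")
    return (not reasons), reasons

if __name__ == "__main__":
    ok, why = evaluate(SARIF_TEXT, POLICY, "2024-06-01")
    print("PASS" if ok else "FAIL", *why, sep="\n")
```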

Deploy the workflow

Ship security checks without changing how developers work.

Install the CLI, connect it to the dashboard, and use generated CI workflows to enforce policy, export artifacts, and route findings with your own provider accounts.

1 Install the CLI

npm install -g breachscope

2 Authenticate once

breachscope login

3 Run a release gate

breachscope scan --ci --policy release-gate.yml --output sarif --file breachscope.sarif

4 Export release evidence

breachscope sbom --output cyclonedx --file bom.cdx.json

For zero-install scans, run npx breachscope scan. Docker is required only for sandbox attack runs.