We run the same toolchain you saw in our Research benchmark — Trivy, Semgrep, Gitleaks and npm-audit — on a repository of your choosing and deliver a branded PDF report within 5 business days. Aqua Enterprise scan available as a paid follow-up engagement.
Each tool catches a different class of issue. Together they cover dependency CVEs, source-code patterns, leaked credentials and Node ecosystem advisories.
Lockfile-based dependency CVE scan. Every vulnerable package with installed version and recommended fix.
Pattern-based SAST. SQL injection, hardcoded secrets, unsafe deserialization, dangerous code paths.
Repository-wide secret detection. Committed credentials, API keys, tokens with file:line references.
Node ecosystem advisory check. Direct vs transitive dependencies flagged for clearer triage.
All open-source scans are free. We'll respond within 1 business day and deliver the report within 5.
Fill in the form above. We capture the repo URL, a contact address and the scan scope. If the repo is private, you grant our scan account read-only collaborator access.
We verify the repository, confirm the tech stack and queue the scan. You receive a confirmation email with the scheduled run date.
We run Trivy, Semgrep, Gitleaks and npm-audit on the repo. Findings are de-duplicated, triaged by severity and exploit probability.
You get a branded PDF report — per-tool drill-downs, recommended fixes, and a prioritized action list ordered by impact.
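The de-duplication and triage step above is easiest to see on real tool output. The script below is an added illustration of that step, not the service's own code: it reads the JSON reports of the four tools, normalizes them into one finding format, merges findings that refer to the same package or the same file:line (a Semgrep secret rule and a Gitleaks hit on the same line, a Trivy CVE and an npm-audit advisory on the same package), keeps the strongest severity, and ranks the result for an action list. The sample reports are constructed, trimmed to the fields used, and follow the report shapes of `trivy fs --format json`, `semgrep --json`, `gitleaks detect --report-format json` and `npm audit --json`; the Semgrep rule ids are placeholders and the severity mappings are a policy choice, not something the tools prescribe.

```python
"""Normalize, de-duplicate and rank findings from Trivy, Semgrep, Gitleaks and npm audit."""
import json
from dataclasses import dataclass, field
from itertools import chain

# Constructed sample reports (not real scan output), trimmed to the fields used below.
# Field names follow each tool's JSON report: `trivy fs --format json`, `semgrep --json`,
# `gitleaks detect --report-format json` and `npm audit --json`; Semgrep rule ids are placeholders.
TRIVY_JSON = json.dumps({"Results": [{"Target": "package-lock.json", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2021-23337", "PkgName": "lodash", "InstalledVersion": "4.17.15",
     "FixedVersion": "4.17.21", "Severity": "HIGH", "Title": "lodash: command injection via template"},
    {"VulnerabilityID": "CVE-2021-44906", "PkgName": "minimist", "InstalledVersion": "1.2.5",
     "FixedVersion": "1.2.6", "Severity": "CRITICAL", "Title": "minimist: prototype pollution"},
]}]})
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "custom.sql-string-concat", "path": "app/routes.js", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "SQL query built from user input by concatenation"}},
    {"check_id": "custom.hardcoded-aws-key", "path": "config/prod.env", "start": {"line": 3},
     "extra": {"severity": "WARNING", "message": "Hard-coded AWS access key id"}},
]})
GITLEAKS_JSON = json.dumps([
    {"RuleID": "aws-access-token", "Description": "AWS Access Key", "File": "config/prod.env",
     "StartLine": 3, "Commit": "0123abcd", "Secret": "AKIAIOSFODNN7EXAMPLE"},
])
NPM_AUDIT_JSON = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "lodash": {"name": "lodash", "severity": "high", "isDirect": False, "fixAvailable": True,
               "nodes": ["node_modules/lodash"],
               "via": [{"title": "Command Injection in lodash", "severity": "high"}]},
}})

RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}
NPM_SEVERITY = {"critical": "CRITICAL", "high": "HIGH", "moderate": "MEDIUM", "low": "LOW", "info": "LOW"}


@dataclass
class Finding:
    key: tuple                 # de-duplication key: ("dep", package) or ("code", file, line)
    severity: str              # normalized to the RANK scale
    title: str
    location: str
    fix: str
    sources: list = field(default_factory=list)   # tools that reported it
    ids: list = field(default_factory=list)       # CVE / advisory / rule identifiers


def from_trivy(raw):
    for result in json.loads(raw).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield Finding(("dep", v["PkgName"]), v.get("Severity", "UNKNOWN"),
                          v.get("Title", v["VulnerabilityID"]),
                          f"{result['Target']}: {v['PkgName']}@{v['InstalledVersion']}",
                          f"upgrade to {v.get('FixedVersion') or 'unfixed; mitigate'}",
                          ["trivy"], [v["VulnerabilityID"]])


def from_semgrep(raw):
    for r in json.loads(raw).get("results", []):
        yield Finding(("code", r["path"], r["start"]["line"]),
                      SEMGREP_SEVERITY.get(r["extra"]["severity"], "UNKNOWN"),
                      r["extra"]["message"], f"{r['path']}:{r['start']['line']}",
                      f"fix per rule {r['check_id']}", ["semgrep"], [r["check_id"]])


def from_gitleaks(raw):
    # Policy choice: a committed credential is CRITICAL whatever the rule. The matched
    # `Secret` value is deliberately never copied into the report.
    for leak in json.loads(raw):
        yield Finding(("code", leak["File"], leak["StartLine"]), "CRITICAL",
                      f"Committed credential: {leak['Description']}",
                      f"{leak['File']}:{leak['StartLine']} (commit {leak['Commit']})",
                      "rotate the credential, then purge it from history",
                      ["gitleaks"], [leak["RuleID"]])


def from_npm_audit(raw):
    for name, v in json.loads(raw).get("vulnerabilities", {}).items():
        # `via` mixes advisory objects and bare package names (transitive causes)
        titles = [x["title"] for x in v.get("via", []) if isinstance(x, dict)]
        kind = "direct" if v.get("isDirect") else "transitive"
        yield Finding(("dep", name), NPM_SEVERITY.get(v["severity"], "UNKNOWN"),
                      titles[0] if titles else name, f"{name} ({kind} dependency)",
                      "npm audit fix" if v.get("fixAvailable") else "no automatic fix",
                      ["npm-audit"], titles)


def triage(trivy, semgrep, gitleaks, npm_audit):
    """Merge findings that share a key, keep the strongest severity, rank for the action list."""
    merged = {}
    for f in chain(from_trivy(trivy), from_semgrep(semgrep), from_gitleaks(gitleaks), from_npm_audit(npm_audit)):
        if f.key not in merged:
            merged[f.key] = f
            continue
        m = merged[f.key]
        if RANK[f.severity] < RANK[m.severity]:       # incoming is more severe: take its verdict
            m.severity, m.title, m.fix = f.severity, f.title, f.fix
        m.sources += [s for s in f.sources if s not in m.sources]
        m.ids += [i for i in f.ids if i not in m.ids]
    # severity first; among equals, findings that several tools agree on go first
    return sorted(merged.values(), key=lambda f: (RANK[f.severity], -len(f.sources), f.location))


if __name__ == "__main__":
    for f in triage(TRIVY_JSON, SEMGREP_JSON, GITLEAKS_JSON, NPM_AUDIT_JSON):
        print(f"{f.severity:8} {f.location:45} {f.title} [{', '.join(f.sources)}] -> {f.fix}")
```

On the sample input the six raw findings collapse to four: the committed AWS key (seen by both Semgrep and Gitleaks) and the critical minimist advisory lead, the lodash CVE reported by both Trivy and npm-audit follows, and the single-tool SQL injection hit closes the list. Keying dependency findings on the package rather than the advisory id is deliberate: Trivy reports CVE ids while npm audit reports GHSA titles, and the action a team takes (upgrade the package) is per package either way.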
Aqua adds reachability analysis, EPSS exploit-probability scoring and direct/transitive dependency metadata, which turns 250+ raw findings into a 20-item action list. See the methodology in our Research benchmark. Available as a paid engagement: check the "I'd also like Aqua" box above or write to sales@hub-sec.com.
Yes. The Trivy, Semgrep, Gitleaks and npm-audit run on your repo is free, including the PDF report. We do this because most teams discover security gaps through it and end up engaging us for the follow-up — Aqua Enterprise scans, remediation work, ongoing scanning. No card required, no auto-conversion to paid.
We clone the repo into an isolated scan environment, run the toolchain, and delete the clone after the report is generated. We retain the JSON output and the PDF report for our records; you can request deletion at any time. We never share your code or findings with third parties. Note that the Gitleaks JSON output necessarily contains the credential strings it matched, so treat any credential the scan flags as exposed and rotate it regardless of who holds the report.
You invite our scan account as a read-only collaborator. After you submit the form, we email you the exact GitHub username to invite. You can revoke access as soon as the report lands in your inbox.
Trivy and Semgrep cover most modern stacks (Node.js, Python, Java/Spring, Go, Ruby, .NET, Rust, etc.). Gitleaks is language-agnostic. npm-audit is Node-specific. If your stack is unusual (Erlang, Crystal, Zig), tell us in the scope notes — we'll let you know upfront if coverage is limited.
Yes — submit the form once per repo. For 5+ repos or a full org scan, write directly to sales@hub-sec.com and we'll set up a bulk engagement.
Same format as our published benchmark. See the Research page for a live example — yours will be branded for your company, with your repo's findings instead of NodeGoat / juice-shop / WebGoat.