Skip to main content
Panguard Scan includes 10 specialized scanners, each targeting a different attack surface. All scanners run concurrently for maximum speed. Quick mode runs the first 7; full mode adds SSL, Scheduled Tasks, and Shared Folders.

Scanner Reference

1. Discovery Scanner

Collects foundational system information used by all other scanners.
FieldDetails
AvailabilityQuick + Full
Data collectedOS distro, version, kernel, architecture, hostname
OutputSystemDiscovery object consumed by downstream scanners

2. CVE Checker

Checks the system’s operating system and installed packages against known CVE databases.
FieldDetails
AvailabilityQuick + Full
Detection methodOS version fingerprinting, package version comparison
Severity mappingCVSS score mapped to CRITICAL / HIGH / MEDIUM / LOW
OutputList of matched CVEs with remediation advice

3. SAST (Static Application Security Testing)

Scans source code directories for security vulnerabilities.
FieldDetails
AvailabilityVia panguard scan code subcommand
LanguagesJavaScript, TypeScript, Python, PHP, Ruby, Java, Go
DetectionsSQL injection, XSS, command injection, path traversal, insecure deserialization
OutputFindings with file path, line number, and remediation
panguard scan code --dir ./my-project

4. Secrets Checker

Scans files for hardcoded secrets, API keys, tokens, and credentials.
FieldDetails
AvailabilityVia panguard scan code subcommand
Detection patternsAWS keys, GitHub tokens, private keys, database URLs, JWT secrets, generic high-entropy strings
False-positive reductionIgnores test files, examples, and known placeholder values

5. Password Policy Auditor

Evaluates the system’s password policy configuration.
FieldDetails
AvailabilityQuick + Full
ChecksMinimum password length, complexity requirements, expiration policy, account lockout policy
PlatformsLinux (PAM), macOS (pwpolicy), Windows (net accounts)

6. Scheduled Tasks Scanner

Audits cron jobs and scheduled tasks for suspicious entries.
FieldDetails
AvailabilityFull mode only
DetectionsDownload commands (curl, wget), reverse shells, base64-encoded payloads, unusual execution paths, non-standard scheduling times
Sources/etc/crontab, user crontabs, /etc/cron.d/, systemd timers (Linux); launchd plists (macOS); Task Scheduler (Windows)

7. Open Ports Scanner

Identifies all listening network ports and flags high-risk services.
FieldDetails
AvailabilityQuick + Full
Detection methodnetstat / ss / lsof output parsing
High-risk portsSSH (22), FTP (21), Telnet (23), MySQL (3306), PostgreSQL (5432), Redis (6379), MongoDB (27017), Elasticsearch (9200)
Risk factorsBinding to 0.0.0.0, running without TLS, default port for sensitive services

8. Shared Folders Scanner

Checks file-sharing configurations for overly permissive access.
FieldDetails
AvailabilityFull mode only
ChecksSMB/CIFS shares, NFS exports, public folder permissions
DetectionsAnonymous access enabled, world-readable sensitive directories, guest access without authentication

9. SSL/TLS Certificate Checker

Validates SSL/TLS certificates found on the system.
FieldDetails
AvailabilityFull mode only
ChecksExpiration date, self-signed status, key strength (minimum 2048-bit RSA or 256-bit ECDSA), certificate chain completeness, deprecated protocols (SSLv3, TLS 1.0, TLS 1.1)
SourcesSystem certificate stores, common certificate paths, running HTTPS services

10. Compliance Mapping

Maps all findings from other scanners to compliance framework controls.
FieldDetails
AvailabilityQuick + Full
FrameworksISO 27001, SOC 2, Taiwan Cyber Security Act (TCSA)
OutputEach finding annotated with applicable compliance control references

Scanner Execution Order

All scanners run concurrently using Promise.all for maximum speed. The Discovery scanner’s output is available to all other scanners as shared context. 
Discovery ──┐
CVE ────────┤
Ports ──────┤
Password ───┤  ──> Aggregate ──> Risk Score ──> Report
Firewall ───┤
Security ───┤
SSL ────────┤ (full only)
Tasks ──────┤ (full only)
Shares ─────┘ (full only)
Compliance ─── (post-processing)