Pepper SAST documentation
AI-powered static application security testing (SAST) for your organization. This guide covers installation, day-to-day usage, and every settings screen in the web UI.
What Pepper does
Pepper scans source code for security issues using multiple engines: pattern-based and LLM-assisted SAST, secret detection, software composition analysis (SCA), infrastructure-as-code checks, and optional zero-day-style logic analysis. Results appear as findings with severity, remediation guidance, compliance mapping, and optional GitHub fix pull requests.
Architecture (high level)
- Web app — Next.js UI and REST API (`npm run dev`)
- Worker — BullMQ consumer that clones repositories or fetches uploaded archives, runs the scanners, and evaluates build gates (`npm run worker`)
- PostgreSQL — Organizations, projects, scans, findings, settings
- Redis — Job queue
- MinIO — Scan artifacts and uploaded archives
- LLM — Ollama (local) or OpenAI-compatible APIs (OpenRouter, Azure, etc.)
Main navigation (sidebar)
| Menu item | Route | Purpose |
|---|---|---|
| Dashboard | /dashboard | Org overview, stats, quick actions |
| New Scan | /scans/new | Start a scan from Git URL, upload, or SVN |
| Projects | /projects | Projects, grades, finding counts |
| Repositories | /repositories | GitHub OAuth, import or manual repo URL |
Settings (sidebar section)
| Setting | Route | Documentation |
|---|---|---|
| LLM Config | /settings/llm | LLM config |
| Policies | /settings/policies | Security policies |
| Build Gates | /settings/build-gates | Build gates |
| Team | /settings/team | Team & roles |
| Integrations | /settings/integrations | GitHub, webhooks, CI |
Scan types
| Type | What runs |
|---|---|
| FULL | SAST (pattern or LLM), SCA, secrets, IaC, zero-day (if LLM SAST enabled) |
| SAST_ONLY | Static analysis only |
| SCA_ONLY | Dependency / supply-chain only |
| SECRETS_ONLY | Secret scanning only |
| INCREMENTAL | Reserved for delta scans (limited support) |
Source types
| Source | How it works |
|---|---|
| GIT_CLONE | Clone from HTTPS URL; optional token or org GitHub OAuth token for private repos |
| UPLOAD | Zip/tar archive uploaded to MinIO and extracted on the worker |
| SVN_CHECKOUT | Subversion checkout (requires svn on worker) |
| WEBHOOK | Triggered by GitHub/GitLab push or MR events |
Documentation map
Feature FAQ
The twelve capabilities of Pepper — SBOM, SAST, SCA, DAST, container scanning, code signing, pre-commit hook, integrations, AI features, compliance, audit log, trends — with deep links into the rest of the docs.
Getting started
Install dependencies, configure .env, seed database, run app + worker, first login.
How to use Pepper
Projects, scans, findings, GitHub repositories, open fix PR, compliance export, notifications.
Deployment
Docker quickstart, manual install, database schema lifecycle (`npm run db:setup`), worker scaling, optional binaries (Trivy, cosign), air-gapped operation, troubleshooting.
CI/CD recipes
Copy-paste GitHub Actions, GitLab CI, and Jenkins templates that fail builds on policy breach, upload SBOMs, and sign them with cosign.
API reference
Every REST endpoint: scans, artifacts, findings, integrations, API keys, audit log, trends, pre-commit, IDE.
Settings reference
Every settings screen: fields, behavior, and API endpoints.
Environment variables
Complete .env reference for local and Docker deployments.
`npx serve docs` in the repo root.