Quickstart

This page walks from "I have nothing" to "I am looking at findings from my own repository" in about ten minutes. You will need:

  • A repository hosted on Forgejo, GitHub, GitLab, or Bitbucket.
  • A browser.
  • For private repositories: a personal access token with read scope on the repository.

1. Create your account

Open https://patchwire.app/register and fill in:

Field               What to put
Organisation name   Display name. Shown on the dashboard.
Organisation slug   URL-safe identifier — letters, digits, hyphens. Cannot be changed later — pick a permanent name.
Email               Your sign-in address.
Password            At least 8 characters.

The slug becomes part of every URL inside the app and every webhook endpoint, so something like acme or my-team is better than me-test-1.

When you click Create account, the API does three things atomically:

  1. Creates the organisation row.
  2. Creates your user record with role admin.
  3. Issues a JWT (24 h lifetime) and stores it in your browser's localStorage.

You land on /dashboard already signed in.
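
To see how much of the 24 h session is left, the token's expiry can be read client-side. The following is an added example, not Patchwire's own code: it assumes the JWT carries the standard `iat` and `exp` claims, takes the token as an argument because the localStorage key name is not documented on this page, and reads the payload without verifying the signature.

```javascript
// Added example: inspect a JWT's lifetime without verifying its signature.
// Assumption: the token carries the standard RFC 7519 `iat` and `exp` claims.

function decodeSegment(segment) {
  // base64url -> base64, restoring the padding that JWTs strip.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

function inspectSessionToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) {
    return { ok: false, reason: "not a three-part JWT" };
  }
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (err) {
    return { ok: false, reason: "payload is not base64url-encoded JSON" };
  }
  if (!claims || !Number.isFinite(claims.exp)) {
    return { ok: false, reason: "no numeric exp claim" };
  }
  const secondsRemaining = claims.exp - nowSeconds;
  return {
    ok: true,
    expired: secondsRemaining <= 0,
    secondsRemaining,
    // Total lifetime is only known when iat is present.
    lifetimeHours: Number.isFinite(claims.iat) ? (claims.exp - claims.iat) / 3600 : null,
  };
}

// Constructed sample token for the demo: dummy signature, not issued by any service.
function makeSampleToken(iat, lifetimeSeconds) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const payload = { sub: "user-1", iat, exp: iat + lifetimeSeconds };
  return [enc({ alg: "HS256", typ: "JWT" }), enc(payload), "sig"].join(".");
}

// One hour into a 24 h session: 23 h (82800 s) remain.
const sample = makeSampleToken(1700000000, 24 * 3600);
console.log(inspectSessionToken(sample, 1700000000 + 3600));
```
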

2. Register your first project

A project in Patchwire is a single repository you want to scan.

  1. From the dashboard or /projects, click + New Project.
  2. Fill in:
    • Slug: matches the repo name conventionally, e.g. web for acme/web.
    • Name: human-friendly display name.
    • Repo URL: the HTTPS clone URL. Patchwire pre-fills this into "Scan now" later.
    • Default branch: defaults to main.
  3. If your repo is private, expand "Private repository?" and paste an access token. See Private repositories for per-provider details.
  4. Click Create.

3. Run your first scan

Two paths trigger a scan: pushing a commit (webhook) or clicking the button (manual).

Manual scan

  1. Open the project page.
  2. Click + Scan now.
  3. The clone URL and branch are pre-filled from the project. Confirm and submit.
  4. The scan row appears with status pending → running → completed. A typical 1k-file repo finishes in ~60 seconds.

Webhook-triggered scan

The far better workflow — every push to your default branch fires a scan automatically.

See Webhooks for the per-provider setup.

4. Review findings

When a scan completes:

  • Findings count appears on the scan row, broken down by severity.
  • Click into the scan to see each finding with its scanner (semgrep or gitleaks), the file path, line number, and the rule description.
  • Click Export PDF for a printable, paginated report — useful for handing to a non-technical reviewer or attaching to a ticket.

5. Where to go next

Released under a proprietary licence.