# Introduction
Patchwire is a self-hosted vulnerability management platform designed for small teams that want continuous code-level security scanning without renting a SaaS.
You connect a repository, Patchwire clones it, runs Semgrep (SAST) and Gitleaks (secret detection), deduplicates the findings, persists them per-tenant, and emits a styled PDF report. Webhooks from Forgejo, GitHub, GitLab, and Bitbucket trigger scans automatically; private repositories are supported via per-project access tokens encrypted at rest.
## What it does
| Capability | How it works |
|---|---|
| SAST scanning | Semgrep with the default ruleset on every push. |
| Secrets detection | Gitleaks scans the cloned tree. Findings deduplicated against the SAST output. |
| Per-tenant isolation | Every row carries org_id; queries always filter by it. JWTs are scoped to one organisation. |
| Webhook intake | HMAC-verified pushes from four providers, mapped to organisation/project via the repository's owner/name path. |
| Private repo cloning | Per-project HTTPS PAT, AES-256-GCM encrypted, decrypted only inside the scan task. |
| Reports | Per-scan severity rollup; PDF export rendered with @react-pdf/renderer. |
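As an added example (not Patchwire's own code), the webhook HMAC check from the table above as a standalone function. The header names and signature formats are assumptions about the providers (GitHub: `X-Hub-Signature-256` with a `sha256=` prefix; Forgejo: `X-Gitea-Signature` with bare hex), and the secret and payload are constructed sample values.

```python
import hashlib
import hmac

# Assumed provider conventions (not taken from Patchwire's source):
#   GitHub : header X-Hub-Signature-256, value "sha256=<hex>"
#   Forgejo: header X-Gitea-Signature,   value "<hex>" (no prefix)
# Both are HMAC-SHA256 over the raw request body bytes.
SIGNATURE_HEADERS = {
    "github": ("X-Hub-Signature-256", "sha256="),
    "forgejo": ("X-Gitea-Signature", ""),
}


def expected_signature(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received (never the re-serialised JSON)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(provider: str, headers: dict, body: bytes, secret: bytes) -> bool:
    """Return True only if the body carries a valid HMAC for this provider.

    A missing, malformed or unknown-provider signature is a rejection, never a
    pass-through, and the comparison is constant-time so an attacker cannot
    recover signature bytes through response timing.
    """
    if provider not in SIGNATURE_HEADERS:
        return False
    header_name, prefix = SIGNATURE_HEADERS[provider]
    # HTTP header names are case-insensitive; normalise before lookup.
    presented = next(
        (v for k, v in headers.items() if k.lower() == header_name.lower()), None
    )
    if presented is None or not presented.startswith(prefix):
        return False
    presented_hex = presented[len(prefix):]
    expected_hex = expected_signature(secret, body)
    # Compare as bytes so non-ASCII garbage in the header cannot raise.
    return hmac.compare_digest(presented_hex.encode(), expected_hex.encode())


if __name__ == "__main__":
    # Constructed sample push payload and secret.
    secret = b"constructed-example-secret"
    body = b'{"ref":"refs/heads/main","repository":{"full_name":"acme/widgets"}}'
    good = {"X-Hub-Signature-256": "sha256=" + expected_signature(secret, body)}
    print("github push verified:", verify_webhook("github", good, body, secret))
```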
## What it isn't
- Not a runtime security platform. Patchwire reads source code; it does not instrument running applications, monitor traffic, or scan containers.
- Not an SCA replacement. Dependency-vulnerability matching against a CVE database is on the roadmap; today it's purely SAST + secrets.
- Not Auth0. The auth model is simple: per-organisation JWT, no SSO, no SAML. Pairs well with a single team that wants to ship.
## Architecture in one paragraph
A Rust API (Axum + SQLx, single binary) is the only stateful component besides Postgres. The frontend is a Next.js 14 SPA at patchwire.app; documentation is the VitePress site you are reading. Scans run in-process inside the API pod via tokio::spawn — fast enough to return a webhook 200 within the provider's 10-second deadline, slow enough that we'll move them to a queue when we hit our first concurrency wall. Everything ships as Docker images served from a private Forgejo registry, deployed onto k3s with sealed-secrets and cert-manager.
## When to use Patchwire
- You run a small team (1–10 engineers) on your own infrastructure.
- You need a paper trail of "this scan ran, these findings were flagged, here's the PDF" for compliance or contracts.
- You want a tool you can rebuild from source without surprises — every scan path, every credential, every storage decision is in one repository.
## When to look elsewhere
- You need pre-merge IDE-level findings across a 200-engineer organisation.
- You require enterprise SSO, SAML, audit log streaming.
- Your code is in a repo type Patchwire doesn't yet integrate with (e.g. SVN, Mercurial, Azure DevOps Server).
## Next
Continue to the Quickstart to register a tenant and run your first scan, or jump to Core concepts for the data model.