Feature Guides for Dependency Security Workflows | GeekWala

Explore GeekWala Features

Deep dive into GeekWala's powerful security features

🔍 Vulnerability Scan (Anonymous Scanning)

Vulnerability Scan lets you quickly scan dependency files without creating an account, perfect for one-time security assessments or trying out the platform.

How to Use

  1. Visit the Vulnerability Scan page
  2. Choose upload method: Paste content or Upload file
  3. Select the appropriate file type from the dropdown
  4. Click "Scan for Vulnerabilities" and wait for results
  5. Review findings and consider creating an account to save results

Supported File Formats

Frontend/Backend

  • package.json (Node.js/npm)
  • package-lock.json, yarn.lock, pnpm-lock.yaml (npm lockfiles)
  • requirements.txt (Python/PyPI)
  • Pipfile.lock, poetry.lock (Python lockfiles)
  • composer.json (PHP/Packagist)
  • composer.lock (PHP lockfile)
  • pom.xml (Java/Maven)

System Languages

  • go.mod (Go modules)
  • go.sum (Go lockfile)
  • Cargo.toml (Rust/crates.io)
  • Cargo.lock (Rust lockfile)
  • Gemfile.lock (Ruby/RubyGems)
  • packages.lock.json (.NET lockfile)
  • *.csproj (.NET/NuGet)

For the most accurate results, upload or import lockfiles whenever possible.

Anonymous Limits

  • 10 packages per scan maximum
  • 500KB file size limit
  • Requires concrete versions (no version ranges)
  • Results are temporary (not saved)

📁 Project Management

Projects are the cornerstone of persistent vulnerability monitoring. Each project contains a curated list of dependencies you want to track.

Creating Projects

  1. Navigate to Dashboard
  2. Click "Create Project" button
  3. Enter a descriptive name (e.g., "Production Web App")
  4. Add an optional description for context
  5. Start adding packages to monitor

Adding Dependencies

You can add packages to your project in multiple ways:

🔢 Manual Entry

Add individual packages by specifying ecosystem, name, and an optional version constraint. Version constraints are saved for context, but scans require a pinned version or a lockfile-resolved version.

📤 File Upload

Upload entire dependency files (package.json, requirements.txt, etc.) to automatically populate your project with all dependencies at once.

🐙 GitHub Integration

Connect your GitHub account to browse repositories and import dependency files directly from your codebase.

⚡ API Integration

Use our REST API to programmatically manage projects and dependencies from your CI/CD pipelines or automation tools.

Plan Limits

Free tier supports 5 projects maximum with 200 packages maximum across all projects. Pro tier offers unlimited projects and unlimited packages, plus scheduled scans and email alerts.


⏰ Scheduled Scans (Pro Only)

Scheduled scanning keeps your projects monitored regularly, sending email alerts when scans find new vulnerabilities.

Setting Up Schedules

  1. Open a project from your dashboard
  2. Click the "Schedule" tab or settings icon
  3. Choose scan frequency: Daily, Weekly, or Monthly
  4. Select preferred time and timezone
  5. Configure notification preferences
  6. Save changes to activate scheduling

Schedule Options

📅 Daily

Scan every day at your chosen time. Perfect for active development.

📊 Weekly

Scan weekly on your chosen day. Ideal for stable production systems.

📈 Monthly

Scan monthly on your chosen date. Suitable for legacy or low-risk applications.

Timezone Support

Schedule scans in your local timezone. The system automatically handles daylight saving time transitions to ensure consistent scheduling.

💡 Pro Tip: Schedule scans during off-hours to avoid disrupting your team's workflow. We recommend early morning scans (6-8 AM) for daily monitoring.

🚨 Alerts and Notifications

Stay informed when scans find vulnerabilities with notifications delivered through multiple channels.

Notification Types

📧 Email Alerts

  • New vulnerabilities detected
  • Scan completion summaries
  • Security digests (weekly for Pro, bi-weekly for free users)
  • Critical severity alerts (sent when scans complete)

Available to all users - Configure per project

🔔 In-App Notifications

  • Dashboard updates when scans complete
  • Notification bell with unread count
  • Persistent until marked as read
  • Quick access to scan results

Available on all plans

Notification Settings

Customize notification preferences per project to avoid alert fatigue:

  • Email notifications: Pro only
  • In-app notifications: All plans
  • Severity filtering: Pro only

🐙 GitHub Integration

Connect your GitHub repositories to import dependency files directly, with deep search enabled by default for monorepos.

Setup Process

  1. Navigate to Integrations → GitHub
  2. Click "Connect GitHub Account"
  3. Authorize GeekWala with read access
  4. Browse your repositories
  5. Select repositories and manifest files to import
  6. Create new projects or add to existing ones

Permissions Required

OAuth Scopes

  • read:user - Access basic profile information
  • repo - Read repository contents and metadata

We only read dependency files. No code access or write permissions are used. Note that GitHub's repo OAuth scope is itself broad (it covers the full contents of your private repositories), so the "dependency files only" behaviour is a policy of the integration rather than a limit enforced by the token; review the authorization prompt with that in mind and revoke the grant from your GitHub settings if you stop using the integration.

Supported Repositories

✅ Supported

  • Public repositories
  • Private repositories you own
  • Organization repos with access
  • Deep search (max depth 5) with grouping by subdirectory
  • Lockfiles are prioritized when available

⚠️ Limitations

  • Skips common vendor/build directories during deep search
  • Re-import after dependency changes to refresh manifests
  • Large files (>1MB) may time out

🏷️ Status Badges

Display real-time security status in your README files, documentation, or dashboards with embeddable SVG badges.

Creating Badges

  1. Go to Developers → Badges
  2. Select a project to generate a badge for
  3. Click "Generate Badge Token"
  4. Copy the provided markdown or HTML code
  5. Paste into your README or documentation

Badge Example

Markdown

[![Security Status](https://geekwala.com/badge/TOKEN_HERE)](https://geekwala.com/projects/123)

HTML

<img src="https://geekwala.com/badge/TOKEN_HERE" alt="Security Status" />

Badge States

  • Secure: No vulnerabilities detected
  • Warning: Low/Medium vulnerabilities found
  • Critical: High/Critical vulnerabilities detected

🔒 Security Note: Badge tokens are unique and secure. They only reveal vulnerability counts, not specific details. Revoke tokens anytime from your badge settings.

🎯 Threat Intelligence

GeekWala goes beyond basic vulnerability scanning by integrating real-time threat intelligence data to help you prioritize what to fix first.

EPSS Scores

Each vulnerability with a CVE ID shows an EPSS (Exploit Prediction Scoring System) score from FIRST.org, indicating the probability of exploitation within the next 30 days.

  • >50%: High Risk. Prioritize immediately.
  • 10-50%: Moderate Risk. Address soon.
  • <10%: Lower Risk. Monitor and plan.

Known Exploited Vulnerabilities (KEV)

Vulnerabilities in CISA's Known Exploited Vulnerabilities catalog are flagged with an animated "Actively Exploited" badge. These represent real-world attacks happening now.

Actively Exploited: Top Priority

KEV-listed vulnerabilities should be your highest priority. Federal agencies are required to remediate these within specific timeframes, and you should too.

Prioritization Strategy

  1. Fix Actively Exploited vulnerabilities first (KEV catalog)
  2. Address vulnerabilities with EPSS >50% (high exploitation likelihood)
  3. Then focus on Critical/High severity with moderate EPSS scores
  4. Schedule remaining vulnerabilities based on severity and business impact
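The four-step strategy above, expressed as a ranking function. This is example code added to this guide, not GeekWala's own implementation: the Finding record, the sample findings and the CVE/GHSA-style identifiers are constructed placeholders, and the fourth tier is ordered by severity only because "business impact" is something only you can supply.

```python
"""Rank findings with the strategy above: KEV first, then EPSS > 50%,
then Critical/High with moderate EPSS, then everything else by severity.

Example code added to this guide, not GeekWala's own implementation.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    package: str
    vuln_id: str
    severity: str          # "critical", "high", "medium" or "low"
    epss: Optional[float]  # FIRST.org EPSS probability (0..1); None when the advisory has no CVE/EPSS score
    kev: bool              # True if listed in CISA's Known Exploited Vulnerabilities catalog


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def epss_band(epss: Optional[float]) -> str:
    """Map an EPSS probability onto the three bands used in this guide."""
    if epss is None:
        return "Unscored"
    if epss > 0.5:
        return "High Risk"
    if epss >= 0.1:
        return "Moderate Risk"
    return "Lower Risk"


def priority_tier(f: Finding) -> int:
    """1 = KEV, 2 = EPSS > 50%, 3 = Critical/High with moderate EPSS, 4 = remaining."""
    if f.kev:
        return 1
    if epss_band(f.epss) == "High Risk":
        return 2
    if f.severity in ("critical", "high") and epss_band(f.epss) == "Moderate Risk":
        return 3
    return 4


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Sort by tier, then severity, then descending EPSS, then package name (stable output)."""
    return sorted(
        findings,
        key=lambda f: (
            priority_tier(f),
            SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)),
            -(f.epss or 0.0),
            f.package,
        ),
    )


# Constructed sample findings; package names and IDs are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("example-yaml", "CVE-EXAMPLE-0001", "high", 0.12, False),       # tier 3
    Finding("example-args", "CVE-EXAMPLE-0002", "medium", 0.72, False),     # tier 2
    Finding("example-logger", "CVE-EXAMPLE-0003", "critical", 0.97, True),  # tier 1
    Finding("example-http", "GHSA-EXAMPLE-0004", "low", None, False),       # tier 4 (unscored)
    Finding("example-regex", "CVE-EXAMPLE-0005", "high", 0.03, False),      # tier 4 (low EPSS)
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(priority_tier(f), f.package, f.vuln_id, f.severity,
              epss_band(f.epss), "KEV" if f.kev else "")
```

Advisories without a CVE (GHSA-only entries) carry no EPSS score, so they can never reach tier 2 or 3 on EPSS alone; they land in tier 4 and are ordered by severity, which is why the severity gate still matters alongside EPSS and KEV.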

💡 Pro Tip: EPSS and KEV data are refreshed daily. Run regular scans to stay current on evolving threat intelligence.

📊 Export and Reporting (Pro Only)

Generate detailed reports and export scan data for compliance, analysis, or integration with external tools.

Export Formats

📄 CSV Export

  • Spreadsheet-compatible format
  • Perfect for analysis in Excel/Google Sheets
  • Includes all vulnerability details
  • Filterable and sortable data

📋 JSON Export

  • Machine-readable format
  • API integration friendly
  • Structured vulnerability data
  • Custom tooling integration

Report Contents

  • Scan Metadata: Scan ID, timestamp, duration, trigger type
  • Package Information: Ecosystem, name, version, source file
  • Vulnerability Details: CVE/GHSA IDs, severity, summary, affected versions
  • Recommendations: Upgrade paths, fix suggestions, links to advisories

🔗 API Access: Pro users can also export data programmatically using our REST API for automated reporting.

🔄 CI/CD Integration

Integrate GeekWala security scanning into your continuous integration pipeline to catch vulnerabilities before they reach production.

GitHub Actions (Recommended)

The official GeekWala Security Scan action is the fastest way to add vulnerability scanning to your GitHub workflow:

name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: GeekWala Security Scan
        uses: Geekwala/security-scan-action@v1
        with:
          api-token: ${{ secrets.GEEKWALA_API_TOKEN }}
          severity-threshold: high       # Fail on high + critical
          fail-on-kev: true              # Fail on known exploited vulns
          epss-threshold: 0.3            # Fail if exploitation probability > 30%

Key Features

  • Auto-detects lockfiles (package-lock.json, requirements.txt, go.sum, etc.)
  • Configurable fail gates: severity, EPSS score, CISA KEV status
  • SARIF output for GitHub Code Scanning integration
  • Vulnerability suppression via .geekwala-ignore.yml
  • Multiple output formats: summary, JSON, table
  • Ready-to-use workflows in the examples repository

For advanced configuration including SARIF integration, ignore files, and all available inputs, see the API Documentation.

Other CI Platforms

For GitLab CI, Jenkins, or other platforms, use the REST API directly:

# Scan a dependency file.
# -s silences the progress meter; -f makes curl exit non-zero on an HTTP error so the CI job fails.
# jq -Rs reads the lockfile as raw text and emits it as a single JSON-escaped string.
curl -sf -X POST "https://geekwala.com/api/v1/vulnerability-scan/run" \
  -H "Authorization: Bearer $GEEKWALA_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"file_name\": \"package-lock.json\", \"content\": $(jq -Rs . package-lock.json)}"

# Parse results
# Response includes: summary, per-package results, EPSS scores, KEV status

💡 Tip: Create a dedicated API token with scan:write ability for CI/CD use. Manage tokens at Developers → API Tokens. See complete examples for ready-to-use workflows.
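For platforms without the official action, the fail gates from the GitHub Actions example above (severity-threshold, fail-on-kev, epss-threshold) have to be applied to the REST response yourself. The script below is an example added to this guide, not the action's own code or the documented API schema: the response layout (summary / results / vulnerabilities keys and the severity, epss and kev field names) is an assumption for illustration, and the embedded response is constructed, so map the fields to the real schema from the API Documentation before using it.

```python
"""CI fail gate: apply severity-threshold, fail-on-kev and epss-threshold to a scan result.

Example code added to this guide, not the GeekWala action's own implementation.
The response layout (summary / results / vulnerabilities keys) is an assumption for
illustration; consult the API Documentation for the real schema.
"""
import json
import sys
from typing import List

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample scan response (not real API output); IDs are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "summary": {"packages": 3, "vulnerabilities": 3},
    "results": [
        {"name": "example-parser", "version": "1.4.2", "vulnerabilities": [
            {"id": "CVE-EXAMPLE-1001", "severity": "medium", "epss": 0.41, "kev": False}]},
        {"name": "example-template", "version": "2.0.0", "vulnerabilities": [
            {"id": "CVE-EXAMPLE-1002", "severity": "high", "epss": 0.02, "kev": False}]},
        {"name": "example-net", "version": "0.9.1", "vulnerabilities": [
            {"id": "GHSA-EXAMPLE-1003", "severity": "low", "epss": None, "kev": False}]},
    ],
})


def evaluate_gates(response_json: str, severity_threshold: str = "high",
                   fail_on_kev: bool = True, epss_threshold: float = 0.3) -> List[str]:
    """Return one reason per gate violation; an empty list means the build may proceed.

    severity_threshold: lowest severity that fails the build ("high" fails high and critical).
    fail_on_kev:        fail on any CISA KEV-listed vulnerability.
    epss_threshold:     fail when the EPSS probability is strictly greater than this value.
    """
    data = json.loads(response_json)
    min_rank = SEVERITY_ORDER.index(severity_threshold.lower())
    reasons: List[str] = []
    for pkg in data["results"]:
        label = f"{pkg['name']}@{pkg['version']}"
        for vuln in pkg["vulnerabilities"]:
            sev = vuln["severity"].lower()
            if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= min_rank:
                reasons.append(f"{label} {vuln['id']}: severity {sev} >= {severity_threshold}")
            if fail_on_kev and vuln.get("kev"):
                reasons.append(f"{label} {vuln['id']}: listed in CISA KEV")
            # Advisories without a CVE have no EPSS score and cannot trip the EPSS gate;
            # they are still caught by the severity gate when severe enough.
            epss = vuln.get("epss")
            if epss is not None and epss > epss_threshold:
                reasons.append(f"{label} {vuln['id']}: EPSS {epss:.2f} > {epss_threshold}")
    return reasons


def main() -> int:
    # In a real pipeline, read the curl response from stdin or a file instead of SAMPLE_RESPONSE.
    reasons = evaluate_gates(SAMPLE_RESPONSE)
    for reason in reasons:
        print("FAIL:", reason)
    print("gate:", "failed" if reasons else "passed")
    return 1 if reasons else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the last step of the scan job and let its exit status fail the pipeline; with the defaults from the workflow above, the sample response fails twice (one high-severity finding and one EPSS above 0.3), while the unscored GHSA-only entry passes on EPSS and is judged on severity alone.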