
Security scanning

Automatic CVE scanning + alerts

Percher scans every image it builds for known vulnerabilities (CVEs), and keeps watching your live apps after they ship, so a CVE disclosed next week still reaches you. Findings live in your app's Security tab, sorted by how much they matter:

  • Red: a critical vulnerability with a fix available that is reachable from the internet. Worth handling soon.
  • Yellow: a fixable issue that isn't critical or isn't internet-reachable. Update when you're ready.
  • Green: informational, or no fix released yet. Nothing to do.

Each finding names the CVE, the affected component, and where it lives in your image (the exact binary or node_modules path), so you can tell whether it's your dependency or a build tool you can drop. A common surprise: a stdlib finding is usually a Go binary like esbuild bundled into node_modules by your toolchain, not a server component.
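One way to do that attribution yourself, as an added example (not Percher's code or output format): map the finding's path to the npm package that owns it and check package-lock.json (lockfileVersion 2 or 3) to see whether that package is dev-only. The finding shape, the `/app` paths, the function names and all sample data are assumptions, and the lockfile is assumed to sit beside the first `node_modules` directory in the path.

```javascript
// Constructed sample: a trimmed package-lock.json (lockfileVersion 3).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/express": { version: "0.0.0-sample" },
    "node_modules/esbuild": { version: "0.0.0-sample", dev: true },
    "node_modules/@esbuild/linux-x64": { version: "0.0.0-sample", dev: true, optional: true },
  },
};

// Map a file path inside the image to its lockfile key, e.g.
// "node_modules/@esbuild/linux-x64". Handles scopes and nested node_modules.
function owningPackageKey(filePath) {
  const parts = filePath.split("/").filter(Boolean);
  const start = parts.indexOf("node_modules");
  if (start === -1) return null;
  let i = start;
  let end = -1;
  while (parts[i] === "node_modules" && i + 1 < parts.length) {
    const width = parts[i + 1].startsWith("@") ? 2 : 1; // scoped names span two segments
    if (i + width >= parts.length) break; // truncated scoped name
    end = i + 1 + width;
    i = end;
  }
  return end === -1 ? null : parts.slice(start, end).join("/");
}

// Label a finding (hypothetical shape: { cve, component, path }) by who owns the file.
function attributeFinding(finding, lock) {
  const key = owningPackageKey(finding.path);
  if (key === null) return { ...finding, owner: null, kind: "not-npm" };
  const entry = (lock.packages || {})[key];
  if (!entry) return { ...finding, owner: key, kind: "unknown" };
  // npm sets dev: true only for packages reachable solely via devDependencies;
  // anything else is treated as runtime, the conservative choice.
  return { ...finding, owner: key, kind: entry.dev === true ? "build-only" : "runtime" };
}

// Constructed findings; the CVE ids are placeholders.
const sampleFindings = [
  { cve: "CVE-PLACEHOLDER-1", component: "stdlib", path: "/app/node_modules/@esbuild/linux-x64/bin/esbuild" },
  { cve: "CVE-PLACEHOLDER-2", component: "express", path: "/app/node_modules/express/lib/router/index.js" },
];
for (const f of sampleFindings) {
  const r = attributeFinding(f, sampleLock);
  console.log(`${r.cve} ${r.component} -> ${r.owner} (${r.kind})`);
}
```

A `build-only` result means the file arrived through devDependencies, so it is a candidate for dropping from the runtime image rather than upgrading.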

Percher only emails you about red findings, the ones genuinely worth acting on. Lower-severity findings stay in the dashboard, not your inbox. The email carries the fix version and a ready-to-paste prompt for your AI assistant, so the upgrade and redeploy are one step.

CVEs in the base image and language runtime Percher chose for you are handled centrally by Percher. They're never counted against your app, never block your deploy, and never land in your inbox.

To clear a finding, upgrade the affected dependency and redeploy. The next scan confirms it's gone and the finding resolves automatically.