Most scanners ship a fixed probe library. This one ships the probes and a closed loop that proposes new probe variants, measures them against sandbox benchmarks, and signs off on every improvement. Three separate judges (known-vulns stopgap → LLM judge → eventual human reviewer) keep each other honest; a confabulation caught during development is what made the 3-judge architecture a hard design decision.
No customer scan is affected by anything on this tab. Experiments stay internal until Step 8 (promotion gate) wires them into the customer probe dispatcher. This surface is for internal review and the "provably self-improving" story.
Summary counters: Experiments (across all generations) · Benchmarks (sandbox targets) · LLM-judged (vs stopgap) · Top score (best variant so far)
Score by generation
Line per probe family · best variant's score per generation · higher is better (TP per runtime-second, severity-weighted).
Recent experiments
Re-runs the LLM judge over historical rows. POST /api/garl/upgrade.
Columns: Gen · Family · Status · Score · Runtime · Verdict · Judged by · When
Benchmark targets
One-time GitHub credential
Paste a GitHub Personal Access Token to scan a private repo right now.
The token is sealed with your tenant encryption key, stored in KV with a hard time-to-live, and auto-purged when it expires. Production deployments should install the Glacis GitHub App for ongoing access — see the setup guide.
This page is for one-time evaluation scans only.
Don't have a PAT yet? Generate one in 30 seconds.
Two flavours of PAT work — pick whichever your org policy allows. Fine-grained is recommended.
Fine-grained: confirm the repository scope is checked, set an expiration, generate the token, and paste it below.
Classic PATs grant access to all repos the user can see — prefer fine-grained where possible.
What Glacis does with the token: reads dependency manifests (package.json, requirements.txt, go.mod, etc.) to enumerate vulnerable packages. Read-only on Contents is sufficient. No write, no PR, no clone.
● AES-256-GCM at rest · key derived from your tenant secret · KV native TTL · audit-logged on every use
Active token: Expires · Stored at
Any dependency-scan probe run by this tenant will use this token automatically.
On expiry the ciphertext in KV is purged by Cloudflare and scans fall back to the GitHub App (if installed) or skip with a clear log line.
How this maps to production
A long-lived PAT scoped to a single human is a poor fit for multi-tenant production: token compromise has unbounded blast radius, audit trails attribute every action to a single account, and rate limits cap at 5,000/hr per user across all customers. The GitHub App path issues per-installation tokens that auto-expire every hour, scope to repos the customer chose, and audit as "Glacis Scanner". Use this paste-PAT page for one-shot evaluation and dev work; install the App for everything that matters.
Register a scan target
Register the apex domain (e.g. glacis.io). Subdomains are catalogued automatically when you upload the Cloudflare DNS zone export — no need to register each one separately.
Lowercase only, no protocol or path. We'll issue a DNS TXT challenge for ownership.
Registered
Add this DNS TXT record at your DNS provider — each field is click-to-copy:
Name · Type: TXT · Content · TTL: Auto / 300
DNS propagation usually takes < 60 seconds. Click Verify now once the record resolves; you can also Skip and verify from the targets list later.
Start a scan
Pick a registered target — or type a domain to scan ad-hoc. Preset toggles the family set below.