Patchlynx Documentation
Integration guides, API reference, and a technical explanation of how the reachability engine works. Start with the Quickstart to get your first PR check running in under 5 minutes.
- Quickstart: Live in 5 minutes
- API Reference: REST + webhooks
- CI/CD Guide: GitHub Actions, Jenkins…
- Reachability Engine: How analysis works
How Patchlynx fits into your workflow
Patchlynx is a GitHub App (with GitLab and Bitbucket support) that runs a reachability analysis on every pull request. Installation takes under 5 minutes, and no changes to your build scripts are required.
At a high level, the pipeline is:
- A PR is opened or updated on a connected repository.
- Patchlynx receives a webhook and fetches the lockfile diff.
- The reachability engine builds a dependency graph and traces call paths from your entry points to CVE-affected functions.
- A PR check is posted with verdict, severity, and call chain evidence.
No source code is transmitted to Patchlynx servers. We receive your lockfile, package manifests, and call-site metadata (function names and import paths). Raw source code stays in your infrastructure. Analysis runs in an ephemeral sandbox that is destroyed within 60 seconds of scan completion. See the security page for full architecture details.
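To illustrate the reachability step in the pipeline above, here is an added example (not Patchlynx's own code or algorithm) that traces call paths from entry points to affected functions using only function names and import paths. The call graph, the advisory IDs (placeholders) and the verdict labels are constructed assumptions.

```python
from collections import deque

# Constructed call-site metadata: caller -> callees, written "import.path:function".
# Names only, no source code, mirroring the kind of metadata described above.
CALL_EDGES = {
    "app.server:handle_upload": ["app.images:make_thumbnail", "app.audit:log_event"],
    "app.images:make_thumbnail": ["imglib.decode:read_header"],
    "imglib.decode:read_header": ["imglib.decode:parse_chunk"],
    "app.cli:main": ["app.audit:log_event"],
    "app.audit:log_event": ["jsonfast.encode:dumps"],
    # Present in the dependency tree, but nothing in the app calls into it.
    "yamlite.load:unsafe_load": ["yamlite.load:construct"],
}
ENTRY_POINTS = ["app.server:handle_upload", "app.cli:main"]

# Constructed advisory data; the IDs are placeholders, not real CVEs.
AFFECTED = {
    "CVE-PLACEHOLDER-1": "imglib.decode:parse_chunk",
    "CVE-PLACEHOLDER-2": "yamlite.load:construct",
}

def find_call_chain(edges, entry_points, target):
    """Breadth-first search: shortest call chain from any entry point, or None."""
    queue = deque([ep] for ep in entry_points)
    seen = set(entry_points)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in edges.get(path[-1], ()):
            if callee not in seen:  # visited set keeps recursive cycles from looping
                seen.add(callee)
                queue.append(path + [callee])
    return None

def check(edges, entry_points, affected):
    """Map each advisory to a verdict plus the call chain that serves as evidence."""
    results = {}
    for advisory, function in affected.items():
        chain = find_call_chain(edges, entry_points, function)
        verdict = "reachable" if chain else "not reachable"
        results[advisory] = {"verdict": verdict, "call_chain": chain}
    return results

if __name__ == "__main__":
    for advisory, result in check(CALL_EDGES, ENTRY_POINTS, AFFECTED).items():
        print(advisory, result["verdict"], " -> ".join(result["call_chain"] or []))
```

A static name-based graph like this misses dynamic dispatch and reflection, so a "not reachable" result is only as complete as the call edges fed into it.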
Supported environments
| Category | Supported |
|---|---|
| Languages | JavaScript/TypeScript, Python, Go, Rust, Java |
| Package managers | npm, Yarn, pnpm, pip, Poetry, Go modules, Cargo, Maven/Gradle |
| VCS integrations | GitHub, GitLab, Bitbucket |
| CI systems | GitHub Actions, CircleCI, Jenkins, Azure DevOps, Buildkite |