Quickstart
Connect your first repository and get your first reachability check in under 5 minutes.
Step 1 — Install the GitHub App
Go to your Patchlynx dashboard and click Add repository. You'll be redirected to the GitHub App installation flow. Select the repositories you want Patchlynx to monitor.
For GitLab or Bitbucket, use the Other providers option on the dashboard. The setup flow uses OAuth and requires the repo:read and webhook:write scopes.
Step 2 — Configure entry points
Patchlynx auto-detects entry points from your package.json main field, index.js, or common framework patterns. For custom entry points, add a .patchlynx.yml to your repo root:
.patchlynx.yml
version: 1
entry_points:
- src/server.js
- src/workers/job-runner.js
ignore_paths:
- test/**
- scripts/**
severity_threshold: MODERATE
Step 3 — Open a pull request
Open any PR that modifies a lockfile (e.g. package-lock.json, yarn.lock). Patchlynx will automatically run within seconds and post a check to the PR.
Step 4 — Read the check
The PR check shows:
- A verdict: pass (no reachable CVEs), warning (moderate reachable), or block (critical/high reachable).
- Per-CVE cards with severity, description, and call chain.
- One-click fix PR suggestion (Pro plan).
PR #247 — Patchlynx Check
✔ Patchlynx — reachability analysis complete
✘ CRITICAL CVE-2024-38816 (CVSS 9.8)
lodash prototype pollution
Reachable via: src/server.js:142 → lib/utils.js:88 → lodash/merge.js:34
✓ CVE-2023-45133 (HIGH) — not reachable, auto-dismissed
✓ CVE-2023-28155 (MODERATE) — not reachable, auto-dismissed
Tip: Set the check to "required" in your branch protection rules to prevent merging PRs with critical reachable vulnerabilities.
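The tip above only takes effect if branch protection actually lists the check and nobody can bypass it. The script below is an added example, not Patchlynx's own code: it audits the JSON that GitHub's branch protection endpoint returns. The check name "Patchlynx" and both sample responses are assumptions constructed for illustration.

```javascript
// Audit a GitHub branch-protection response to confirm the reachability
// check really gates merges. Fetch the JSON with, for instance:
//   gh api repos/OWNER/REPO/branches/main/protection
// ASSUMPTION: the check is reported under the name "Patchlynx"; copy the
// exact name from the Checks tab of one of your PRs.

function auditProtection(protection, checkName) {
  const problems = [];
  const rsc = protection && protection.required_status_checks;
  if (!rsc) {
    problems.push("no required status checks are configured");
  } else {
    // GitHub lists required checks in `contexts` (legacy) and `checks` (current).
    const names = new Set([
      ...(rsc.contexts || []),
      ...(rsc.checks || []).map((c) => c.context),
    ]);
    if (!names.has(checkName)) {
      problems.push(`"${checkName}" is not a required check`);
    }
    // Without `strict`, a stale branch can merge a lockfile that was never
    // analysed against the current base branch.
    if (!rsc.strict) {
      problems.push("branch is not required to be up to date before merging");
    }
  }
  const admins = protection && protection.enforce_admins;
  if (!(admins && admins.enabled)) {
    problems.push("administrators can bypass the required check");
  }
  return problems;
}

// Constructed sample responses (not real repository data).
const SAMPLE_WEAK = {
  required_status_checks: { strict: false, contexts: ["build"], checks: [{ context: "build", app_id: null }] },
  enforce_admins: { enabled: false },
};
const SAMPLE_HARDENED = {
  required_status_checks: { strict: true, contexts: ["build", "Patchlynx"], checks: [{ context: "Patchlynx", app_id: null }] },
  enforce_admins: { enabled: true },
};

for (const [label, sample] of [["weak", SAMPLE_WEAK], ["hardened", SAMPLE_HARDENED]]) {
  const problems = auditProtection(sample, "Patchlynx");
  console.log(label, problems.length ? problems : "OK");
}
```

An empty result means the check is required, the branch must be up to date before merging, and administrators are held to the same rule.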