unpwnddocs
Open app

Connect your first repository

getting startedUpdated Jul 2026

unpwnd audits a repository by cloning it read-only, then turning a swarm of agents loose to find vulnerabilities and prove each one. Here's how to connect the first repo and kick off that first audit.

unpwnd only ever reads your code. Clones are shallow and ephemeral — they live in memory for the length of a scan and are discarded when it finishes. Nothing is written back to your repo, and no source is retained.

Before you start

You'll need a GitHub account with admin access to the repository you want to audit — installing a GitHub App is an admin-level action. A repo of any size works; unpwnd scales the swarm to fit.

Install the GitHub App

From the dashboard, open Import repository and choose Connect GitHub. GitHub walks you through installing the unpwnd app on your account or organization.

  1. Open the dashboard
    Sign in at unpwnd.com and press Import repo in the top bar.
  2. Install the GitHub App
    Choose the account or organization that owns the repository.
  3. Pick which repos to grant
    Grant a single repo or all of them — you can change this any time on GitHub.

Grant read-only access

unpwnd requests the narrowest scope that still lets it clone: read-only contents. It never asks for write access, and it can't push, open pull requests, or change settings. Revoke it whenever you like from your GitHub installed apps.

What happens next

The moment a repo is connected, unpwnd dispatches its first full audit. Findings stream in as agents prove them — you don't wait for the whole run to finish to see the first result.

first audit · acme/checkout-apiLIVE

clone acme/checkout-api read-only · shallow · ephemeral
cloned — 1,204 files, 86k LOC
swarm dispatched — 12 agents walking the code graph
traced CRITICAL SQL injection routes/pay.ts:88 → db/query.ts:14
traced HIGH SSRF lib/fetch.ts:31
auditing… findings appear in the dashboard as they're proven

When the run settles, open Read your first audit to learn how to read a finding, follow its source → sink trace, and copy the paste-ready fix.