Detect vulnerabilities. Apply fixes with confidence.
Debuggix runs 9 security engines against your codebase, correlates results to eliminate noise, and generates verified patches you can review before merging.
- Overview
- How It Works
- The 9 Security Engines
- Features
- Architecture
- API Reference
- Webhooks
- Slack Integration
- Pricing
- Privacy & Security
- Roadmap
- Tech Stack
Debuggix is a security platform that finds vulnerabilities in your code AND generates working fixes, not just a list of problems. It orchestrates 9 open-source security scanners in parallel, correlates their results to eliminate duplicates and false positives, then uses AI to generate production-ready code patches.
Why Debuggix? Traditional security tools dump a list of 500 vulnerabilities and say "good luck." You spend hours manually fixing each one. 67% of security fixes take over 4 hours. Debuggix both finds AND fixes, turning hours of manual patching into a 60-second review.
- Connect: Paste any GitHub repository URL or upload a ZIP file
- Scan: 9 specialized engines run in parallel across your codebase
- Review: View findings with confidence scores, source attribution, and AI explanations
- Fix: AI generates working code patches with diffs. Review, copy, or merge.
| Engine | Category | What It Detects | Coverage |
|---|---|---|---|
| Semgrep | Static Analysis | SQL injection, XSS, path traversal, code vulnerabilities | Python, JS, Go, Java, Ruby, PHP, Terraform |
| Gitleaks | Secret Detection | Hardcoded API keys, tokens, passwords, credentials | All file types |
| TruffleHog | Secret Detection | Secrets buried in git commit history | Git history |
| Trivy | Dependency Scanning | Known CVEs in packages and container images | pip, npm, Docker, apt, yum, gem |
| Bandit | Static Analysis | Python-specific security issues | Python |
| ESLint | Static Analysis | JavaScript/TypeScript security linting | .js, .ts, .jsx, .tsx |
| Hadolint | Configuration | Dockerfile misconfigurations and best practices | Dockerfiles |
| Checkov | Configuration | Infrastructure-as-Code misconfigurations | Terraform, K8s, CloudFormation, Helm |
| OSV-Scanner | Dependency Scanning | Open source vulnerability database | 10+ ecosystems |
All engines run in parallel. Results are merged, deduplicated, and AI-verified.
For every vulnerability, Debuggix generates a working code fix using multiple LLM providers (Google Gemini, DeepSeek, OpenAI, OpenRouter) with automatic fallback. Each fix includes:
- Diff view: See exactly what changed
- Explanation: Understand why the fix works
- Confidence score: Know how reliable the fix is
- Impact assessment: Understand the severity of the issue
An AI chat interface that understands your entire codebase. Ask questions like:
- "Where are the most critical vulnerabilities?"
- "Explain the authentication flow"
- "Show me all hardcoded credentials"
- "What dependency issues exist?"
The Copilot reads your actual source files and references scan findings. Responses include file paths, line numbers, and code snippets. Context is cached for faster follow-up questions. A flush button lets you clear cached context at any time.
Every finding receives an AI confidence score (0-100%). Higher scores mean higher likelihood of being a real vulnerability. Mark findings as confirmed or false positive to filter results.
- OAuth Login: Sign up with your GitHub account
- Private Repos: Scan private repositories using your GitHub token
- One-Click PR: Create a Pull Request with all AI-generated fixes applied
- github.dev & Codespaces: Open files directly in browser-based editors
- Shareable Reports: Generate a public URL with no code exposed
- README Badge: Add a security status badge to your repository:

  [](https://debuggix.space)

- Shared Scans: Share scan results with team members
- Comments: Discuss individual findings
- Custom Rules: Add custom Semgrep detection rules (Pro+)
```text
Users → Frontend (React, Render)
              ↓
      Backend API (FastAPI, Render)
              ↓
Redis (Upstash) → Celery Worker (DigitalOcean Droplet)
              ↓
9 Security Engines (Semgrep, Gitleaks, Trivy, etc.)
              ↓
AI Fix Generation (Multi-LLM with fallback)
              ↓
      PostgreSQL (Render)
```
- User submits a GitHub URL or ZIP file
- Backend creates a scan record and dispatches a Celery task via Redis
- Celery worker clones the repository with `--depth 1 --single-branch` for speed
- 9 security engines run in parallel with configurable timeouts
- Vendor directories, test files, and node_modules are excluded automatically
- Results are merged, deduplicated, and scored
- AI noise filtering removes false positives and low-confidence findings
- Findings are saved to PostgreSQL with metadata
- Source code is immediately deleted from the worker
- User views results with confidence scores and AI-generated fixes
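The merge, deduplicate and score step above is where multi-engine scanning earns its keep: two engines flagging the same line should become one finding, not two. The following is an added illustration written for this page, not Debuggix's own pipeline code. It assumes a simplified finding shape (tool, file_path, line_number, category, severity, message), treats findings on the same file, line and category as duplicates, keeps the highest severity, lists every engine that agreed, and replaces the AI confidence score with a labelled heuristic based on engine agreement and severity. The sample findings are constructed.

```python
"""Added example (not Debuggix's own code): correlate raw findings from several
engines into one de-duplicated, scored list.

Assumptions (illustrative, not the project's real logic):
- duplicates = same file_path, line_number and category
- the merged finding keeps the highest severity and lists every agreeing engine
- confidence is a heuristic stand-in for the AI score, not the real model output
"""
from collections import defaultdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EXCLUDED_PREFIXES = ("tests/", "vendor/", "node_modules/")

# Constructed sample output from four engines, two of them overlapping on src/auth.js:42.
RAW_FINDINGS = [
    {"tool": "semgrep", "file_path": "src/auth.js", "line_number": 42,
     "category": "sql-injection", "severity": "high",
     "message": "SQL injection vulnerability detected"},
    {"tool": "eslint", "file_path": "src/auth.js", "line_number": 42,
     "category": "sql-injection", "severity": "critical",
     "message": "Unsanitized input concatenated into query"},
    {"tool": "gitleaks", "file_path": "config/settings.py", "line_number": 7,
     "category": "hardcoded-secret", "severity": "critical",
     "message": "AWS access key detected"},
    {"tool": "bandit", "file_path": "tests/test_db.py", "line_number": 3,
     "category": "hardcoded-secret", "severity": "low",
     "message": "Possible hardcoded password"},
]


def is_excluded(path: str) -> bool:
    """Mirror the documented exclusion of vendor, test and node_modules paths."""
    return path.startswith(EXCLUDED_PREFIXES)


def score_confidence(agreeing_engines: int, severity: str) -> int:
    """Heuristic placeholder for the 0-100 AI confidence score (assumed for this
    example): more agreeing engines and higher severity push the score up."""
    base = 50 + 15 * (agreeing_engines - 1)
    return min(100, base + 5 * SEVERITY_RANK[severity])


def correlate(findings):
    """Group duplicates, keep the worst severity, record which engines agreed."""
    groups = defaultdict(list)
    for f in findings:
        if is_excluded(f["file_path"]):
            continue
        groups[(f["file_path"], f["line_number"], f["category"])].append(f)

    merged = []
    for (path, line, category), hits in groups.items():
        worst = max(hits, key=lambda h: SEVERITY_RANK[h["severity"]])
        tools = sorted({h["tool"] for h in hits})
        merged.append({
            "file_path": path, "line_number": line, "category": category,
            "severity": worst["severity"], "message": worst["message"],
            "tools": tools,
            "confidence": score_confidence(len(tools), worst["severity"]),
        })
    # Most severe first, then stable by location so output is deterministic
    merged.sort(key=lambda m: (-SEVERITY_RANK[m["severity"]], m["file_path"], m["line_number"]))
    return merged


def filter_noise(merged, min_confidence: int = 60):
    """Drop low-confidence findings, as the noise-filtering step does."""
    return [m for m in merged if m["confidence"] >= min_confidence]


if __name__ == "__main__":
    for m in filter_noise(correlate(RAW_FINDINGS)):
        print(f"{m['severity']:8} {m['confidence']:3}% {m['file_path']}:{m['line_number']} "
              f"[{', '.join(m['tools'])}] {m['message']}")
```

Running it collapses the two SQL-injection hits on `src/auth.js:42` into one critical finding attributed to both engines, keeps the Gitleaks finding, and drops the Bandit hit because it lives under `tests/`.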
```text
Request → Google Gemini (free, 1000/day)
            ↓ fails
          DeepSeek ($0.14/1M tokens)
            ↓ fails
          OpenAI
            ↓ fails
          OpenRouter (free models as backup)
```
- Vendor directories, test files, and cache directories are excluded
- Files larger than 500KB are skipped
- Git clone uses `--depth 1 --single-branch`
- Celery workers run with configurable concurrency
- Trivy database is cached on the worker
- AI chat context is cached per scan session (1-hour TTL)
Base URL: https://ai-debugger-backend-eah5.onrender.com

All API requests require a JWT token:

```http
Authorization: Bearer <your_jwt_token>
```
Obtain a token via the login endpoint.
- Free tier: 10 requests/minute
- Pro tier: 60 requests/minute
- Pro+ tier: 120 requests/minute
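To show how the endpoints in this reference fit together, here is an added example client, not Debuggix's own SDK: it logs in, starts a GitHub scan, polls the scan until it is no longer pending, and triages the findings by severity and AI confidence. It assumes that a rate-limited request comes back as HTTP 429 (the page only states the per-tier limits, so the status code is an assumption), backs off rather than tight-looping on the free tier's 10 requests/minute, and takes an injectable transport so the flow can be exercised offline against a constructed fake of the documented responses.

```python
"""Added example (not Debuggix's own client): login -> start scan -> poll -> triage.
Assumed: HTTP 429 on rate limiting; an intermediate "running" status in the fake."""
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://ai-debugger-backend-eah5.onrender.com"


class RateLimited(Exception):
    pass


def http_transport(method, url, body=None, token=None):
    """Real transport: JSON in, JSON out. Raises RateLimited on HTTP 429 (assumed)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code == 429:
            raise RateLimited(url) from exc
        raise


class DebuggixClient:
    def __init__(self, transport=http_transport, base_url=BASE_URL, sleep=time.sleep):
        self.transport, self.base_url, self.sleep, self.token = transport, base_url, sleep, None

    def _call(self, method, path, body=None, retries=3):
        # Back off on 429 so a free-tier client (10 requests/minute) does not tight-loop
        for attempt in range(retries):
            try:
                return self.transport(method, self.base_url + path, body, self.token)
            except RateLimited:
                self.sleep(6 * (attempt + 1))
        raise RateLimited(path)

    def login(self, email, password):
        resp = self._call("POST", "/api/v1/auth/login", {"email": email, "password": password})
        self.token = resp["access_token"]
        return self.token

    def start_github_scan(self, repo_url, name=None):
        return self._call("POST", "/api/v1/scan/github", {"repo_url": repo_url, "name": name})["id"]

    def wait_for_scan(self, scan_id, poll_seconds=5, max_polls=120):
        for _ in range(max_polls):
            result = self._call("GET", f"/api/v1/scan/{scan_id}")
            if result["scan"]["status"] in ("completed", "failed"):
                return result
            self.sleep(poll_seconds)
        raise TimeoutError(scan_id)


def triage(findings, min_confidence=70, severities=("critical", "high")):
    """Keep findings worth a human look: severe enough and confident enough, critical first."""
    keep = [f for f in findings
            if f["severity"] in severities and f.get("ai_confidence", 0) >= min_confidence]
    return sorted(keep, key=lambda f: (f["severity"] != "critical", -f["ai_confidence"]))


class FakeDebuggixApi:
    """Constructed offline stand-in for the documented responses (not the real API)."""
    def __init__(self):
        self.polls, self.rate_limit_once = 0, True

    def __call__(self, method, url, body=None, token=None):
        path = url.replace(BASE_URL, "")
        if path == "/api/v1/auth/login":
            return {"access_token": "jwt.example", "token_type": "bearer", "user": {}}
        assert token == "jwt.example", "every other endpoint requires the JWT"
        if path == "/api/v1/scan/github":
            if self.rate_limit_once:          # first attempt is rate limited
                self.rate_limit_once = False
                raise RateLimited(url)
            return {"id": "scan-uuid", "name": "repo", "status": "pending"}
        if path == "/api/v1/scan/scan-uuid":
            self.polls += 1
            status = "completed" if self.polls >= 2 else "running"
            return {"scan": {"id": "scan-uuid", "status": status}, "findings": [
                {"id": "f1", "severity": "critical", "ai_confidence": 92, "file_path": "src/auth.js"},
                {"id": "f2", "severity": "high", "ai_confidence": 40, "file_path": "src/db.js"},
                {"id": "f3", "severity": "high", "ai_confidence": 81, "file_path": "src/api.js"},
                {"id": "f4", "severity": "low", "ai_confidence": 99, "file_path": "README.md"},
            ]}
        raise AssertionError(f"unexpected call {method} {path}")


def run_offline_demo():
    client = DebuggixClient(transport=FakeDebuggixApi(), sleep=lambda s: None)
    client.login("user@example.com", "secure_password")
    scan_id = client.start_github_scan("https://github.com/user/repo")
    result = client.wait_for_scan(scan_id)
    return [f["id"] for f in triage(result["findings"])]


if __name__ == "__main__":
    print("findings to review first:", run_offline_demo())
```

Against the real service, construct `DebuggixClient()` with the default transport; the fake exists only so the control flow (retry on 429, poll until terminal status, confidence threshold) can be checked without network access.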
Register
```http
POST /api/v1/auth/register
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secure_password",
  "name": "Your Name",
  "plan": "free"
}
```

Login
```http
POST /api/v1/auth/login
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secure_password"
}

Response: { "access_token": "jwt...", "token_type": "bearer", "user": {...} }
```

GitHub OAuth Login
```http
GET /api/v1/auth/github/login
→ Redirects to GitHub for authentication
→ Returns JWT token after callback
```

Logout
```http
POST /api/v1/auth/logout
Authorization: Bearer <token>
```

Trigger a GitHub Scan
```http
POST /api/v1/scan/github
Authorization: Bearer <token>
Content-Type: application/json

{
  "repo_url": "https://github.com/user/repo",
  "name": "Optional scan name"
}

Response: { "id": "scan-uuid", "name": "repo", "status": "pending" }
```

Trigger a ZIP Upload Scan
```http
POST /api/v1/scan/zip
Authorization: Bearer <token>
Content-Type: multipart/form-data

file: your_code.zip
name: Optional name

Response: { "id": "scan-uuid", "name": "filename", "status": "pending" }
```

List All Scans
```http
GET /api/v1/scan/?page=1&limit=50
Authorization: Bearer <token>

Response: {
  "scans": [
    {
      "id": "uuid",
      "name": "my-repo",
      "repo_url": "https://github.com/user/repo",
      "status": "completed",
      "findings_count": 15,
      "critical_count": 2,
      "high_count": 5,
      "created_at": "2026-04-30T12:00:00Z",
      "completed_at": "2026-04-30T12:01:15Z"
    }
  ],
  "total": 42,
  "page": 1,
  "total_pages": 1
}
```

Get Scan Results
```http
GET /api/v1/scan/{scan_id}
Authorization: Bearer <token>

Response: {
  "scan": {
    "id": "uuid",
    "name": "my-repo",
    "repo_url": "https://github.com/user/repo",
    "status": "completed",
    "findings_count": 15,
    "critical_count": 2,
    "high_count": 5,
    "medium_count": 6,
    "low_count": 2
  },
  "findings": [
    {
      "id": "finding-id",
      "tool": "semgrep",
      "severity": "critical",
      "file_path": "src/auth.js",
      "line_number": 42,
      "message": "SQL injection vulnerability detected",
      "code_snippet": "query = 'SELECT * FROM users WHERE id=' + userId",
      "ai_confidence": 92,
      "ai_fix": {
        "fixed_code": "query = 'SELECT * FROM users WHERE id=?'",
        "explanation": "Use parameterized queries to prevent SQL injection"
      }
    }
  ],
  "summary": {
    "total": 15,
    "critical": 2,
    "high": 5,
    "medium": 6,
    "low": 2
  }
}
```

Delete a Scan
```http
DELETE /api/v1/scan/{scan_id}
Authorization: Bearer <token>

Response: { "message": "Scan deleted" }
```

Create Fix Pull Request
```http
POST /api/v1/scan/{scan_id}/create-fix-pr
Authorization: Bearer <token>

Response: {
  "success": true,
  "pr_url": "https://github.com/user/repo/pull/42",
  "message": "Fix PR created successfully"
}
```

Public Scan Report
```http
GET /api/v1/scan/public/{scan_id}

Response: {
  "scan": {
    "id": "abc12345",
    "name": "my-repo",
    "repo_url": "https://github.com/user/repo",
    "scanned_at": "2026-04-30T12:00:00Z",
    "duration_seconds": 75.3,
    "lines_scanned": 15000
  },
  "summary": {
    "total": 15,
    "by_severity": { "critical": 2, "high": 5, "medium": 6, "low": 2 },
    "risk_level": "HIGH"
  },
  "findings": [...],  // No code snippets exposed
  "engines_used": ["Semgrep", "Gitleaks", "Trivy", "Bandit", "ESLint", "Hadolint", "Checkov", "OSV-Scanner", "TruffleHog"]
}
```

Security Badge
```http
GET /api/v1/scan/badge/{username}/{repo}

Response: SVG badge image showing security status
Statuses: "secure", "X critical", "X high", "not scanned"
```

Generate AI Fix for a Finding
```http
POST /api/v1/ai/fix
Authorization: Bearer <token>
Content-Type: application/json

{
  "code_snippet": "query = 'SELECT * FROM users WHERE id=' + userId",
  "error_message": "SQL injection detected",
  "language": "javascript",
  "file_path": "/src/auth.js"
}

Response: {
  "success": true,
  "fixed_code": "query = 'SELECT * FROM users WHERE id=?'",
  "explanation": "Parameterized queries prevent SQL injection by separating SQL logic from data.",
  "model": "gemini-2.0-flash",
  "provider": "gemini"
}
```

Explain Code
```http
POST /api/v1/ai/explain
Authorization: Bearer <token>
Content-Type: application/json

{
  "code_snippet": "const result = await db.query('SELECT * FROM users');",
  "question": "Is this query safe?",
  "language": "javascript"
}

Response: { "success": true, "explanation": "This query is safe because..." }
```

Code Review
```http
POST /api/v1/ai/review
Authorization: Bearer <token>
Content-Type: application/json

{
  "code_snippet": "function processUser(input) { eval(input); }",
  "language": "javascript"
}

Response: { "success": true, "issues": [{ "severity": "critical", "message": "eval() is dangerous..." }] }
```

Improve Code
```http
POST /api/v1/ai/improve
Authorization: Bearer <token>
Content-Type: application/json

{
  "code_snippet": "for (let i = 0; i < arr.length; i++) { console.log(arr[i]); }",
  "language": "javascript"
}

Response: { "success": true, "improved_code": "arr.forEach(item => console.log(item));", "changes": ["..."] }
```

Security Copilot (Streaming)
```http
POST /api/v1/ai/copilot/stream
Authorization: Bearer <token>
Content-Type: application/json

{
  "scan_id": "scan-uuid",
  "question": "Where are all the SQL queries in this codebase?",
  "chat_history": []
}

Response: Server-Sent Events stream
Events: status, progress, finding, complete
```

Flush Copilot Cache
```http
POST /api/v1/ai/copilot/cache/flush
Authorization: Bearer <token>
Content-Type: application/json

{ "scan_id": "scan-uuid" }

Response: { "message": "Chat context flushed. Next query will re-analyze the codebase." }
```

AI Service Status
```http
GET /api/v1/ai/status
Authorization: Bearer <token>

Response: {
  "available": true,
  "provider": "gemini",
  "model": "gemini-2.0-flash",
  "user_has_access": true,
  "user_tier": "pro_plus",
  "copilot_enabled": true
}
```

Webhooks allow you to receive real-time notifications about scan events. Configure them in your Dashboard → Settings → Webhooks.
| Event | Trigger | Payload |
|---|---|---|
| scan.started | A scan begins processing | scan_id, repo_url, timestamp |
| scan.completed | A scan finishes successfully | scan_id, findings_count, critical_count, high_count, timestamp |
| scan.failed | A scan encounters an error | scan_id, error_message, timestamp |
| finding.critical | A critical vulnerability is found | scan_id, finding_id, severity, message, file_path |
| finding.high | A high-severity vulnerability is found | scan_id, finding_id, severity, message, file_path |
Generate a Webhook URL
```http
POST /api/v1/integrations/webhooks/generate
Authorization: Bearer <token>
Content-Type: application/json

{
  "events": ["scan.completed", "finding.critical", "finding.high"]
}

Response: {
  "webhook_url": "https://ai-debugger-backend-eah5.onrender.com/api/v1/webhooks/receive/abc12345",
  "secret": "generated_secret_key_here",
  "events": ["scan.completed", "finding.critical", "finding.high"],
  "message": "Webhook generated. Copy your secret now - it won't be shown again!"
}
```

Update Webhook Events
```http
PUT /api/v1/integrations/webhooks/events
Authorization: Bearer <token>
Content-Type: application/json

{
  "events": ["scan.started", "scan.completed", "scan.failed"]
}

Response: { "events": [...], "message": "Webhook events updated" }
```

Test Webhook
```http
POST /api/v1/integrations/webhooks/test
Authorization: Bearer <token>

Response: { "message": "Test webhook sent successfully" }
```

Revoke Webhook
```http
DELETE /api/v1/integrations/webhooks/revoke
Authorization: Bearer <token>

Response: { "message": "Webhook revoked" }
```

Get Webhook Status
```http
GET /api/v1/integrations/webhooks
Authorization: Bearer <token>

Response: {
  "url": "https://ai-debugger-backend-eah5.onrender.com/api/v1/webhooks/receive/abc12345",
  "secret": "***hidden***",
  "events": ["scan.completed", "finding.critical"]
}
```

When a scan completes, your endpoint receives:
```json
{
  "event": "scan.completed",
  "scan_id": "c6c1c371-9d26-4010-9867-e9a63114203a",
  "scan_name": "my-repo",
  "repo_url": "https://github.com/user/repo",
  "findings_count": 15,
  "critical_count": 2,
  "high_count": 5,
  "medium_count": 6,
  "low_count": 2,
  "timestamp": "2026-04-30T12:01:15Z"
}
```

Each webhook request includes an X-Debuggix-Signature header. Verify it using your webhook secret:
```python
import hmac
import hashlib

def verify_webhook(payload: bytes, signature: str, secret: str) -> bool:
    # Recompute HMAC-SHA256 over the raw request body with the webhook secret
    expected = hmac.new(
        secret.encode(),
        payload,
        hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so the check does not leak the expected value via timing
    return hmac.compare_digest(expected, signature)
```

```javascript
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  // Recompute HMAC-SHA256 over the raw request body with the webhook secret
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  const a = Buffer.from(expected);
  const b = Buffer.from(signature);
  // timingSafeEqual throws when the buffers differ in length, so reject that case first
  if (a.length !== b.length) {
    return false;
  }
  return crypto.timingSafeEqual(a, b);
}
```

Send scan notifications directly to a Slack channel. Requires Pro+ plan.
Connect Slack
```http
GET /api/v1/integrations/slack/auth
Authorization: Bearer <token>
→ Redirects to Slack OAuth
→ Saves webhook URL after authorization
```

Disconnect Slack
```http
POST /api/v1/integrations/slack/disconnect
Authorization: Bearer <token>

Response: { "message": "Slack disconnected" }
```

Send Test Notification
```http
POST /api/v1/integrations/slack/test
Authorization: Bearer <token>

Response: { "message": "Test notification sent" }
```

| Plan | Price | Scans | Key Features |
|---|---|---|---|
| Free | $0 forever | 10 public scans/month | All 9 engines, basic detection, community support |
| Pro | $29/month | 100 private scans/month | AI-powered fixes, GitHub PR integration, email support |
| Pro+ | $50/month | 500 private scans/month | Security Copilot, API access, 3 team seats, Slack integration, webhooks, custom rules |
All plans include a free trial. No credit card required for the free tier.
- Zero retention: Your source code is processed and immediately deleted after scanning
- No training on your code: We never use your code to train AI models
- End-to-end encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Open-source engines: All 9 scanners are open-source and independently auditable
- Your data is yours: Export or delete your data at any time
- Phase 1: Multi-Scanner Orchestration & Web Dashboard
- Phase 2: AI-Powered Fix Generation
- Phase 3: Team Collaboration & Shared Scans
- Phase 4: GitHub, Slack & Webhook Integrations
- Phase 5: Public Reports & Security Badges
- Phase 6: VS Code Extension (Q2 2026)
- Phase 7: Self-Hosted Enterprise Edition (Q3 2026)
- Phase 8: Native CI/CD Integration (GitHub Actions, GitLab CI)
| Layer | Technology |
|---|---|
| Backend | FastAPI (Python) |
| Frontend | React + TypeScript + Tailwind CSS |
| Database | PostgreSQL |
| Queue | Redis + Celery |
| AI | Google Gemini, DeepSeek, OpenAI, OpenRouter (auto-fallback) |
| Hosting | Render (API), DigitalOcean (Workers) |
| Security Tools | Semgrep, Gitleaks, Trivy, Bandit, ESLint, Hadolint, Checkov, OSV-Scanner, TruffleHog |
Debuggix is a sovereign product. No VCs. No data selling. No bloated enterprise features you don't need. Just one developer who cares about making the web more secure.
- Star this repo to support the project
- Found a bug? Open an issue
- Enterprise inquiries: luckydiety@gmail.com
- Website: debuggix.space

Debuggix is proprietary software. This repository serves as public documentation and the community hub. AI-generated fixes are suggestions; always review code before merging.
The best time to secure your code was yesterday. The second best time is now.