Skip to content

Releases: jaurakunal/isitsecure

v0.4.1

Choose a tag to compare

@github-actions github-actions released this 14 Jul 16:58
8c72cda

0.4.1 (2026-07-14)

Documentation

  • document Wave 2 fix→PR flow, new CLI commands, and remediation pipeline (aedbd8f)

v0.4.0

Choose a tag to compare

@github-actions github-actions released this 14 Jul 15:40
35c530a

0.4.0 (2026-07-14)

Features

  • fixes: remote-repo fix → per-category pull requests (#62) (c551f52)
  • fix: git-free fix & verify flow with plain-language results (#50) (adf3f88)
  • remediation: framework-aware remediation for DAST findings (#48) (cd152db)
  • remediation: specific fix guidance for all 18 categories (#47) (f67ade4)
  • remediation: step-by-step walkthroughs for the top-4 fixes (#49) (acb1927)

Bug Fixes

  • fixes: capture uncommitted work in git safety net + add restore round-trip tests (469103d)

Documentation

  • fixes,triage: correct safety-net docstring and surface copy-mode restore (8e5a41b)

v0.3.0

Choose a tag to compare

@github-actions github-actions released this 13 Jul 13:34
b33cde2

0.3.0 (2026-07-13)

Features

  • cli: friendlier first-run — pre-flight checks, human errors, smart mode (ab864d6)
  • cli: lead scan results with launch verdict + plain-English framing (c1b0efa)
  • reporting: add rule-based plain-English framing layer (no LLM) (3732422)
  • reporting: wire plain-English layer into report + HTML output (2f40003)
  • server,ui: surface Wave 1 plain-English layer in the web report (876cb1e)

v0.2.1

Choose a tag to compare

@github-actions github-actions released this 13 Jul 00:22
5efedda

0.2.1 (2026-07-12)

Bug Fixes

  • dast: detect authentication-bypass SQLi via login-path probing (closes #2) (6cef112)

Documentation

  • benchmarks: Juice Shop url-only recall 36% -> 44% after auth-bypass SQLi (855a7c4)

v0.2.0

Choose a tag to compare

@github-actions github-actions released this 12 Jul 19:08
1a75697

0.2.0 (2026-07-12)

Features

  • dast: interactive DOM/reflected XSS oracle (closes #3) (de6e483)

Bug Fixes

  • dast: return DOM XSS findings on timeout instead of discarding them (3c979ad)
  • dast: tighten NoSQL oracle to kill false positives (#5) (f899664)

Documentation

  • benchmarks: document the must-detect regression guard (d8e1150)
  • benchmarks: Juice Shop url-only recall 33% -> 36% after XSS fix (4b8b16a)
  • benchmarks: make OWASP Juice Shop reproducible + correct the numbers (be9af0f)
  • flag NoSQL injection as a known false-positive-prone class (#5) (c334c3e)

Reverts

  • NoSQL oracle tightening — restore prior detection (#5) (f60d7fb)

v0.1.2

Choose a tag to compare

@github-actions github-actions released this 11 Jul 09:20
516fabe

0.1.2 (2026-07-11)

Dependencies

  • Bump actions/checkout from 4 to 7 (#23) (fdb7c75)
  • Bump actions/setup-python from 5 to 6 (#24) (368849d)
  • Bump eslint-config-next from 16.2.6 to 16.2.10 in /ui (#31) (7edb854)
  • Bump github/codeql-action from 3 to 4 (#21) (90bbdd3)
  • Bump googleapis/release-please-action from 4 to 5 (#22) (ea448dc)
  • Update cryptography requirement from >=42.0 to >=49.0.0 (#27) (df22a1c)
  • Update fastapi requirement from >=0.111 to >=0.139.0 (#28) (052e253)
  • Update pytest-cov requirement from >=5.0 to >=7.1.0 (#26) (c7016f9)
  • Update ruff requirement from >=0.5 to >=0.15.21 (#29) (ad83a4a)
  • Update typer requirement from >=0.12 to >=0.26.8 (#25) (db27c0d)

v0.1.1

Choose a tag to compare

@github-actions github-actions released this 11 Jul 09:07
f66057f

0.1.1 (2026-07-11)

Bug Fixes

  • ci: repair slack-notify YAML — multiline strings broke block scalar (955ac67)
  • security: resolve CodeQL alerts — scope analysis to product code (39727f9)

Dependencies

  • deps: Bump @types/node from 20.19.43 to 26.1.1 in /ui (#14) (c2c275d)
  • deps: Bump eslint from 9.39.5 to 10.7.0 in /ui (#16) (4494869)
  • deps: Bump next from 16.2.6 to 16.2.10 in /ui (#15) (528077c)
  • deps: Bump react from 19.2.4 to 19.2.7 in /ui (#13) (027075c)
  • deps: Bump react-dom from 19.2.4 to 19.2.7 in /ui (#17) (a26da11)
  • deps: Update anthropic requirement from >=0.40 to >=0.116.0 (#7) (70707c7)
  • deps: Update google-genai requirement from >=1.0 to >=2.11.0 (#8) (e1aa575)
  • deps: Update playwright requirement from >=1.40 to >=1.61.0 (#6) (71c9d1e)
  • deps: Update pydantic requirement (#12) (ff76243)
  • deps: Update uvicorn requirement from >=0.30 to >=0.51.0 (#9) (451dcbe)
  • launch hygiene — badges, Dependabot, CodeQL (aa8fbf2)
  • release-please: clean v-tags (no component prefix) + manual dispatch (8f36b63)

Documentation

  • add Demo section + VHS tape to render the demo GIF (5b88549)
  • add static terminal-screenshot placeholder (docs/demo.svg) (44cdbff)
  • demo: add reliable banner.tape + note scan.tape's slow-tail caveat (2ae1b9c)

isitsecure v0.1.0 — first public release

Choose a tag to compare

@jaurakunal jaurakunal released this 10 Jul 20:53

First public release — an AI-powered SAST + DAST + LLM security scanner for
modern web apps, run from a single command.

Added

Scanning

  • 40 rule-based scanners by default (44 with --depth deep): SAST, DAST, and
    special DAST scanners, plus optional LLM code review, triage, and AI fixes.
  • SAST → DAST feedback loop: static findings generate targeted live tests.
  • Scan depth (--depth quick|deep, default quick): quick runs the fast
    structural + error-based scanners in seconds; deep adds time-based (blind)
    SQL injection, active XSS, auth-bypass timing, rate-limit bursts, and
    password-reset probes.
  • Live Supabase RLS testing with the anon key in url-only mode: flags tables
    readable/writable without authentication, escalates to CRITICAL when a
    sensitive column (email, etc.) is exposed, and infers anon-INSERT exposure
    from the PostgREST error code.
  • Backend / infrastructure fingerprinting (Cloudflare, Vercel, Netlify, … plus
    Supabase).
  • Snapshot scanners: source-map leak (verified, not just present), mixed
    content, Subresource Integrity, and client-side exposure (Supabase
    service_role keys, internal URLs, unreplaced env placeholders).
  • Endpoint discovery: OpenAPI/Swagger probing, HTML form/link extraction,
    /{id} variant generation, and external API-base probing.
  • Authenticated cross-user IDOR / BOLA with owned-resource-id harvesting
    (--auth-email-b, --auth-password-b, --login-url).
  • Injection: path-parameter injection, broad SQL-error recognition
    (SQLAlchemy / sqlite3 / psycopg), time-based SQLi confirmation, and SSTI.
  • Stored XSS via inject-then-retrieve; allowlist-bypass open-redirect
    detection; OSV.dev dependency scanning.

Experience

  • Live scan narration: every phase and every scanner reports progress (with
    per-item sub-events) as a scrolling log, so long scans never look stuck —
    routed to stderr so piped --output json/sarif stays clean.
  • Auto-generated HTML report led by a plain-English "what this means for you"
    risk summary and action plan.
  • Security badge (SVG), SARIF export for GitHub code scanning, and a local web
    UI (isitsecure launch).
  • Framed, animated welcome banner.

Setup & onboarding

  • One-command installers — install.sh (macOS/Linux) and install.ps1
    (Windows): verify Python 3.11+/git, clone, create a virtual environment,
    install, and run first-time setup.
  • isitsecure setup installs the DAST browser and language servers, with
    --lsp / --check sub-flows; isitsecure launch also offers language-server
    setup. LSP install is cross-platform (pip / npm / Homebrew) with per-OS
    guidance for anything it can't install directly.

Project

  • Repeatable benchmark harness (benchmarks/) with recall + false-positive
    scorecards and a per-instance scorer.
  • CI (GitHub Actions): test gate on Python 3.11 and 3.12.

Security

  • Hardened git clone against argument-injection RCE (scheme allow-list, --
    separator, GIT_ALLOW_PROTOCOL); scrub the GitHub token from git stderr.
  • Contained the AI-fix apply path to the repository (no arbitrary file write).
  • Loopback-only CORS on the web server (no wildcard origins).
  • API-key config file written 0600; credentials no longer replayed on
    cross-origin redirects.
  • Scrubbed leaked private-product identifiers from generic scanner logic.

Fixed

  • Per-resource findings (e.g. per-table RLS) were collapsed by fuzzy
    deduplication — now kept distinct.
  • Confirmed SSTI findings were silently discarded (swallowed NameError).
  • scan --output json produced invalid JSON when piped/redirected (Rich
    word-wrapping mid-string); now written raw so it always parses.
  • Cross-user REST IDOR now runs regardless of crawler-harvested resource ids.