Releases: jaurakunal/isitsecure
Releases · jaurakunal/isitsecure
Release list
v0.4.1
v0.4.0
0.4.0 (2026-07-14)
Features
- fixes: remote-repo fix → per-category pull requests (#62) (c551f52)
- fix: git-free fix & verify flow with plain-language results (#50) (adf3f88)
- remediation: framework-aware remediation for DAST findings (#48) (cd152db)
- remediation: specific fix guidance for all 18 categories (#47) (f67ade4)
- remediation: step-by-step walkthroughs for the top-4 fixes (#49) (acb1927)
Bug Fixes
- fixes: capture uncommitted work in git safety net + add restore round-trip tests (469103d)
Documentation
- fixes,triage: correct safety-net docstring and surface copy-mode restore (8e5a41b)
v0.3.0
0.3.0 (2026-07-13)
Features
- cli: friendlier first-run — pre-flight checks, human errors, smart mode (ab864d6)
- cli: lead scan results with launch verdict + plain-English framing (c1b0efa)
- reporting: add rule-based plain-English framing layer (no LLM) (3732422)
- reporting: wire plain-English layer into report + HTML output (2f40003)
- server,ui: surface Wave 1 plain-English layer in the web report (876cb1e)
v0.2.1
v0.2.0
0.2.0 (2026-07-12)
Features
Bug Fixes
- dast: return DOM XSS findings on timeout instead of discarding them (3c979ad)
- dast: tighten NoSQL oracle to kill false positives (#5) (f899664)
Documentation
- benchmarks: document the must-detect regression guard (d8e1150)
- benchmarks: Juice Shop url-only recall 33% -> 36% after XSS fix (4b8b16a)
- benchmarks: make OWASP Juice Shop reproducible + correct the numbers (be9af0f)
- flag NoSQL injection as a known false-positive-prone class (#5) (c334c3e)
Reverts
v0.1.2
0.1.2 (2026-07-11)
Dependencies
- Bump actions/checkout from 4 to 7 (#23) (fdb7c75)
- Bump actions/setup-python from 5 to 6 (#24) (368849d)
- Bump eslint-config-next from 16.2.6 to 16.2.10 in /ui (#31) (7edb854)
- Bump github/codeql-action from 3 to 4 (#21) (90bbdd3)
- Bump googleapis/release-please-action from 4 to 5 (#22) (ea448dc)
- Update cryptography requirement from >=42.0 to >=49.0.0 (#27) (df22a1c)
- Update fastapi requirement from >=0.111 to >=0.139.0 (#28) (052e253)
- Update pytest-cov requirement from >=5.0 to >=7.1.0 (#26) (c7016f9)
- Update ruff requirement from >=0.5 to >=0.15.21 (#29) (ad83a4a)
- Update typer requirement from >=0.12 to >=0.26.8 (#25) (db27c0d)
v0.1.1
0.1.1 (2026-07-11)
Bug Fixes
- ci: repair slack-notify YAML — multiline strings broke block scalar (955ac67)
- security: resolve CodeQL alerts — scope analysis to product code (39727f9)
Dependencies
- deps: Bump @types/node from 20.19.43 to 26.1.1 in /ui (#14) (c2c275d)
- deps: Bump eslint from 9.39.5 to 10.7.0 in /ui (#16) (4494869)
- deps: Bump next from 16.2.6 to 16.2.10 in /ui (#15) (528077c)
- deps: Bump react from 19.2.4 to 19.2.7 in /ui (#13) (027075c)
- deps: Bump react-dom from 19.2.4 to 19.2.7 in /ui (#17) (a26da11)
- deps: Update anthropic requirement from >=0.40 to >=0.116.0 (#7) (70707c7)
- deps: Update google-genai requirement from >=1.0 to >=2.11.0 (#8) (e1aa575)
- deps: Update playwright requirement from >=1.40 to >=1.61.0 (#6) (71c9d1e)
- deps: Update pydantic requirement (#12) (ff76243)
- deps: Update uvicorn requirement from >=0.30 to >=0.51.0 (#9) (451dcbe)
- launch hygiene — badges, Dependabot, CodeQL (aa8fbf2)
- release-please: clean v-tags (no component prefix) + manual dispatch (8f36b63)
Documentation
isitsecure v0.1.0 — first public release
First public release — an AI-powered SAST + DAST + LLM security scanner for
modern web apps, run from a single command.
Added
Scanning
- 40 rule-based scanners by default (44 with
--depth deep): SAST, DAST, and
special DAST scanners, plus optional LLM code review, triage, and AI fixes. - SAST → DAST feedback loop: static findings generate targeted live tests.
- Scan depth (
--depth quick|deep, defaultquick): quick runs the fast
structural + error-based scanners in seconds; deep adds time-based (blind)
SQL injection, active XSS, auth-bypass timing, rate-limit bursts, and
password-reset probes. - Live Supabase RLS testing with the anon key in url-only mode: flags tables
readable/writable without authentication, escalates to CRITICAL when a
sensitive column (email, etc.) is exposed, and infers anon-INSERT exposure
from the PostgREST error code. - Backend / infrastructure fingerprinting (Cloudflare, Vercel, Netlify, … plus
Supabase). - Snapshot scanners: source-map leak (verified, not just present), mixed
content, Subresource Integrity, and client-side exposure (Supabase
service_rolekeys, internal URLs, unreplaced env placeholders). - Endpoint discovery: OpenAPI/Swagger probing, HTML form/link extraction,
/{id}variant generation, and external API-base probing. - Authenticated cross-user IDOR / BOLA with owned-resource-id harvesting
(--auth-email-b,--auth-password-b,--login-url). - Injection: path-parameter injection, broad SQL-error recognition
(SQLAlchemy / sqlite3 / psycopg), time-based SQLi confirmation, and SSTI. - Stored XSS via inject-then-retrieve; allowlist-bypass open-redirect
detection; OSV.dev dependency scanning.
Experience
- Live scan narration: every phase and every scanner reports progress (with
per-item sub-events) as a scrolling log, so long scans never look stuck —
routed to stderr so piped--output json/sarifstays clean. - Auto-generated HTML report led by a plain-English "what this means for you"
risk summary and action plan. - Security badge (SVG), SARIF export for GitHub code scanning, and a local web
UI (isitsecure launch). - Framed, animated welcome banner.
Setup & onboarding
- One-command installers —
install.sh(macOS/Linux) andinstall.ps1
(Windows): verify Python 3.11+/git, clone, create a virtual environment,
install, and run first-time setup. isitsecure setupinstalls the DAST browser and language servers, with
--lsp/--checksub-flows;isitsecure launchalso offers language-server
setup. LSP install is cross-platform (pip / npm / Homebrew) with per-OS
guidance for anything it can't install directly.
Project
- Repeatable benchmark harness (
benchmarks/) with recall + false-positive
scorecards and a per-instance scorer. - CI (GitHub Actions): test gate on Python 3.11 and 3.12.
Security
- Hardened
git cloneagainst argument-injection RCE (scheme allow-list,--
separator,GIT_ALLOW_PROTOCOL); scrub the GitHub token from git stderr. - Contained the AI-fix apply path to the repository (no arbitrary file write).
- Loopback-only CORS on the web server (no wildcard origins).
- API-key config file written
0600; credentials no longer replayed on
cross-origin redirects. - Scrubbed leaked private-product identifiers from generic scanner logic.
Fixed
- Per-resource findings (e.g. per-table RLS) were collapsed by fuzzy
deduplication — now kept distinct. - Confirmed SSTI findings were silently discarded (swallowed
NameError). scan --output jsonproduced invalid JSON when piped/redirected (Rich
word-wrapping mid-string); now written raw so it always parses.- Cross-user REST IDOR now runs regardless of crawler-harvested resource ids.