isitsecure v0.1.0 — first public release
First public release — an AI-powered SAST + DAST + LLM security scanner for
modern web apps, run from a single command.
Added
Scanning
- 40 rule-based scanners by default (44 with
--depth deep): SAST, DAST, and
special DAST scanners, plus optional LLM code review, triage, and AI fixes. - SAST → DAST feedback loop: static findings generate targeted live tests.
- Scan depth (
--depth quick|deep, defaultquick): quick runs the fast
structural + error-based scanners in seconds; deep adds time-based (blind)
SQL injection, active XSS, auth-bypass timing, rate-limit bursts, and
password-reset probes. - Live Supabase RLS testing with the anon key in url-only mode: flags tables
readable/writable without authentication, escalates to CRITICAL when a
sensitive column (email, etc.) is exposed, and infers anon-INSERT exposure
from the PostgREST error code. - Backend / infrastructure fingerprinting (Cloudflare, Vercel, Netlify, … plus
Supabase). - Snapshot scanners: source-map leak (verified, not just present), mixed
content, Subresource Integrity, and client-side exposure (Supabase
service_rolekeys, internal URLs, unreplaced env placeholders). - Endpoint discovery: OpenAPI/Swagger probing, HTML form/link extraction,
/{id}variant generation, and external API-base probing. - Authenticated cross-user IDOR / BOLA with owned-resource-id harvesting
(--auth-email-b,--auth-password-b,--login-url). - Injection: path-parameter injection, broad SQL-error recognition
(SQLAlchemy / sqlite3 / psycopg), time-based SQLi confirmation, and SSTI. - Stored XSS via inject-then-retrieve; allowlist-bypass open-redirect
detection; OSV.dev dependency scanning.
Experience
- Live scan narration: every phase and every scanner reports progress (with
per-item sub-events) as a scrolling log, so long scans never look stuck —
routed to stderr so piped--output json/sarifstays clean. - Auto-generated HTML report led by a plain-English "what this means for you"
risk summary and action plan. - Security badge (SVG), SARIF export for GitHub code scanning, and a local web
UI (isitsecure launch). - Framed, animated welcome banner.
Setup & onboarding
- One-command installers —
install.sh(macOS/Linux) andinstall.ps1
(Windows): verify Python 3.11+/git, clone, create a virtual environment,
install, and run first-time setup. isitsecure setupinstalls the DAST browser and language servers, with
--lsp/--checksub-flows;isitsecure launchalso offers language-server
setup. LSP install is cross-platform (pip / npm / Homebrew) with per-OS
guidance for anything it can't install directly.
Project
- Repeatable benchmark harness (
benchmarks/) with recall + false-positive
scorecards and a per-instance scorer. - CI (GitHub Actions): test gate on Python 3.11 and 3.12.
Security
- Hardened
git cloneagainst argument-injection RCE (scheme allow-list,--
separator,GIT_ALLOW_PROTOCOL); scrub the GitHub token from git stderr. - Contained the AI-fix apply path to the repository (no arbitrary file write).
- Loopback-only CORS on the web server (no wildcard origins).
- API-key config file written
0600; credentials no longer replayed on
cross-origin redirects. - Scrubbed leaked private-product identifiers from generic scanner logic.
Fixed
- Per-resource findings (e.g. per-table RLS) were collapsed by fuzzy
deduplication — now kept distinct. - Confirmed SSTI findings were silently discarded (swallowed
NameError). scan --output jsonproduced invalid JSON when piped/redirected (Rich
word-wrapping mid-string); now written raw so it always parses.- Cross-user REST IDOR now runs regardless of crawler-harvested resource ids.