{"slug": "show-hn-isitsecure-1-command-sast-dast-llm-security-scanner-for-web-apps", "title": "Show HN: isitsecure - 1-command SAST & DAST & LLM security scanner for web apps", "summary": "Kunal Jaura released isitsecure, an open-source command-line tool that combines SAST, DAST, and LLM-powered code review into a single security scanner for web applications. The tool supports multiple languages and frameworks, generates targeted DAST tests from SAST findings, and produces fix plans, aiming to help developers identify and fix vulnerabilities without requiring deep security expertise.", "body_md": "AI-powered security scanner for modern web apps. SAST + DAST + LLM code review in a single scan.\n\nBuilt for developers and **vibe coders** shipping web apps who need to know if their code is secure — without becoming security experts.\n\n**Supports:** TypeScript/JavaScript (Next.js, Express, tRPC), Python (Django, FastAPI, Flask), Java/Kotlin (Spring Boot) — and any HTTP API for DAST.\n\n`isitsecure scan --repo ./your-app`\n\n— every scanner narrates as it runs, then you get a graded report (and a browseable HTML page) with the fixes.\n\n[Demo](#demo)·[What It Does](#what-it-does)[Install](#install)·[Quick Start](#quick-start)·[What It Costs](#what-it-costs)[Scan Modes](#scan-modes)·[Scan Depth](#scan-depth)[What It Scans](#what-it-scans)—[DAST](#dast-scanners--tests-your-live-app)·[Special DAST](#special-dast-scanners-8)·[SAST](#sast-scanners-17--analyzes-your-code)·[LLM](#llm-powered-analysis-requires-api-key)·[Cross-Referencing](#cross-referencing--guided-dast)[Language Support](#language-support)·[Output Formats](#output-formats)[Auto-Fix](#auto-fix-one-command-to-fix-your-app)·[Security Badge](#security-badge)[How We Compare](#how-we-compare)·[What It Does NOT Cover](#what-it-does-not-cover)[Configuration](#configuration)—[API Keys](#api-keys)·[OOB Callbacks](#oob-callbacks-blind-vulnerability-detection)·[Authenticated Scanning](#authenticated-scanning)[CLI Reference](#cli-reference)·[Web UI](#web-ui)·[Try It on the Test App](#try-it-on-the-test-app)[Benchmarks](#benchmarks)·[Privacy](#privacy)·[Architecture](#architecture)[Scanner Documentation](#scanner-documentation)·[LSP Setup](#lsp-setup-optional-reduces-false-positives)[Contributing](#contributing)·[License](#license)·[Acknowledgements](#acknowledgements)\n\nisitsecure runs **40 rule-based scanners by default** — up to **44 with --depth deep** — (plus optional AI code review) against your web app in a single command. It combines four approaches that commercial tools sell separately:\n\n**SAST (Static Analysis)**— scans your source code for vulnerabilities without running it** DAST (Dynamic Analysis)**— tests your live app by sending real HTTP requests** LLM Code Review**— uses AI to find business logic flaws that pattern matchers can't detect** AI Fix Generation**— generates code patches with unified diffs for every finding\n\nThe unique parts:\n\n**SAST findings automatically generate targeted DAST tests**. Code shows no auth check → scanner sends an unauthenticated request and confirms it's exploitable.** AI generates fixes, not just reports**.`--output fixes`\n\nproduces a Markdown fix plan you can paste into Cursor or Claude Code.\n\n```\nCode → SAST → Findings → Guide DAST → Test → Cross-Reference → LLM Triage → Report → Fixes\n  ↑                                                                                       |\n  └──────────────── LSP validates / suppresses false positives ───────────────────────────┘\n```\n\n**Requirements:** Python 3.11+ and `git`\n\n. (isitsecure isn't on PyPI — the `isitsecure`\n\nname there is an unrelated project, so don't `pip install`\n\nit.)\n\nThe installer verifies Python/git, then clones the repo, sets up an isolated environment, installs everything, and runs first-time setup:\n\n```\n# macOS / Linux — download it, glance at it, run it\ncurl -fsSLo install.sh https://raw.githubusercontent.com/jaurakunal/isitsecure/main/install.sh\nbash install.sh\n# Windows (PowerShell)\nirm https://raw.githubusercontent.com/jaurakunal/isitsecure/main/install.ps1 -OutFile install.ps1\n./install.ps1\n```\n\nIf Python or git are missing, the installer tells you the exact command to install them for your OS and stops cleanly — it never leaves a half-finished state.\n\nPrefer to do it by hand:\n\n```\n# 1. Clone the repo\ngit clone https://github.com/jaurakunal/isitsecure.git\ncd isitsecure\n\n# 2. Install into a virtual environment (recommended)\npython3 -m venv .venv\nsource .venv/bin/activate          # Windows: .venv\\Scripts\\activate\n\n# 3. Install with all features (browser DAST, LLM review, OOB detection)\npip install -e \".[all]\"\n\n# 4. First-time setup — installs the Chromium browser, language servers, optionally saves an API key\nisitsecure setup\n```\n\n`pip install -e \".[all]\"`\n\nis the recommended install and enables every scanner. If you want a lighter footprint, the extras are opt-in:\n\n| Install | What works |\n|---|---|\n`pip install -e .` |\nSAST / code-only scans only (`--mode code-only` ) |\n`pip install -e \".[browser]\"` |\nAdds DAST / live-URL scanning (requires `isitsecure setup` to install Chromium) |\n`pip install -e \".[llm]\"` |\nAdds LLM code review, triage, and AI fixes (requires an API key) |\n`pip install -e \".[all]\"` |\nEverything |\n\nURL/DAST scanning needs the `[browser]`\n\nextra — without it, `isitsecure scan <url>`\n\nexits with a message telling you to install it.\n\n```\n# Scan a live URL (DAST only, no API key needed)\nisitsecure scan https://your-app.com --llm none\n\n# Scan source code (SAST only)\nisitsecure scan --repo https://github.com/you/your-app --mode code-only --llm none\n\n# Full scan (SAST + DAST + LLM review)\nisitsecure scan https://your-app.com --repo https://github.com/you/your-app --mode full\n\n# One command: scan + fix everything (the magic)\nisitsecure fix --repo ./your-app\n\n# Or dry-run first to preview fixes\nisitsecure fix --repo ./your-app --dry-run\n\n# Generate a security badge for your README\nisitsecure badge --repo ./your-app\n\n# Export for GitHub Code Scanning\nisitsecure scan --repo https://github.com/you/your-app --output sarif\n\n# Open the web UI (for non-CLI users)\nisitsecure launch\n```\n\nisitsecure is free and open source. The only cost is LLM API tokens for the AI-powered features:\n\n| Scan Mode | API Key Needed | Estimated Cost |\n|---|---|---|\nURL-only (DAST without LLM) |\nNo | $0 |\nCode-only (SAST without LLM) |\nNo | $0 |\nCode-only + LLM review |\nYes | ~$5–8 |\nFull scan (SAST + DAST + LLM) |\nYes | ~$10–15 |\n\nWithout an API key, you still get all rule-based scanners — **40 in the default quick depth** (15 DAST + 8 special DAST + 17 SAST), or\n\n**44 with**(which adds 4 slower/aggressive DAST scanners). The LLM adds business logic review, semantic rule verification, and intelligent triage — things no pattern matcher can do.\n\n`--depth deep`\n\n**Supported LLM providers:** Anthropic (Claude), Google (Gemini)\n\n| Mode | What It Does | Requires |\n|---|---|---|\n`url-only` |\nDAST scanners against a live URL | Target URL |\n`code-only` |\nSAST scanners against source code | GitHub repo URL |\n`authenticated` |\nDAST with login credentials (IDOR, cross-user BOLA, RLS, privilege escalation) | URL + credentials (add a second account for cross-user tests) |\n`full` |\nEverything: SAST + DAST + authenticated + LLM review + cross-referencing | URL + repo + credentials + API key |\n`auto` (default) |\nDetects mode from what you provide | Whatever you give it |\n\nOrthogonal to mode, `--depth`\n\ntrades speed for coverage:\n\n| Depth | What runs | When to use |\n|---|---|---|\n`quick` (default) |\nStructural + config checks, error-based injection, and the snapshot-based scanners (headers, CORS, RLS, source-map, SRI, client-exposure, redirects…). Fast. | Everyday scans — a solid first pass in a fraction of the time. |\n`deep` |\nEverything in `quick` plus the slow/aggressive probes: time-based (blind) SQL injection, active XSS, auth-bypass timing, rate-limit bursts, and password-reset flows. |\nWhen you want the full arsenal and can wait. |\n\n```\n# Fast pass (default)\nisitsecure scan https://your-app.com --llm none\n\n# Full, aggressive DAST\nisitsecure scan https://your-app.com --depth deep --llm none\n```\n\nThe scan narrates each phase and every scanner as it runs (with elapsed time), so a longer `deep`\n\nscan shows continuous progress rather than appearing to hang.\n\n**19 total** — 15 run in the default `quick`\n\ndepth; the 4 marked **◆** (slower/aggressive probes) are added by `--depth deep`\n\n.\n\n| Scanner | What It Finds |\n|---|---|\nXSS Scanner ◆ |\nReflected, POST body, and DOM-based cross-site scripting |\n| Active Injection Scanner | SQL injection (error + time-based, incl. SQLAlchemy/sqlite3/psycopg errors), command injection, NoSQL injection, XXE, SSTI — injects query, body, and path parameters |\n| CSRF Scanner | Cross-site request forgery on state-changing endpoints |\nRate Limit Scanner ◆ |\nMissing or bypassable rate limiting on auth endpoints |\n| Session Scanner | Insecure token storage (localStorage), missing cookie flags, long-lived JWTs |\n| GraphQL Scanner | Introspection enabled, no depth limits, batch query abuse |\n| SSRF Scanner | Server-side request forgery (internal IPs, cloud metadata) |\n| File Upload Scanner | Unrestricted file types, path traversal in filenames |\n| Mass Assignment Scanner | Accepting privileged fields (role, isAdmin) in request body |\n| Security Headers Scanner | Missing CSP, HSTS, X-Frame-Options; server version disclosure |\n| CORS Scanner | Wildcard origins, credentials with permissive CORS |\n| Open Redirect Scanner | Unvalidated redirect parameters |\nAuth Bypass Scanner ◆ |\nUsername enumeration, default credentials, account lockout bypass |\n| HTTP Probe Scanner | Method tampering, host header injection, directory listing, .env exposure |\nPassword Reset Scanner ◆ |\nToken leakage in response body, email enumeration, no rate limiting |\n| Source Map Scanner | Publicly exposed `.map` files leaking original source (verified, not just present) |\n| Mixed Content Scanner | `http://` resources loaded on an HTTPS page |\n| SRI Scanner | External CDN scripts/styles loaded without Subresource Integrity hashes |\n| Client Exposure Scanner | Secrets in client JS — Supabase `service_role` keys, internal URLs, unreplaced env placeholders |\n\n| Scanner | What It Finds |\n|---|---|\n| IDOR Scanner | Insecure direct object references via ID swapping, plus authenticated cross-user (BOLA) testing with two accounts and an anonymous-access false-positive guard |\n| JWT Scanner | Algorithm none bypass, weak secrets, key confusion attacks |\n| RLS Deep Scanner | Supabase Row Level Security bypass via anon key and cross-user queries |\n| Privilege Escalation Scanner | Admin route access, role self-elevation, object-level write bypass |\n| Authenticated Crawler | Playwright-based login + BFS crawl to discover authenticated endpoints |\n| Race Condition Scanner | TOCTOU bugs via concurrent mutation requests |\n| DOM XSS Scanner | Playwright-based sink hooking (innerHTML, eval, location.assign) |\n| Body Param Fuzzer | Prototype pollution, type confusion, injection via JSON body fields |\n\n| Scanner | What It Finds |\n|---|---|\n| Git Secret Scanner | API keys, tokens, and credentials in git history (not just HEAD) |\n| Route Auth Analyzer | Next.js/Express/Django/FastAPI/Spring routes missing authentication |\n| RLS Policy Analyzer | Supabase tables without Row Level Security enabled |\n| Middleware Analyzer | Incomplete middleware coverage (protects pages but not API routes) |\n| Express Middleware Analyzer | Express-specific auth middleware gaps |\n| Drizzle Schema Analyzer | Sensitive fields (isAdmin, role) exposed to mass assignment |\n| Prisma Schema Analyzer | Similar checks for Prisma schemas |\n| IaC Scanner | Terraform/CloudFormation misconfigurations (public S3, no encryption) |\n| Docker Scanner | Running as root, exposed ports, .env copied into image |\n| Shell Script Scanner | Command injection in deploy scripts |\n| Dependency Scanner (npm) | Known CVEs in package.json dependencies |\n| Python Dependency Scanner | Known CVEs in requirements.txt / pyproject.toml (Django, Flask, FastAPI, PyJWT, etc.) |\n| Java Dependency Scanner | Known CVEs in pom.xml / build.gradle (Log4Shell, Spring, Struts, Jackson, etc.) |\n| OSV Dependency Scanner | Real-time CVE lookups against Google's OSV.dev database (200K+ vulns, all ecosystems: npm, PyPI, Maven, Gradle, Go, Rust) — no hardcoded CVE list, no API key |\n| Firebase Rules Analyzer | Overly permissive Firestore/RTDB security rules |\n| OpenAPI Scanner | Internal endpoints exposed in API specifications |\n| K8s Scanner | Privileged containers, no resource limits, hostPath mounts |\n\n| Scanner | What It Finds |\n|---|---|\n| LLM Code Reviewer | Business logic flaws: missing ownership checks, race conditions in payments, incorrect authorization logic |\n| Semantic Rule Verifier | Logical errors in RLS policies and Firebase rules (wrong column references, tenant isolation bugs) |\n| LLM Business Logic Scanner | Attack planning: price manipulation, double-spend, privilege escalation via application logic |\n| LLM Triage Service | Deduplicates findings, assigns priority, generates plain-language owner summary with A–F grade |\n| AI Fix Generator | Generates code patches (unified diffs) for each finding — paste into Cursor/Claude Code to fix |\n\n| Feature | What It Does |\n|---|---|\n| OpenAPI/Swagger Discovery | Probes `/openapi.json` , `/swagger.json` , `/v3/api-docs` and parses the spec into testable endpoints — finds attack surface on APIs with no crawlable frontend |\n| HTML Form/Link Discovery | Reads `<form>` /`<input>` /query-links from server-rendered pages (bounded url-only crawl + inside the authenticated crawler) — finds attack surface on classic MVC apps with no JS API bundle |\n| Endpoint Prioritizer + Time Budget | Ranks likely-vulnerable endpoints first and tests within a per-scanner time budget, so high-risk paths get covered before the clock runs out |\n| SAST→DAST Feedback Loop | SAST findings generate targeted DAST tests (6 strategies: auth bypass, IDOR, injection, mass assignment, race condition, RLS bypass) |\n| Cross-Referencer | Matches DAST + SAST findings for high-confidence confirmed vulnerabilities |\n| Import Graph Centrality | Identifies shared utility files imported by many risky routes for LLM review |\n| LSP Auth Flow Tracing | Uses TypeScript Language Server to verify auth middleware is genuinely applied |\n\n| Language | Route Mapping | Auth Detection | Dependency Scan | DAST |\n|---|---|---|---|---|\nTypeScript/JavaScript (Next.js, Express, tRPC, GraphQL) |\nYes | Yes | Yes (npm) | Yes |\nPython (Django, FastAPI, Flask) |\nYes | Yes | Yes (pip) | Yes |\nJava/Kotlin (Spring Boot) |\nYes | Yes | Yes (Maven, Gradle) | Yes |\nGo, Ruby, Rust, etc. |\nNo | No | No | Yes (DAST works against any HTTP API) |\n\nDAST scanners test live HTTP endpoints regardless of backend language. SAST route mapping, auth detection, and dependency scanning are language-specific.\n\n```\nisitsecure scan URL --output table   # Terminal table (default)\nisitsecure scan URL --output json    # Full JSON report\nisitsecure scan URL --output html    # Self-contained HTML report\nisitsecure scan URL --output sarif   # SARIF 2.1.0 for GitHub Code Scanning\nisitsecure scan URL --output fixes   # AI-generated fix plan (Markdown with diffs)\n# Scan your code and apply AI-generated fixes automatically\nisitsecure fix --repo ./my-app\n\n# Preview fixes without applying (dry run)\nisitsecure fix --repo ./my-app --dry-run\n\n# Only fix critical issues\nisitsecure fix --repo ./my-app --severity critical\n```\n\nWhat it does:\n\n- Scans your repo with all SAST scanners\n- For each critical/high finding with a code location, sends the file to the LLM\n- Generates a fixed version of the file\n- Writes the fixed code directly to your files\n- Shows a summary of what changed\n\nAfter running, check `git diff`\n\nto review the changes, run your tests, and commit.\n\nAdd a security grade badge to your README:\n\n```\nisitsecure badge --repo ./my-app -o badge.svg\n```\n\nThen add to your README:\n\n```\n![Security Grade](./badge.svg)\n```\n\nThe badge shows your grade (A–F) and total finding count, styled like a shields.io badge.\n\nisitsecure is not a replacement for enterprise security platforms. It's designed to be the **one tool a solo developer or small team needs** — combining capabilities that otherwise require 4-5 separate tools.\n\n- SAST findings automatically generate targeted DAST tests (closed feedback loop)\n- LLM reviews business logic (race conditions, price manipulation, ownership checks)\n- One command scans + generates + applies AI fixes (\n`isitsecure fix`\n\n) - Cross-references DAST + SAST findings for confirmed vulnerabilities\n- LSP traces auth flows through call chains (TypeScript, Python, Java)\n\n| Need | Best specialized tool | How isitsecure compares |\n|---|---|---|\n| Deep SAST (30+ languages) |\n|\n\n[OWASP ZAP](https://zaproxy.org)/[Burp Suite](https://portswigger.net)[TruffleHog](https://github.com/trufflesecurity/trufflehog)/[Gitleaks](https://github.com/gitleaks/gitleaks)[Trivy](https://github.com/aquasecurity/trivy)/[Checkov](https://github.com/bridgecrewio/checkov)[Snyk](https://snyk.io)/[Checkmarx](https://checkmarx.com)[Nuclei](https://github.com/projectdiscovery/nuclei)(28K+ stars)| You are | Use this |\n|---|---|\n| Solo dev / vibe coder shipping a web app | isitsecure — one tool, one command |\n| Team with $25K+ security budget | Snyk + GitHub Advanced Security |\n| Enterprise with compliance requirements | Checkmarx / Veracode |\n| Pentester doing deep exploitation | Burp Suite Pro + Nuclei |\n| DevOps focused on containers/IaC | Trivy + Checkov + Gitleaks |\n\nisitsecure works well alongside other tools. Run `isitsecure scan`\n\nfor the combined SAST+DAST+LLM view, and use specialized tools where you need deeper coverage.\n\n**Formal taint analysis**— No dataflow tracking across function boundaries. Uses regex + LLM reasoning instead** WAF evasion**— DAST payloads don't include advanced bypass techniques** Compliance mapping**— No OWASP Top 10, CWE, or PCI-DSS tagging (yet)** Network-level scanning**— No port scanning, TLS analysis, or infrastructure enumeration** Mobile apps**— Web APIs only** Go/Ruby/Rust SAST**— Route mapping not yet implemented (DAST and dependency scanning via OSV still work)\n\nSet via environment variable, `.env`\n\nfile, or `~/.isitsecure/config.toml`\n\n:\n\n```\n# Environment variable\nexport ANTHROPIC_API_KEY=sk-ant-...\n\n# Or .env file in your project\necho \"ANTHROPIC_API_KEY=sk-ant-...\" > .env\n\n# Or interactive setup\nisitsecure setup\n```\n\nisitsecure detects blind SSRF, XXE, and injection vulnerabilities using out-of-band (OOB) callbacks. By default it uses `oob.isitsecure.ai`\n\n— a free community server running [interactsh](https://github.com/projectdiscovery/interactsh).\n\n**What data is sent?** Only the scan *target* makes DNS/HTTP requests to the OOB server. Your source code never leaves your machine.\n\n**Self-host your own:**\n\n```\n# Deploy interactsh\ndocker run projectdiscovery/interactsh-server\n\n# Point isitsecure to it in ~/.isitsecure/config.toml\n[oob]\nserver = \"http://oob.yourdomain.com\"\n```\n\n**Disable entirely:** Add `enabled = false`\n\nunder `[oob]`\n\nin config.\n\n```\n# Supabase auth\nisitsecure scan https://your-app.com \\\n  --auth-email user@example.com \\\n  --auth-password yourpassword \\\n  --auth-provider supabase\n\n# Firebase auth\nisitsecure scan https://your-app.com \\\n  --auth-email user@example.com \\\n  --auth-password yourpassword \\\n  --auth-provider firebase\n\n# Direct token\nisitsecure scan https://your-app.com \\\n  --auth-provider token \\\n  --auth-token \"eyJ...\"\n```\n\n**Cross-user IDOR / BOLA** — supply a *second* account and isitsecure logs in as both users and checks whether one user can read or mutate another user's objects (broken object-level authorization). An anonymous-access guard suppresses false positives from endpoints that are simply public.\n\n```\nisitsecure scan https://your-app.com \\\n  --auth-email  alice@example.com --auth-password alicepass \\\n  --auth-email-b bob@example.com  --auth-password-b bobpass \\\n  --mode authenticated\n```\n\n**Frontend-less / plain REST APIs** — use `--auth-provider token`\n\n, which logs in against a generic REST login endpoint (auto-discovered, or pass it explicitly with `--login-url`\n\n):\n\n```\nisitsecure scan https://api.your-app.com \\\n  --auth-provider token \\\n  --auth-email alice@example.com --auth-password alicepass \\\n  --auth-email-b bob@example.com --auth-password-b bobpass \\\n  --login-url https://api.your-app.com/login\nisitsecure scan [URL] [OPTIONS]\n\nArguments:\n  URL                    Target URL to scan (DAST)\n\nOptions:\n  -r, --repo TEXT        GitHub repo URL (SAST)\n  -b, --branch TEXT      Git branch [default: main]\n  -m, --mode TEXT        Scan mode: auto|url-only|code-only|authenticated|full\n  --depth TEXT           Scan depth: quick|deep [default: quick]\n  --llm TEXT             LLM provider: anthropic|google|none [default: anthropic]\n  -o, --output TEXT      Output format: table|json|html|sarif|fixes [default: table]\n  -f, --output-file TEXT Write report to file\n  --auth-email TEXT      Auth email/username for authenticated scanning (user A)\n  --auth-password TEXT   Auth password (user A)\n  --auth-provider TEXT   Auth provider: supabase|firebase|browser|token\n                         (use token for a plain REST login)\n  --auth-email-b TEXT    Second user's email — enables cross-user IDOR/BOLA testing\n  --auth-password-b TEXT Second user's password (paired with --auth-email-b)\n  --login-url TEXT       Explicit login endpoint (else auto-discovered)\n  --github-token TEXT    GitHub token for private repos\n  -v, --verbose          Enable debug logging\n\nisitsecure launch [OPTIONS]\n  -p, --port INT         Port for web UI [default: 3000]\n  --host TEXT            Host to bind [default: 127.0.0.1]\n\nisitsecure setup          Interactive first-time setup\nisitsecure version        Show version\n```\n\nPrefer a GUI? `isitsecure launch`\n\nstarts a local web interface backed by the same scan engine — no CLI flags to remember:\n\n```\nisitsecure launch\n# Opens http://localhost:3000 in your browser\n```\n\nThe UI provides:\n\n**Visual scan configuration**— target URL, repo, scan mode, AI provider, and optional login credentials** Live scan progress**— a progress bar and a streaming scanner log** Finding browser**— filter by severity or scanner, plus full-text search, with each finding expandable for evidence, technical detail, and remediation**Plain-language risk summary**— an A–F grade, key risks, and a phased remediation plan** One-click AI fixes**— a \"Generate Fix\" button on any finding produces a unified diff inline (one finding at a time)** Report export**— download JSON, or open the self-contained HTML report in a new tab** Scan history**— recent scans are remembered locally in your browser\n\nThe web server resolves your LLM API key the same way the CLI does (`ANTHROPIC_API_KEY`\n\n, a `.env`\n\nfile, or `isitsecure setup`\n\n), so scans and fixes work without pasting a key into the browser. You can still enter one in the scan form to override it.\n\nThe repo includes **VibeTasks** — an intentionally vulnerable Next.js + Supabase app with ~50 security issues. All commands below are run from the repo root.\n\n```\n# Scan the bundled app's source (SAST only — fast, no API key needed)\nisitsecure scan --repo ./test-app --mode code-only --llm none\n```\n\nTo also run the live-app (DAST) scanners, start the app first, then scan its URL:\n\n```\n# In one terminal: start the vulnerable app\ncd test-app && npm install && npm run dev   # serves on port 4000\n\n# In another terminal, from the repo root: full scan (SAST + DAST)\nisitsecure scan http://localhost:4000 --repo ./test-app --mode full\n```\n\n`--repo`\n\naccepts a local directory (scanned in place, including uncommitted changes) or a remote git URL like `https://github.com/you/your-app`\n\n. See `examples/sample-report.json`\n\nfor what a scan produces.\n\nisitsecure ships a repeatable benchmark harness that scores **recall** (of the vulnerability classes an app is known to have, how many we catch) and **false positives** (findings that must not appear against a hardened build) on public, deliberately-vulnerable apps.\n\n**Measured coverage — be realistic about what a scanner catches.** On [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/) — a deliberately hard benchmark of 100+ challenges — isitsecure detects roughly **40% of the 45 DAST-detectable challenge classes** in an authenticated scan (36% url-only), scored automatically against the app's own `/api/Challenges`\n\nlist. It's strong on authentication bypass, cross-user BOLA/IDOR, injection and misconfiguration, and open redirects; it's weak on interactive client-side XSS and challenges that require multi-step business-logic exploitation. In other words: it's a solid automated first pass that catches whole classes of real bugs in one command — **not** a substitute for a manual pentest. Full per-class breakdown and methodology are in [benchmarks/RESULTS.md](/jaurakunal/isitsecure/blob/main/benchmarks/RESULTS.md).\n\n```\npython benchmarks/run_benchmarks.py          # VAmPI (vulnerable + secure builds)\npython benchmarks/run_benchmarks.py --all    # + NodeGoat + crAPI (heavy)\n```\n\nEach run spins the target up in Docker, runs a DAST scan, scores against a known ground truth, and tears it down (requires Docker). Measured results are tracked in [benchmarks/RESULTS.md](/jaurakunal/isitsecure/blob/main/benchmarks/RESULTS.md); see [benchmarks/README.md](/jaurakunal/isitsecure/blob/main/benchmarks/README.md) for targets and how scoring works.\n\n**Rule-based scanning is fully local.** SAST scanners clone your repo to a local temp directory and analyze it on your machine — no code leaves your computer unless you enable LLM review.**DAST scanners send HTTP requests to your target URL.** Nothing is proxied through external servers.**LLM review sends code to your chosen API provider**(Anthropic or Google). To be precise: it sends the** full contents of files flagged by the rule-based scanners**(capped at ~50 KB per file) — not your entire codebase, but for most source files that is the whole file, not just a snippet. Run`--llm none`\n\nto keep everything local.**OOB callbacks** only involve your scan target making DNS/HTTP requests to the callback server. Your code is never sent there.\n\nSee [docs/architecture.md](/jaurakunal/isitsecure/blob/main/docs/architecture.md) for the full pipeline design, including how SAST feeds DAST, how LLM review is prioritized, and how cross-referencing works.\n\nSee [docs/scanners/](/jaurakunal/isitsecure/blob/main/docs/scanners) for detailed documentation on every scanner — what it detects, why it matters, real-world breach examples, and how to fix the vulnerabilities it finds.\n\nLanguage servers let the scanner trace auth flows through your code (via go-to-definition) and suppress false positives — confirming auth middleware is genuinely *applied*, not just imported.\n\n**Let isitsecure install them for you:**\n\n```\nisitsecure setup --lsp      # install/verify the Python, TypeScript, and Java language servers\nisitsecure setup --check    # report what's installed (API key, DAST browser, LSP) — installs nothing\n```\n\n`setup --lsp`\n\ninstalls what it can cleanly (Python via pip always; TypeScript via npm if Node is present; Java via Homebrew if available) and prints guidance for anything it can't. It's also offered as a step in the full `isitsecure setup`\n\n. This is optional — scans still work without it using regex-based detection. For manual setup and per-language detail, see [docs/lsp-setup.md](/jaurakunal/isitsecure/blob/main/docs/lsp-setup.md).\n\nisitsecure is built on protocols and the strategy pattern. Adding a new scanner is straightforward:\n\n- Implement\n`DASTScannerProtocol`\n\nor`CodeScannerProtocol`\n\n- Add it to the scanner list in\n`isitsecure/engine/factory.py`\n\n- Add tests under\n`tests/`\n\nSet up a dev environment with `pip install -e \".[all,dev]\"`\n\n, then run the suite with `pytest`\n\n. Issues and pull requests welcome at [github.com/jaurakunal/isitsecure](https://github.com/jaurakunal/isitsecure).\n\nApache 2.0 — see [LICENSE](/jaurakunal/isitsecure/blob/main/LICENSE).\n\n[interactsh](https://github.com/projectdiscovery/interactsh)by ProjectDiscovery for the OOB callback protocol[Playwright](https://playwright.dev/)for browser automation in authenticated crawling and DOM XSS detection", "url": "https://wpnews.pro/news/show-hn-isitsecure-1-command-sast-dast-llm-security-scanner-for-web-apps", "canonical_source": "https://github.com/jaurakunal/isitsecure", "published_at": "2026-07-11 05:39:42+00:00", "updated_at": "2026-07-11 06:29:11.382771+00:00", "lang": "en", "topics": ["developer-tools", "ai-tools", "artificial-intelligence"], "entities": ["Kunal Jaura", "isitsecure", "Next.js", "Express", "tRPC", "Django", "FastAPI", "Flask"], "alternates": {"html": "https://wpnews.pro/news/show-hn-isitsecure-1-command-sast-dast-llm-security-scanner-for-web-apps", "markdown": "https://wpnews.pro/news/show-hn-isitsecure-1-command-sast-dast-llm-security-scanner-for-web-apps.md", "text": "https://wpnews.pro/news/show-hn-isitsecure-1-command-sast-dast-llm-security-scanner-for-web-apps.txt", "jsonld": "https://wpnews.pro/news/show-hn-isitsecure-1-command-sast-dast-llm-security-scanner-for-web-apps.jsonld"}}