Show HN: isitsecure - 1-command SAST & DAST & LLM security scanner for web apps Kunal Jaura released isitsecure, an open-source command-line tool that combines SAST, DAST, and LLM-powered code review into a single security scanner for web applications. The tool supports multiple languages and frameworks, generates targeted DAST tests from SAST findings, and produces fix plans, aiming to help developers identify and fix vulnerabilities without requiring deep security expertise. AI-powered security scanner for modern web apps. SAST + DAST + LLM code review in a single scan. Built for developers and vibe coders shipping web apps who need to know if their code is secure — without becoming security experts. Supports: TypeScript/JavaScript Next.js, Express, tRPC , Python Django, FastAPI, Flask , Java/Kotlin Spring Boot — and any HTTP API for DAST. isitsecure scan --repo ./your-app — every scanner narrates as it runs, then you get a graded report and a browseable HTML page with the fixes. Demo demo · What It Does what-it-does Install install · Quick Start quick-start · What It Costs what-it-costs Scan Modes scan-modes · Scan Depth scan-depth What It Scans what-it-scans — DAST dast-scanners--tests-your-live-app · Special DAST special-dast-scanners-8 · SAST sast-scanners-17--analyzes-your-code · LLM llm-powered-analysis-requires-api-key · Cross-Referencing cross-referencing--guided-dast Language Support language-support · Output Formats output-formats Auto-Fix auto-fix-one-command-to-fix-your-app · Security Badge security-badge How We Compare how-we-compare · What It Does NOT Cover what-it-does-not-cover Configuration configuration — API Keys api-keys · OOB Callbacks oob-callbacks-blind-vulnerability-detection · Authenticated Scanning authenticated-scanning CLI Reference cli-reference · Web UI web-ui · Try It on the Test App try-it-on-the-test-app Benchmarks benchmarks · Privacy privacy · Architecture architecture Scanner Documentation scanner-documentation · LSP Setup lsp-setup-optional-reduces-false-positives Contributing contributing · License license · Acknowledgements acknowledgements isitsecure runs 40 rule-based scanners by default — up to 44 with --depth deep — plus optional AI code review against your web app in a single command. It combines four approaches that commercial tools sell separately: SAST Static Analysis — scans your source code for vulnerabilities without running it DAST Dynamic Analysis — tests your live app by sending real HTTP requests LLM Code Review — uses AI to find business logic flaws that pattern matchers can't detect AI Fix Generation — generates code patches with unified diffs for every finding The unique parts: SAST findings automatically generate targeted DAST tests . Code shows no auth check → scanner sends an unauthenticated request and confirms it's exploitable. AI generates fixes, not just reports . --output fixes produces a Markdown fix plan you can paste into Cursor or Claude Code. Code → SAST → Findings → Guide DAST → Test → Cross-Reference → LLM Triage → Report → Fixes ↑ | └──────────────── LSP validates / suppresses false positives ───────────────────────────┘ Requirements: Python 3.11+ and git . isitsecure isn't on PyPI — the isitsecure name there is an unrelated project, so don't pip install it. The installer verifies Python/git, then clones the repo, sets up an isolated environment, installs everything, and runs first-time setup: macOS / Linux — download it, glance at it, run it curl -fsSLo install.sh https://raw.githubusercontent.com/jaurakunal/isitsecure/main/install.sh bash install.sh Windows PowerShell irm https://raw.githubusercontent.com/jaurakunal/isitsecure/main/install.ps1 -OutFile install.ps1 ./install.ps1 If Python or git are missing, the installer tells you the exact command to install them for your OS and stops cleanly — it never leaves a half-finished state. Prefer to do it by hand: 1. Clone the repo git clone https://github.com/jaurakunal/isitsecure.git cd isitsecure 2. Install into a virtual environment recommended python3 -m venv .venv source .venv/bin/activate Windows: .venv\Scripts\activate 3. Install with all features browser DAST, LLM review, OOB detection pip install -e ". all " 4. First-time setup — installs the Chromium browser, language servers, optionally saves an API key isitsecure setup pip install -e ". all " is the recommended install and enables every scanner. If you want a lighter footprint, the extras are opt-in: | Install | What works | |---|---| pip install -e . | SAST / code-only scans only --mode code-only | pip install -e ". browser " | Adds DAST / live-URL scanning requires isitsecure setup to install Chromium | pip install -e ". llm " | Adds LLM code review, triage, and AI fixes requires an API key | pip install -e ". all " | Everything | URL/DAST scanning needs the browser extra — without it, isitsecure scan