Show HN: Isitsecure – 1-command SAST and DAST and LLM security scanner for web apps
isitsecure is an open-source tool combining Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Large Language Model (LLM) code review into a single command-line interface. It features an automated workflow where SAST findings trigger targeted DAST tests to validate exploitability, significantly reducing false positives through cross-referencing. The tool provides AI-generated code patches (unified diffs) and integrates with IDEs like Cursor or Claude Cod
Analysis
TL;DR
- isitsecure is an open-source tool combining Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Large Language Model (LLM) code review into a single command-line interface.
- It features an automated workflow where SAST findings trigger targeted DAST tests to validate exploitability, significantly reducing false positives through cross-referencing.
- The tool provides AI-generated code patches (unified diffs) and integrates with IDEs like Cursor or Claude Code via Markdown output, enabling rapid remediation.
- It supports multiple languages including TypeScript/JavaScript, Python, and Java/Kotlin, offering both rule-based scanning (free) and optional LLM-enhanced analysis (paid API costs).
Why It Matters
This tool addresses the fragmentation in application security testing by unifying SAST, DAST, and AI-driven semantic analysis, which are typically sold as separate enterprise solutions. For developers and DevOps engineers, it lowers the barrier to entry for secure coding by providing actionable, AI-generated fixes rather than just vulnerability reports, thereby accelerating the remediation lifecycle.
Technical Details
- Hybrid Architecture: Combines 40+ rule-based scanners (17 SAST, 15+ DAST variants) with an optional LLM layer for business logic flaw detection and semantic verification.
- Automated Cross-Validation: Implements a pipeline where SAST findings (e.g., missing authentication checks) automatically generate specific DAST payloads to confirm exploitability in a live environment.
- AI Integration: Supports Anthropic (Claude) and Google (Gemini) APIs for code review, triage, and generating unified diff patches for identified vulnerabilities.
- Implementation & Output: Built on Python 3.11+, it offers multiple output formats including SARIF for CI/CD integration, HTML reports, and Markdown fix plans compatible with AI coding assistants.
Industry Insight
- Shift-Left Security Automation: The ability to generate immediate code fixes suggests a future where security remediation becomes part of the standard development workflow, potentially reducing the backlog of security tickets.
- Cost-Efficiency for SMEs: By offering a robust, free core engine with optional paid AI features, this tool democratizes access to advanced security testing capabilities previously available only to organizations with large budgets for commercial suites.
- Integration Potential: The support for SARIF output and compatibility with major LLM providers indicates strong potential for embedding such tools directly into GitHub Actions, GitLab CI, or IDE extensions for continuous security monitoring.
Disclaimer: The above content is generated by AI and is for reference only.