AI News AI资讯 6h ago Updated 2h ago 更新于 2小时前 46

Show HN: Isitsecure – 1-command SAST and DAST and LLM security scanner for web apps Show HN:Isitsecure - 一条命令即可进行SAST、DAST和LLM安全扫描的Web应用工具

isitsecure is an open-source tool combining Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Large Language Model (LLM) code review into a single command-line interface. It features an automated workflow where SAST findings trigger targeted DAST tests to validate exploitability, significantly reducing false positives through cross-referencing. The tool provides AI-generated code patches (unified diffs) and integrates with IDEs like Cursor or Claude Cod isitsecure 是一个开源的 AI 驱动 Web 应用安全扫描器,集成 SAST、DAST 和 LLM 代码审查于一体。 默认运行 40 个规则扫描器(深度模式 44 个),支持 TypeScript/JS、Python、Java/Kotlin 及任意 HTTP API。 核心创新在于 SAST 发现可自动生成定向 DAST 测试,并结合 LLM 进行业务逻辑漏洞检测与修复代码生成。 提供从扫描到修复的一站式工作流,支持生成 Markdown 修复计划供 Cursor/Claude Code 使用,以及安全徽章。 基础规则扫描免费,仅 LLM 功能需消耗 API Token,支持 Ant

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • isitsecure is an open-source tool combining Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Large Language Model (LLM) code review into a single command-line interface.
  • It features an automated workflow where SAST findings trigger targeted DAST tests to validate exploitability, significantly reducing false positives through cross-referencing.
  • The tool provides AI-generated code patches (unified diffs) and integrates with IDEs like Cursor or Claude Code via Markdown output, enabling rapid remediation.
  • It supports multiple languages including TypeScript/JavaScript, Python, and Java/Kotlin, offering both rule-based scanning (free) and optional LLM-enhanced analysis (paid API costs).

Why It Matters

This tool addresses the fragmentation in application security testing by unifying SAST, DAST, and AI-driven semantic analysis, which are typically sold as separate enterprise solutions. For developers and DevOps engineers, it lowers the barrier to entry for secure coding by providing actionable, AI-generated fixes rather than just vulnerability reports, thereby accelerating the remediation lifecycle.

Technical Details

  • Hybrid Architecture: Combines 40+ rule-based scanners (17 SAST, 15+ DAST variants) with an optional LLM layer for business logic flaw detection and semantic verification.
  • Automated Cross-Validation: Implements a pipeline where SAST findings (e.g., missing authentication checks) automatically generate specific DAST payloads to confirm exploitability in a live environment.
  • AI Integration: Supports Anthropic (Claude) and Google (Gemini) APIs for code review, triage, and generating unified diff patches for identified vulnerabilities.
  • Implementation & Output: Built on Python 3.11+, it offers multiple output formats including SARIF for CI/CD integration, HTML reports, and Markdown fix plans compatible with AI coding assistants.

Industry Insight

  • Shift-Left Security Automation: The ability to generate immediate code fixes suggests a future where security remediation becomes part of the standard development workflow, potentially reducing the backlog of security tickets.
  • Cost-Efficiency for SMEs: By offering a robust, free core engine with optional paid AI features, this tool democratizes access to advanced security testing capabilities previously available only to organizations with large budgets for commercial suites.
  • Integration Potential: The support for SARIF output and compatibility with major LLM providers indicates strong potential for embedding such tools directly into GitHub Actions, GitLab CI, or IDE extensions for continuous security monitoring.

TL;DR

  • isitsecure 是一个开源的 AI 驱动 Web 应用安全扫描器,集成 SAST、DAST 和 LLM 代码审查于一体。
  • 默认运行 40 个规则扫描器(深度模式 44 个),支持 TypeScript/JS、Python、Java/Kotlin 及任意 HTTP API。
  • 核心创新在于 SAST 发现可自动生成定向 DAST 测试,并结合 LLM 进行业务逻辑漏洞检测与修复代码生成。
  • 提供从扫描到修复的一站式工作流,支持生成 Markdown 修复计划供 Cursor/Claude Code 使用,以及安全徽章。
  • 基础规则扫描免费,仅 LLM 功能需消耗 API Token,支持 Anthropic 和 Google 模型。

为什么值得看

该工具解决了传统安全扫描器分散且缺乏上下文的问题,通过结合静态与动态分析显著降低误报率并提升漏洞验证效率。对于希望在不成为安全专家的情况下快速获得可执行修复方案的开发者而言,它提供了极具吸引力的自动化闭环体验。

技术解析

  • 混合扫描架构:同时执行 SAST(源码静态分析)、DAST(针对运行中应用的动态测试)和 LLM 代码审查。SAST 结果可直接触发针对性的 DAST 请求以验证漏洞可利用性,形成闭环。
  • LLM 增强能力:利用大语言模型识别模式匹配无法发现的复杂业务逻辑缺陷,并进行智能去重(Triage)。支持生成统一差异(unified diffs)格式的修复补丁,可直接用于 IDE 插件。
  • 安装与依赖管理:基于 Python 3.11+,通过 pip install -e ".[all]" 启用所有功能(包括浏览器 DAST 所需的 Chromium 和 LSP)。提供自动化的 shell/PowerShell 安装脚本,确保环境隔离。
  • 多语言与框架支持:原生支持 Next.js, Express, Django, FastAPI, Spring Boot 等主流框架,并通过 LSP 辅助验证和抑制误报。
  • 输出与集成:支持 CLI 叙事化报告、HTML 浏览页面、SARIF 格式导出(用于 GitHub Code Scanning)以及自动生成 README 安全徽章。

行业启示

  • DevSecOps 自动化新范式:安全工具正从“报告问题”向“解决问题”转变,自动生成可执行的代码修复方案将成为开发者首选的安全辅助功能。
  • 静态与动态分析的融合:单一维度的扫描已显不足,将 SAST 的广度与 DAST 的深度结合,并利用 AI 进行关联分析,是提升漏洞检出率和准确性的关键趋势。
  • 低成本高覆盖的安全策略:开源工具结合按需付费的 LLM API,为中小团队提供了接近商业级安全扫描能力的可行路径,降低了安全门槛。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Open Source 开源 Security 安全 LLM 大模型