Find and fix web-app vulnerabilities in one command — SAST + DAST + AI, for devs who aren't security experts.
AI-powered security scanner for modern web apps. SAST + DAST + LLM code review in a single scan.
Built for developers and vibe coders shipping web apps who need to know if their code is secure — without becoming security experts.
Supports: TypeScript/JavaScript (Next.js, Express, tRPC), Python (Django, FastAPI, Flask), Java/Kotlin (Spring Boot) — and any HTTP API for DAST.
isitsecure scan --repo ./your-app — every scanner narrates as it runs, then you get a graded report (and a browseable HTML page) with the fixes.
isitsecure runs 40 rule-based scanners by default — up to 44 with --depth deep — (plus optional AI code review) against your web app in a single command. It combines four approaches that commercial tools sell separately:
The unique parts:
--output fixes produces a Markdown fix plan you can paste into Cursor or Claude Code.Code → SAST → Findings → Guide DAST → Test → Cross-Reference → LLM Triage → Report → Fixes ↑ | └──────────────── LSP validates / suppresses false positives ───────────────────────────┘
Requirements: Python 3.11+ and git. (isitsecure isn't on PyPI — the isitsecure name there is an unrelated project, so don't pip install it.)
The installer verifies Python/git, then clones the repo, sets up an isolated environment, installs everything, and runs first-time setup:
# macOS / Linux — download it, glance at it, run it curl -fsSLo install.sh https://raw.githubusercontent.com/jaurakunal/isitsecure/main/install.sh bash install.sh
# Windows (PowerShell) irm https://raw.githubusercontent.com/jaurakunal/isitsecure/main/install.ps1 -OutFile install.ps1 ./install.ps1
If Python or git are missing, the installer tells you the exact command to install them for your OS and stops cleanly — it never leaves a half-finished state.
Prefer to do it by hand:
# 1. Clone the repo git clone https://github.com/jaurakunal/isitsecure.git cd isitsecure # 2. Install into a virtual environment (recommended) python3 -m venv .venv source .venv/bin/activate # Windows: .venv\Scripts\activate # 3. Install with all features (browser DAST, LLM review, OOB detection) pip install -e ".[all]" # 4. First-time setup — installs the Chromium browser, language servers, optionally saves an API key isitsecure setup
pip install -e ".[all]" is the recommended install and enables every scanner. If you want a lighter footprint, the extras are opt-in:
| Install | What works |
|---|---|
pip install -e . |
SAST / code-only scans only (--mode code-only) |
pip install -e ".[browser]" |
Adds DAST / live-URL scanning (requires isitsecure setup to install Chromium) |
pip install -e ".[llm]" |
Adds LLM code review, triage, and AI fixes (requires an API key) |
pip install -e ".[all]" |
Everything |
URL/DAST scanning needs the [browser] extra — without it, isitsecure scan <url> exits with a message telling you to install it.
# Scan a live URL (DAST only, no API key needed) isitsecure scan https://your-app.com --llm none # Scan source code (SAST only) isitsecure scan --repo https://github.com/you/your-app --mode code-only --llm none # Full scan (SAST + DAST + LLM review) isitsecure scan https://your-app.com --repo https://github.com/you/your-app --mode full # One command: scan + fix everything (the magic) isitsecure fix --repo ./your-app # Or dry-run first to preview fixes isitsecure fix --repo ./your-app --dry-run # Generate a security badge for your README isitsecure badge --repo ./your-app # Export for GitHub Code Scanning isitsecure scan --repo https://github.com/you/your-app --output sarif # Open the web UI (for non-CLI users) isitsecure launch
isitsecure is free and open source. The only cost is LLM API tokens for the AI-powered features:
| Scan Mode | API Key Needed | Estimated Cost |
|---|---|---|
| URL-only (DAST without LLM) | No | $0 |
| Code-only (SAST without LLM) | No | $0 |
| Code-only + LLM review | Yes | ~$5–8 |
| Full scan (SAST + DAST + LLM) | Yes | ~$10–15 |
Without an API key, you still get all rule-based scanners — 40 in the default quick depth (15 DAST + 8 special DAST + 17 SAST), or 44 with --depth deep (which adds 4 slower/aggressive DAST scanners). The LLM adds business logic review, semantic rule verification, and intelligent triage — things no pattern matcher can do.
Supported LLM providers: Anthropic (Claude), Google (Gemini)
| Mode | What It Does | Requires |
|---|---|---|
url-only |
DAST scanners against a live URL | Target URL |
code-only |
SAST scanners against source code | GitHub repo URL |
authenticated |
DAST with login credentials (IDOR, cross-user BOLA, RLS, privilege escalation) | URL + credentials (add a second account for cross-user tests) |
full |
Everything: SAST + DAST + authenticated + LLM review + cross-referencing | URL + repo + credentials + API key |
auto (default) |
Detects mode from what you provide | Whatever you give it |
Orthogonal to mode, --depth trades speed for coverage:
| Depth | What runs | When to use |
|---|---|---|
quick (default) |
Structural + config checks, error-based injection, and the snapshot-based scanners (headers, CORS, RLS, source-map, SRI, client-exposure, redirects…). Fast. | Everyday scans — a solid first pass in a fraction of the time. |
deep |
Everything in quick plus the slow/aggressive probes: time-based (blind) SQL injection, active XSS, auth-bypass timing, rate-limit bursts, and password-reset flows. |
When you want the full arsenal and can wait. |
# Fast pass (default) isitsecure scan https://your-app.com --llm none # Full, aggressive DAST isitsecure scan https://your-app.com --depth deep --llm none
The scan narrates each phase and every scanner as it runs (with elapsed time), so a longer deep scan shows continuous progress rather than appearing to hang.
19 total — 15 run in the default quick depth; the 4 marked ◆ (slower/aggressive probes) are added by --depth deep.