Why I Built a Smarter Vulnerability Scanner (And You Should Try It)

— Originally published at www.linkedin.com

Building Permi: An AI-Powered Vulnerability Scanner for Real-World Developers

By Nasarah Peter Dashe
Cybersecurity student @ UNIJOS | Founder of Permi


The Problem That Wouldn't Leave Me Alone

A few months ago, I ran a security scan on a client’s website. The tool returned 47 critical vulnerabilities.

I spent the next three hours filtering through false positives.

Only 4 were real.

One of them was a reflected XSS that could have let an attacker steal session cookies. The other 43 were noise – misconfigurations that didn’t apply, libraries I wasn’t using, and alerts with no real-world impact.

I was frustrated. But more than that, I was curious: Why do security tools waste so much of our time?

That question pushed me to build Permi – an open-source, AI-powered vulnerability scanner designed to cut through the noise and show developers only what actually matters.


What Makes Permi Different

Most traditional scanners work on simple rules: if response matches pattern A → alert. That logic was fine twenty years ago. But today’s applications are dynamic, complex, and full of legitimate edge cases. The result? Up to 90% false positives.

Permi takes a different approach:

  1. Run the scan – It finds potential issues using lightweight rules (like many scanners).
  2. AI filter – Each finding is passed to an LLM (via OpenRouter or Groq) with a simple prompt: Is this a real vulnerability or a false positive?
  3. Show only what’s real – The output is clean, actionable, and includes confidence scores and reasoning.

In a recent test on a real codebase, Permi reduced false positives by 78%. 9 raw findings → 8 real vulnerabilities → 1 false positive removed.


How It Works (With Code)

Permi is written in Python and is available on PyPI. You can install it with one command:

```bash
pip install permi
```

To scan a live website:

```bash
permi scan --url https://example.com
```

To scan your local codebase:

```bash
permi scan --path ./my-project
```
The AI filter uses a simple but effective prompt. Here’s a simplified version:

```python
prompt = f"""
You are a security expert. Analyze this potential vulnerability:

- Type: {finding['type']}
- URL: {finding['url']}
- Parameter: {finding.get('param', 'N/A')}
- Payload: {finding.get('payload', 'N/A')}
- Evidence snippet: {evidence[:300]}

Answer with JSON only:
{{"is_true_positive": true/false, "confidence": 0-100, "reason": "brief"}}
"""
```
The LLM returns a structured decision, and Permi filters accordingly.
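The post does not show the filtering side, so here is an added example (not Permi's own code) of how a scanner can consume replies shaped like that prompt's JSON: `parse_verdict` recovers the verdict object even when the model adds text around it or returns something malformed, and `filter_findings` suppresses a finding only on a parseable, high-confidence false-positive verdict, keeping it in every other case. The findings, replies and the 70-point threshold are constructed assumptions.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed inputs (not real Permi data): three raw findings and the classifier
# reply for each. Reply 2 wraps the JSON in chatter; reply 3 contains no JSON.
SAMPLE_FINDINGS = [
    {"type": "xss", "url": "https://example.com/search", "param": "q"},
    {"type": "missing-header", "url": "https://example.com/"},
    {"type": "sqli", "url": "https://example.com/item", "param": "id"},
]
SAMPLE_REPLIES = [
    '{"is_true_positive": true, "confidence": 92, "reason": "payload reflected unescaped"}',
    'Assessment:\n{"is_true_positive": false, "confidence": 85, "reason": "header irrelevant here"}\nDone.',
    "It is probably fine, nothing to worry about.",
]

def parse_verdict(reply: str) -> Optional[Dict[str, Any]]:
    """Recover the verdict object from a reply, or None if it is malformed."""
    match = re.search(r"\{.*\}", reply, re.DOTALL)  # tolerate text around the JSON
    if not match:
        return None
    try:
        data = json.loads(match.group(0))
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict) or not isinstance(data.get("is_true_positive"), bool):
        return None
    try:
        confidence = int(data.get("confidence"))
    except (TypeError, ValueError):
        return None
    if not 0 <= confidence <= 100:
        return None
    return {"is_true_positive": data["is_true_positive"], "confidence": confidence,
            "reason": str(data.get("reason", ""))}

def filter_findings(findings, replies, min_confidence=70):
    """Split findings into (reported, suppressed): suppress only on a parseable
    false-positive verdict at or above min_confidence; an unparseable or low-confidence
    reply keeps the finding, since the prompt's evidence snippet is untrusted page content."""
    reported, suppressed = [], []
    for finding, reply in zip(findings, replies):
        verdict = parse_verdict(reply)
        if verdict and not verdict["is_true_positive"] and verdict["confidence"] >= min_confidence:
            suppressed.append({**finding, "verdict": verdict})
        else:
            reported.append({**finding, "verdict": verdict})
    return reported, suppressed
```

Keeping the suppressed list (with its `reason`) rather than discarding it lets a reviewer audit what the classifier removed.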

Real-World Impact

I ran Permi on the University of Jos website (unijos.edu.ng) and found three real XSS vulnerabilities that were exploitable. Those would have been missed if I relied on raw scanner output alone.

I also tested it on a deliberately vulnerable Flask app. Permi flagged:

- SQL injection (string concatenation)
- Hardcoded password (`db_password = "admin1234"`)
- Use of `eval()` on user input
- SSL/TLS verification disabled (`verify=False`)
- Debug mode enabled in production

Each finding included the file path, line number, code snippet, and a clear explanation. No noise. No fluff.
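As an added illustration (not Permi's rules or the author's test app) of the lightweight rule pass that produces findings like the five above: a few line-level regex heuristics run over a constructed Flask snippet and report path, line number and code snippet in the shape the post describes. The rule names and patterns are my own choices, and every hit is a candidate for the AI triage step, not a confirmed vulnerability.

```python
import re
from typing import List, Tuple

# Constructed sample source (not the author's Flask test app) carrying the five
# patterns the post lists; a real scan would read files from --path instead.
SAMPLE_SOURCE = '''\
import requests, sqlite3
from flask import Flask, request
app = Flask(__name__)
db_password = "admin1234"

@app.route("/user")
def user():
    q = "SELECT * FROM users WHERE name = " + request.args["name"]
    return str(sqlite3.connect("app.db").execute(q).fetchall())

@app.route("/calc")
def calc():
    return str(eval(request.args["expr"]))

def fetch(url):
    return requests.get(url, verify=False).text

app.run(debug=True)
'''

# (rule name, pattern) pairs: cheap line-level heuristics, deliberately broad.
RULES = [
    ("hardcoded-credential",
     re.compile(r'(?i)\b\w*(password|passwd|secret)\w*\s*=\s*["\'][^"\']+["\']')),
    ("sql-string-concat",
     re.compile(r'(?i)["\']\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"\']*["\']\s*\+')),
    ("eval-on-user-input", re.compile(r'\beval\s*\(.*\brequest\.')),
    ("tls-verify-disabled", re.compile(r'\bverify\s*=\s*False\b')),
    ("flask-debug-enabled", re.compile(r'\.run\([^)]*\bdebug\s*=\s*True\b')),
]

def scan_source(source: str, path: str = "app.py") -> List[Tuple[str, str, int, str]]:
    """Return (rule, path, line_no, snippet) for every line that trips a rule."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                hits.append((rule, path, line_no, line.strip()))
    return hits
```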

What Developers Are Saying

Within four days of launching on PyPI, Permi had 250+ GitHub clones. Early users have given feedback like:

“The balance between security and usability is key. Permi gets that.”
– Daniel Egbeleke, Software Engineer @ Moneta Technology

“The AI false‑positive classifier is strong. Nice one.”
– Alexa Web3, security researcher

What’s Next

Permi is still early, but the roadmap is ambitious:

- MCP server – So AI agents (like Claude Code) can call Permi natively.
- AI autofix – Generate secure patches and open pull requests automatically.
- Secrets scanning – Detect hardcoded API keys and credentials.
- Dependency confusion protection – Prevent supply chain attacks.
- Nigerian-specific checks – USSD gateway vulnerabilities, NDPR compliance.

All of this is being built on a Dell laptop with no webcam, no funding, and no team. Just a problem that needs solving.

Try It, Break It, Tell Me What’s Missing

Permi is free, open source, and built for developers like you.

- Install: `pip install permi`
- GitHub: github.com/Peternasarah/permi
- Twitter/X: @peternasarah

If you run into issues, have ideas, or just want to say hi – open a GitHub issue or DM me. Every piece of feedback makes Permi better.

Let’s build security tools that developers actually enjoy using.

– Nasarah Peter Dashe
Founder of Permi | Cybersecurity student @ UNIJOS

Originally published on [Permi's blog][1]. Republished with canonical link to the original [Dev.to post][2].


  [1]: http://github.com/Peternasarah/permi
  [2]: http://dev.to/peternasarah/250-clones-in-4-days-thank-you-cke
