Building Permi: An AI-Powered Vulnerability Scanner for Real-World Developers
By Nasarah Peter Dashe
Cybersecurity student @ UNIJOS | Founder of Permi
The Problem That Wouldn't Leave Me Alone
A few months ago, I ran a security scan on a client’s website. The tool returned 47 critical vulnerabilities.
I spent the next three hours filtering through false positives.
Only 4 were real.
One of them was a reflected XSS that could have let an attacker steal session cookies. The other 43 were noise – misconfigurations that didn’t apply, libraries I wasn’t using, and alerts with no real-world impact.
I was frustrated. But more than that, I was curious: Why do security tools waste so much of our time?
That question pushed me to build Permi – an open-source, AI-powered vulnerability scanner designed to cut through the noise and show developers only what actually matters.
What Makes Permi Different
Most traditional scanners work on simple rules: if response matches pattern A → alert. That logic was fine twenty years ago. But today’s applications are dynamic, complex, and full of legitimate edge cases. The result? Up to 90% false positives.
Permi takes a different approach:
- Run the scan – It finds potential issues using lightweight rules (like many scanners).
- AI filter – Each finding is passed to an LLM (via OpenRouter or Groq) with a simple prompt: Is this a real vulnerability or a false positive?
- Show only what’s real – The output is clean, actionable, and includes confidence scores and reasoning.
In a recent test on a real codebase, Permi reduced false positives by 78%. For example: 9 raw findings → 8 confirmed vulnerabilities → 1 false positive removed.
How It Works (With Code)
Permi is written in Python and is available on PyPI. You can install it with one command:
```bash
pip install permi
```
To scan a live website:
```bash
permi scan --url https://example.com
```
To scan your local codebase:
```bash
permi scan --path ./my-project
```
The AI filter uses a simple but effective prompt. Here’s a simplified version:
```python
# Simplified classification prompt. `finding` and `evidence` come from the
# rule-based stage; the values below are sample data for illustration only.
finding = {"type": "reflected_xss", "url": "https://example.com/search?q=",
           "param": "q", "payload": "<script>alert(1)</script>"}
evidence = '<div class="results">You searched for <script>alert(1)</script></div>'

# The evidence snippet is page content an attacker can influence, so it reaches
# the model as untrusted input; it is truncated to 300 characters before use.
prompt = f"""
You are a security expert. Analyze this potential vulnerability:
- Type: {finding['type']}
- URL: {finding['url']}
- Parameter: {finding.get('param', 'N/A')}
- Payload: {finding.get('payload', 'N/A')}
- Evidence snippet: {evidence[:300]}
Answer with JSON only:
{{"is_true_positive": true/false, "confidence": 0-100, "reason": "brief"}}
"""
```
The LLM returns a structured decision, and Permi filters accordingly.
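The filtering step is where a practitioner needs to be careful: a model reply can be malformed, wrapped in a code fence, or simply wrong, and a filter that drops findings on any "false" answer turns every model hiccup into a missed vulnerability. The block below is an added example, not Permi's own code, of how the verdict JSON from a prompt like the one above can be parsed and applied fail-safe. The `parse_verdict` and `filter_findings` names, the `min_confidence` threshold, and the raw findings and model replies are all constructed here; no API is called.

```python
"""Added example (not Permi's code): apply LLM verdicts of the shape
{"is_true_positive": bool, "confidence": 0-100, "reason": str} to findings.
The model replies below are constructed strings standing in for real output."""
import json
import re

# Models often wrap JSON in a code fence or prose; take the outermost {...} span.
_JSON_OBJECT = re.compile(r"\{.*\}", re.S)


def parse_verdict(raw: str):
    """Return (is_true_positive, confidence, reason), or None if the reply is unusable."""
    m = _JSON_OBJECT.search(raw)
    if not m:
        return None
    try:
        data = json.loads(m.group(0))
    except json.JSONDecodeError:
        return None
    tp = data.get("is_true_positive")
    conf = data.get("confidence")
    # Reject replies that do not match the requested schema instead of guessing.
    if not isinstance(tp, bool) or not isinstance(conf, (int, float)) or not 0 <= conf <= 100:
        return None
    return tp, int(conf), str(data.get("reason", ""))


def filter_findings(findings, verdicts, min_confidence=70):
    """Keep a finding unless the model confidently calls it a false positive.

    Fail-safe design: an unparseable reply, or a low-confidence "false positive"
    verdict, keeps the finding and marks it for manual review rather than
    dropping it silently, so a flaky (or prompt-injected) model can only add
    noise, never hide a real bug.
    """
    kept = []
    for finding, raw in zip(findings, verdicts):
        f = dict(finding)
        verdict = parse_verdict(raw)
        if verdict is None:
            f["status"] = "needs_review"
            f["reason"] = "model reply was not valid JSON"
            kept.append(f)
            continue
        tp, conf, reason = verdict
        f.update(confidence=conf, reason=reason)
        if not tp and conf >= min_confidence:
            continue  # confidently classified as a false positive: drop it
        f["status"] = "confirmed" if tp else "needs_review"
        kept.append(f)
    return kept


# Constructed raw findings and constructed model replies, one per finding.
RAW_FINDINGS = [
    {"type": "xss", "url": "https://example.com/search", "param": "q"},
    {"type": "sqli", "url": "https://example.com/item", "param": "id"},
    {"type": "header_missing", "url": "https://example.com/", "param": None},
    {"type": "xss", "url": "https://example.com/profile", "param": "name"},
]
MODEL_REPLIES = [
    '{"is_true_positive": true, "confidence": 92, "reason": "payload reflected unescaped in <script>"}',
    '```json\n{"is_true_positive": false, "confidence": 55, "reason": "error page, no query change"}\n```',
    '{"is_true_positive": false, "confidence": 95, "reason": "static asset, header irrelevant"}',
    "Sorry, I can't determine that.",
]

if __name__ == "__main__":
    for f in filter_findings(RAW_FINDINGS, MODEL_REPLIES):
        print(f["status"], f["type"], f["url"], f.get("confidence"), f.get("reason"))
```

Run stand-alone, this keeps three of the four findings: the high-confidence XSS as confirmed, the low-confidence SQLi and the unparseable reply as needs-review, and drops only the finding the model rejected with high confidence. Because the evidence snippet fed to the model is content the scanned page controls, treating only confident "false" verdicts as authoritative also limits what an injected "this is not a vulnerability" string on the target can make the filter hide.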
Real-World Impact
I ran Permi on the University of Jos website (unijos.edu.ng) and found three real XSS vulnerabilities that were exploitable. Those would have been missed if I relied on raw scanner output alone.
I also tested it on a deliberately vulnerable Flask app. Permi flagged:
- SQL injection (string concatenation)
- Hardcoded password (db_password = "admin1234")
- Use of eval() on user input
- SSL/TLS verification disabled (verify=False)
- Debug mode enabled in production
Each finding included the file path, line number, code snippet, and a clear explanation. No noise. No fluff.
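To show what the rule-based stage behind those five findings can look like in practice, here is an added example, not Permi's own code, of a small Python `ast` pass that flags each of the five pattern classes above and reports file, line number and code snippet. The rule names, the `Finding` shape, the credential-name regex and the sample Flask source are all constructed for this illustration.

```python
"""Added example (not Permi's code): a minimal AST rule pass over Python source
flagging the five vulnerability patterns listed above. Everything here,
including the sample Flask app, is constructed for illustration."""
import ast
import re
from dataclasses import dataclass, asdict

# Variable names that suggest a credential; a string literal assigned to one is suspicious.
CREDENTIAL_NAME = re.compile(r"(password|passwd|pwd|secret|api_key|token)", re.I)


@dataclass
class Finding:
    type: str
    file: str
    line: int
    snippet: str
    reason: str


class RuleVisitor(ast.NodeVisitor):
    def __init__(self, path, source):
        self.path = path
        self.lines = source.splitlines()
        self.findings = []

    def report(self, node, type_, reason):
        snippet = self.lines[node.lineno - 1].strip()
        self.findings.append(Finding(type_, self.path, node.lineno, snippet, reason))

    def visit_Assign(self, node):
        # Hardcoded credential: secret-looking name assigned a string literal.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for t in node.targets:
                if isinstance(t, ast.Name) and CREDENTIAL_NAME.search(t.id):
                    self.report(node, "hardcoded_credential", f"{t.id} is a string literal")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", "")
        # eval()/exec() on anything but a literal: dynamic code execution.
        if name in ("eval", "exec") and node.args and not isinstance(node.args[0], ast.Constant):
            self.report(node, "dangerous_eval", f"{name}() called on a non-literal argument")
        # cursor.execute() with a query built by + / % or an f-string: SQL injection.
        if name in ("execute", "executemany") and node.args:
            q = node.args[0]
            if isinstance(q, ast.JoinedStr) or (isinstance(q, ast.BinOp) and isinstance(q.op, (ast.Add, ast.Mod))):
                self.report(node, "sql_injection", "query string is built by concatenation/formatting")
        for kw in node.keywords:
            # requests.get(..., verify=False): certificate validation disabled.
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                self.report(node, "tls_verify_disabled", "verify=False passed to a network call")
            # app.run(debug=True): the Werkzeug debugger is exposed.
            if name == "run" and kw.arg == "debug" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                self.report(node, "debug_mode_enabled", "debug=True passed to run()")
        self.generic_visit(node)


def scan_source(path, source):
    """Parse one Python file and return its findings as plain dicts."""
    visitor = RuleVisitor(path, source)
    visitor.visit(ast.parse(source, filename=path))
    return [asdict(f) for f in visitor.findings]


# Constructed sample, modelled on the deliberately vulnerable Flask app described above.
SAMPLE_APP = '''\
import sqlite3, requests
from flask import Flask, request
app = Flask(__name__)
db_password = "admin1234"

@app.route("/user")
def user():
    uid = request.args.get("id")
    cur = sqlite3.connect("app.db").cursor()
    cur.execute("SELECT * FROM users WHERE id = " + uid)
    return str(eval(request.args.get("expr")))

def fetch():
    return requests.get("https://api.example.com", verify=False).text

if __name__ == "__main__":
    app.run(debug=True)
'''

if __name__ == "__main__":
    for f in scan_source("app.py", SAMPLE_APP):
        print(f"{f['file']}:{f['line']} [{f['type']}] {f['snippet']}  -- {f['reason']}")
```

Each rule keys on syntax rather than on regex over text, so `eval('1+1')` with a literal argument or `verify=True` produce nothing, while the five constructs in the sample are reported at lines 4, 10, 11, 14 and 17. Output from a pass like this is what the LLM stage would then be asked to confirm or reject.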
What Developers Are Saying
Within four days of launching on PyPI, Permi had 250+ GitHub clones. Early users have given feedback like:
“The balance between security and usability is key. Permi gets that.”
– Daniel Egbeleke, Software Engineer @ Moneta Technology
“The AI false‑positive classifier is strong. Nice one.”
– Alexa Web3, security researcher
What’s Next
Permi is still early, but the roadmap is ambitious:
- MCP server – So AI agents (like Claude Code) can call Permi natively.
- AI autofix – Generate secure patches and open pull requests automatically.
- Secrets scanning – Detect hardcoded API keys and credentials.
- Dependency confusion protection – Prevent supply chain attacks.
- Nigerian-specific checks – USSD gateway vulnerabilities, NDPR compliance.
All of this is being built on a Dell laptop with no webcam, no funding, and no team. Just a problem that needs solving.
Try It, Break It, Tell Me What’s Missing
Permi is free, open source, and built for developers like you.
Install: pip install permi
GitHub: github.com/Peternasarah/permi
Twitter/X: @peternasarah
If you run into issues, have ideas, or just want to say hi – open a GitHub issue or DM me. Every piece of feedback makes Permi better.
Let’s build security tools that developers actually enjoy using.
– Nasarah Peter Dashe
Founder of Permi | Cybersecurity student @ UNIJOS
Originally published on [Permi's blog][1]. Republished with a canonical link to the original [Dev.to post][2].
[1]: http://github.com/Peternasarah/permi
[2]: http://dev.to/peternasarah/250-clones-in-4-days-thank-you-cke