Permi v0.3.0 – Major Improvements to JS Scanning, AI Accuracy, and Speed
I just shipped a significant update to Permi. This release tackles the biggest pain points you reported: JS scanning that actually works, smarter XSS detection, and much faster scans.
Smarter AI – Now CSP‑Aware
Permi’s AI filter can now recognise when a target sends a Content‑Security‑Policy (CSP) header whose script-src directive (or its default-src fallback) disallows inline script execution. That means fewer false positives on hardened websites (like GitHub, banks, or government portals).
Before: reflected XSS payload found → flagged as REAL, even if CSP blocked it.
After: the AI checks the CSP header → marks the finding as harmless unless the policy allows execution.
Keep in mind that CSP is a mitigation, not a fix: a policy that carries 'unsafe-inline' without a nonce or hash, a Content-Security-Policy-Report-Only header (which reports but blocks nothing), or an allowlisted script host that serves JSONP still leaves the injection exploitable, and the reflection itself remains a bug worth fixing.
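The decision described above, written out as an added example that is not Permi's own code: given the response headers, decide whether a reflected inline script could actually execute. It applies the CSP rules a practitioner has to remember (script-src with default-src fallback, 'unsafe-inline' being cancelled by a nonce/hash source or 'strict-dynamic', Report-Only never blocking, and every enforcing policy being applied together). The header values in the demo are constructed, not captured from any real site.

```python
"""Added example (not Permi's own code): decide whether a reflected inline
<script> payload could execute under a response's CSP headers.

Rules implemented, following CSP Level 3 semantics:
  * Content-Security-Policy-Report-Only reports but never blocks.
  * script-src governs scripts; if absent, default-src is the fallback;
    if neither is present the policy does not restrict scripts at all.
  * Inline scripts run only if the governing directive has 'unsafe-inline',
    and 'unsafe-inline' is ignored when a nonce-/hash- source or
    'strict-dynamic' is also present (a reflected payload cannot guess a nonce).
  * Every enforcing policy (multiple headers or comma-separated policies)
    is applied; the payload runs only if all of them allow it.
"""
from dataclasses import dataclass


@dataclass
class CspVerdict:
    enforced: bool        # an enforcing CSP header was present
    inline_allowed: bool  # a reflected <script>...</script> would execute
    reason: str


def parse_policy(policy: str) -> dict:
    """'script-src 'self' x; img-src *' -> {'script-src': ["'self'", 'x'], 'img-src': ['*']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            # Per spec a repeated directive name is ignored: the first one wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def inline_allowed_by_policy(policy: str):
    """Return (allowed, reason) for one serialized policy."""
    directives = parse_policy(policy)
    if "script-src" in directives:
        governing = "script-src"
    elif "default-src" in directives:
        governing = "default-src"
    else:
        return True, "policy has neither script-src nor default-src"
    sources = [s.lower() for s in directives[governing]]
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for s in sources)
    if "'unsafe-inline'" not in sources:
        return False, f"{governing} lacks 'unsafe-inline'"
    if nonce_or_hash or "'strict-dynamic'" in sources:
        return False, f"{governing} has 'unsafe-inline' but a nonce/hash or 'strict-dynamic' overrides it"
    return True, f"{governing} allows 'unsafe-inline'"


def evaluate_csp(headers) -> CspVerdict:
    """headers: iterable of (name, value) pairs as received from the server."""
    enforcing, report_only = [], False
    for name, value in headers:
        n = name.lower()
        if n == "content-security-policy":
            # one header may carry several comma-separated policies
            enforcing += [p for p in value.split(",") if p.strip()]
        elif n == "content-security-policy-report-only":
            report_only = True
    if not enforcing:
        why = "only a Report-Only policy: nothing is blocked" if report_only else "no CSP header"
        return CspVerdict(False, True, why)
    for policy in enforcing:
        allowed, reason = inline_allowed_by_policy(policy)
        if not allowed:
            return CspVerdict(True, False, reason)
    return CspVerdict(True, True, "every enforcing policy allows inline scripts")


def classify_reflection(headers) -> str:
    """Triage label for a reflected <script> payload: REAL or MITIGATED."""
    verdict = evaluate_csp(headers)
    label = "REAL" if verdict.inline_allowed else "MITIGATED"
    return f"{label}: {verdict.reason}"


if __name__ == "__main__":
    # Constructed header sets, not captured from any real site.
    samples = {
        "no CSP": [],
        "strict": [("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example.com")],
        "unsafe-inline": [("Content-Security-Policy", "script-src 'self' 'unsafe-inline'")],
        "nonce cancels unsafe-inline": [("Content-Security-Policy", "script-src 'nonce-r4nd0m' 'unsafe-inline'")],
        "report-only": [("Content-Security-Policy-Report-Only", "script-src 'self'")],
    }
    for name, hdrs in samples.items():
        print(f"{name:30s} {classify_reflection(hdrs)}")
```

This only answers the question "would an inline script execute"; it says nothing about other CSP weaknesses (for example 'unsafe-eval', a JSONP endpoint on an allowlisted host, or a missing base-uri), so a MITIGATED verdict lowers severity rather than closing the finding.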
Production‑Ready JavaScript Crawling
The new --js flag launches a Playwright headless browser that renders React, Vue, Angular, and other SPAs before crawling, so links and routes that only exist after JavaScript runs are discovered. Sites behind Cloudflare work on many targets thanks to playwright-stealth, though no stealth layer is guaranteed to get past every bot‑detection challenge.
```bash
permi scan --url https://example.com --js
```
Falls back to static HTML if JS rendering times out (no more zero‑URL scans).
Configurable timeout with --js-timeout 30 (default 20 seconds).
Detects XHR/fetch API endpoints by intercepting the browser’s network requests while the page renders.
⚠️ JS scanning is still experimental in the community edition. It works well on most sites, but some need authentication or scroll‑triggered (infinite‑scroll) loading that the crawler does not yet handle. Upgrade to Permi Pro (coming soon) for production‑grade crawling.
⚡ Performance Gains
Concurrent SQL + XSS scanning – roughly 50% faster.
Smarter URL deduplication – avoids testing the same parameter signature twice.
Hard crawl timeout – the CLI will never freeze indefinitely.
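The JS crawling behaviour above (request interception for XHR/fetch endpoints, static‑HTML fallback on timeout) and the parameter‑signature deduplication from the performance list, as one added example that is not Permi's own code. It uses the public Playwright sync API for the browser path and imports it lazily, so the pure helpers run without Playwright installed; the sample HTML at the bottom is constructed, not fetched from any site.

```python
"""Added example, not Permi's own code. A small JS-aware crawler showing:
  * XHR/fetch endpoints collected through Playwright's request interception;
  * fallback to static HTML link extraction when rendering times out
    (or Playwright is missing), so a scan never ends with zero URLs;
  * de-duplication by parameter signature (scheme, host, path, sorted
    parameter names), so /items?id=1 and /items?id=2 are tested once.
The JS path needs `pip install playwright` and `playwright install chromium`;
everything else is standard library."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit
import urllib.request

API_RESOURCE_TYPES = {"xhr", "fetch"}   # Playwright's request.resource_type values


def param_signature(url):
    """Dedup key: parameter *names* matter, their values do not."""
    p = urlsplit(url)
    names = tuple(sorted({k for k, _ in parse_qsl(p.query, keep_blank_values=True)}))
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/", names)


def dedupe_by_signature(urls):
    seen, kept = set(), []
    for url in urls:
        sig = param_signature(url)
        if sig not in seen:
            seen.add(sig)
            kept.append(url)
    return kept


class _LinkCollector(HTMLParser):
    """Pulls <a href> and <form action> targets out of static HTML."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.found = base_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        target = attrs.get("href") if tag == "a" else attrs.get("action") if tag == "form" else None
        if target:
            self.found.append(urljoin(self.base_url, target))


def extract_links(html, base_url):
    """Same-host http(s) links from static HTML (the no-JS fallback)."""
    collector = _LinkCollector(base_url)
    collector.feed(html)
    host = urlsplit(base_url).netloc.lower()
    return [u for u in collector.found
            if urlsplit(u).scheme in ("http", "https") and urlsplit(u).netloc.lower() == host]


def crawl_js(start_url, timeout_s=20.0):
    """Render the page, recording the API calls the app makes while loading."""
    from playwright.sync_api import sync_playwright  # optional dependency, imported lazily
    api_endpoints = []

    def on_request(request):
        if request.resource_type in API_RESOURCE_TYPES:
            api_endpoints.append(request.url)

    with sync_playwright() as pw:
        browser = pw.chromium.launch(headless=True)
        page = browser.new_page()
        page.on("request", on_request)
        # Playwright raises its TimeoutError if the page never goes network-idle.
        page.goto(start_url, wait_until="networkidle", timeout=timeout_s * 1000)
        hrefs = page.eval_on_selector_all("a[href]", "els => els.map(e => e.href)")
        browser.close()
    return dedupe_by_signature(hrefs + api_endpoints)


def crawl(start_url, js=True, js_timeout_s=20.0):
    """--js behaviour: try the browser first, fall back to static HTML on any failure."""
    if js:
        try:
            return crawl_js(start_url, js_timeout_s)
        except Exception as exc:   # timeout, missing browser, anti-bot block, ...
            print(f"[js] {type(exc).__name__}: falling back to static HTML")
    with urllib.request.urlopen(start_url, timeout=js_timeout_s) as resp:
        html = resp.read().decode("utf-8", "replace")
    return dedupe_by_signature(extract_links(html, start_url))


# Constructed sample HTML standing in for a fetched page (not a real site).
SAMPLE_HTML = """
<a href="/items?id=1">one</a>
<a href="/items?id=2">two</a>
<a href="https://other.example/x">offsite</a>
<form action="/search?q="></form>
"""

if __name__ == "__main__":
    links = extract_links(SAMPLE_HTML, "https://example.com/")
    print(dedupe_by_signature(links))   # ['https://example.com/items?id=1', 'https://example.com/search?q=']
```

The signature deliberately ignores parameter values and query order: two URLs that differ only in values exercise the same server-side code path, so testing both doubles the request count without adding coverage. Endpoints seen on the wire are fed through the same deduplication as page links.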
Critical Bug Fixes
Export now actually writes files (oops).
Fixed subfolder creation for --export results/scan.json.
Time‑based SQL injection now uses SLEEP() (MySQL/MariaDB syntax) with a 10 s request cap and a 6 s detection threshold.
Windows asyncio deadlock resolved – Playwright runs in its own thread.
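How a time‑based check with those numbers can be made robust, as an added example that is not Permi's own code: measure a baseline first, require two consistent delayed responses, and treat hitting the request cap as a slow response rather than an error. The post gives the cap and the threshold; the payload's sleep length equalling the threshold is an assumption, and the transports at the bottom are constructed fakes that only sleep, scaled down so the demo runs in under a second.

```python
"""Added example, not Permi's own code: a time-based blind SQL injection
check using this release's numbers (SLEEP() payload, 10 s request cap,
6 s threshold). The payload's sleep length is assumed to equal the threshold.
The HTTP transport is injected: transport(url, timeout) must block until the
response arrives or raise TimeoutError, so a real client or the constructed
fakes below both fit."""
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def sleep_payloads(delay):
    # MySQL/MariaDB syntax. PostgreSQL needs pg_sleep(), MSSQL WAITFOR DELAY.
    return [f"1' AND SLEEP({delay})-- -", f"1 AND SLEEP({delay})"]


def with_param(url, name, value):
    """Return url with the named query parameter set to value."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[name] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def timed(transport, url, cap):
    """Seconds a request took, capped at `cap`; hitting the cap counts as slow."""
    start = time.monotonic()
    try:
        transport(url, cap)
    except TimeoutError:
        return cap
    return min(time.monotonic() - start, cap)


def is_time_based_sqli(transport, url, param, delay=6.0, cap=10.0, threshold=6.0):
    """Return (vulnerable, reason). Baseline first, then two delayed requests."""
    baseline = timed(transport, with_param(url, param, "1"), cap)
    if baseline >= threshold:
        return False, f"baseline {baseline:.2f}s already exceeds threshold; too slow to judge"
    for payload in sleep_payloads(delay):
        target = with_param(url, param, payload)
        first = timed(transport, target, cap)
        if first < threshold:
            continue
        second = timed(transport, target, cap)   # one slow response is noise
        if second >= threshold:
            return True, (f"{payload!r}: {first:.2f}s and {second:.2f}s "
                          f"vs baseline {baseline:.2f}s")
    return False, "no consistent delay"


# Constructed fake transports (no network), scaled down to keep the demo fast.
# urlencode keeps letters intact, so "SLEEP" still appears in the encoded URL.
def fake_vulnerable(url, timeout):
    time.sleep(0.3 if "SLEEP" in url else 0.01)   # parameter reaches the query

def fake_safe(url, timeout):
    time.sleep(0.01)                              # payload has no effect

def fake_slow_site(url, timeout):
    time.sleep(0.3)                               # slow for every request

def fake_hangs(url, timeout):
    time.sleep(timeout)
    raise TimeoutError("request exceeded cap")    # client-side timeout


if __name__ == "__main__":
    url = "https://example.com/item?id=1"
    for name, transport in [("vulnerable", fake_vulnerable), ("safe", fake_safe),
                            ("slow site", fake_slow_site), ("hangs", fake_hangs)]:
        print(name, is_time_based_sqli(transport, url, "id", delay=0.2, cap=0.5, threshold=0.2))
```

The baseline check is what keeps a slow or overloaded target from being reported as injectable, and the second delayed request filters out a single network hiccup; with the real numbers a positive costs at least 12 s per parameter, which is why the cap matters.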
How to Update
```bash
pip install --upgrade permi
```
Then try:
```bash
# Scan a static site
permi scan --url https://example.com
# Scan a JavaScript‑heavy SPA (experimental)
permi scan --url https://example.com --js --js-timeout 30
# Scan your local codebase
permi scan --path ./my-project
```
Thank You
This release was shaped by feedback from developers who actually tried Permi and told me what broke. Special thanks to:
BashSnippets for pushing me to improve error handling.
Endura Security for the supply chain insights.
Everyone who opened an issue or DM’d me with raw scan outputs.
Permi is still free, open source, and built for Nigerian devs.
If it saves you time, please star the repo and share with a friend who struggles with false positives.
GitHub – Permi Scanner
Keep building securely.
— Nasarah Peter Dashe
Cybersecurity student @ UNIJOS | Founder of Permi