Permi Security Scanner — AI-Powered Vulnerability Scanning for Your Pull Requests
We're launching Permi, an open-source AI-powered security scanner that integrates directly into your GitHub workflow. Built in Jos, Nigeria, Permi automatically scans every pull request for SQL injection, XSS, hardcoded secrets, and more — then uses AI to filter out false positives so you only see findings that matter.
What Problem Does Permi Solve?
Traditional security scanners flood you with hundreds of alerts — most of them false positives. Developers waste hours triaging noise instead of fixing real vulnerabilities. Permi flips that model:
- A detection engine finds potential vulnerabilities in your code
- An AI filter (powered by OpenRouter) confirms which findings are real
- Only confirmed issues are flagged, dramatically reducing alert fatigue
Quick Start (30 Seconds)
Add this to .github/workflows/security.yml:

```yaml
name: Security Scan
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
jobs:
  permi-scan:
    runs-on: ubuntu-latest
    name: Permi Security Scan
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run Permi Security Scanner
        uses: Peternasarah/permi-action@v1
        with:
          severity: high
          openrouter_api_key: ${{ secrets.OPENROUTER_API_KEY }}
```
On every pull request, Permi will:
- Scan your code for vulnerabilities
- Use AI to filter out false positives
- Post findings as a PR comment
- Optionally block the merge if high-severity issues are found
What Permi Detects
| Category | Examples |
| --- | --- |
| SQL Injection | String concatenation, f-strings, % formatting in queries |
| Cross-Site Scripting (XSS) | innerHTML assignment, document.write, Jinja2 \|safe |
| Hardcoded Secrets | Passwords, API keys, AWS keys, Paystack/Flutterwave secrets |
| Insecure Practices | eval(), exec(), pickle.loads(), SSL verification disabled, debug mode |
| USSD Vulnerabilities | Unvalidated sessionId, phoneNumber, serviceCode (Nigerian-specific) |
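To make the detection-engine side of the pipeline concrete, here is an added example (not Permi's own code) of a small AST-based checker for three rows of the table above: dynamically built strings passed to an execute() sink, the eval/exec/pickle.loads calls, and verify=False. The function names and the sample snippet are constructed for this illustration; a real engine like Permi's adds many more patterns and the AI filter on top.

```python
import ast

# Call names the table lists under "Insecure Practices" (constructed subset).
DANGEROUS_CALLS = {"eval", "exec", "pickle.loads"}


def _call_name(node: ast.Call) -> str:
    """Return a dotted name such as 'eval' or 'pickle.loads' for a call."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def _is_dynamic_string(node: ast.AST) -> bool:
    """True for f-strings, 'a' % b, 'a' + b and .format() calls."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
        and node.func.attr == "format"


def scan_source(source: str) -> list[tuple[int, str]]:
    """Return sorted (line, finding) pairs for the patterns described above."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        # SQL injection: a dynamically built query string reaches execute().
        if name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
            findings.append((node.lineno, "sql-injection"))
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f"insecure-call:{name}"))
        # SSL verification disabled: a literal verify=False on any call.
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                findings.append((node.lineno, "ssl-verify-disabled"))
    return sorted(findings)


# Constructed sample: two injectable queries, one safe parameterised query,
# a pickle.loads call and an HTTP request with TLS verification turned off.
SAMPLE = '''cur.execute(f"SELECT * FROM users WHERE id = {uid}")
cur.execute("SELECT * FROM users WHERE id = %s" % uid)
cur.execute("SELECT * FROM users WHERE id = %s", (uid,))
obj = pickle.loads(blob)
r = requests.get(url, verify=False)
'''

if __name__ == "__main__":
    for line, finding in scan_source(SAMPLE):
        print(f"line {line}: {finding}")
```

The parameterised query on line 3 of the sample produces no finding, which is exactly the distinction a scanner must make before the AI filter ever sees a result.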
AI False‑Positive Filtering (The Key Feature)
The AI filter doesn't just flag everything — it checks, for example, whether a reflected parameter really is XSS before reporting it as confirmed. A finding that is not confirmed stays marked as suspicious rather than triggering a false alert. This means:
- Fewer interruptions
- Higher signal-to-noise ratio
- More time fixing real issues
Built in Nigeria, for the World
Permi was built from Jos, Nigeria, with Nigerian developers in mind first — including USSD‑specific vulnerability detection that most global scanners miss. But the problems it solves (false‑positive fatigue, noisy security alerts) are universal. That’s why we’re opening it up to the world.
Links
GitHub Action: github.com/peternasarah/permi-action
Main CLI Tool: github.com/peternasarah/permi
PyPI: pip install permi – pypi.org/project/permi