Open Source · Free to Install · Built in Nigeria 🇳🇬

Security findings your fintech team will actually trust

Permi scans your code and live applications for vulnerabilities, then uses AI to confirm which findings are real. Stop chasing false alarms. Start fixing what matters. Nigerian-specific rules no foreign scanner writes.

$ pip install permi
Requires Python 3.9+  ·  Windows, macOS, Linux
permi scan --url https://yoursite.com

[Permi] Mode : Web scan (active HTTP testing)
[Permi] Target : https://yoursite.com
[Permi] Engine found 4 raw finding(s)
[Permi] Running AI filter on 4 finding(s)...

[1/4] WEB_SQL001  REAL (97%)  SQL error returned — unsanitised input reaches query.
[2/4] WEB_XSS001  REAL (91%)  Payload reflected unencoded in HTML response.
[3/4] WEB_HDR001  REAL (95%)  HSTS, CSP, and X-Frame-Options headers missing.
[4/4] WEB_HDR002  FP (90%)  Server header present but no version disclosed.

[Permi] Filter complete — 3 confirmed real  |  1 false positive suppressed

[HIGH]  WEB_SQL001 — /search?id=1
[HIGH]  WEB_XSS001 — /search?q=test
[MEDIUM]  WEB_HDR001 — Missing Security Headers

Scan completed in 48s | 3 confirmed findings | 1 false positive suppressed
permi scan --path ./myapp

[Permi] Scanning : ./myapp
[Permi] Engine found 9 raw finding(s) across 3 file(s)
[Permi] Running AI filter on 9 finding(s)...

[1/9] SQL001  REAL (95%)  String concatenation builds SQL from user input.
[2/9] SEC001  REAL (95%)  Hardcoded database password — critical exposure risk.
[3/9] USSD001  FP (92%)  sessionId is server-generated — no injection risk.
[4/9] INS003  REAL (95%)  eval() on user input enables code execution.
[5/9] XSS001  REAL (90%)  User input assigned to innerHTML unsanitised.

[Permi] Filter complete — 6 confirmed real  |  3 false positives suppressed  |  noise reduced 33%

[HIGH]  SQL001 — app/auth.py:8    Fix: cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
[HIGH]  SEC001 — app/auth.py:12   Fix: os.environ.get("DB_PASSWORD")
[HIGH]  INS003 — app/ussd.py:11   Fix: replace eval() with ast.literal_eval()
[HIGH]  XSS001 — app/views.py:11   Fix: use element.textContent not innerHTML

Two scan modes

Scan websites live. Scan code before it ships.

Most security tools do one or the other. Permi does both — from a single install, one CLI command.

--url  Live web scanning

Crawls pages, injects test payloads into parameters, checks security headers. Add --js for React, Vue, Angular, and Next.js SPAs using a headless Playwright browser.

permi scan --url https://yoursite.com
--path  Static source scanning

Reads your code, matches vulnerability patterns, catches issues before production. Works on local folders or any public GitHub repository URL.

permi scan --path ./myapp

Why Permi

Precision over volume. Context over noise.

Most scanners were built for enterprise teams in San Francisco. Permi was built for developers in Lagos, Jos, Abuja — with rules no foreign tool will ever prioritise.

🎯 Precision-first AI filter

Every finding is confirmed by an AI model before you see it. Real vulnerabilities surface. Noise disappears. Average noise reduction: 59% on real-world targets.

🇳🇬 African fintech rules

USSD gateway vulnerabilities, Paystack and Flutterwave secret key exposure, BVN/NIN pattern detection, NDPA-relevant checks. No Semgrep ruleset does this.

🔗 GitHub Action — free forever

Scan every pull request automatically. Post findings as PR comments. Block merges on high severity findings. One line to add to your workflow.

🌐 JS/SPA scanning

Add --js to scan React, Vue, Angular, and Next.js apps using a headless Playwright browser. Discovers endpoints invisible to standard HTTP crawlers.

🔧 Inline fix templates

Every finding includes a Fix: line with the exact code change needed. Not a link to a blog post — the actual fix, for your language and framework.
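As an added example that is not Permi's own code, the SQL001, SEC001 and INS003 fix templates from the source-scan output above are shown here beside the pattern each one replaces, run against a constructed in-memory SQLite table (the XSS001 fix is a browser-side change and is not covered). The function names, the sample rows and the placeholder password are assumptions made for this illustration.

```python
# Added example (not Permi's code): three of the fix templates from the demo
# output, each beside the flagged pattern. Runs offline against SQLite.
import ast
import os
import sqlite3


def make_db():
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("ada", "admin"), ("bola", "user")])
    return conn


# --- SQL001: string concatenation builds SQL from user input ---------------
def find_user_vulnerable(conn, name):
    # Flagged pattern: the caller's value becomes part of the query text.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, name):
    # Fix template: parameterised query; the driver never parses `name` as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- SEC001: hardcoded database password -----------------------------------
DB_PASSWORD_VULNERABLE = "placeholder-not-a-real-secret"  # flagged pattern


def db_password_fixed():
    # Fix template: read the secret from the environment at runtime.
    # Returns None when unset, so the caller can refuse to start.
    return os.environ.get("DB_PASSWORD")


# --- INS003: eval() on user input ------------------------------------------
def parse_menu_choice_vulnerable(raw):
    # Flagged pattern: any expression in `raw` is executed.
    return eval(raw)


def parse_menu_choice_fixed(raw):
    # Fix template: ast.literal_eval accepts only literals (numbers, strings,
    # tuples, lists, dicts) and raises ValueError on calls or names.
    return ast.literal_eval(raw)


def demo():
    """Show the behavioural difference each fix makes; returns a summary dict."""
    conn = make_db()
    # A value containing a quote: the concatenated query's WHERE clause no
    # longer means "name equals this string", so it matches every row, while
    # the parameterised query matches nobody (no user has that literal name).
    tricky = "x' OR '1'='1"
    leaked = find_user_vulnerable(conn, tricky)
    safe = find_user_fixed(conn, tricky)
    # literal_eval refuses a function call that eval would have run.
    try:
        parse_menu_choice_fixed("__import__('os').getcwd()")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "leaked_rows": len(leaked),
        "safe_rows": len(safe),
        "literal_ok": parse_menu_choice_fixed("2"),
        "call_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The summary returned by demo() is the whole point: the same input yields every row through the concatenated query and no rows through the parameterised one, and literal_eval raises where eval would have executed.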

🆓 Free and open source

Install for free. Use forever. The core scanner is open source. No credit card. No trial period. 50 free AI filter credits with permi setup --community.


CI/CD Integration

Scan every pull request automatically

The Permi GitHub Action runs on every PR, posts findings as comments, and blocks merges if high severity vulnerabilities are found. Free forever.

.github/workflows/security.yml
name: Security Scan

on:
  pull_request:
    branches: [main, develop]

jobs:
  permi-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: Peternasarah/permi-action@v1
        with:
          severity: high
          openrouter_api_key: ${{ secrets.OPENROUTER_API_KEY }}

Detection

What Permi finds

Coverage across both scan modes. Web scanning tests your running application. Source scanning catches issues before they ship.

🌐 Web scan (--url)

HIGH  SQL Injection: Error-based, boolean-based blind, time-based blind
HIGH  Reflected XSS: Context-aware payload testing, CSP-aware AI verdict
MED   Missing Security Headers: HSTS, CSP, X-Frame-Options, Permissions-Policy
LOW   Server Version Disclosure: Server and X-Powered-By version number leakage
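The two header rows above (WEB_HDR001 and WEB_HDR002 in the demo output) are the easiest to reason about in code. The following is an added example, not Permi's scanner: it evaluates a captured response header block offline, with two caveats a practitioner would expect, namely that HSTS is only meaningful over HTTPS and that a CSP `frame-ancestors` directive supersedes X-Frame-Options. The sample responses are constructed, and the rule ids are reused as labels only.

```python
# Added example (not Permi's code): header checks over a captured response.
# No network I/O; sample responses below are constructed for the illustration.
import re

REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "X-Frame-Options",
    "permissions-policy": "Permissions-Policy",
}

# A product token followed by a version number, e.g. "nginx/1.18.0".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")


def parse_raw_headers(raw):
    """Split a captured header block ('Name: value' per line) into a dict.
    The status line has no colon and is skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def check_headers(headers, scheme="https"):
    """Return a list of (rule_id, severity, message) tuples."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    missing = []
    for name, label in REQUIRED_HEADERS.items():
        if name in lower:
            continue
        if name == "strict-transport-security" and scheme != "https":
            continue  # browsers ignore HSTS on plain HTTP; not a finding there
        if (name == "x-frame-options"
                and "frame-ancestors" in lower.get("content-security-policy", "")):
            continue  # CSP frame-ancestors covers clickjacking; XFO is redundant
        missing.append(label)
    if missing:
        findings.append(("WEB_HDR001", "MEDIUM",
                         "Missing security headers: " + ", ".join(missing)))

    # Version disclosure: only flag when a version number is actually present.
    for name in ("server", "x-powered-by"):
        value = lower.get(name)
        if value and VERSION_RE.search(value):
            findings.append(("WEB_HDR002", "LOW",
                             f"{name} discloses a version: {value}"))
    return findings


# Constructed sample responses.
SAMPLE_WEAK_RAW = """HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: Express
Content-Type: text/html
"""

SAMPLE_HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Permissions-Policy": "camera=(), microphone=()",
}


if __name__ == "__main__":
    for rule, sev, msg in check_headers(parse_raw_headers(SAMPLE_WEAK_RAW)):
        print(f"[{sev}] {rule} - {msg}")
    print("hardened:", check_headers(SAMPLE_HARDENED))
```

Note that "X-Powered-By: Express" is deliberately not reported: a product name without a version is the same situation the demo output marks as a false positive.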

📁 Source scan (--path)

HIGH  SQL Injection in Code: String concat, f-strings, % formatting in queries
HIGH  Hardcoded Secrets: Passwords, API keys, AWS keys, Paystack/Flutterwave secrets
HIGH  Dangerous Code Execution: eval(), exec(), pickle.loads(), shell=True, os.system()
MED   USSD Vulnerabilities 🇳🇬: Unvalidated sessionId, phoneNumber, serviceCode
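The first three source-scan rows above describe syntactic patterns, which is what an AST walk can find. The checker below is an added example and not Permi's rule engine: it parses a constructed Python snippet (modelled on the app/auth.py and app/ussd.py names in the demo output) and reports SQL001, SEC001 and INS003 findings with line numbers. The rule ids are reused as labels only, and the secret-name list, the dangerous-call list and the decision to look only at the first argument of execute() are simplifying assumptions.

```python
# Added example (not Permi's code): a small AST-based checker for the
# SQL001 / SEC001 / INS003 patterns, run over a constructed sample file.
import ast

DANGEROUS_CALLS = {"eval", "exec", "os.system", "pickle.loads"}
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "apikey", "token")


def _dotted(node):
    """'os.system' for an attribute chain, 'eval' for a bare name, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_dynamic_string(node):
    """True for f-strings with placeholders, 'lit' + x and 'lit' % x."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        sides = (node.left, node.right)
        has_str = any(isinstance(s, ast.Constant) and isinstance(s.value, str)
                      for s in sides)
        has_dynamic = any(not isinstance(s, ast.Constant) for s in sides)
        return has_str and has_dynamic
    return False


def scan_source(source, filename="<constructed>"):
    """Return (rule_id, lineno, message) tuples sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            # SQL001: execute()/executemany() handed a string built at runtime.
            # Simplification: a query assembled earlier into a variable is missed.
            if (name and name.rsplit(".", 1)[-1] in ("execute", "executemany")
                    and node.args and _is_dynamic_string(node.args[0])):
                findings.append(("SQL001", node.lineno,
                                 "query text built from runtime values"))
            # INS003: direct dangerous calls (module-qualified names only).
            if name in DANGEROUS_CALLS:
                findings.append(("INS003", node.lineno, f"{name}() call"))
            # INS003: any subprocess.* call with shell=True.
            if name and name.startswith("subprocess.") and any(
                    kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True for kw in node.keywords):
                findings.append(("INS003", node.lineno, f"{name}(shell=True)"))
        elif isinstance(node, ast.Assign):
            # SEC001: a non-empty string literal assigned to a secret-like name.
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for target in node.targets:
                    if (isinstance(target, ast.Name)
                            and any(s in target.id.lower() for s in SECRET_NAMES)):
                        findings.append(("SEC001", node.lineno,
                                         f"hardcoded value assigned to {target.id}"))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample file; the comments state the expected verdict per line.
SAMPLE_SOURCE = '''
import os, pickle, subprocess

DB_PASSWORD = "hunter2"                        # line 4: SEC001
SAFE_PASSWORD = os.environ.get("DB_PASSWORD")  # line 5: not flagged

def lookup(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")   # 8: SQL001
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")        # 9: SQL001
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))       # 10: fixed

def handle(text):
    choice = eval(text)                         # line 13: INS003
    obj = pickle.loads(text)                    # line 14: INS003
    subprocess.run(text, shell=True)            # line 15: INS003
    os.system("ls")                             # line 16: INS003
'''


if __name__ == "__main__":
    for rule, line, msg in scan_source(SAMPLE_SOURCE, "app/sample.py"):
        print(f"[HIGH]  {rule} - app/sample.py:{line}   {msg}")
```

Matching on syntax alone is exactly why a raw engine over-reports: the sample's `SAFE_PASSWORD` line is skipped here only because its value is a call rather than a literal, and a real rule set has to make that kind of distinction for every pattern, which is the gap the AI filter described above is meant to close.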

Join the Permi waitlist

Be first to access the VS Code extension, NDPA compliance reports, unlimited AI credits, and Pro tier features when they launch. No spam. Unsubscribe anytime.

Already installed? Give us a ⭐ on GitHub — it helps more African developers find Permi.