Open Source · Free to Install · Built in Nigeria

Security scanning that Nigerian developers actually use

Permi scans live websites and source code for vulnerabilities, then uses AI to filter out false positives — so you only see findings that matter. No cloud. No login. Just install and scan.

$ pip install permi
Requires Python 3.9+  ·  Windows, macOS, Linux

$ permi scan --url https://yoursite.com
██████╗ ███████╗██████╗ ███╗ ███╗██╗
██╔══██╗██╔════╝██╔══██╗████╗ ████║██║
██████╔╝█████╗ ██████╔╝██╔████╔██║██║
██╔═══╝ ██╔══╝ ██╔══██╗██║╚██╔╝██║██║
██║ ███████╗██║ ██║██║ ╚═╝ ██║██║
╚═╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝

[Permi] Mode : Web scan (active HTTP testing)
[Permi] Target : https://yoursite.com
[Permi] Crawl : up to 30 pages

[Permi] Engine found 4 raw finding(s)
[Permi] Running AI filter on 4 finding(s)...

[1/4] WEB_SQL001  REAL  SQL error returned when quote injected into 'id' parameter.
[2/4] WEB_XSS001  REAL  Payload reflected unencoded in HTML response.
[3/4] WEB_HDR001  REAL  HSTS, CSP, and X-Frame-Options headers are missing.
[4/4] WEB_HDR002  FP   Server header present but no version disclosed — not exploitable.

[Permi] Filter complete — 3 real  |  1 false positive removed

[HIGH]  WEB_SQL001 — /search?id=1 — SQL Injection (Error-based)
[HIGH]  WEB_XSS001 — /search?q=test — Reflected XSS
[MEDIUM]  WEB_HDR001 — Missing Security Headers

Total: 3 findings  ·  2 high  ·  1 medium  ·  1 FP removed

$ permi scan --path ./myapp
██████╗ ███████╗██████╗ ███╗ ███╗██╗
██╔══██╗██╔════╝██╔══██╗████╗ ████║██║
██████╔╝█████╗ ██████╔╝██╔████╔██║██║
██╔═══╝ ██╔══╝ ██╔══██╗██║╚██╔╝██║██║
██║ ███████╗██║ ██║██║ ╚═╝ ██║██║
╚═╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝

[Permi] Scanning : /home/peter/myapp
[Permi] Engine found 9 raw finding(s) across 3 file(s)
[Permi] Running AI filter on 9 finding(s)...

[1/9] SQL001  REAL  String concatenation embeds user input into SQL query.
[2/9] SEC001  REAL  Hardcoded database password poses a critical security risk.
[3/9] USSD001  FP   sessionId is server-generated — no validation risk here.
[4/9] INS003  REAL  eval() on user input allows arbitrary code execution.
[5/9] XSS001  REAL  User input assigned to innerHTML without sanitisation.

[Permi] Filter complete — 6 real  |  3 false positive(s) removed

[HIGH]  SQL001 — app/auth.py line 8
[HIGH]  SEC001 — app/auth.py line 12
[HIGH]  INS003 — app/ussd.py line 11
[HIGH]  XSS001 — app/views.py line 11

Total: 6 findings  ·  5 high  ·  1 medium  ·  3 FPs removed

Two scan modes

Scan websites live or scan code before it ships

Most security tools do one or the other. Permi does both — from a single install, with a single CLI command.

--url

Live web scanning

Point Permi at any website. It crawls the pages, injects test payloads into parameters, and checks security headers on the running application. No source code access needed.

permi scan --url https://yoursite.com

--path

Static source scanning

Point Permi at a local folder or GitHub URL. It reads your code, matches vulnerability patterns, and catches issues before they ever reach production.

permi scan --path ./myapp

Why Permi

Built for how Nigerian developers actually work

Most security tools were built for enterprise teams in San Francisco. Permi was built for developers in Lagos, Jos, Abuja — and everywhere else where good security tooling should not cost more than a developer earns.

🤖

AI false-positive filter

Every finding is reviewed by an LLM before you see it. Real vulnerabilities surface. Noise disappears.

🌐

Live web scanning

Crawls pages, tests SQL injection payloads, checks XSS, and audits security headers on any running website.

🇳🇬

Nigerian-specific rules

USSD gateway vulnerabilities, Paystack and Flutterwave secret key detection, NDPR-relevant checks. No foreign scanner understands this market.

💻

Works offline

No cloud backend. No login. Scans run on your machine. Use --offline to skip AI calls when your connection is slow.

🔗

GitHub URL support

Scan any public GitHub repository directly. Permi clones it, scans it, and deletes the clone automatically.

🆓

Free and open source

Install for free. Use forever. The core scanner engine is open source. No credit card. No trial period.


Detection

What Permi finds

Coverage across both scan modes. Web scanning tests your running application. Source scanning catches issues before they ship.

🌐 Web scan (--url)

HIGH  SQL Injection: Error-based, boolean-based blind, time-based blind
HIGH  Reflected XSS: Context-aware payload testing across all parameters
MED   Missing Security Headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
LOW   Server Information Disclosure: Server and X-Powered-By header leakage
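
The header checks listed above, sketched as an added example that is not Permi's own code. It audits one response for the four headers named on this page and reports Server or X-Powered-By only when a version is disclosed, matching the false-positive case in the demo output. The function name, the sample headers and the HSTS-over-HTTP rule are assumptions made for illustration.

```python
import re

# Headers this page lists under "Missing Security Headers".
REQUIRED = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
}
# Headers this page lists under "Server Information Disclosure".
DISCLOSING = ("server", "x-powered-by")
# Matches "nginx/1.18.0", "Apache/2" or "PHP 7.4.3"; a bare "nginx" does not match.
VERSION_RE = re.compile(r"/\d|\d+\.\d+")


def audit_headers(url, headers):
    """Return (severity, title, detail) tuples for one HTTP response."""
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [label for key, label in REQUIRED.items() if not seen.get(key)]
    # Browsers ignore HSTS sent over plain HTTP, so its absence there is not a finding.
    if "HSTS" in missing and not url.lower().startswith("https://"):
        missing.remove("HSTS")
    findings = []
    if missing:
        findings.append(("MEDIUM", "Missing Security Headers", ", ".join(missing)))
    for key in DISCLOSING:
        value = seen.get(key, "")
        if VERSION_RE.search(value):  # a product name alone is not reported
            findings.append(("LOW", "Server Information Disclosure", f"{key}: {value}"))
    return findings


# Constructed response headers for illustration.
BARE = {"Server": "nginx", "Content-Type": "text/html"}
VERSIONED = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
```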

📁 Source scan (--path)

HIGH  SQL Injection in Code: String concat, f-strings, % formatting in queries
HIGH  Hardcoded Secrets: Passwords, API keys, AWS keys, Paystack/Flutterwave keys
HIGH  Code Execution & XSS: eval(), exec(), innerHTML, pickle.loads()
MED   USSD Vulnerabilities: Unvalidated sessionId, phoneNumber, serviceCode
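
A sketch of how the "SQL Injection in Code" row can be checked statically, added here as an example and not taken from Permi's rule engine. It uses Python's ast module to flag execute() calls whose SQL text is built by string concatenation, an f-string or % formatting, while leaving parameterized queries alone. The function names and the sample source are assumptions, and the variable tracking is name-based and flow-insensitive.

```python
import ast

SINKS = {"execute", "executemany"}  # DB-API cursor methods that take SQL text
KINDS = {ast.Add: "string concatenation", ast.Mod: "% formatting"}

def is_literal(node):
    """True when the expression is a string fixed when the code was written."""
    if isinstance(node, ast.JoinedStr):  # f-string with no {placeholders}
        return not any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_literal(node.left) and is_literal(node.right)
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def dynamic_kind(node, built):
    """Name the construct that builds the string at run time, else None."""
    if isinstance(node, ast.Name):
        return built.get(node.id)  # variable assigned from a built string
    if is_literal(node):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    return KINDS.get(type(node.op)) if isinstance(node, ast.BinOp) else None

def find_dynamic_sql(source):
    """Return sorted (line, kind) for each execute() fed a built-up string."""
    tree, built, hits = ast.parse(source), {}, []
    for node in ast.walk(tree):  # pass 1: names bound to built strings
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            kind = dynamic_kind(node.value, built)
            if kind:
                built[node.targets[0].id] = kind
    for node in ast.walk(tree):  # pass 2: calls such as cur.execute(...)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINKS and node.args):
            kind = dynamic_kind(node.args[0], built)
            if kind:
                hits.append((node.lineno, kind))
    return sorted(hits)

# Constructed sample input, not taken from any real code base.
SAMPLE = '''\
def login(cur, user, pw):
    cur.execute("SELECT id FROM users WHERE name = '" + user + "'")
    q = f"SELECT id FROM users WHERE name = '{user}'"
    cur.execute(q)
    cur.execute("SELECT id FROM users WHERE pw = '%s'" % pw)
    cur.execute("SELECT id FROM users WHERE name = %s", (user,))
'''
```

The last line of the sample passes the value as a bound parameter, which is the fix for the three flagged lines above it.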

Join the Permi waitlist

Be the first to know when the VS Code extension, NDPR compliance reports, and Pro tier launch. No spam. Unsubscribe anytime.

Already installed? Give us a ⭐ on GitHub — it helps more developers find Permi.