Changelog

What's new

A phase-by-phase history of Fendix development. 6 of 9 planned phases are complete.

Phase 5 Complete

Active Scanner

March 2026

  • Safe probe framework with audit log and legal disclaimer
  • Time-based blind SQL injection detection (MySQL, PostgreSQL, MSSQL)
  • Command injection canary detection with safe echo payloads
  • CRLF header injection probes
  • Per-endpoint probe rate limiter (max 20 probes/endpoint)
  • --enable-active gate ensures probes never run by default

Phase 4 Complete

Hybrid Engine & Orchestration

March 2026

  • Go subprocess spawner for Python engine with full IPC
  • Streaming Finding reader with malformed-line resilience
  • Correlator: endpoint normalization, fuzzy matching, severity escalation
  • .fendix-ignore suppression with YAML rules and expiry dates
  • Baseline diff for tracking new vs. existing findings
  • --fail-on exit code logic for CI/CD gates

Phase 3 Complete

Auth Scanner

March 2026

  • AuthContext model with multi-source credential resolution
  • Unauthenticated access detection on protected endpoints
  • JWT bypass checks: none algorithm, expired token, signature strip
  • IDOR two-account access control verification
  • Credential masking ([REDACTED]) in all report formats
  • ~/.fendix/profiles/ persistent config system
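
The three JWT bypass checks listed for Phase 3, as an added illustration in Python (this is not Fendix's own code and makes no claim about how its auth scanner is implemented). It builds a valid HS256 token with a constructed demo key, derives the three probe tokens (alg set to none, exp moved into the past, signature stripped to an empty segment) and runs each through two stand-in verifiers: a strict one, and one modelling the classic bug of trusting the header's alg and skipping the exp check. The verifier functions stand in for the protected endpoint a real scanner would call; the expired probe is signed with the demo key because the example owns it, whereas a black-box scanner would need an already-expired token supplied through its credential sources. All names here (encode_jwt, jwt_bypass_checks, run_demo and so on) are the example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key; stands in for a target's secret.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_jwt(payload: dict, key: bytes) -> str:
    """Mint a compact HS256 token: header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


# --- the three probes -------------------------------------------------------

def forge_alg_none(token: str) -> str:
    """Rewrite the header to alg=none and drop the signature."""
    header, body, _ = token.split(".")
    hdr = json.loads(b64url_decode(header))
    hdr["alg"] = "none"
    return f"{b64url(json.dumps(hdr, separators=(',', ':')).encode())}.{body}."


def forge_expired(token: str, key: bytes) -> str:
    """Same claims, exp one hour in the past, correctly signed (demo owns the key)."""
    _, body, _ = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload["exp"] = int(time.time()) - 3600
    return encode_jwt(payload, key)


def strip_signature(token: str) -> str:
    """Keep header and payload, send an empty signature segment."""
    header, body, _ = token.split(".")
    return f"{header}.{body}."


# --- two stand-in verifiers (the "endpoint") --------------------------------

def strict_verify(token: str, key: bytes) -> bool:
    """Pins the algorithm, checks the MAC in constant time, enforces exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False  # never let the token choose its own algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return False
    return json.loads(b64url_decode(body)).get("exp", 0) > time.time()


def weak_verify(token: str, key: bytes) -> bool:
    """Models the classic bug: honours alg from the header, never checks exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") == "none":
        return True  # unsigned token accepted as-is
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def jwt_bypass_checks(verify, token: str, key: bytes) -> dict:
    """Run the three probes; True means the verifier accepted a token it should reject."""
    probes = {
        "alg_none": forge_alg_none(token),
        "expired": forge_expired(token, key),
        "signature_strip": strip_signature(token),
    }
    return {name: verify(probe, key) for name, probe in probes.items()}


def run_demo() -> dict:
    token = encode_jwt({"sub": "alice", "exp": int(time.time()) + 600}, DEMO_KEY)
    assert strict_verify(token, DEMO_KEY), "baseline token must verify"
    return {
        "strict": jwt_bypass_checks(strict_verify, token, DEMO_KEY),
        "weak": jwt_bypass_checks(weak_verify, token, DEMO_KEY),
    }


if __name__ == "__main__":
    for target, results in run_demo().items():
        accepted = [name for name, ok in results.items() if ok]
        print(f"{target}: bypasses accepted = {accepted or 'none'}")
```

Each probe that the verifier accepts is one finding: the weak verifier accepts the alg=none and expired tokens but still rejects the stripped signature, because an empty segment never matches a computed MAC. A stripped-signature acceptance would point at a verifier that skips the MAC check entirely, which is why the scanner sends it as a separate probe rather than folding it into the alg=none case.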

Phase 2 Complete

White-Box Engine

March 2026

  • Python engine.py with full IPC contract and error handling
  • Secrets analyzer: 7 pattern types (AWS, PEM, API key, JWT, DB URI, etc.)
  • OpenAPI spec parser for 2.0 and 3.x with 4 auth checks
  • Semgrep rules for auth, injection, and secrets
  • AST analyzer for Python and JavaScript code patterns
  • Dependency CVE checker via pip-audit and npm audit

Phase 1 Complete

Passive Scanner & Reporting

February 2026

  • Endpoint crawler with spec parsing, JS discovery, and brute-force
  • Security headers, CORS, data exposure, and rate limit checks
  • Worker pool concurrency model
  • JSON reporter with scan metadata
  • Self-contained HTML reporter with color-coded severity
  • Orchestrator wiring for all passive checks

Phase 0 Complete

Foundation

February 2026

  • Go module and Python package initialization
  • Finding, ScanConfig, and severity scoring models
  • Cobra CLI skeleton with version command
  • GitHub Actions CI workflow
  • Makefile for build, test, lint, and clean
  • ADR-001 and ADR-002 architecture decision records

Phases 6-8 are in progress: advanced reporting, developer experience, and distribution.