Fendix logo
Changelog

What's new

A phase-by-phase history of Fendix development. v0.7.0 shipped May 1, 2026 — the wedge is now defensible. Phase 14 (External Wedge) closed end-to-end with the GitHub App business logic; Phase 15 (Open & Extensible) ratified the open-source posture (ADR-007), shipped the plugin system, and delivered reachability/dataflow correlation. The correlator now distinguishes “DAST + SAST agreed” from “DAST + SAST agreed AND we can prove the exploit path” — the latter gets a double severity escalation.

v0.7.0 Complete
DownloadView on GitHub

Open & Extensible — Phase 14 closeout + Phase 15 (the wedge is now defensible)

May 1, 2026

  • **Headline: the wedge is now defensible.** The correlator now distinguishes 'DAST + SAST agreed' from 'DAST + SAST agreed AND we can prove the exploit path' — the latter gets a double severity escalation, which is exactly what makes the wedge defensible against vendor noise. v0.7.0 folds 8 commits since v0.6.1 across two phase closures: Phase 14 (P4 External Wedge) closing end-to-end with the GitHub App business logic, and Phase 15 (P5 Open & Extensible) shipping open-source ratification + plugin system + reachability/dataflow correlation
  • **Open-source posture ratified via ADR-007 (TASK-112).** What was tactical in v0.1.0 (an MIT `LICENSE` shipped because the project needed *a* license) is now a deliberate strategic decision: MIT, single repo, no open-core split planned. ADR-007 records the rejected alternatives (Apache 2.0, AGPL 3.0, dual-license, open-core) and why each was the wrong fit. README hero gains a fourth bullet 'Open source under MIT — read the source, audit the wedge, fork it, ship plugins.' CONTRIBUTING.md gains a 'Licensing of contributions' section: by submitting a PR, you agree to MIT for your work; no CLA, no copyright assignment. **Out-of-tree plugins choose their own license** — only plugins shipped inside this repo (under `examples/plugins/`) are required to be MIT to match the rest of the tree.
  • **Plugin system: out-of-tree extension via NDJSON IPC (TASK-113).** New `internal/plugin` package: `Discover` walks `<repo>/.fendix/plugins/` (repo-local, takes precedence) + `~/.fendix/plugins/` (user-global), parses each child's `plugin.yaml` with strict `KnownFields(true)` parsing (typos like `entry_point` → loud error, not silent drop), and dedups by name. `(*Plugin).Run` invokes the entrypoint with a JSON `ScanRequest` on stdin and reads NDJSON Findings on stdout — **same wire contract as the embedded Python engine** (ADR-002), so plugin authors writing in Python can reuse most of `engine.py`. Per-plugin timeout (default 30s, max 5m) bounds wall-clock; partial findings before a kill are preserved; plugins inherit `FENDIX_PLUGIN_NAME` + `FENDIX_PLUGIN_DIR` env vars; every emitted finding gets `fendix-plugin:<name>` appended to References for provenance. Plugin findings flow through the same Correlate / Dedup / Sort / ID-assignment pipeline as embedded engine findings — a custom-secret-pattern plugin correlates against blackbox auth checks identically to the built-in secrets analyzer. New **`--no-plugins`** CLI flag disables discovery for sandboxed CI or debugging. Three reference plugins under `examples/plugins/`: `custom-secret-pattern` (Python, regex-based custom secret detection), `custom-blackbox-check` (Python, custom HTTP-response assertion), `custom-semgrep-pack` (shell, wraps a custom Semgrep rule pack). Author guide: `docs/plugins.md` covers discovery, IPC schema, security model, and an authoring checklist.
  • **Reachability/dataflow correlation: `correlated:reachable` for proven exploit paths (TASK-114).** The Python AST analyzer now records taint chains for SQLi, SSRF, and open-redirect findings: when `_collect_taint_chain` proves intra-function dataflow from a request source (`request.args/POST/form/data/json/headers` plus the Flask handler-arg form `req`) through one or more variable assignments to a dangerous sink, the emitted finding carries `taint_chain: [{file, line, expr}, …]` plus `reachable: true`. The chain walks recursively through scope assignments — `q = request.args.get('q'); sql = '...' + q; cursor.execute(sql)` resolves three links without false positives on literal-only chains. **Correlator escalation:** when the whitebox half of a correlated pair carries a chain, the merged finding inherits the chain plus `reachable: true` AND gets a *second* severity escalation. So MEDIUM blackbox + MEDIUM whitebox + reachable jumps to CRITICAL (vs. HIGH without reachability). HTML reporter renders the chain as an ordered list under finding details ('Reachable dataflow (N steps)').
  • **GitHub App business logic wired end-to-end (TASK-107b).** Replaced the v0.6.1 scaffold's stub handlers with the full PR workflow on top of the credentials/auth layer. On every `pull_request.{opened,synchronize,reopened}`, the webhook handler now: (1) fetches an installation token from the cached `TokenSource`; (2) clones the PR head SHA via `git init` + shallow `fetch --depth=1 origin <sha>` + `checkout FETCH_HEAD` (only the exact commit, no history; auth via `x-access-token:<token>@…` userinfo on the HTTPS clone URL); (3) runs `fendix scan --code <tmp> --format json`; (4) re-renders SARIF via `fendix report --format sarif` so the PR comment + Code Scanning tab describe identical findings; (5) renders a Markdown PR comment matching the `examples/github-actions/fendix-scan.yml` github-script template byte-for-byte modulo whitespace; (6) POSTs the comment to `/repos/{o}/{r}/issues/{n}/comments`; (7) gzip+base64-encodes the SARIF and uploads to `/repos/{o}/{r}/code-scanning/sarifs` against `refs/pull/<n>/head`. SARIF upload is best-effort (Code Scanning disabled or `security_events: write` missing → log warning, comment still posts). **`check_run.action == "rerequested"`** re-runs the scan against the recorded head SHA. **Tempdir always cleaned up** via `defer os.RemoveAll`. **Tokens redacted** from any error surfaced for git-step failures. **Per-scan timeout:** 15 minutes wall-clock. **Distribution:** new `Dockerfile.app` (multi-stage; bundles `fendix` + `fendix-app` + Python engine + `git` + tini in ~250 MiB Debian-slim). 26 new ghapp tests under `-race`.
  • **Vulnerable-app benchmark numbers captured (TASK-106).** Stock `fendix scan --url http://localhost:3000` against `bkimminich/juice-shop:v17.1.1` on Fendix v0.6.1 produced **97 endpoints discovered / 7 deduped findings (4 MEDIUM + 2 LOW + 1 INFO) / 41.5s scan time / 0 correlated** (passive-only run; juice-shop's intentional SQLi/XSS/IDOR vulns need `--enable-active` and/or `--code` to surface). Pre-dedup the engine emitted **391 raw findings** that TASK-088 deduplication collapsed to 7. Numbers published in `docs/benchmarks.md` 'Latest results' table with a 'Reading the row' explanation that documents what the row does NOT measure.
  • **GitHub App scaffold (TASK-107).** New `cmd/fendix-app` binary (separate from the `fendix` CLI; long-running webhook server) plus `internal/ghapp` package and `app/manifest.yml` for one-click App registration via GitHub's manifest flow. Webhook layer: HMAC-SHA256 signature verification (legacy `sha1=` rejected), event router, 4 MiB body cap. Auth layer: pure-stdlib RS256 App-JWT signing (no `golang-jwt` dep added — preserves the project's zero-runtime-deps posture), `/app/installations/{id}/access_tokens` exchange, single-flight installation-token cache. Setup guide: `docs/github-app.md`. 28 unit tests under `-race`. Marketplace listing is an operator step distinct from the code deliverable.
  • **`fendix demo` command (TASK-108).** New cobra subcommand spins up `bkimminich/juice-shop:v17.1.1` in Docker on `localhost:3000`, runs a stock scan, renders an HTML report, and (with `--open`) opens it in the user's default browser. Container always cleaned up on exit. Flags: `--open`, `--port`, `--output`, `--image`. Removes the cold-start 'what does a real scan look like?' question for first-time evaluators.
  • **`.fendix.yaml` repo-committed policy (TASK-109).** New `internal/policy` package + new `--config <path>` flag on `fendix scan`. Teams commit a `.fendix.yaml` at repo root encoding scan posture (severity threshold, scan budgets, auth profile reference, crawler defaults, format) and invoke `fendix scan` with one CLI flag instead of the prior six-flag-and-growing wall. **Precedence** matches `git config`: cobra defaults < `.fendix.yaml` values < explicit CLI flags. **Strict YAML parsing** (`yaml.KnownFields(true)`) rejects typos. Schema versioned; future v2 forward-rejected. **`fendix init` now writes 3 files** (workflow + `.fendix.yaml` + `.fendix-ignore`).
  • **Backend not extended for plugins, reachability, `--config`, or the GitHub App.** Plugins run on the host filesystem (backend container can't see them); reachability is a property of findings the engine already emits; `--config` is a host-filesystem flag (the API itself accepts every policy field directly); `fendix-app` is a separate deployable on the GitHub-event side of the pipeline. The frontend dashboard surfaces `reachable: true` and `taint_chain` from the report payload directly when present.
v0.6.1 Complete
DownloadView on GitHub

Patch — install.sh `mkdir -p` fix + Phase 14 partial

May 1, 2026

  • **Critical install-pipe fix.** `scripts/install.sh` now `mkdir -p` the install directory before the `mv`. Previously, `curl -fsSL https://get.fendix.dev/install.sh | FENDIX_DIR=$HOME/.local/bin sh` failed on any system where `$HOME/.local/bin` didn't pre-exist with `mv: cannot move 'fendix' to '/home/runner/.local/bin/fendix': No such file or directory`. Blocked the benchmark CI on every run and broke any first-time user who set `FENDIX_DIR` to a non-existent dir. The fix tries `mkdir -p` non-sudo first, falling back to `sudo mkdir -p` only when a parent up the chain isn't writable — POSIX-sh clean. Mirrored to `get.fendix.dev/install.sh` automatically by the release pipeline's mirror-sync job
  • **`fendix init` zero-config workflow generator (TASK-105, folded into v0.6.1).** New `fendix init` subcommand detects the project's stack (Go via `go.mod`, Python via `pyproject.toml`/`requirements.txt`/`setup.py`/`Pipfile`, Node.js, Ruby, Rust, Java/Kotlin, PHP) plus a colocated OpenAPI/Swagger spec at any of 14 conventional paths. Writes `.github/workflows/fendix.yml` (drop-in PR-gated DAST + SAST scan, embedded via `go:embed`) plus `.fendix-ignore` (commented starter for finding-level suppressions). Refuses to overwrite by default; `--force` overrides; `--print` dry-runs to stdout. **Note:** post-v0.6.1, init was extended to also write `.fendix.yaml` per TASK-109 — see Unreleased entry above
  • **README repositioned around the wedge (TASK-110, folded).** Hero rewritten from generic 'Find vulnerabilities before attackers do.' to 'DAST + SAST in one PR check. Fails only when both engines confirm.' Three-bullet trust block matches the get.fendix.dev landing page (confirmed findings, single binary, signed + silent)
  • **'What Fendix sends to the network' section at top of README (TASK-111, folded).** Five-row table covering default scan / active probing / white-box / no-flags / telemetry. Explicit 'no telemetry code; verify with tcpdump or read go/internal/' claim. Plus a 'Verifying signed releases' section with the full cosign keyless verify recipe
  • **Vulnerable-app benchmark scaffold (TASK-106 partial, folded).** New `scripts/benchmark/run-juice-shop.sh` + `make benchmark` + `.github/workflows/benchmark.yml` (`workflow_dispatch` only) + `docs/benchmarks.md`. CI workflow installs Fendix via `https://get.fendix.dev/install.sh` (doubles as install-pipe smoke test). Real juice-shop numbers captured in the post-v0.6.1 Unreleased entry above
v0.6.0 Complete
DownloadView on GitHub

First Stable Signed Release (Phase 13 complete)

April 30, 2026

  • **First stable signed release.** Every binary, `.deb`, `.rpm`, and Docker manifest ships with `.crt` + `.sig` cosign sidecars verifiable against the build's GitHub Actions OIDC identity — no static public key, no rotation surface, no key-loss recovery story
  • Cosign keyless signing fully active on the release pipeline (Sigstore Fulcio + GitHub Actions OIDC). `COSIGN_ENABLED=true` flipped on the engine repo on 2026-04-30T14:07Z; rc2 was the first tag to exercise the full signed-release path end-to-end, then promoted to v0.6.0 final after pipeline validation. Cosign steps hard-fail the release job, so a broken signing path can't silently ship unsigned artifacts
  • `https://get.fendix.dev/install.sh` is live — DNS CNAME at the registrar, GitHub Pages on the homebrew-fendix mirror, auto-provisioned Let's Encrypt cert. End-to-end smoke test verified the install pipe end-to-end. Mirror URL retained as a documented fallback. Engine repo is now the single source of truth for everything served at get.fendix.dev — auto-synced by `release.yml` on every `v*` tag
  • Linux arm64 release binary added — `brew install fendix` and `curl -fsSL https://get.fendix.dev/install.sh | sh` now serve native ARM builds for Graviton, Ampere, Raspberry Pi, and ARM Linux laptops
  • Multi-arch Docker image at `ghcr.io/abdel-rahmansaied/fendix:vX.Y.Z` — manifest list covers `linux/amd64` + `linux/arm64`; `docker pull` picks the right arch automatically
  • Linux `.deb` and `.rpm` packages built via nfpm — install with `sudo dpkg -i fendix-*.deb && sudo apt-get install -f` or `sudo dnf install ./fendix-*.rpm`. Declares `python3` as required and `semgrep` as recommended
  • Documentation pass for external evaluators: 5-minute juice-shop walkthrough (`docs/walkthrough-juice-shop.md`), Semgrep rule-author guide (`docs/semgrep-rules.md`), triage workflow (`docs/triage-workflow.md`), JSON schema reference (`docs/schema.md`), all cross-linked from a top-level Documentation index in the README
  • New `--debug-bundle <path>` flag writes a redacted diagnostic `.tar.gz` for attaching to bug reports — auth values masked as `[REDACTED]`, full DEBUG slog stream tee'd into the bundle, probe audit log on `--enable-active`. Auth credentials never leak (e2e regression locks this in)
  • `SECURITY.md` + active-scanner threat model (`docs/threat-model.md`): vulnerability disclosure policy, supported-versions, cosign verification instructions, and the 7-threat safety envelope every active probe must maintain
  • Performance benchmark suite: scan time vs endpoint count, peak goroutine count, allocation profile — published in README. Reference: 1000 endpoints in 31.7 ms / 24.7 MB / 166 peak goroutines (Apple M1, Go 1.21)
v0.6.0-rc1RC Complete
DownloadView on GitHub

External Release Readiness (Phase 13 release candidate)

April 30, 2026

  • Linux arm64 release binary added — `brew install fendix` and `curl -fsSL .../install.sh | sh` now serve native ARM builds for Graviton, Ampere, Raspberry Pi, and ARM Linux laptops
  • Multi-arch Docker image at `ghcr.io/abdel-rahmansaied/fendix:vX.Y.Z` — manifest list covers `linux/amd64` + `linux/arm64`; `docker pull` picks the right arch automatically
  • Cosign keyless signing wired (Sigstore Fulcio + GitHub Actions OIDC; opt-in via the `COSIGN_ENABLED=true` repo variable). When enabled, every binary ships with `.sig` + `.crt` sidecar files
  • Linux `.deb` and `.rpm` packages built via nfpm — install with `sudo dpkg -i fendix-*.deb && sudo apt-get install -f` or `sudo dnf install ./fendix-*.rpm`. Declares `python3` as required and `semgrep` as recommended
  • New `docs/install.md` install reference covers every install path with cosign verification one-liners; `get.fendix.dev` short-URL installer planned (operator-action: domain registration + GitHub Pages CNAME)
  • Documentation pass for external evaluators: 5-minute juice-shop walkthrough (`docs/walkthrough-juice-shop.md`), Semgrep rule-author guide (`docs/semgrep-rules.md`), triage workflow (`docs/triage-workflow.md`), JSON schema reference (`docs/schema.md`), all cross-linked from a top-level Documentation index in the README
  • New `--debug-bundle <path>` flag writes a redacted diagnostic `.tar.gz` for attaching to bug reports — auth values masked as `[REDACTED]`, full DEBUG slog stream tee'd into the bundle, probe audit log on `--enable-active`. Auth credentials never leak (e2e regression locks this in)
  • `SECURITY.md` + active-scanner threat model (`docs/threat-model.md`): vulnerability disclosure policy, supported-versions, cosign verification instructions, and the 7-threat safety envelope every active probe must maintain
  • Performance benchmark suite: scan time vs endpoint count, peak goroutine count, allocation profile — published in README. Reference: 1000 endpoints in 31.7 ms / 24.7 MB / 166 peak goroutines (Apple M1, Go 1.21)
  • Release-candidate cut to validate the new pipeline (cosign + nfpm + ghcr) end-to-end before tagging clean v0.6.0; signed-release validation pending `COSIGN_ENABLED=true`
v0.5.0 Complete
DownloadView on GitHub

Quality & Ops (Phase 12 complete)

April 30, 2026

  • Public JSON output schema published (`docs/schema.md` + `docs/schema.json` draft-07); validator runs in tests against every emitted report; `findings: []` instead of `null` when empty
  • Path-parameter substitution: templated endpoints like `/users/{id}` now scan against `/users/1` (or schema-derived sample). Resolution order: `schema.example` → `schema.enum[0]` → type-driven default → name heuristic → fallback `1`. Endpoint.Path stays templated for reports; FullURL is concrete
  • Logging hygiene: aggregated WARN volume — max 3 per check key per scan, rest downgraded to DEBUG. New `INFO warning summary` line at scan end. Real-world: 30 WARN lines → 9 + 1 summary on a 10-endpoint scan against an unreachable target
  • Scan budgets: new `--max-requests` (soft cap on total HTTP requests; discovery exempt), `--max-duration` (Go duration string, e.g. `5m`), `--respect-robots` (treat robots.txt Disallow as hard restriction across all discovery sources)
  • New auth profile: `--auth-type apikey-query` puts the credential in the URL query string instead of a header — common for legacy/sensor APIs that prefer query placement
  • Auth profiles end-to-end: bearer / apikey-header / apikey-query / basic / cookie all covered by e2e tests that record what reaches the server
  • Concurrency review: race-clean proof at 1000 endpoints × 32 workers under `go test -race`; new `FuzzWorkerPool_CancelTiming` fuzzer (4455 execs / zero failures over 15s of fuzzing)
  • Severity↔confidence consistency enforced — LOW confidence caps severity at MEDIUM, MEDIUM caps at HIGH (matches the scoring formula's implicit max). Inconsistent findings get severity downgraded with an aggregated WARN line
  • Drop-in GitHub Actions workflow: `examples/github-actions/fendix-scan.yml` does scan → `actions/cache` baseline → SARIF upload → PR summary comment via `actions/github-script@v7`
v0.4.0 Complete
DownloadView on GitHub

Coverage Parity (Phase 11 complete)

April 29, 2026

  • Correlator finalized: HTTP method-prefix stripping + path-suffix matching (handles base-path skew like spec `/pet/findByStatus` ↔ live `/api/v3/pet/findByStatus`); debug instrumentation with `match_kind=exact|suffix|fuzzy`; blackbox findings consumed at most once
  • Real CVE coverage: pip-audit (PyPI) + npm audit (JS) + govulncheck (Go) as primary paths; hardcoded list as offline fallback. Real-world: badcode/requirements.txt = 6 deps findings (offline) → 97 with pip-audit installed (16× coverage)
  • Go module support — `go.mod` files now scanned by govulncheck; only emits findings on actually-called code paths (vendored-but-uncalled noise dropped)
  • Crawler upgrade: robots.txt + sitemap.xml + HTML link parsing with recursive depth. Real-world: httpbin.org discovery went from 1 endpoint to 3 (Disallow /deny + linked /forms/post + brute-force /robots.txt)
  • New flags: `--wordlist`, `--crawl-depth` (default 1), `--max-endpoints` (default 500); built-in `CommonPaths` expanded ~50 → 117 with admin/dashboard/source-control/DevOps tooling paths
  • Findings deduplication: identical issues across N endpoints collapse into one finding with `affected_endpoints` (real-world: petstore 160 → 10, 16× reduction)
  • Static analyzer: 6 new patterns — pickle.load, yaml.load without SafeLoader, MD5/SHA1 for passwords, open redirect, SSRF, auth-header trust
  • Multi-step SQLi detection via intra-function scope tracking (`sql = '...' + var; cursor.execute(sql)`)
  • Active scanner: body & header param probing; error-based + boolean-based SQLi; SQLite + Oracle time-based payloads (5 DB types total)
  • New `--max-probes-per-endpoint` flag (default 20) for active scan budget control
  • Secrets analyzer: 8 new provider patterns — GitHub, Stripe, Slack, Google, Anthropic, OpenAI, npm, GCP service-account JSON (15 total, was 7)
  • .env file scanning fixed (dotfile walker now yields env-files; unquoted KEY=value pattern gated to .env*)
  • v0.4.0 folds the planned v0.3.0 batch — single tag covering TASK-085..091
v0.2.0 Complete

P0 Flag Wiring

April 29, 2026

  • `--save-baseline` now actually writes a file (was previously a silent no-op at the CLI)
  • `--code`-only scans run successfully (orchestrator no longer early-exits when only --code is given)
  • Active scanner now uses spec-defined query/path parameters instead of hardcoded `id`
  • `--spec` now accepts `https://...` URLs in addition to local file paths (fetched with content-type detection, 50 MB cap)
  • SARIF rule IDs are now stable per check type (`fendix.<category>.<title-slug>`) — breaking change for v0.1 SARIF baseline consumers
  • End-to-end test infrastructure: every CLI flag now has a test that runs the binary and asserts observable effect
v0.1.0 Complete

Initial Release

April 2026

  • All 9 development phases complete — 78 tasks, ~594 tests
  • MIT License, CHANGELOG, .fendix-ignore.example template
  • Ready for production use with full documentation
Phase 9 Complete

Hardening

April 2026

  • Performance benchmark suite across all critical paths
  • Go native fuzz testing (362k+ executions, 0 panics)
  • Python hypothesis fuzz testing — found and fixed 3 real bugs
  • Self-audit: 0 production code vulnerabilities
  • 29 resilience tests: garbage responses, timeouts, crashes, malformed streams
  • Memory profiling: 2.3KB/finding, 15MB/1000 correlations
  • Error message audit — 7 messages improved with actionable guidance
Phase 8 Complete

Documentation

April 2026

  • Complete README.md with all 10 required sections
  • CONTRIBUTING.md with development setup and check-writing guides
  • 11 individual check documentation pages in docs/checks/
  • 6 Architecture Decision Records (ADR-001 through ADR-006)
  • CHANGELOG.md following Keep a Changelog format
  • Full godoc (92 Go symbols) and docstring (16 Python symbols) coverage
Phase 7 Complete

Distribution

April 2026

  • Python engine embedded into Go binary via go:embed
  • Auto-extraction to ~/.fendix/engine/ on first run with version stamp
  • Graceful fallback if Python not installed (whitebox skipped with clear message)
  • GitHub Actions release workflow: linux/amd64, darwin/amd64, darwin/arm64
  • Multi-stage Dockerfile with non-root user
  • curl-pipe installer with platform detection and sha256 verification
  • Homebrew formula (brew tap fendix/tap && brew install fendix)
Phase 6 Complete

Reporting & CI/CD

April 2026

  • JSON reporter with full scan metadata (mode, endpoints, source counts)
  • Self-contained HTML report with JS sorting, expand/collapse, print CSS
  • SARIF 2.1.0 reporter — GitHub Code Scanning compatible
  • fendix report command — re-render JSON to HTML/SARIF without re-scanning
  • Baseline diff mode: --baseline and --save-baseline for PR workflows
  • CI/CD integration docs with GitHub Actions examples
Phase 5 Complete

Active Scanner

March 2026

  • Safe probe framework with audit log and legal disclaimer
  • Time-based blind SQL injection detection (MySQL, PostgreSQL, MSSQL)
  • Command injection canary detection with safe echo payloads
  • CRLF header injection probes
  • Per-endpoint probe rate limiter (max 20 probes/endpoint)
  • --enable-active gate ensures probes never run by default
Phase 4 Complete

Hybrid Engine & Orchestration

March 2026

  • Go subprocess spawner for Python engine with full IPC
  • Streaming Finding reader with malformed-line resilience
  • Correlator: endpoint normalization, fuzzy matching, severity escalation
  • .fendix-ignore suppression with YAML rules and expiry dates
  • Baseline diff for tracking new vs. existing findings
  • --fail-on exit code logic for CI/CD gates
Phase 3 Complete

Auth Scanner

March 2026

  • AuthContext model with multi-source credential resolution
  • Unauthenticated access detection on protected endpoints
  • JWT bypass checks: none algorithm, expired token, signature strip
  • IDOR two-account access control verification
  • Credential masking ([REDACTED]) in all report formats
  • ~/.fendix/profiles/ persistent config system
Phase 2 Complete

White-Box Engine

March 2026

  • Python engine.py with full IPC contract and error handling
  • Secrets analyzer: 7 pattern types (AWS, PEM, API key, JWT, DB URI, etc.)
  • OpenAPI spec parser for 2.0 and 3.x with 4 auth checks
  • Semgrep rules for auth, injection, and secrets
  • AST analyzer for Python and JavaScript code patterns
  • Dependency CVE checker via pip-audit and npm audit
Phase 1 Complete

Passive Scanner & Reporting

February 2026

  • Endpoint crawler with spec parsing, JS discovery, and brute-force
  • Security headers, CORS, data exposure, and rate limit checks
  • Worker pool concurrency model
  • JSON reporter with scan metadata
  • Self-contained HTML reporter with color-coded severity
  • Orchestrator wiring for all passive checks
Phase 0 Complete

Foundation

February 2026

  • Go module and Python package initialization
  • Finding, ScanConfig, and severity scoring models
  • Cobra CLI skeleton with version command
  • GitHub Actions CI workflow
  • Makefile for build, test, lint, and clean
  • ADR-001 and ADR-002 architecture decision records

v0.7.0 shipped May 1, 2026 — the wedge is defensible. Phase 14 closed with the GitHub App; Phase 15 shipped open-source ratification (ADR-007), the plugin system (out-of-tree extension via NDJSON IPC), and reachability correlation (taint chains lift agreed findings to a build-failing severity tier). Every artifact still carries cosign keyless sidecars verifiable against the build's GitHub Actions OIDC identity.

Download a releaseRead the docs