snitch-stitch
Inspiration
Security vulnerabilities hide in plain sight. Developers ship code daily without realizing they've left SQL injection holes, hardcoded API keys, or command injection vectors throughout their codebase. Professional security audits cost thousands and take weeks. We wanted to give every developer the power to find and fix real vulnerabilities in minutes, not months.
What it does
snitch-stitch is a CLI tool that acts as your personal security auditor. Point it at any Git repository, and it:
- Ingests your entire codebase into a format an LLM can analyze
- Scans backend code using GPT to detect real vulnerabilities including SQL injection, command injection, hardcoded secrets, path traversal, insecure deserialization, and more
- Ranks findings by severity using a scoring system based on exposure, exploitability, and impact
- Generates minimal fixes for each vulnerability and shows you a colored diff
- Applies fixes directly to your files when you approve them
One command. Real vulnerabilities. Actual fixes written to files.
How we built it
- Python CLI using Click for argument parsing and orchestration
- gitingest to convert entire repositories into prompt-friendly text
- OpenAI API (Claude Sonnet 4.5 with extended thinking) for deep security analysis and fix generation
- Simple string replacement for applying fixes, just find and replace what the LLM identifies
The architecture is intentionally linear: ingest → scan backend → rank → fix. Each stage is its own module, making the tool easy to extend.
Challenges we ran into
- PDD errors: Prompt files sometimes weren't generated and the process would abruptly stop partway through, forcing us to restart.
- Token limits: Large repositories exceed OpenAI's TPM limits. We had to handle a large number of errors gracefully and consider chunking strategies for massive codebases.
- Fix accuracy: Getting the LLM to return exact string matches for the vulnerable code block is tricky. If it paraphrases or reformats, the fix can't be applied.
- Balancing automation vs. safety: The tool writes directly to files. We added a --dry-run mode and explicit accept/reject prompts to prevent accidental damage.
Accomplishments that we're proud of
- End-to-end automation: From raw repo to fixed code in one command
- Real vulnerability detection: No theoretical warnings, only issues that exist in the actual code
- Human-in-the-loop fixes: You see exactly what changes before they're applied
- Dual scanning: Both static analysis of source code AND dynamic testing of the backend
- Clean UX: Colored diffs, severity tables, and clear progress indicators make it pleasant to use
What we learned
- LLMs are surprisingly good at security analysis when given specific instructions and the full code context
- The hardest part of automated fixing isn't generating the fix; it's locating the exact code to replace
- Browser automation for security testing is powerful but needs guardrails
- Simple tools that do one thing well are more useful than complex frameworks
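The exact-match problem raised under Challenges and What we learned, as an added example that is not snitch-stitch's own code: the replacement is applied only when the LLM's quoted block is found exactly once (with a whitespace-insensitive fallback for pure reformatting), and a unified diff is produced for the accept/reject step. The sample source, the `locate` and `apply_fix` names and the file name `app.py` are constructed for illustration.

```python
"""Added example, not snitch-stitch's own code: apply an LLM-proposed fix by
exact string replacement, refusing when the quoted block is paraphrased or
ambiguous. Sample source and function names are constructed."""
import difflib
import re
from typing import Optional, Tuple


def _normalize(text: str) -> str:
    # Collapse whitespace runs so an indentation-only reformat still matches.
    return re.sub(r"\s+", " ", text).strip()


def locate(source: str, vulnerable: str) -> Optional[Tuple[int, int]]:
    """Offsets of `vulnerable` in `source`, or None. Exact match first; if the
    LLM only changed whitespace, fall back to a window of whole lines compared
    whitespace-insensitively. Either way the block must match exactly once."""
    count = source.count(vulnerable)
    if count > 1:
        return None  # ambiguous: refuse rather than patch the wrong block
    if count == 1:
        start = source.index(vulnerable)
        return start, start + len(vulnerable)
    lines = source.splitlines(keepends=True)
    window = len(vulnerable.splitlines())
    target = _normalize(vulnerable)
    hits = [i for i in range(len(lines) - window + 1)
            if _normalize("".join(lines[i:i + window])) == target]
    if len(hits) != 1:
        return None  # paraphrased (0 hits) or ambiguous (>1 hits)
    start = sum(len(line) for line in lines[:hits[0]])
    return start, start + len("".join(lines[hits[0]:hits[0] + window]))


def apply_fix(source: str, vulnerable: str, fixed: str) -> Tuple[Optional[str], str]:
    """Return (patched_source, unified_diff); patched_source is None when the
    fix cannot be placed safely, so the caller reports it instead of guessing."""
    span = locate(source, vulnerable)
    if span is None:
        return None, ""
    start, end = span
    patched = source[:start] + fixed + source[end:]
    diff = "".join(difflib.unified_diff(
        source.splitlines(keepends=True), patched.splitlines(keepends=True),
        fromfile="app.py", tofile="app.py (fixed)"))
    return patched, diff


# Constructed sample: a SQL-injection sink and the minimal fix an LLM might propose.
SOURCE = ("def get_user(cur, name):\n"
          "    cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
          "    return cur.fetchone()\n")
VULNERABLE = "    cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
FIXED = "    cur.execute(\"SELECT * FROM users WHERE name = %s\", (name,))\n"
```

Because the fallback replaces whole lines, the `fixed` text should carry its own indentation and trailing newline, as the sample does.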
What's next for snitch-stitch
- Scanning your running frontend with rtrvr.ai to probe for XSS, authentication bypass, IDOR, and other client-side issues
- Chunked scanning for repositories too large to fit in a single prompt
- CI/CD integration to run automatically on pull requests
- Custom rule definitions so teams can add their own vulnerability patterns
- Fix verification to automatically test that fixes don't break functionality
- Support for more LLM providers
- Detailed HTML reports for sharing with security teams
Built With
- gitingest
- python