
Finds it. Proves it. Fixes it.

Fifteen production scanners across code, dependencies, containers, IaC, secrets, and cloud — plus an autonomous pentest agent (beta, sharpest on APIs and server-rendered apps) that validates every finding by replaying the exploit and opens the fix PR.

~/acme/api
Terminal transcript:
fimil scan ./api
semgrep         14 findings
trivy           31 findings
gitleaks         2 findings
+ 12 more scanners
deduplicated    47 raw → 9 findings
SQLi api/users.py:84 — exploit replayed 2/2
fix PR #482 opened

what's inside

No adjectives. Just the numbers.

Every number links to the page that proves it.

finds

One scan, every layer.

Fifteen open-source scanners across SAST, SCA, containers, secrets, IaC, DAST, CSPM, and SBOM run as one pipeline. Cross-scanner fingerprinting collapses the same CVE found by Trivy and Grype into a single finding — with every source credited.
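As an added illustration of the cross-scanner fingerprinting described above (example code written here, not Fimil's implementation): SCA results from several scanners are keyed on CVE, package, version and manifest path, and every scanner that reported the same key is credited on the single merged finding. The identity key, the severity ranking and the sample rows are assumptions.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class RawFinding:   # one SCA result exactly as a single scanner reported it
    scanner: str
    cve: str
    package: str
    version: str
    location: str
    severity: str

@dataclass
class Finding:      # the merged finding, crediting every scanner that saw it
    cve: str
    package: str
    version: str
    location: str
    severity: str
    sources: list[str] = field(default_factory=list)

def fingerprint(f: RawFinding) -> tuple[str, str, str, str]:
    # Assumed identity key (scanner-independent): CVE, package, version, manifest path.
    return (f.cve.upper(), f.package.lower(), f.version, f.location)

def deduplicate(raw: list[RawFinding]) -> list[Finding]:
    merged: dict[tuple, Finding] = {}
    for f in raw:
        key = fingerprint(f)
        if key not in merged:
            merged[key] = Finding(*key, f.severity.lower(), [f.scanner])
            continue
        m = merged[key]
        if f.scanner not in m.sources:
            m.sources.append(f.scanner)
        # Scanners may disagree on severity; keep the most severe rating.
        if SEVERITY_RANK.get(f.severity.lower(), 0) > SEVERITY_RANK.get(m.severity, 0):
            m.severity = f.severity.lower()
    return list(merged.values())

# Constructed sample: three scanners hit the page's lodash CVE in one lockfile, one hit elsewhere.
RAW = [
    RawFinding("trivy", "CVE-2021-23337", "lodash", "4.17.20", "package-lock.json", "high"),
    RawFinding("grype", "cve-2021-23337", "lodash", "4.17.20", "package-lock.json", "high"),
    RawFinding("osv-scanner", "CVE-2021-23337", "lodash", "4.17.20", "package-lock.json", "medium"),
    RawFinding("trivy", "CVE-2021-23337", "lodash", "4.17.20", "web/package-lock.json", "high"),
]
for fnd in deduplicate(RAW):  # 4 raw rows collapse to 2 findings
    print(f"{fnd.severity:8} {fnd.cve} {fnd.location}  via {', '.join(fnd.sources)}")
```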

How the pipeline works
app.fimil.dev/findings
Findings · 9 of 47 shown
critical  SQL injection in user search   api/users.py:84 · CWE-89
critical  AWS access key committed       services/deploy.ts:12 · AKIA···REDACTED
high      Command injection in lodash    CVE-2021-23337 · lodash@4.17.20 · package-lock.json
medium    S3 bucket allows public read   infra/storage.tf:33 · CKV_AWS_20
low       Outdated base image packages   Dockerfile · debian:bookworm-slim

proves

No finding ships without a working exploit.

The pentest agent doesn't pattern-match — it attacks across 15 vectors, and a validator replays every candidate exploit before it reaches your dashboard. Each confirmed finding exports a PoC and a copy-paste curl reproduction.

Meet the pentest agent
pentest-agent · run #db41 · IDOR
  1. discover   IDOR candidate: integer object id
     BFS crawl + OpenAPI ingest — 142 routes mapped
     GET /api/v1/orders/{id} → 200
  2. attempt    Cross-account read with a second session
     order_id=1337 → 1338 · session B
  3. validate   CONFIRMED: foreign record returned
     Exploit replayed before reporting — 2/2 reproductions
  4. proof      Advisory fix PR opened
     PoC + copy-paste reproduction exported
     curl -s 'https://staging.acme.dev/api/v1/orders/1338' -H 'Cookie: session=B···'
scope guard: 2 off-scope requests blocked · audit logged

fixes

The finding is the pull request.

Semver-aware dependency bumps across 7+ ecosystems, Terraform/CloudFormation/Kubernetes fixes, code fixes from 75+ CWE-specific handlers across eight languages, and advisory fix PRs opened from confirmed pentest findings — each one a ready-to-merge diff.

See the remediation engine
Open · fix(deps): bump lodash 4.17.20 → 4.17.21
fimil/fix-CVE-2021-23337 → main
package.json
   "dependencies": {
     "express": "^4.21.2",
-    "lodash": "4.17.20",
+    "lodash": "4.17.21",
     "pino": "^9.6.0"
   }
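Review bot: the finding this PR remediates is credited to package-lock.json in the findings list above, but the diff touches only package.json; the lockfile should be regenerated in the same PR so that lockfile-based installs actually resolve "lodash": "4.17.21" rather than keeping the locked 4.17.20.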
fimil-bot · All checks passed · Closes #482

one signal

A priority score you can audit.

Not a black box: 70% severity, 15% age, 10% reachability, 5% EPSS. Call-graph reachability looks past direct-vs-transitive to whether the vulnerable function is actually called — and shows you the call chain.

Priority score: 94
severity 70% · age 15% · reachability 10% · EPSS 5%
handler.py:42 → utils/parse.py:18 → lodash.merge()  reachable

workflow

Meet your code where it lives.

Six ways into the platform — none of them require changing how you ship.

GitHub, GitLab & Bitbucket

OAuth connect, webhooks, PR checks, and commit status on every push.

Notifications

Slack, email, and custom webhooks, with per-user preferences.

CLI

Pre-commit gate and CI integration for shift-left scanning.

MCP server

More than 40 tools so your AI assistant can run scans, triage, and remediation.

Kubernetes operator

Declarative installs and upgrades for self-hosted clusters.

SaaS or self-hosted

Fimil Cloud, or run the whole platform inside your own network.

built on open source

Fifteen scanners. One agent. One orchestrator.

Fimil orchestrates best-in-class open-source scanners — and adds the layers they can't: validation, correlation, and remediation.

Semgrep · SAST
Bandit · SAST · Python
Gosec · SAST · Go
Trivy · SCA
Grype · SCA
OSV-Scanner · SCA
Trivy Image · Containers
Syft · SBOM
Gitleaks · Secrets
TruffleHog · Secrets
Checkov · IaC
Hadolint · IaC · Docker
OWASP ZAP · DAST
Nuclei · DAST
Prowler · CSPM
Pentest Agent · AI Pentest

pricing

Start free. Pay for what you scan.

AI Pentest is usage-based on paid plans — you pay per confirmed finding, and false positives are credited.

Free

For individual developers

$0
  • 3 repositories
  • 10 scans/month
  • Email notifications
Team · Most Popular

For growing teams

$29 / user / mo
  • 10 repositories
  • 100 scans/month
  • Slack, API access & SBOM export
  • AI Pentest — 2 runs/mo

Business

For larger organizations

$79 / user / mo
  • 50 repositories
  • 500 scans/month
  • Auto-triage & auto-fix PRs
  • AI Pentest — 10 runs/mo
  • Priority support

Get Started Today

Start free with 3 repos. No credit card required. Upgrade when you need more.