spec sheet
Everything Fimil does, on one page.
The dense version. For the story, read how the pipeline works or meet the pentest agent.
scanning
Eight scanning categories
Fifteen open-source scanners, isolated runs, one normalized output schema.
SAST
Static analysis with Semgrep, Bandit, and Gosec. Find injection, crypto, and logic flaws in source before deployment.
SCA
Dependency scanning with Trivy, Grype, and OSV-Scanner across every major ecosystem — deduplicated into one finding per CVE.
Secrets detection
Gitleaks and TruffleHog find exposed API keys, passwords, and tokens — with rotation guidance per secret type.
IaC security
Checkov and Hadolint scan Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles for misconfigurations.
Container scanning
Trivy analyzes images layer by layer — base image CVEs, stale packages, bad configs.
DAST
OWASP ZAP and Nuclei probe your running app from outside: missing headers, exposed panels, known-template vulnerabilities.
CSPM
Prowler audits AWS, Azure, and GCP accounts for cloud misconfigurations — correlated with the IaC that caused them.
SBOM generation
Syft generates CycloneDX and SPDX software bills of materials per scan, stored and exportable for compliance.
flagship
AI Pentest Agent
- 15 attack vectors, from SQLi and IDOR to SSTI and JWT attacks
- Every finding replay-validated before it is reported
- PoC + curl reproduction export, compliance mappings, advisory fix PRs
intelligence
One signal, not sixteen feeds
Cross-scanner dedup
Fingerprints collapse the same issue found by multiple scanners into one finding with every source credited.
Finding groups
Four correlation types link related findings: same-location, code + vulnerable dep, IaC + container, shared CVE/CWE.
Priority scoring
An auditable composite: 70% severity, 15% age, 10% reachability, 5% EPSS — published weights, no black box.
Call-graph reachability
Walks your code to the vulnerable function and shows the call chain with a confidence rating — beyond direct vs. transitive.
EPSS enrichment
Exploit Prediction Scoring System data on every CVE: the estimated probability that it will be exploited in the wild.
Auto-triage rules
Match on rule id, CVE, package, path, or title; first match wins; every transition lands in an audit trail.
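As an added illustration of the scoring and triage steps above (not Fimil's own code), a Python sketch that computes the composite with the published weights, returns each weighted term so the score can be audited, and applies first-match triage rules that write an audit trail. The field names, the per-component normalisation, glob-style matching and the sample finding are all assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Published weights from the spec sheet; the normalisation below is assumed.
WEIGHTS = {"severity": 0.70, "age": 0.15, "reachability": 0.10, "epss": 0.05}
SEVERITY_SCALE = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25, "info": 0.0}
AGE_CAP_DAYS = 365  # assumed: the age term saturates after one year open


@dataclass
class Finding:
    rule_id: str
    cve: str
    package: str
    path: str
    title: str
    severity: str
    age_days: int
    reachability: float  # call-graph confidence, 0.0 (unreachable) to 1.0
    epss: float          # EPSS probability, 0.0 to 1.0
    state: str = "open"
    audit: list = field(default_factory=list)


def priority_components(f: Finding) -> dict:
    """Each weighted term kept separate, so the final score is auditable."""
    normalized = {
        "severity": SEVERITY_SCALE[f.severity],
        "age": min(f.age_days, AGE_CAP_DAYS) / AGE_CAP_DAYS,
        "reachability": f.reachability,
        "epss": f.epss,
    }
    return {k: round(WEIGHTS[k] * normalized[k], 4) for k in WEIGHTS}


def priority_score(f: Finding) -> float:
    """Composite score on a 0-100 scale."""
    return round(100 * sum(priority_components(f).values()), 1)


def apply_triage(f: Finding, rules: list) -> Finding:
    """A rule matches one field (rule_id, cve, package, path or title) with a
    glob; the first matching rule wins and the transition is logged."""
    for rule in rules:
        if fnmatch(getattr(f, rule["field"]), rule["pattern"]):
            f.audit.append({"rule": rule["name"], "from": f.state, "to": rule["state"]})
            f.state = rule["state"]
            break
    return f


# Constructed sample (placeholder CVE id): a reachable high-severity dependency
# finding that has been open for two years.
SAMPLE = Finding("grype:vuln", "CVE-0000-0000", "example-lib", "src/app.py",
                 "Deserialization in example-lib", "high", 730, 0.9, 0.42)
RULES = [
    {"name": "ignore test fixtures", "field": "path", "pattern": "tests/*", "state": "false_positive"},
    {"name": "risk accepted: example-lib", "field": "package", "pattern": "example-lib", "state": "accepted"},
]
```

Running `priority_components(SAMPLE)` shows the four contributions, and `apply_triage(SAMPLE, RULES)` records which rule moved the finding and from which state.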
remediation
Fixes as pull requests
Dependency fix PRs
Semver-aware bumps across 7+ ecosystems with upgrade-confidence scoring.
IaC fix PRs
Terraform, CloudFormation, and Kubernetes fixes, validated after patching.
Code fix PRs
75+ CWE-specific handlers across Python, JS, Go, Java, C#, Ruby, Rust, and PHP.
Pentest advisory PRs
Confirmed agent findings open a PR with the PoC, curl repro, and remediation guidance.
workflow
Workflow & integrations
PR checks
GitHub check runs, GitLab and Bitbucket commit status — block merges on your policy.
Diff-aware scanning
PR scans compare against the base branch: only new findings, not the backlog.
Scan policies
Severity thresholds that fail CI builds when findings exceed your tolerance.
Scanner profiles
Reusable configurations per stack — Python, Node, Go, Java — tuned once, used everywhere.
CLI
Pre-commit gate and CI commands with retry-safe API access.
MCP server
More than 40 tools for AI assistants: scans, findings, triage, remediation, reports, pentest.
Kubernetes operator
Declarative installs for self-hosted clusters via custom resources.
Notifications
Slack, email, and custom webhooks with per-user preferences.
deployment
Fimil Cloud or self-hosted
Multi-tenant SaaS with usage-based pentest billing, or licensed single-tenant in your own network — including air-gapped installs.
See it against your own repos.
Get early access and run your first scan. No credit card required.