fimil platform

From git push to merged fix.

What actually happens inside Fimil: one pipeline that scans, deduplicates, correlates, prioritizes, and remediates.

  1. 01 Scan: 15 scanners + the agent, isolated runs
     semgrep · trivy · grype · gitleaks · checkov · zap · nuclei · prowler
  2. 02 Normalize: one finding schema
  3. 03 Deduplicate: fingerprints + groups · 4,213 → 387
  4. 04 Prioritize: severity · age · reach · EPSS · epss 0.91 reachable
  5. 05 Fix: ready-to-merge PRs · PR #482 opened

stage 01 · scan

Fifteen scanners plus the agent, one orchestrator.

Each scanner runs in an isolated environment; outputs normalize into a single finding schema. SAST, SCA, containers, SBOM, secrets, IaC, DAST, CSPM — and the AI Pentest Agent alongside them.

  • Semgrep · SAST
  • Bandit · SAST · Python
  • Gosec · SAST · Go
  • Trivy · SCA
  • Grype · SCA
  • OSV-Scanner · SCA
  • Trivy Image · Containers
  • Syft · SBOM
  • Gitleaks · Secrets
  • TruffleHog · Secrets
  • Checkov · IaC
  • Hadolint · IaC · Docker
  • OWASP ZAP · DAST
  • Nuclei · DAST
  • Prowler · CSPM
  • Pentest Agent · AI Pentest

stage 02 · deduplicate

Trivy and Grype found the same CVE. You see one finding.

Fingerprints collapse identical findings across scanners; finding groups link related ones with four correlation types — so a Terraform misconfiguration and the container it produced read as one story, not two tickets.

  • same-location — Two scanners flag the same file and line.
  • code + vulnerable dep — Your code calls into a dependency with a known CVE.
  • IaC + container — A misconfiguration and the image it produces, linked.
  • shared CVE / CWE — The same weakness surfacing across artifacts.
app.fimil.dev/findings · Findings 9 of 47 shown
  • critical · SQL injection in user search · api/users.py:84 · CWE-89
  • critical · AWS access key committed · services/deploy.ts:12 · AKIA···REDACTED
  • high · Command injection in lodash · CVE-2021-23337 · lodash@4.17.20 · package-lock.json
  • medium · S3 bucket allows public read · infra/storage.tf:33 · CKV_AWS_20
  • low · Outdated base image packages · Dockerfile · debian:bookworm-slim

stage 03 · prioritize

A score you can audit.

The composite is published, not proprietary: 70% severity, 15% age, 10% reachability, 5% EPSS. Call-graph reachability goes beyond direct-vs-transitive — it walks your code to the vulnerable function and shows the chain, with a confidence rating.

priority_factors · 94 / 100
  severity: critical → 66.5
  age: 34 days → 12.0
  reachability: reachable → 10.0
  epss: 0.91 → 4.6
  call chain: api/handler.py:42 → utils/parse.py:18 → lodash.merge() · confidence: high

stage 04 · triage

Rules, not heroics.

Auto-triage rules match on rule id, CVE, package, path, or title — first match wins, and every status change lands in an audit trail. Mark a test fixture as accepted-risk once; never see it again, and always be able to show why.

rule: test-fixtures-fp · priority 10
  if file_path ~ ^tests/fixtures/ → FALSE_POSITIVE

audit: finding f_8a21 OPEN → FALSE_POSITIVE
  by: triage-rule test-fixtures-fp
  at: 2026-06-02T14:11:09Z
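The first-match-wins rule evaluation and the audit entry above, as an added Python example that is not Fimil's code: the Rule and Finding classes, their field names, lower-number-first priority order and regex matching with re.search are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example, not Fimil's own code. Field names, the priority order
# (lower number evaluated first) and re.search matching are assumptions.

@dataclass
class Rule:
    name: str
    priority: int   # lower number is evaluated first (assumption)
    field: str      # one of: rule_id, cve, package, file_path, title
    pattern: str    # regular expression applied with re.search
    status: str     # status the finding is moved to on match

@dataclass
class Finding:
    id: str
    status: str = "OPEN"
    rule_id: str = ""
    cve: str = ""
    package: str = ""
    file_path: str = ""
    title: str = ""

def utc_now_iso():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def triage(finding, rules, at=None):
    """Apply rules in priority order; the first match wins and later rules
    are never consulted. Returns the audit-trail entry, or None when no rule
    matched (the finding is left untouched)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if re.search(rule.pattern, getattr(finding, rule.field, "")):
            entry = {"finding": finding.id, "from": finding.status,
                     "to": rule.status, "by": f"triage-rule {rule.name}",
                     "at": at or utc_now_iso()}
            finding.status = rule.status
            return entry
    return None

# Constructed rule set: the page's fixture rule plus a hypothetical CVE rule.
RULES = [
    Rule("test-fixtures-fp", 10, "file_path", r"^tests/fixtures/", "FALSE_POSITIVE"),
    Rule("lodash-cve-accepted", 20, "cve", r"^CVE-2021-23337$", "ACCEPTED_RISK"),
]

if __name__ == "__main__":
    # Constructed finding that matches both rules: the priority-10 rule wins.
    f = Finding("f_8a21", file_path="tests/fixtures/sqli.py", cve="CVE-2021-23337")
    print(triage(f, RULES, at="2026-06-02T14:11:09Z"))
```

Because ordering decides the outcome, a broad rule with a low priority number silently shadows narrower ones; the audit entry records which rule fired, which is what lets you show why a finding left OPEN.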

stage 05 · fix

Remediation across four surfaces.

All delivered as pull requests with diffs — review and merge, don't transcribe.

Dependencies

Semver-aware bumps across 7+ package ecosystems, with confidence scoring on every upgrade.

Infrastructure as code

Terraform, CloudFormation, and Kubernetes manifest fixes, validated after patching.

Code

75+ CWE-specific handlers across Python, JavaScript, Go, Java, C#, Ruby, Rust, and PHP — parameterized queries, output encoding, safe deserialization.

Secrets

Rotation and revocation guidance per secret type, opened as an actionable PR.

Open · fix(deps): bump lodash 4.17.20 → 4.17.21
fimil/fix-CVE-2021-23337 → main
package.json
    "dependencies": {
      "express": "^4.21.2",
-     "lodash": "4.17.20",
+     "lodash": "4.17.21",
      "pino": "^9.6.0"
    }
fimil-bot · All checks passed · Closes #482
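Review bot: the CVE-2021-23337 finding above is reported against package-lock.json, but the diff shown touches only package.json; confirm the lockfile is regenerated in the same PR, since otherwise `npm ci` keeps installing lodash 4.17.20 and the check run passes on an unfixed tree. Keeping the exact pin `"lodash": "4.17.21"` (no caret) matches the original pin, so that part is consistent.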

integration

Six ways in.

The pipeline meets you wherever your code already lives.

SCM integrations

GitHub, GitLab, and Bitbucket: OAuth, repo sync, webhooks, PR check runs, and commit status.

Notifications

Slack, email, and custom webhooks with per-user preferences.

CLI

A pre-commit gate and CI commands: scan, wait, check — fail builds on your policy.

MCP server

More than 40 tools covering scans, findings, triage, remediation, reports, pentest runs, and webhooks.

Kubernetes operator

Declarative custom resources for self-hosted installs and upgrades.

REST API

Everything the dashboard does, scriptable.

deployment

SaaS or self-hosted.

Fimil Cloud for zero-ops, or the full platform inside your own network — including air-gapped installs — with license tiers for both.

How we handle your code

See the whole pipeline on your own repos.

Connect a repo, run a scan, and watch fifteen scanners become one signal.