AI-powered CLI that orchestrates Claude Code agents to scan vulnerabilities, fix dependencies, review PRs, generate tests, triage incidents, and track DORA metrics
Project description
dobbe is moving to a new architecture. The next version runs as an MCP server inside Claude Code — faster, more reliable, and no subprocess overhead. See the Migration Guide for details. Current CLI (v0.8.x) continues to work but will not receive new features.
dobbe
Scan. Fix. Test. Retry. Ship. — All from your terminal.
AI agents that autonomously resolve vulnerabilities, review PRs, generate tests, and track engineering metrics across your GitHub repos.
Demo
```text
$ dobbe vuln resolve --repo acme/web-app

dobbe v0.6.0 - AI Engineering Platform

● Discovering MCP servers... GitHub ✓ Slack ✓
● Resolving repository... acme/web-app (main)
● Creating fix branch... fix/dobbe-security-2026-03-21

┌─────────────────────────────────────────────────────┐
│ SCAN - Fetching Dependabot alerts                   │
└─────────────────────────────────────────────────────┘
Found 12 alerts. Triaging with AI...

┌──────┬──────────────────┬──────────┬────────────────┐
│  #   │ Package          │ Severity │ AI Triage      │
├──────┼──────────────────┼──────────┼────────────────┤
│  1   │ lodash 4.17.20   │ Critical │ Fix - in path  │
│  2   │ express 4.17.1   │ High     │ Fix - in path  │
│  3   │ semver 7.3.5     │ Medium   │ Skip - unused  │
└──────┴──────────────────┴──────────┴────────────────┘

┌─────────────────────────────────────────────────────┐
│ FIX - Upgrading 2 dependencies                      │
└─────────────────────────────────────────────────────┘
✓ lodash 4.17.20 → 4.17.21
✓ express 4.17.1 → 4.21.0

┌─────────────────────────────────────────────────────┐
│ VERIFY - Running tests (attempt 1/3)               │
└─────────────────────────────────────────────────────┘
✓ 847 tests passed

┌─────────────────────────────────────────────────────┐
│ REPORT - Creating pull request                      │
└─────────────────────────────────────────────────────┘
✓ PR #142 opened: fix/dobbe-security-2026-03-21
  https://github.com/acme/web-app/pull/142
```
Why dobbe?
Other tools bump versions and hope for the best. dobbe works like an engineer:
- Fixes that actually work — Upgrades dependencies, runs your test suite, reads the errors, reverts, and retries with a different approach. Opens a PR only when tests pass.
- AI triage, not alert fatigue — Analyzes each CVE against your actual code paths. Tells you which alerts matter and which are noise.
- Reviews that don't bottleneck — Posts inline PR comments across security, performance, and correctness — so humans focus on architecture.
- No SaaS, no vendor lock-in — Open source, MIT licensed, runs locally. Your code never leaves your machine.
Features
AI-Powered
| Command | Description |
|---|---|
| `dobbe vuln scan` | Scan repos for vulnerabilities, triage with AI |
| `dobbe vuln resolve` | Agentic fix loop: scan, upgrade, test, iterate |
| `dobbe review digest` | AI-powered PR review digest (supports a single PR with `--pr`) |
| `dobbe review post` | Post AI reviews to GitHub |
| `dobbe audit report` | Security posture audit with compliance templates |
| `dobbe deps analyze` | Dependency health, licensing, and usage analysis |
| `dobbe test gen` | Generate tests for coverage gaps |
| `dobbe changelog gen` | AI-generated release notes |
| `dobbe migration plan` | Dependency migration planning and execution |
| `dobbe incident triage` | Sentry incident triage with AI |
Tools
| Command | Description |
|---|---|
| `dobbe metrics velocity` | PR velocity and cycle time metrics |
| `dobbe metrics dora` | DORA metrics |
| `dobbe scan secrets` | Secrets and credentials scanner |
| `dobbe workflow` | Multi-step workflow automation |
| `dobbe schedule` | Recurring task automation |
| `dobbe setup` | Interactive configuration wizard |
| `dobbe doctor` | Environment health diagnostics |
| `dobbe config` | View and manage configuration |
Quick Start
```bash
pip install dobbe             # or: pipx install dobbe
dobbe setup                   # interactive config wizard
dobbe vuln scan               # auto-detects repo from CWD
dobbe vuln resolve            # scan → fix → test → PR (fully autonomous)
dobbe review digest --pr 42   # AI review of a single PR
```
First time? See the Getting Started guide for prerequisites and a walkthrough.
dobbe vs. the Alternatives
Dependabot opens a PR and walks away. Renovate auto-merges and hopes CI catches breakage. dobbe runs tests, reads failures, and iterates — the way you would.
| Feature | dobbe | Dependabot | Renovate | Snyk |
|---|---|---|---|---|
| Auto-bump versions | Yes | Yes | Yes | Yes |
| AI code path analysis | Yes | - | - | - |
| Run tests before PR | Yes | - | - | - |
| Retry on test failure | Yes | - | - | - |
| AI PR code reviews | Yes | - | - | - |
| AI test generation | Yes | - | - | - |
| DORA/velocity metrics | Yes | - | - | - |
| Incident triage | Yes | - | - | - |
| Workflow automation | Yes | - | - | - |
| Dependency migration | Yes | - | - | - |
| Org-wide batch scanning | Yes | - | Yes | Yes |
| Terminal-native CLI | Yes | - | - | Yes |
| Open source | Yes | Yes* | Yes | - |
| No SaaS required | Yes | - | Self-host | - |
*Dependabot is open source but tightly coupled to GitHub's hosted infrastructure.
How It Works
The dobbe vuln resolve pipeline orchestrates multiple AI agents in a feedback loop:
```text
          ┌─────────────────────────────────────┐
          │      dobbe vuln resolve --repo      │
          └──────────────┬──────────────────────┘
                         │
                         v
          ┌─────────────────────────────────────┐
          │   MCP Discovery + Repo Resolution   │
          └──────────────┬──────────────────────┘
                         │
                         v
          ┌─────────────────────────────────────┐
          │     Create fix branch from base     │
          └──────────────┬──────────────────────┘
                         │
                         v
          ┌─────────────────────────────────────┐
          │             SCAN AGENT              │
          │   Fetch Dependabot alerts,          │
          │   triage risk with code analysis    │
          └──────────────┬──────────────────────┘
                         │
                   ┌─────┴─────┐
                   │ Dry run?  │
                   └─────┬─────┘
                 yes |       | no
                     v       v
                ┌────────┐ ┌─────────────────────┐
                │ Report │ │      FIX AGENT      │<───┐
                │  and   │ │  Upgrade deps,      │    │
                │  exit  │ │  update lockfiles   │    │
                └────────┘ └──────────┬──────────┘    │
                                      │               │
                                      v               │
                             ┌──────────────────┐     │
                             │    Git commit    │     │
                             └────────┬─────────┘     │
                                      │               │
                                      v               │
                             ┌──────────────────┐     │
                             │   VERIFY AGENT   │     │
                             │  Run tests,      │     │
                             │  check breaking  │     │
                             │  changes         │     │
                             └────────┬─────────┘     │
                                      │               │
                                ┌─────┴─────┐         │
                                │   Pass?   │         │
                                └─────┬─────┘         │
                            yes |       | no          │
                                │       v             │
                                │ ┌────────────┐      │
                                │ │ Iterations │      │
                                │ │   left?    │      │
                                │ └─────┬──────┘      │
                                │ yes |    | no       │
                                │     │    │          │
                                │     v    │          │
                                │ Revert,  │          │
                                │ feed back├──────────┘
                                │ errors   │
                                │          │
                                v          v
                              ┌──────────────────┐
                              │   REPORT AGENT   │
                              │   Executive      │
                              │   summary        │
                              └────────┬─────────┘
                                       │
                                       v
                              ┌──────────────────┐
                              │    Create PR     │
                              │  (if converged)  │
                              └──────────────────┘
```
Each agent has scoped tool access - the fix agent can edit files, the verify agent can only read and run tests, and the report agent can only read. See the resolve pipeline deep dive for full details.
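As an added illustration of the loop and the scoped tool access described above (example code, not dobbe's own implementation), the following Python models the fix, commit, verify, revert cycle with a per-agent tool scope check; `Workspace`, `SCOPES`, the fake agents and the sample alerts are all constructed here and stand in for the real Claude Code agents and Dependabot data.

```python
from dataclasses import dataclass, field

# Tool scopes as the README describes them: fix edits files, verify reads and
# runs tests, report only reads. Every tool call is checked against this table.
SCOPES = {"fix": {"read", "edit"}, "verify": {"read", "test"}, "report": {"read"}}

def use_tool(agent: str, tool: str) -> None:
    if tool not in SCOPES[agent]:                # deny anything outside the agent's scope
        raise PermissionError(f"{agent} agent may not use {tool!r}")

@dataclass
class Workspace:
    versions: dict                               # package -> version on the fix branch
    history: list = field(default_factory=list)  # committed snapshots, oldest first
    def commit(self) -> None:
        self.history.append(dict(self.versions))
    def revert(self) -> None:                    # drop the failing commit, restore the last
        self.history.pop()
        self.versions = dict(self.history[-1])

def resolve(ws, alerts, fix_agent, verify_agent, max_iterations=3, dry_run=False):
    report = {"attempts": [], "converged": False}
    if dry_run:                                  # report and exit, branch untouched
        return report
    ws.commit()                                  # base snapshot that reverts return to
    feedback = []
    for attempt in range(1, max_iterations + 1):
        fix_agent(ws, alerts, feedback)
        ws.commit()
        errors = verify_agent(ws)
        report["attempts"].append({"attempt": attempt, "errors": errors})
        if not errors:
            report["converged"] = True           # only a converged run opens a PR
            break
        ws.revert()
        feedback = errors                        # failures steer the next fix attempt
    use_tool("report", "read")
    return report

# Constructed stand-ins for the Claude Code agents and sample alerts (demo only).
BREAKS = {("express", "5.0.0")}                  # upgrades the fake test suite rejects
ALERTS = [{"package": "lodash", "latest": "4.17.21", "safe": "4.17.21"},
          {"package": "express", "latest": "5.0.0", "safe": "4.21.0"}]
def fake_fix(ws, alerts, feedback):
    use_tool("fix", "edit")
    for a in alerts:                             # latest first, safe pin once tests complain
        ws.versions[a["package"]] = a["safe"] if feedback else a["latest"]
def fake_verify(ws):
    use_tool("verify", "test")
    return [f"{p}=={v} fails tests" for p, v in ws.versions.items() if (p, v) in BREAKS]
```

Running `resolve(Workspace({"lodash": "4.17.20", "express": "4.17.1"}), ALERTS, fake_fix, fake_verify)` converges on the second attempt after the express 5.0.0 bump is reverted, and an agent calling a tool outside its scope raises `PermissionError`.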
Prerequisites
- Python 3.11+
- Claude Code CLI - installed and authenticated
- gh CLI - for GitHub API access
- MCP servers (optional) - GitHub, Slack, Atlassian, Sentry for enhanced capabilities
Installation
```bash
# Install from PyPI
pip install dobbe

# Or with pipx for an isolated install
pipx install dobbe

# Development install
git clone https://github.com/nareshnavinash/dobbe.git
cd dobbe
pip install -e ".[dev]"
```
Configuration
dobbe stores configuration in ~/.dobbe/config.toml. Run dobbe setup to generate it interactively, or edit it directly:
```toml
[general]
default_org = "nareshnavinash"
default_format = "table"                  # table, json, markdown
default_severity = "critical,high,medium,low"

[notifications]
slack_channel = "#security-alerts"

[tools]
gh_path = "gh"                            # path to GitHub CLI
claude_path = "claude"                    # path to Claude Code CLI

[timeouts]
scan = 300                                # seconds per scan operation
resolve = 600                             # seconds per resolve cycle
review = 300                              # seconds per review operation
```
See the full configuration reference for all options.
Documentation
- Why dobbe? - positioning, personas, and design principles
- dobbe vs. Alternatives - detailed comparison with Dependabot, Renovate, Snyk
- Getting Started - install, setup, first scan
- Command Reference - per-command docs with flowcharts and examples
- Architecture - system design, pipeline deep dives
- Configuration Reference - full TOML reference
- CLI Reference - every command and option
- MCP Integrations - GitHub, Slack, Jira, Sentry setup
- Contributing - dev setup and PR guidelines
Contributing
```bash
git clone https://github.com/nareshnavinash/dobbe.git
cd dobbe
pip install -e ".[dev]"
pytest
```
2539 tests with 98%+ coverage. See the contributing guide for full details.
License
MIT
Download files
File details
Details for the file dobbe-0.8.0.tar.gz.
File metadata
- Download URL: dobbe-0.8.0.tar.gz
- Upload date:
- Size: 640.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.24
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e21fbee070437df18ad6f788fdaa6e7600df2a907b1425cea38fe0616a33aef6 |
| MD5 | fcbc3b87fd615185a4248ee5d2930c9a |
| BLAKE2b-256 | 173b4f8d497eec33a236be560f566e43252dd00f21220688ababbd0dded390e1 |
File details
Details for the file dobbe-0.8.0-py3-none-any.whl.
File metadata
- Download URL: dobbe-0.8.0-py3-none-any.whl
- Upload date:
- Size: 400.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.24
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 518345f11239d3cf6ea284b0a3c383af1b22c853b2c9c8c5e04ad7f809ad1c1c |
| MD5 | 9f34f8d8f08cd4858970b5090c325178 |
| BLAKE2b-256 | 0e9a74bce89683b657093cd8952ad9ceb9026d0c5887acf10b3814bba29b77f2 |