
A security auditor CLI for Git repositories using LLMs

Project description

๐Ÿ•ธ๏ธsnitch-stitch

A security auditor CLI for Git repositories. Scans both backend source code and running frontend UIs to find real security vulnerabilities, scores them by severity, and lets you accept or reject LLM-generated code fixes.


PyPI version Python 3.8+ License: MIT

Installation

pip install snitch-stitch

Or install from source:

git clone https://github.com/snitch-stitch/snitch-stitch.git
cd snitch-stitch
pip install -e .

Requirements

snitch-stitch uses litellm to support multiple LLM providers. Set the API key for whichever provider you want to use:

Environment Variables

Variable             Required for               Description
OPENAI_API_KEY       OpenAI models (default)    e.g. gpt-4o, gpt-4-turbo
ANTHROPIC_API_KEY    Anthropic models           e.g. claude-sonnet-4-5-20250929
GEMINI_API_KEY       Google models              e.g. gemini/gemini-1.5-pro
RTRVR_API_KEY        No                         Used for frontend browser scanning via rtrvr.ai

# OpenAI (default)
export OPENAI_API_KEY="sk-..."

# Or Anthropic
export ANTHROPIC_API_KEY="sk-ant-..."

# Or Google
export GEMINI_API_KEY="..."

# Optional: frontend scanning
export RTRVR_API_KEY="..."

Usage

snitch-stitch <repo-path> [options]

Arguments

  • <repo-path> - Path to the local repository directory to scan (required)

Options

Flag                  Description                                                                    Default
--model MODEL         LLM model to use via litellm (see examples below)                              gpt-4o
--frontend-url URL    URL of a running frontend (e.g., http://localhost:3000). Enables frontend      None
                      scanning.
--fix-all             Skip the selection prompt and attempt to fix everything                        False
--dry-run             Show diffs but never write anything to disk                                    False
--verbose             Print debug info (raw API responses, parsed JSON)                              False

Model Examples

# OpenAI (default)
snitch-stitch ./my-project --model gpt-4o
snitch-stitch ./my-project --model gpt-4-turbo

# Anthropic
snitch-stitch ./my-project --model claude-sonnet-4-5-20250929

# Google Gemini
snitch-stitch ./my-project --model gemini/gemini-1.5-pro

# Azure OpenAI
snitch-stitch ./my-project --model azure/my-deployment-name

Any model supported by litellm can be used.

Examples

Scan a repository for backend vulnerabilities:

snitch-stitch ./my-project

Scan both backend and frontend:

snitch-stitch ./my-project --frontend-url http://localhost:3000

Preview fixes without applying them:

snitch-stitch ./my-project --dry-run

Automatically fix all vulnerabilities:

snitch-stitch ./my-project --fix-all

How It Works

snitch-stitch runs through 5 stages:

Stage 1: Ingest

Converts the repository into a text format suitable for LLM analysis using gitingest.

Stage 2: Backend Scan

Sends the code to the configured LLM with a security analysis prompt. Identifies vulnerabilities such as:

  • SQL injection
  • Command injection
  • Path traversal
  • Hardcoded secrets
  • Missing authentication
  • Insecure deserialization
  • XSS vulnerabilities

Stage 3: Frontend Scan (Optional)

If --frontend-url is provided and RTRVR_API_KEY is set, uses rtrvr.ai to control a real browser and probe the running application for:

  • XSS (Cross-Site Scripting)
  • Authentication bypass
  • IDOR (Insecure Direct Object Reference)
  • Missing input validation
  • Admin panel access

Stage 4: Rank

Scores each vulnerability (0-10) based on:

  • Exposure: Public-facing (5) vs local-only (1)
  • Exploitability: Easy (3) / Moderate (2) / Hard (1)
  • Impact: Critical (4) / High (3) / Medium (2) / Low (1)

Severity labels: Critical (9-10), High (7-8), Medium (4-6), Low (1-3)
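The scoring scheme above, as an added example that is not snitch-stitch's own code: the factor point values and the severity bands are the ones listed under Stage 4, but the page does not say how the three factors are combined into a 0-10 score, so summing the points (3 to 12) and rescaling linearly onto 0-10 is an assumption made here. The findings at the bottom are constructed.

```python
"""Added example of the Stage 4 ranking: three factors -> 0-10 score -> label.
Not snitch-stitch's implementation; the sum-and-rescale step is an assumption."""
from dataclasses import dataclass
from typing import List, Tuple

# Point values per factor, exactly as listed under Stage 4.
EXPOSURE = {"public": 5, "local": 1}
EXPLOITABILITY = {"easy": 3, "moderate": 2, "hard": 1}
IMPACT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Highest possible raw sum (5 + 3 + 4 = 12); used to rescale onto 0-10.
MAX_POINTS = max(EXPOSURE.values()) + max(EXPLOITABILITY.values()) + max(IMPACT.values())


@dataclass(frozen=True)
class Finding:
    title: str
    exposure: str        # "public" | "local"
    exploitability: str  # "easy" | "moderate" | "hard"
    impact: str          # "critical" | "high" | "medium" | "low"


def score(finding: Finding) -> int:
    """Combine the three factors into a 0-10 score.

    Assumption: raw points are summed and rescaled linearly, then rounded.
    An unknown factor value raises KeyError rather than silently scoring 0,
    so a malformed LLM answer cannot quietly land in the "Low" bucket.
    """
    points = (EXPOSURE[finding.exposure]
              + EXPLOITABILITY[finding.exploitability]
              + IMPACT[finding.impact])
    return round(points * 10 / MAX_POINTS)


def severity(s: int) -> str:
    """Severity label for a 0-10 score, using the bands from the page.

    Critical 9-10, High 7-8, Medium 4-6, Low 1-3 (0 is folded into Low).
    """
    if not 0 <= s <= 10:
        raise ValueError(f"score out of range: {s}")
    if s >= 9:
        return "Critical"
    if s >= 7:
        return "High"
    if s >= 4:
        return "Medium"
    return "Low"


def rank(findings: List[Finding]) -> List[Tuple[Finding, int, str]]:
    """Return (finding, score, label) triples, highest score first."""
    scored = [(f, score(f), severity(score(f))) for f in findings]
    return sorted(scored, key=lambda t: (-t[1], t[0].title))


if __name__ == "__main__":
    # Constructed findings; titles borrowed from the example output above.
    sample = [
        Finding("No input validation on age field", "local", "hard", "low"),
        Finding("SQL injection in /api/login", "public", "easy", "critical"),
        Finding("Missing auth on /api/admin/users", "public", "moderate", "high"),
    ]
    for f, s, label in rank(sample):
        print(f"{label:<8} {s:>2}  {f.title}")
```

Ranking happens entirely on the three factor values, so the labels are reproducible from the same LLM answer; the rounding boundary (a raw sum of 3 rounds to 2, i.e. Low) is worth knowing when you compare scores across runs.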

Stage 5: Fix

For each selected vulnerability:

  1. Generates a minimal code fix using the configured LLM
  2. Shows a colored diff (red for removals, green for additions)
  3. Prompts you to accept or reject
  4. Writes accepted fixes to disk
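The four-step review loop above, as an added illustration (not snitch-stitch's own implementation): it renders a unified diff with red removals and green additions using the standard library's difflib, asks for a decision, and writes to disk only when the fix was accepted and no dry run is in effect. The file contents are constructed to mirror the login example in the output below; the `decide`, `write` and `out` callbacks are assumptions chosen so the loop can be driven without a terminal.

```python
"""Added example of the Stage 5 accept/reject loop with --dry-run semantics.
Illustration only; not the project's code. ORIGINAL/PROPOSED are constructed."""
import difflib
from pathlib import Path
from typing import Callable, List

RED, GREEN, RESET = "\x1b[31m", "\x1b[32m", "\x1b[0m"

# Constructed "before" file: vulnerable string-formatted SQL query.
ORIGINAL = (
    "def login(username, password):\n"
    "    query = f\"SELECT * FROM users WHERE username = '{username}'\"\n"
    "    cursor.execute(query)\n"
    "    user = cursor.fetchone()\n"
)
# Constructed LLM-proposed fix: parameterised query.
PROPOSED = (
    "def login(username, password):\n"
    "    query = \"SELECT * FROM users WHERE username = %s\"\n"
    "    cursor.execute(query, (username,))\n"
    "    user = cursor.fetchone()\n"
)


def diff_lines(original: str, proposed: str, path: str) -> List[str]:
    """Unified diff between the two versions, one entry per line, no newlines."""
    return [
        line.rstrip("\n")
        for line in difflib.unified_diff(
            original.splitlines(keepends=True),
            proposed.splitlines(keepends=True),
            fromfile=f"a/{path}",
            tofile=f"b/{path}",
        )
    ]


def colorize(line: str) -> str:
    """Red for removed lines, green for added lines; file headers untouched."""
    if line.startswith("+") and not line.startswith("+++"):
        return GREEN + line + RESET
    if line.startswith("-") and not line.startswith("---"):
        return RED + line + RESET
    return line


def _write_file(path: str, content: str) -> None:
    Path(path).write_text(content, encoding="utf-8")


def review_fix(
    path: str,
    original: str,
    proposed: str,
    decide: Callable[[], bool],
    dry_run: bool = False,
    write: Callable[[str, str], None] = _write_file,
    out: Callable[[str], None] = print,
) -> bool:
    """Show the diff, ask, and write only an accepted fix. Returns True iff written.

    dry_run is checked *after* the decision so the prompt flow is identical,
    but nothing ever reaches disk; --fix-all corresponds to decide=lambda: True.
    """
    out(f" {path}")
    for line in diff_lines(original, proposed, path):
        out(colorize(line))
    if not decide():
        out(f"Skipped: {path}")
        return False
    if dry_run:
        out(f"(dry run) Not writing: {path}")
        return False
    write(path, proposed)
    out(f"Fixed: {path}")
    return True


if __name__ == "__main__":
    # Interactive use: accept on "y" or "a", anything else rejects.
    ask = lambda: input("Apply this fix? [y/n/a=accept all]: ").strip().lower() in ("y", "a")
    review_fix("app/auth.py", ORIGINAL, PROPOSED, ask, dry_run=True)
```

Keeping the decision and the write in separate steps is what makes `--dry-run` trustworthy: the dry-run branch sits in front of the only call that touches disk, so there is no code path that writes without passing through it.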

Example Output

$ snitch-stitch ./my-project --frontend-url http://localhost:3000

[1/5] Ingesting repository...
      ✓ Ingested 47 files (82 KB)

[2/5] Scanning backend code (model: gpt-4o)...
      Analyzing code... done.
      ✓ Found 4 backend vulnerabilities

[3/5] Scanning frontend...
      ✓ Found 2 frontend vulnerabilities

[4/5] Ranking findings...
      ✓ Ranked 6 findings

[5/5] Review and fix

โ•”โ•โ•โ•โ•โ•ฆโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฆโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฆโ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘  # โ•‘ Severity โ•‘ Title                                        โ•‘ Score โ•‘
โ• โ•โ•โ•โ•โ•ฌโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฌโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฌโ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘  1 โ•‘ Critical โ•‘ SQL injection in /api/login                  โ•‘  10   โ•‘
โ•‘  2 โ•‘ Critical โ•‘ Hardcoded AWS key in settings.py             โ•‘   9   โ•‘
โ•‘  3 โ•‘ High     โ•‘ Command injection in file converter          โ•‘   8   โ•‘
โ•‘  4 โ•‘ High     โ•‘ Missing auth on /api/admin/users             โ•‘   7   โ•‘
โ•‘  5 โ•‘ Medium   โ•‘ XSS in search input                          โ•‘   5   โ•‘
โ•‘  6 โ•‘ Low      โ•‘ No input validation on age field             โ•‘   3   โ•‘
โ•šโ•โ•โ•โ•โ•ฉโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฉโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฉโ•โ•โ•โ•โ•โ•โ•โ•

Select vulnerabilities to fix (comma-separated numbers, or 'all'):
> 1, 2

--- Generating fix for: SQL injection in /api/login ---
      Generating fix... done.

 app/auth.py
────────────────────────────────────────────────────
  def login(username, password):
-     query = f"SELECT * FROM users WHERE username = '{username}'"
-     cursor.execute(query)
+     query = "SELECT * FROM users WHERE username = %s"
+     cursor.execute(query, (username,))
      user = cursor.fetchone()
────────────────────────────────────────────────────
Apply this fix? [y/n/a=accept all]: y
✓ Fixed: app/auth.py

Vulnerability Classes Detected

Class                Description
sqli                 SQL injection via string concatenation
command_injection    Shell command injection via os.system, subprocess
path_traversal       Directory traversal allowing file access
ssrf                 Server-side request forgery
deserialization      Insecure deserialization (pickle, yaml)
xss                  Cross-site scripting
secrets_exposure     Hardcoded API keys, passwords, tokens
authz                Missing or broken authorization
idor                 Insecure direct object references
input_validation     Missing input validation
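Because the Fix stage writes to files named by the model, the findings an LLM returns deserve the same input validation the tool looks for in the scanned code. The following added example (not snitch-stitch's own parser; the JSON field names, the fenced-response format and the sample response are assumptions constructed for illustration) extracts a findings array from a model reply and keeps only entries whose class is one of the identifiers in the table above, whose title and line number are well formed, and whose file path cannot escape the repository.

```python
"""Added example: defensive parsing of LLM-returned findings.
Not the project's code; JSON shape and SAMPLE_RESPONSE are constructed."""
import json
import os
import re
from typing import Any, Dict, List, Tuple

# Class identifiers from the table above; anything else is rejected.
VULN_CLASSES = {
    "sqli", "command_injection", "path_traversal", "ssrf", "deserialization",
    "xss", "secrets_exposure", "authz", "idor", "input_validation",
}

# Assumed JSON fields for one finding.
REQUIRED_FIELDS = ("class", "title", "file", "line")

# Constructed model reply: prose, a fenced JSON array, and four findings of
# which only the first is acceptable. The fence is built from pieces so the
# example itself stays a valid fenced block in the README.
FENCE = "`" * 3
SAMPLE_RESPONSE = (
    "Here are the findings:\n" + FENCE + "json\n"
    '[\n'
    '  {"class": "sqli", "title": "SQL injection in /api/login", "file": "app/auth.py", "line": 12},\n'
    '  {"class": "buffer_overflow", "title": "Overflow", "file": "app/x.c", "line": 3},\n'
    '  {"class": "secrets_exposure", "title": "Hardcoded key", "file": "../../etc/passwd", "line": 1},\n'
    '  {"class": "xss", "title": "", "file": "web/search.js", "line": 40}\n'
    ']\n' + FENCE + "\nLet me know if you want fixes."
)


def extract_json_array(text: str) -> List[Any]:
    """Pull the first JSON array out of a reply that may wrap it in prose or fences."""
    match = re.search(r"\[.*\]", text, re.S)
    if not match:
        raise ValueError("no JSON array in model response")
    data = json.loads(match.group(0))
    if not isinstance(data, list):
        raise ValueError("top-level JSON is not an array")
    return data


def inside_repo(rel_path: str) -> bool:
    """True if a relative path stays within the repository root."""
    if not rel_path or os.path.isabs(rel_path):
        return False
    parts = os.path.normpath(rel_path).split(os.sep)
    return ".." not in parts


def validate_finding(item: Any) -> str:
    """Return "" if the finding is acceptable, else a human-readable reason."""
    if not isinstance(item, dict):
        return "finding is not an object"
    missing = [k for k in REQUIRED_FIELDS if k not in item]
    if missing:
        return f"missing fields: {', '.join(missing)}"
    if item["class"] not in VULN_CLASSES:
        return f"unknown class {item['class']!r}"
    if not isinstance(item["title"], str) or not item["title"].strip():
        return "empty title"
    if not isinstance(item["line"], int) or item["line"] < 1:
        return "line must be a positive integer"
    if not isinstance(item["file"], str) or not inside_repo(item["file"]):
        return "file path escapes repository"
    return ""


def parse_findings(text: str) -> Tuple[List[Dict[str, Any]], List[Tuple[int, str]]]:
    """Split a model reply into accepted findings and (index, reason) rejections."""
    accepted, rejected = [], []
    for idx, item in enumerate(extract_json_array(text)):
        reason = validate_finding(item)
        if reason:
            rejected.append((idx, reason))
        else:
            accepted.append(item)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_findings(SAMPLE_RESPONSE)
    for f in ok:
        print("accepted:", f["class"], f["title"], f["file"])
    for idx, why in bad:
        print(f"rejected #{idx}: {why}")
```

Rejections are reported with a reason rather than dropped silently, which is what you want under `--verbose` when a model starts inventing classes or pointing at files outside the tree.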

License

MIT

Download files


Source Distribution

snitch_stitch-0.2.0.tar.gz (30.5 kB)

Uploaded Source

Built Distribution


snitch_stitch-0.2.0-py3-none-any.whl (31.3 kB)

Uploaded Python 3

File details

Details for the file snitch_stitch-0.2.0.tar.gz.

File metadata

  • Download URL: snitch_stitch-0.2.0.tar.gz
  • Upload date:
  • Size: 30.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.8

File hashes

Hashes for snitch_stitch-0.2.0.tar.gz
Algorithm      Hash digest
SHA256         11df825fe3fc06566b44b0bfde6825b4314e9e69e5c704459d3dfbbcb521c512
MD5            070a9e06d1d492ad9addf90ebc6ce56e
BLAKE2b-256    171bf5e006735c537638baa6067e4e6e57950a02e39025dcb8227773e2964b8f


File details

Details for the file snitch_stitch-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: snitch_stitch-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 31.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.8

File hashes

Hashes for snitch_stitch-0.2.0-py3-none-any.whl
Algorithm      Hash digest
SHA256         bc0cb91496e8f9e145a39e9e2191322275a9ffb997a129a9a324c15708dae148
MD5            db6d764f0e045911fd8c82cb736110c2
BLAKE2b-256    f181be93b0d5d9f1ff839d1101ac25918ba081e0e13f778b08b1ec5f4bde9697
