Automated code security triage — scan, fix, verify, and export compliance evidence. All local. All free.
PatchPilot lets you upload a codebase (ZIP) or import a GitHub repository URL, run multiple security scanners in one shot, get proposed fixes, verify them, and download a compliance evidence pack — without paying for any external service.
| Step | What happens |
|---|---|
| Scan | Runs SAST + dependency + secret scanning in parallel |
| Fix | Proposes remediations for selected findings |
| Verify | Re-runs checks to confirm fixes didn't introduce new issues |
| Evidence Pack | Exports a ZIP with audit artifacts and diffs for compliance |
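The Evidence Pack step exports findings, verification results and diffs for auditors; such a pack is only useful as evidence if nobody can alter an artifact after export. The following is an added illustration, not PatchPilot's own code: the ZIP layout, file names and sample data are assumed. It builds a pack whose `manifest.json` carries a SHA-256 digest of every artifact and re-verifies it, so a modified findings file or diff is detected.

```python
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone

# Constructed sample data, not real scanner output.
SAMPLE_FINDINGS = [{"id": "f-001", "tool": "semgrep", "severity": "HIGH", "path": "app/db.py"},
                   {"id": "f-002", "tool": "gitleaks", "severity": "CRITICAL", "path": ".env"}]
SAMPLE_DIFFS = {"f-001": "--- a/app/db.py\n+++ b/app/db.py\n@@ -42 +42 @@\n"
                "-q = f'SELECT 1 WHERE id={uid}'\n+q = 'SELECT 1 WHERE id=%s'\n"}
SAMPLE_VERIFY = {"rescan_clean": True, "new_findings": 0}

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def build_evidence_pack(job_id, findings, diffs, verify_result) -> bytes:
    """Return ZIP bytes; layout is assumed, not PatchPilot's: manifest.json (with
    SHA-256 of every artifact), findings.json, verify.json, diffs/<id>.patch."""
    artifacts = {"findings.json": json.dumps(findings, indent=2, sort_keys=True).encode(),
                 "verify.json": json.dumps(verify_result, indent=2, sort_keys=True).encode()}
    for fid, patch in diffs.items():
        artifacts[f"diffs/{fid}.patch"] = patch.encode()
    manifest = {"job_id": job_id, "generated_at": datetime.now(timezone.utc).isoformat(),
                "artifacts": {n: _sha256(b) for n, b in sorted(artifacts.items())}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest, indent=2, sort_keys=True))
        for name, blob in artifacts.items():
            zf.writestr(name, blob)
    return buf.getvalue()

def verify_evidence_pack(pack: bytes) -> list:
    """List manifest entries that are missing from the ZIP or whose digest mismatches."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(pack)) as zf:
        manifest, names = json.loads(zf.read("manifest.json")), set(zf.namelist())
        for name, digest in manifest["artifacts"].items():
            if name not in names:
                problems.append(f"missing: {name}")
            elif _sha256(zf.read(name)) != digest:
                problems.append(f"digest mismatch: {name}")
    return problems

def replace_entry(pack: bytes, name: str, data: bytes) -> bytes:
    """Rewrite the ZIP with one entry swapped, to show that tampering is detected."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pack)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, data if info.filename == name else src.read(info.filename))
    return out.getvalue()
```

A digest manifest proves integrity, not origin; signing `manifest.json` with a key held by the build host is the usual next step if auditors need to know who produced the pack.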
- Semgrep — static analysis (SAST)
- OSV-Scanner — dependency vulnerabilities
- Gitleaks — secret detection
Everything runs locally. No data leaves your machine.
Backend
- Python 3.10+
- `semgrep`, `osv-scanner`, and `gitleaks` available on `PATH`
Frontend
- Node.js 18+
Backend:

```bash
cd backend
python -m venv .venv
source .venv/bin/activate   # Windows: .venv\Scripts\activate
pip install -r requirements.txt
uvicorn app.main:app --reload --port 8000
```

Frontend (in a second terminal, since `uvicorn --reload` keeps the first one busy):

```bash
cd frontend
npm install
npm run dev
```

Open http://localhost:5173 in your browser.
- Go to Dashboard
- Upload a ZIP or paste a GitHub repo URL
- View findings in the Findings tab
- Go to Verify to generate and download an Evidence Pack
| Method | Route | Description |
|---|---|---|
| GET | /health | Health check |
| POST | /scan | Upload ZIP and scan |
| POST | /scan-url | Import GitHub repo URL and scan |
| POST | /fix | Generate proposed fixes |
| POST | /verify | Verify fixes |
| POST | /evidence-pack | Build and download evidence ZIP |
| DELETE | /jobs/{job_id} | Delete a job workspace |

Request formats:

- `POST /scan` — FormData: `project` (file), `project_name` (optional)
- `POST /scan-url` — FormData: `repo_url`, `ref` (optional, default `main`), `project_name` (optional)
- `POST /fix` — JSON: `{ "job_id": "...", "finding_ids": ["..."] }`
PatchPilot is being transformed from a rule-based scanner into an intelligent, self-improving security platform — layer by layer. All models use free, locally-running tools (no API keys).
| Tier | Focus | Status |
|---|---|---|
| Tier 1 — Triage | Persist findings to SQLite · Severity ranker · Embedding deduplicator · False positive classifier | 🟡 Open for contributions |
| Tier 2 — Predictive | Fix success predictor · Pattern clusterer · Exploit likelihood scorer | 🔒 Requires Tier 1 |
| Tier 3 — Autonomous | Local LLM patch generation (Ollama) · Self-healing verify loop · RL reward signal | 🔒 Requires Tier 2 |
Each tier feeds training data into the next. See CONTRIBUTING.md for how to pick up a Tier 1 issue.
```text
PatchPilot/
├── backend/                 # FastAPI server (Python)
│   ├── app/
│   │   ├── main.py          # API routes
│   │   └── ml/              # ML models (Tier 1+ contributions go here)
│   ├── scripts/             # Training and utility scripts
│   └── requirements.txt
├── frontend/                # React + Vite + Tailwind (TypeScript)
│   └── src/
├── .github/
│   ├── ISSUE_TEMPLATE/      # Bug, feature, and ML issue templates
│   └── workflows/           # CI (backend lint + frontend build)
├── CONTRIBUTING.md
├── SECURITY.md
├── CHANGELOG.md
└── LICENSE
```
Want to understand how the internal components communicate? Check out the ARCHITECTURE.md document for Mermaid diagrams and details on the Scan, Fix, and Verify pipelines, database schema, and ML roadmap flow.
Contributions are welcome — especially ML components advancing the roadmap above.
Read CONTRIBUTING.md for setup instructions, branch conventions, code style, and the ML contribution guide.
For questions and ideas, open a Discussion rather than an issue.
Special thanks to the mentors helping guide contributors and review changes.
Thanks to all our contributors ❤️
Found a vulnerability in PatchPilot itself? Please do not open a public issue. Read SECURITY.md for the responsible disclosure process.
MIT — see LICENSE.