Lucky3mc/debuggix

GitHub: Lucky3mc/debuggix

Debuggix is an all-in-one code security platform that orchestrates 9 open-source security scanning engines and uses AI to generate fix patches automatically, helping development teams find and fix security vulnerabilities in their code efficiently.

Stars: 1 | Forks: 0

# 🛡️ Debuggix: 9 Security Scanners + AI That Actually Fixes Your Code

Detect vulnerabilities. Apply fixes with confidence.
Debuggix runs 9 security engines against your codebase, correlates their results to cut duplicates and false positives, and generates validated patches for you to review before merging.

🚀 Start for free, no credit card required →

## 📖 Table of Contents

- [Overview](#-overview)
- [How It Works](#-how-it-works)
- [The 9 Security Engines](#-the-9-security-engines)
- [Features](#-features)
- [Architecture](#-architecture)
- [API Reference](#-api-reference)
- [Webhooks](#-webhooks)
- [Slack Integration](#-slack-integration)
- [Pricing](#-pricing)
- [Privacy & Security](#-privacy--security)
- [Roadmap](#-roadmap)
- [Tech Stack](#-tech-stack)

## 🔍 Overview

Debuggix is a security platform that not only finds vulnerabilities in your code but generates working fixes for them, rather than just listing problems. It orchestrates 9 open-source security scanners in parallel, correlates their results to remove duplicates and false positives, and then uses AI to generate production-ready code patches.

**Why Debuggix?**

Traditional security tools dump a list of 500 vulnerabilities and say "good luck". You spend hours fixing each one by hand. 67% of security fixes take more than 4 hours. Debuggix finds and fixes in one pass, turning hours of manual patching into a 60-second review.

## ⚙️ How It Works

1. **Connect**: paste any GitHub repository URL or upload a ZIP file
2. **Scan**: 9 specialised engines run in parallel across your codebase
3. **Review**: see findings with confidence scores, source attribution and AI explanations
4. **Fix**: AI generates working code patches with diffs. Review, copy or merge them.

## 🛠️ The 9 Security Engines

| Engine | Category | What it detects | Coverage |
|--------|----------|-----------------|----------|
| **Semgrep** | Static Analysis | SQL injection, XSS, path traversal, code vulnerabilities | Python, JS, Go, Java, Ruby, PHP, Terraform |
| **Gitleaks** | Secret Detection | Hardcoded API keys, tokens, passwords, credentials | All file types |
| **TruffleHog** | Secret Detection | Secrets hidden in git commit history | Git history |
| **Trivy** | Dependency Scanning | Known CVEs in packages and container images | pip, npm, Docker, apt, yum, gem |
| **Bandit** | Static Analysis | Python-specific security issues | Python |
| **ESLint** | Static Analysis | JavaScript/TypeScript security checks | .js, .ts, .jsx, .tsx |
| **Hadolint** | Configuration | Dockerfile misconfigurations and best practices | Dockerfiles |
| **Checkov** | Configuration | Infrastructure-as-Code misconfigurations | Terraform, K8s, CloudFormation, Helm |
| **OSV-Scanner** | Dependency Scanning | Open Source Vulnerabilities database | 10+ ecosystems |

All engines run in parallel. Results are merged, deduplicated and validated by AI.

## 🔥 Features

### AI-Powered Fix Generation

For every vulnerability, Debuggix generates a working code fix using multiple LLM providers (Google Gemini, DeepSeek, OpenAI, OpenRouter) with automatic fallback. Each fix includes:

- **Diff view**: see exactly what changes
- **Explanation**: understand why the fix works
- **Confidence score**: know how reliable the fix is
- **Impact assessment**: understand how serious the issue is

### Security Copilot (Pro+)

An AI chat interface that knows your entire codebase. Ask questions such as:

- "Where are the most critical vulnerabilities?"
- "Explain the authentication flow"
- "Show all hardcoded credentials"
- "What dependency issues exist?"
The copilot reads your actual source files and cites scan results. Responses include file paths, line numbers and code snippets. Context is cached to speed up follow-up questions; you can clear the cached context at any time with the flush button.

### Confidence Scoring and False-Positive Control

Every finding gets an AI confidence score (0-100%). The higher the score, the more likely it is a real vulnerability. Mark findings as confirmed or false positive to filter results.

### GitHub Integration

- **OAuth login**: sign up with your GitHub account
- **Private repositories**: scan private repos using your GitHub token
- **One-click PR**: create a pull request with all AI-generated fixes applied
- **github.dev & Codespaces**: open files directly in a browser-based editor

### Public Reports and Badges

- **Shareable reports**: generate a public URL that does not expose your code
- **README badge**: add a security status badge to your repository:

```
[![Security](https://ai-debugger-backend-eah5.onrender.com/api/v1/scan/badge/{username}/{repo})](https://debuggix.space)
```

### Team Collaboration

- **Shared scans**: share scan results with team members
- **Comments**: discuss individual findings
- **Custom rules**: add your own Semgrep detection rules (Pro+)

## 🏗️ Architecture

### System Design

```
Users → Frontend (React, Render)
  ↓
Backend API (FastAPI, Render)
  ↓
Redis (Upstash) → Celery Worker (DigitalOcean Droplet)
  ↓
9 Security Engines (Semgrep, Gitleaks, Trivy, etc.)
  ↓
AI Fix Generation (Multi-LLM with fallback)
  ↓
PostgreSQL (Render)
```

### Scan Pipeline

1. User submits a GitHub URL or ZIP file
2. Backend creates a scan record and dispatches a Celery task via Redis
3. Celery worker clones the repository with `--depth 1 --single-branch` for speed
4. The 9 security engines run in parallel with configurable timeouts
5. Vendor directories, test files and node_modules are excluded automatically
6. Results are merged, deduplicated and scored
7. AI noise filtering removes false positives and low-confidence findings
8. Findings are saved to PostgreSQL with metadata
9. Source code is deleted from the worker immediately
10. User views the results with confidence scores and AI-generated fixes

Note on step 3: a `--depth 1 --single-branch` clone contains only the tip commit of one branch, so TruffleHog's "secrets hidden in git commit history" coverage (see the engine table) extends only to what is present in that clone, not to older commits or other branches.
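Steps 6 and 7 describe the merge step only in outline. As an added illustration (not Debuggix's own code; the README does not show its correlation logic), the following Python collapses findings from different engines that point at the same file and line into one record: it keeps the highest severity reported, lists every engine that flagged the location, and raises the confidence score when independent engines agree. The input findings are constructed for the example and shaped like the `findings` objects in the API reference; the base confidence of 50 and the 20-point bonus per additional engine are assumed weights, not Debuggix's.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample findings, shaped like the "findings" objects in the API
# reference (tool, severity, file_path, line_number, message). They are
# illustrative, not output from a real scan.
RAW_FINDINGS = [
    {"tool": "semgrep", "severity": "high", "file_path": "src/auth.js",
     "line_number": 42, "message": "SQL injection vulnerability detected"},
    {"tool": "eslint", "severity": "medium", "file_path": "src/auth.js",
     "line_number": 42, "message": "Unsafe string concatenation in query"},
    {"tool": "gitleaks", "severity": "critical", "file_path": "config/settings.py",
     "line_number": 7, "message": "AWS access key detected"},
    {"tool": "trufflehog", "severity": "critical", "file_path": "config/settings.py",
     "line_number": 7, "message": "AWS access key detected"},
    {"tool": "gitleaks", "severity": "critical", "file_path": "config/settings.py",
     "line_number": 7, "message": "AWS access key detected"},   # exact duplicate
    {"tool": "bandit", "severity": "low", "file_path": "app/util.py",
     "line_number": 120, "message": "Use of assert detected"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class MergedFinding:
    file_path: str
    line_number: int
    severity: str                      # highest severity any engine reported
    tools: list = field(default_factory=list)
    messages: list = field(default_factory=list)
    confidence: int = 0


def merge_findings(raw, base_confidence=50, per_extra_tool=20):
    """Collapse findings that point at the same file and line.

    Assumed scoring (not Debuggix's): start at base_confidence and add
    per_extra_tool for every additional, distinct engine that reports the
    same location, capped at 100. Exact duplicates from one tool count once.
    """
    buckets = defaultdict(list)
    for f in raw:
        buckets[(f["file_path"], f["line_number"])].append(f)

    merged = []
    for (path, line), group in buckets.items():
        tools = sorted({f["tool"] for f in group})
        messages = []
        for f in group:
            if f["message"] not in messages:
                messages.append(f["message"])
        top = max(group, key=lambda f: SEVERITY_RANK[f["severity"]])
        confidence = min(100, base_confidence + per_extra_tool * (len(tools) - 1))
        merged.append(MergedFinding(path, line, top["severity"], tools, messages, confidence))

    # Highest severity first, then the locations more engines agree on.
    merged.sort(key=lambda m: (-SEVERITY_RANK[m.severity], -len(m.tools), m.file_path, m.line_number))
    return merged


def summarize(merged):
    """Count merged findings per severity, like the API's "summary" object."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for m in merged:
        counts[m.severity] += 1
    counts["total"] = len(merged)
    return counts


if __name__ == "__main__":
    merged = merge_findings(RAW_FINDINGS)
    for m in merged:
        print(f"{m.severity:8} {m.file_path}:{m.line_number}  "
              f"tools={','.join(m.tools)}  confidence={m.confidence}%")
    print(summarize(merged))
```

Six raw findings collapse to three: the AWS key reported by both secret scanners (and once more as an exact duplicate) becomes a single critical record with 70% confidence, the SQL injection flagged by Semgrep and ESLint at different severities keeps `high`, and the lone Bandit hit stays at the base confidence.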
### AI Provider Fallback

```
Request → Google Gemini (free, 1000/day)
  ↓ fails
DeepSeek ($0.14/1M tokens)
  ↓ fails
OpenAI
  ↓ fails
OpenRouter (free models as backup)
```

### Performance Optimisations

- Vendor directories, test files and cache directories are excluded
- Files larger than 500KB are skipped
- Git clone uses `--depth 1 --single-branch`
- Celery workers run with configurable concurrency
- The Trivy database is cached on the worker
- AI chat context is cached per scan session (1-hour TTL)

## 📡 API Reference

### Base URL

```
https://ai-debugger-backend-eah5.onrender.com
```

### Authentication

All API requests require a JWT token:

```
Authorization: Bearer <token>
```

Obtain a token from the login endpoint.

### Rate Limits

- Free tier: 10 requests/minute
- Pro tier: 60 requests/minute
- Pro+ tier: 120 requests/minute

### Authentication Endpoints

**Register**

```
POST /api/v1/auth/register
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secure_password",
  "name": "Your Name",
  "plan": "free"
}
```

**Login**

```
POST /api/v1/auth/login
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secure_password"
}

Response:
{
  "access_token": "jwt...",
  "token_type": "bearer",
  "user": {...}
}
```

**GitHub OAuth login**

```
GET /api/v1/auth/github/login
→ Redirects to GitHub for authentication
→ Returns JWT token after callback
```

**Logout**

```
POST /api/v1/auth/logout
Authorization: Bearer <token>
```

### Scan Endpoints

**Trigger a GitHub scan**

```
POST /api/v1/scan/github
Authorization: Bearer <token>
Content-Type: application/json

{
  "repo_url": "https://github.com/user/repo",
  "name": "Optional scan name"
}

Response: { "id": "scan-uuid", "name": "repo", "status": "pending" }
```

**Trigger a ZIP upload scan**

```
POST /api/v1/scan/zip
Authorization: Bearer <token>
Content-Type: multipart/form-data

file: your_code.zip
name: Optional name

Response: { "id": "scan-uuid", "name": "filename", "status": "pending" }
```

**List all scans**

```
GET /api/v1/scan/?page=1&limit=50
Authorization: Bearer <token>

Response:
{
  "scans": [
    {
      "id": "uuid",
      "name": "my-repo",
      "repo_url": "https://github.com/user/repo",
      "status": "completed",
      "findings_count": 15,
      "critical_count": 2,
      "high_count": 5,
      "created_at": "2026-04-30T12:00:00Z",
      "completed_at": "2026-04-30T12:01:15Z"
    }
  ],
  "total": 42,
  "page": 1,
  "total_pages": 1
}
```

**Get scan results**

```
GET /api/v1/scan/{scan_id}
Authorization: Bearer <token>

Response:
{
  "scan": {
    "id": "uuid",
    "name": "my-repo",
    "repo_url": "https://github.com/user/repo",
    "status": "completed",
    "findings_count": 15,
    "critical_count": 2,
    "high_count": 5,
    "medium_count": 6,
    "low_count": 2
  },
  "findings": [
    {
      "id": "finding-id",
      "tool": "semgrep",
      "severity": "critical",
      "file_path": "src/auth.js",
      "line_number": 42,
      "message": "SQL injection vulnerability detected",
      "code_snippet": "query = 'SELECT * FROM users WHERE id=' + userId",
      "ai_confidence": 92,
      "ai_fix": {
        "fixed_code": "query = 'SELECT * FROM users WHERE id=?'",
        "explanation": "Use parameterized queries to prevent SQL injection"
      }
    }
  ],
  "summary": { "total": 15, "critical": 2, "high": 5, "medium": 6, "low": 2 }
}
```

Note that the sample `fixed_code` replaces the string concatenation with a `?` placeholder but does not show where `userId` is bound to it; a generated fix is a proposal for the quoted lines, so review it against the surrounding call (and the query API in use) before merging.

**Delete scan**

```
DELETE /api/v1/scan/{scan_id}
Authorization: Bearer <token>

Response: { "message": "Scan deleted" }
```

**Create fix pull request**

```
POST /api/v1/scan/{scan_id}/create-fix-pr
Authorization: Bearer <token>

Response:
{
  "success": true,
  "pr_url": "https://github.com/user/repo/pull/42",
  "message": "Fix PR created successfully"
}
```

### Public Endpoints (no authentication)

**Public scan report**

```
GET /api/v1/scan/public/{scan_id}

Response:
{
  "scan": {
    "id": "abc12345",
    "name": "my-repo",
    "repo_url": "https://github.com/user/repo",
    "scanned_at": "2026-04-30T12:00:00Z",
    "duration_seconds": 75.3,
    "lines_scanned": 15000
  },
  "summary": {
    "total": 15,
    "by_severity": { "critical": 2, "high": 5, "medium": 6, "low": 2 },
    "risk_level": "HIGH"
  },
  "findings": [...],   // No code snippets exposed
  "engines_used": ["Semgrep", "Gitleaks", "Trivy", "Bandit", "ESLint", "Hadolint", "Checkov", "OSV-Scanner", "TruffleHog"]
}
```

**Security badge**

```
GET /api/v1/scan/badge/{username}/{repo}

Response: SVG badge image showing security status
Statuses: "secure", "X critical", "X high", "not scanned"
```
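The scan endpoints above are the ones a CI job would drive: start a scan, poll `GET /api/v1/scan/{scan_id}` until `status` is `completed`, then decide from `summary` whether to fail the build. The following Python client is an added example, not part of Debuggix. It assumes the request and response shapes documented above, uses only the standard library, and takes an injectable `transport` so that the demo at the bottom runs offline against a constructed fake that answers like the documented API (the fake's `scan-uuid` and `demo-token`, and the `failed` status string, are assumptions).

```python
import json
import time
import urllib.request

BASE_URL = "https://ai-debugger-backend-eah5.onrender.com"


def http_json(method, url, token=None, body=None):
    """Default transport: send one JSON request with urllib and parse the reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class DebuggixClient:
    """Thin client for the scan endpoints documented above.

    `transport(method, url, token, body)` is injectable so the HTTP layer can
    be replaced; the offline demo below passes a fake.
    """

    def __init__(self, token, base_url=BASE_URL, transport=http_json):
        self.token = token
        self.base_url = base_url
        self.transport = transport

    def start_github_scan(self, repo_url, name=None):
        body = {"repo_url": repo_url}
        if name:
            body["name"] = name
        return self.transport("POST", f"{self.base_url}/api/v1/scan/github", self.token, body)

    def get_scan(self, scan_id):
        return self.transport("GET", f"{self.base_url}/api/v1/scan/{scan_id}", self.token)

    def wait_for_scan(self, scan_id, poll_seconds=5, max_polls=120, sleep=time.sleep):
        """Poll GET /api/v1/scan/{id} until status is "completed"; return the result.

        "failed" is assumed to be the terminal error status (the README names a
        scan.failed webhook event but not the status string itself).
        """
        for _ in range(max_polls):
            result = self.get_scan(scan_id)
            status = result["scan"]["status"]
            if status == "completed":
                return result
            if status == "failed":
                raise RuntimeError(f"scan {scan_id} failed")
            sleep(poll_seconds)
        raise TimeoutError(f"scan {scan_id} did not complete after {max_polls} polls")


def gate(result, max_critical=0, max_high=0):
    """CI gate on a completed scan's summary: True when within the allowed counts."""
    summary = result["summary"]
    return summary["critical"] <= max_critical and summary["high"] <= max_high


# ---- Offline demo: a fake transport that answers like the documented API ----
ZERO = {"total": 0, "critical": 0, "high": 0, "medium": 0, "low": 0}
FINDING = {"tool": "semgrep", "severity": "critical", "file_path": "src/auth.js",
           "line_number": 42, "message": "SQL injection vulnerability detected"}


class FakeTransport:
    """Constructed responses: two "pending" polls, then "completed" with one critical."""

    def __init__(self):
        self.polls = 0

    def __call__(self, method, url, token=None, body=None):
        if token != "demo-token":
            raise PermissionError("missing or wrong bearer token")
        if method == "POST" and url.endswith("/api/v1/scan/github"):
            return {"id": "scan-uuid", "name": body["repo_url"].rsplit("/", 1)[-1], "status": "pending"}
        if method == "GET" and url.endswith("/api/v1/scan/scan-uuid"):
            self.polls += 1
            done = self.polls >= 3
            return {
                "scan": {"id": "scan-uuid", "name": "repo", "status": "completed" if done else "pending"},
                "findings": [FINDING] if done else [],
                "summary": {"total": 1, "critical": 1, "high": 0, "medium": 0, "low": 0} if done else ZERO,
            }
        raise ValueError(f"unexpected request {method} {url}")


def run_demo():
    """Start a scan, wait for it, apply the gate; returns (result, passed, polls)."""
    transport = FakeTransport()
    client = DebuggixClient("demo-token", transport=transport)
    scan = client.start_github_scan("https://github.com/user/repo")
    result = client.wait_for_scan(scan["id"], sleep=lambda _: None)  # no real sleeping in the demo
    return result, gate(result), transport.polls


if __name__ == "__main__":
    result, passed, polls = run_demo()
    print(f"polled {polls}x, status={result['scan']['status']}, "
          f"critical={result['summary']['critical']}, gate passed={passed}")
```

Against the real API, construct `DebuggixClient(token)` with the JWT from the login endpoint and leave `transport` at its default; the gate's thresholds are the policy knob, and the default of zero critical and zero high findings is a deliberate choice for a merge check.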
### AI Endpoints

**Generate an AI fix for a finding**

```
POST /api/v1/ai/fix
Authorization: Bearer <token>
Content-Type: application/json

{
  "code_snippet": "query = 'SELECT * FROM users WHERE id=' + userId",
  "error_message": "SQL injection detected",
  "language": "javascript",
  "file_path": "/src/auth.js"
}

Response:
{
  "success": true,
  "fixed_code": "query = 'SELECT * FROM users WHERE id=?'",
  "explanation": "Parameterized queries prevent SQL injection by separating SQL logic from data.",
  "model": "gemini-2.0-flash",
  "provider": "gemini"
}
```

**Explain code**

```
POST /api/v1/ai/explain
Authorization: Bearer <token>
Content-Type: application/json

{
  "code_snippet": "const result = await db.query('SELECT * FROM users');",
  "question": "Is this query safe?",
  "language": "javascript"
}

Response: { "success": true, "explanation": "This query is safe because..." }
```

**Code review**

```
POST /api/v1/ai/review
Authorization: Bearer <token>
Content-Type: application/json

{
  "code_snippet": "function processUser(input) { eval(input); }",
  "language": "javascript"
}

Response:
{
  "success": true,
  "issues": [{ "severity": "critical", "message": "eval() is dangerous..." }]
}
```

**Improve code**

```
POST /api/v1/ai/improve
Authorization: Bearer <token>
Content-Type: application/json

{
  "code_snippet": "for (let i = 0; i < arr.length; i++) { console.log(arr[i]); }",
  "language": "javascript"
}

Response:
{
  "success": true,
  "improved_code": "arr.forEach(item => console.log(item));",
  "changes": ["..."]
}
```

**Security Copilot (streaming)**

```
POST /api/v1/ai/copilot/stream
Authorization: Bearer <token>
Content-Type: application/json

{
  "scan_id": "scan-uuid",
  "question": "Where are all the SQL queries in this codebase?",
  "chat_history": []
}

Response: Server-Sent Events stream
Events: status, progress, finding, complete
```

**Flush copilot cache**

```
POST /api/v1/ai/copilot/cache/flush
Authorization: Bearer <token>
Content-Type: application/json

{ "scan_id": "scan-uuid" }

Response:
{
  "message": "Chat context flushed. Next query will re-analyze the codebase."
}
```

**AI service status**

```
GET /api/v1/ai/status
Authorization: Bearer <token>

Response:
{
  "available": true,
  "provider": "gemini",
  "model": "gemini-2.0-flash",
  "user_has_access": true,
  "user_tier": "pro_plus",
  "copilot_enabled": true
}
```

## 🔔 Webhooks

Webhooks let you receive real-time notifications about scan events. Configure them under Dashboard → Settings → Webhooks.

### Available Events

| Event | Trigger | Payload |
|-------|---------|---------|
| `scan.started` | Scan starts processing | `scan_id`, `repo_url`, `timestamp` |
| `scan.completed` | Scan completes successfully | `scan_id`, `findings_count`, `critical_count`, `high_count`, `timestamp` |
| `scan.failed` | Scan hits an error | `scan_id`, `error_message`, `timestamp` |
| `finding.critical` | Critical vulnerability found | `scan_id`, `finding_id`, `severity`, `message`, `file_path` |
| `finding.high` | High-severity vulnerability found | `scan_id`, `finding_id`, `severity`, `message`, `file_path` |
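The signature-verification snippets at the end of this section show the HMAC check in isolation. As an added example (not Debuggix's code), here is a complete receiver in Python for the events in the table above: it checks `X-Debuggix-Signature` over the raw request body before parsing anything, then dispatches on the payload's `event` field, rejecting a delivery whose body was edited after signing and acknowledging unknown events so the sender does not keep retrying them. It assumes the header carries a bare hex HMAC-SHA256 digest (the README does not say whether a prefix such as `sha256=` is used); the secret, the sample deliveries and the actions taken (page, ticket, alert) are constructed for the demo.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions for this example: the header carries the bare hex HMAC-SHA256 of
# the raw body, deliveries are JSON with an "event" field (as in the payload
# example), and the secret below is a constructed placeholder.
WEBHOOK_SECRET = "generated_secret_key_here"
SIGNATURE_HEADER = "X-Debuggix-Signature"


def sign(body: bytes, secret: str = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over the raw body bytes, the value the header is expected to hold."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def handle_webhook(headers: dict, body: bytes, secret: str = WEBHOOK_SECRET):
    """Return (http_status, action) for one delivery.

    The signature is checked over the raw bytes before any parsing, so an
    unsigned or edited body is rejected without acting on its contents.
    """
    provided = headers.get(SIGNATURE_HEADER, "")
    if not hmac.compare_digest(sign(body, secret), provided):
        return 401, "rejected: bad signature"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "rejected: body is not JSON"

    kind = event.get("event")
    if kind == "scan.completed":
        criticals = event.get("critical_count", 0)
        if criticals > 0:
            return 200, f"page on-call: {criticals} critical in {event.get('scan_name')}"
        return 200, f"scan {event.get('scan_id')} has no critical findings"
    if kind in ("finding.critical", "finding.high"):
        return 200, f"open ticket: {event.get('severity')} {event.get('file_path')}"
    if kind == "scan.failed":
        return 200, f"alert: scan failed: {event.get('error_message')}"
    # Acknowledge unknown events so the sender does not keep retrying them.
    return 200, f"ignored event {kind!r}"


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal stdlib HTTP wrapper around handle_webhook; start it with serve()."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)                     # raw bytes, never re-serialised
        headers = {SIGNATURE_HEADER: self.headers.get(SIGNATURE_HEADER, "")}
        status, action = handle_webhook(headers, body)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(action.encode())


def serve(port=8080):
    HTTPServer(("127.0.0.1", port), WebhookHandler).serve_forever()


# Constructed deliveries for an offline check: the scan.completed payload from
# the payload example in this section, signed correctly, and the same body
# with critical_count edited after signing.
SAMPLE_BODY = json.dumps({
    "event": "scan.completed",
    "scan_id": "c6c1c371-9d26-4010-9867-e9a63114203a",
    "scan_name": "my-repo",
    "critical_count": 2,
    "high_count": 5,
    "timestamp": "2026-04-30T12:01:15Z",
}).encode()
GOOD_HEADERS = {SIGNATURE_HEADER: sign(SAMPLE_BODY)}
TAMPERED_BODY = SAMPLE_BODY.replace(b'"critical_count": 2', b'"critical_count": 0')


if __name__ == "__main__":
    print(handle_webhook(GOOD_HEADERS, SAMPLE_BODY))    # (200, 'page on-call: 2 critical in my-repo')
    print(handle_webhook(GOOD_HEADERS, TAMPERED_BODY))  # (401, 'rejected: bad signature')
    print(handle_webhook({}, SAMPLE_BODY))              # (401, 'rejected: bad signature')
```

Run `serve()` to expose the handler on localhost (put it behind TLS in practice), and keep the raw body bytes for the HMAC: reading the request through a JSON-parsing framework and re-encoding it can change whitespace or key order and break the comparison.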
### Configuring Webhooks

**Generate a webhook URL**

```
POST /api/v1/integrations/webhooks/generate
Authorization: Bearer <token>
Content-Type: application/json

{ "events": ["scan.completed", "finding.critical", "finding.high"] }

Response:
{
  "webhook_url": "https://ai-debugger-backend-eah5.onrender.com/api/v1/webhooks/receive/abc12345",
  "secret": "generated_secret_key_here",
  "events": ["scan.completed", "finding.critical", "finding.high"],
  "message": "Webhook generated. Copy your secret now - it won't be shown again!"
}
```

**Update webhook events**

```
PUT /api/v1/integrations/webhooks/events
Authorization: Bearer <token>
Content-Type: application/json

{ "events": ["scan.started", "scan.completed", "scan.failed"] }

Response: { "events": [...], "message": "Webhook events updated" }
```

**Test webhook**

```
POST /api/v1/integrations/webhooks/test
Authorization: Bearer <token>

Response: { "message": "Test webhook sent successfully" }
```

**Revoke webhook**

```
DELETE /api/v1/integrations/webhooks/revoke
Authorization: Bearer <token>

Response: { "message": "Webhook revoked" }
```

**Get webhook status**

```
GET /api/v1/integrations/webhooks
Authorization: Bearer <token>

Response:
{
  "url": "https://ai-debugger-backend-eah5.onrender.com/api/v1/webhooks/receive/abc12345",
  "secret": "***hidden***",
  "events": ["scan.completed", "finding.critical"]
}
```

### Webhook Payload Example

When a scan completes, your endpoint receives:

```
{
  "event": "scan.completed",
  "scan_id": "c6c1c371-9d26-4010-9867-e9a63114203a",
  "scan_name": "my-repo",
  "repo_url": "https://github.com/user/repo",
  "findings_count": 15,
  "critical_count": 2,
  "high_count": 5,
  "medium_count": 6,
  "low_count": 2,
  "timestamp": "2026-04-30T12:01:15Z"
}
```

### Verifying Webhook Signatures

Every webhook request carries an `X-Debuggix-Signature` header. Verify it with your webhook secret before acting on the payload, computing the HMAC over the raw request body bytes exactly as received (re-serialising the parsed JSON can change whitespace and break the match):

```
import hmac
import hashlib

def verify_webhook(payload: bytes, signature: str, secret: str) -> bool:
    # payload must be the raw request body, not re-encoded JSON
    expected = hmac.new(
        secret.encode(),
        payload,
        hashlib.sha256
    ).hexdigest()
    # constant-time comparison; compare_digest tolerates differing lengths
    return hmac.compare_digest(expected, signature)
```

```
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  // payload must be the raw request body (Buffer or string), not re-encoded JSON
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  const expectedBuf = Buffer.from(expected, 'utf8');
  const signatureBuf = Buffer.from(signature || '', 'utf8');
  // timingSafeEqual throws on length mismatch, so reject malformed signatures first
  if (expectedBuf.length !== signatureBuf.length) return false;
  return crypto.timingSafeEqual(expectedBuf, signatureBuf);
}
```

## 💬 Slack Integration

Send scan notifications straight to a Slack channel. Requires the Pro+ plan.

**Connect Slack**

```
GET /api/v1/integrations/slack/auth
Authorization: Bearer <token>
→ Redirects to Slack OAuth
→ Saves the webhook URL after authorization
```

**Disconnect Slack**

```
POST /api/v1/integrations/slack/disconnect
Authorization: Bearer <token>

Response: { "message": "Slack disconnected" }
```

**Send a test notification**

```
POST /api/v1/integrations/slack/test
Authorization: Bearer <token>

Response: { "message": "Test notification sent" }
```

## 💰 Pricing

| Plan | Price | Scans | Key features |
|------|-------|-------|--------------|
| **Free** | $0 forever | 10 public scans/month | All 9 engines, basic detection, community support |
| **Pro** | $29/month | 100 private scans/month | AI-powered fixes, GitHub PR integration, email support |
| **Pro+** | $50/month | 500 private scans/month | Security Copilot, API access, 3 team seats, Slack integration, webhooks, custom rules |

All plans include a free trial. No credit card is required for the free tier.

[Start for free →](https://debuggix.space/register)

## 🔒 Privacy & Security

- **Zero retention:** your source code is deleted as soon as it has been processed and scanned. The Security Copilot's per-scan chat context is cached separately for up to 1 hour (see Performance Optimisations); flush it from the UI or via `/api/v1/ai/copilot/cache/flush` if that matters to you.
- **No training on your code:** we never use your code to train AI models
- **Encrypted in transit and at rest:** all data is encrypted in transit (TLS 1.3) and at rest (AES-256). This is transport and storage encryption, not end-to-end encryption: the scanners and the third-party LLM providers listed under Architecture necessarily receive the code they analyse in plaintext.
- **Open-source engines:** all 9 scanners are open source and can be audited independently
- **Your data is yours:** export or delete your data at any time

## 🗺️ Roadmap

- [x] **Phase 1:** multi-scanner orchestration and web dashboard
- [x] **Phase 2:** AI-powered fix generation
- [x] **Phase 3:** team collaboration and shared scans
- [x] **Phase 4:** GitHub, Slack and webhook integrations
- [x] **Phase 5:** public reports and security badges
- [ ] **Phase 6:** VS Code extension (Q2 2026)
- [ ] **Phase 7:** self-hosted enterprise edition (Q3 2026)
- [ ] **Phase 8:** native CI/CD integrations (GitHub Actions, GitLab CI)

## ⚡ Tech Stack

| Layer | Technology |
|-------|------------|
| Backend | FastAPI (Python) |
| Frontend | React + TypeScript + Tailwind CSS |
| Database | PostgreSQL |
| Queue | Redis + Celery |
| AI | Google Gemini, DeepSeek, OpenAI, OpenRouter (automatic fallback) |
| Hosting | Render (API), DigitalOcean (workers) |
| Security tools | Semgrep, Gitleaks, Trivy, Bandit, ESLint, Hadolint, Checkov, OSV-Scanner, TruffleHog |

## 🤝 Built by an Indie Developer

Debuggix is an independent product. No venture capital. No selling your data. No bloated enterprise features you don't need. Just one developer working to make the web safer.

- ⭐ **Star this repo** to support the project
- 🐛 **Found a bug?** [Open an issue](https://github.com/Lucky3mc/debuggix/issues)
- 📧 **Enterprise enquiries:** [luckydiety@gmail.com](mailto:luckydiety@gmail.com)

The best time to secure your code was yesterday. The second best time is now.
Try Debuggix for free →
