🛡️ PatchPilot

Automated code security triage — scan, fix, verify, and export compliance evidence. All local. All free.



PatchPilot lets you upload a codebase (ZIP) or import a GitHub repository URL, run multiple security scanners in one shot, get proposed fixes, verify them, and download a compliance evidence pack — without paying for any external service.

What it does

| Step | What happens |
|---|---|
| Scan | Runs SAST + dependency + secret scanning in parallel |
| Fix | Proposes remediations for selected findings |
| Verify | Re-runs checks to confirm fixes didn't introduce new issues |
| Evidence Pack | Exports a ZIP with audit artifacts and diffs for compliance |
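The Verify step compares the findings from a re-scan against the original scan. As an added illustration (this is not PatchPilot's code; the finding schema, the sample findings and the fingerprinting rule are all assumptions), the comparison below keys findings on scanner, rule, path and normalized snippet rather than on line number, so a fix that merely shifts lines is not reported as a new issue, while a genuinely new finding fails verification:

```python
import hashlib
import re
from typing import Iterable

# Constructed sample findings in an assumed simplified schema. The scanner names
# match the three tools in the prerequisites; rule ids are placeholders.
BEFORE = [
    {"scanner": "semgrep", "rule_id": "py.subprocess-shell-true",
     "path": "app/run.py", "line": 12, "snippet": "subprocess.run(cmd, shell=True)"},
    {"scanner": "gitleaks", "rule_id": "generic-api-key",
     "path": "config.py", "line": 3, "snippet": "API_KEY = 'PLACEHOLDER'"},
    {"scanner": "osv-scanner", "rule_id": "GHSA-placeholder",
     "path": "requirements.txt", "line": 7, "snippet": "requests==2.19.0"},
]
# After the proposed fixes: the shell=True call and the hard-coded key are gone,
# the vulnerable dependency is still pinned (its line moved), and a new
# eval() call appeared in the patched file.
AFTER = [
    {"scanner": "osv-scanner", "rule_id": "GHSA-placeholder",
     "path": "requirements.txt", "line": 9, "snippet": "requests==2.19.0"},
    {"scanner": "semgrep", "rule_id": "py.eval-detected",
     "path": "app/run.py", "line": 14, "snippet": "eval(user_input)"},
]


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding that ignores line numbers (assumed rule)."""
    snippet = re.sub(r"\s+", " ", finding["snippet"]).strip()
    raw = "|".join([finding["scanner"], finding["rule_id"], finding["path"], snippet])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def compare_findings(before: Iterable[dict], after: Iterable[dict]) -> dict:
    """Split findings into fixed, remaining and introduced, sorted for stable output."""
    b = {fingerprint(f): f for f in before}
    a = {fingerprint(f): f for f in after}
    key = lambda f: (f["path"], f["rule_id"])  # noqa: E731
    return {
        "fixed": sorted((b[k] for k in b.keys() - a.keys()), key=key),
        "remaining": sorted((a[k] for k in b.keys() & a.keys()), key=key),
        "introduced": sorted((a[k] for k in a.keys() - b.keys()), key=key),
    }


def verify_passes(result: dict) -> bool:
    """Verification succeeds only when the fix introduced no new findings."""
    return not result["introduced"]
```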

Scanners

Everything runs locally. No data leaves your machine.


Quickstart

Prerequisites

Backend

  • Python 3.10+
  • semgrep, osv-scanner, and gitleaks available on PATH

Frontend

  • Node.js 18+

1 — Backend

cd backend
python -m venv .venv
source .venv/bin/activate        # Windows: .venv\Scripts\activate
pip install -r requirements.txt
uvicorn app.main:app --reload --port 8000

2 — Frontend

cd frontend
npm install
npm run dev

Open http://localhost:5173 in your browser.

3 — Run your first scan

  1. Go to Dashboard
  2. Upload a ZIP or paste a GitHub repo URL
  3. View findings in the Findings tab
  4. Go to Verify to generate and download an Evidence Pack

API reference

| Method | Route | Description |
|---|---|---|
| GET | /health | Health check |
| POST | /scan | Upload ZIP and scan |
| POST | /scan-url | Import GitHub repo URL and scan |
| POST | /fix | Generate proposed fixes |
| POST | /verify | Verify fixes |
| POST | /evidence-pack | Build and download evidence ZIP |
| DELETE | /jobs/{job_id} | Delete a job workspace |

POST /scan — FormData: project (file), project_name (optional)

POST /scan-url — FormData: repo_url, ref (optional, default main), project_name (optional)

POST /fix — JSON: { "job_id": "...", "finding_ids": ["..."] }


ML roadmap

PatchPilot is being transformed from a rule-based scanner into an intelligent, self-improving security platform — layer by layer. All models use free, locally-running tools (no API keys).

| Tier | Focus | Status |
|---|---|---|
| Tier 1 — Triage | Persist findings to SQLite · Severity ranker · Embedding deduplicator · False positive classifier | 🟡 Open for contributions |
| Tier 2 — Predictive | Fix success predictor · Pattern clusterer · Exploit likelihood scorer | 🔒 Requires Tier 1 |
| Tier 3 — Autonomous | Local LLM patch generation (Ollama) · Self-healing verify loop · RL reward signal | 🔒 Requires Tier 2 |

Each tier feeds training data into the next. See CONTRIBUTING.md for how to pick up a Tier 1 issue.


Repository structure

PatchPilot/
├── backend/               # FastAPI server (Python)
│   ├── app/
│   │   ├── main.py        # API routes
│   │   └── ml/            # ML models (Tier 1+ contributions go here)
│   ├── scripts/           # Training and utility scripts
│   └── requirements.txt
├── frontend/              # React + Vite + Tailwind (TypeScript)
│   └── src/
├── .github/
│   ├── ISSUE_TEMPLATE/    # Bug, feature, and ML issue templates
│   └── workflows/         # CI (backend lint + frontend build)
├── CONTRIBUTING.md
├── SECURITY.md
├── CHANGELOG.md
└── LICENSE

Contributing

Contributions are welcome — especially ML components advancing the roadmap above.

Read CONTRIBUTING.md for setup instructions, branch conventions, code style, and the ML contribution guide.

For questions and ideas, open a Discussion rather than an issue.

Security

Found a vulnerability in PatchPilot itself? Please do not open a public issue. Read SECURITY.md for the responsible disclosure process.

License

MIT — see LICENSE.
