Open-source · CLI-first · Ships in CI

AI security for builders,
not buyers.

Run the full open-source AI pen-testing toolkit against your agents, LLMs, repos, and cloud — in CI, on every PR. No sales call. No 6-month procurement cycle.

Try the scanner →
npx nixer scan https://github.com/your-org/your-agent
4 scan tools
OSS powered
free dev tier
nixer scan
$ npx nixer scan https://github.com/your-org/your-agent
Scanning secrets, MCP endpoints, prompt injection surfaces...
[CRIT] OpenAI API key exposed — src/agent.js:14
[CRIT] Prompt injection: 3 unvalidated tool call chains
[WARN] MCP endpoint unauthenticated — port 8080
[WARN] Rate limiting absent — credential stuffing risk
Findings: 2 critical  2 medium
FAIL — critical findings. Exiting 1.
4
findings ranked by severity
Live demo — paste any public GitHub repo

No sign-up · No install

Live findings

Real exposures from AI repos scanned this week

See all findings →
CRITICAL 🔑 Secrets

Hardcoded OpenAI API key in test fixtures

Top 50 OSS AI repo Scanned 2d ago
CRITICAL 💉 Prompt Injection

Tool description allows prompt injection via untrusted input

Top 50 OSS AI repo Scanned 1d ago
HIGH ⚡ MCP

Unauthenticated MCP server — arbitrary tool execution risk

Top 50 OSS AI repo Scanned 3d ago
HIGH 🔧 CI/CD

Unpinned third-party action — supply chain attack surface

Top 50 OSS AI repo Scanned 4d ago
CRITICAL 🔑 Secrets

Anthropic API key in env config committed to repo

Top 50 OSS AI repo Scanned 5d ago
HIGH 📦 Supply Chain

torch.load() without weights_only=True — pickle RCE risk

Top 50 OSS AI repo Scanned 6d ago
CRITICAL 💉 Prompt Injection

System prompt overridable via user input in chat endpoint

Top 50 OSS AI repo Scanned 1w ago
HIGH ⚡ MCP

MCP tool allowlist missing — all tools callable by agent

Top 50 OSS AI repo Scanned 2d ago
CRITICAL 🔑 Secrets

Hardcoded OpenAI API key in test fixtures

Top 50 OSS AI repo Scanned 2d ago
CRITICAL 💉 Prompt Injection

Tool description allows prompt injection via untrusted input

Top 50 OSS AI repo Scanned 1d ago
HIGH ⚡ MCP

Unauthenticated MCP server — arbitrary tool execution risk

Top 50 OSS AI repo Scanned 3d ago
HIGH 🔧 CI/CD

Unpinned third-party action — supply chain attack surface

Top 50 OSS AI repo Scanned 4d ago
CRITICAL 🔑 Secrets

Anthropic API key in env config committed to repo

Top 50 OSS AI repo Scanned 5d ago
HIGH 📦 Supply Chain

torch.load() without weights_only=True — pickle RCE risk

Top 50 OSS AI repo Scanned 6d ago
CRITICAL 💉 Prompt Injection

System prompt overridable via user input in chat endpoint

Top 50 OSS AI repo Scanned 1w ago
HIGH ⚡ MCP

MCP tool allowlist missing — all tools callable by agent

Top 50 OSS AI repo Scanned 2d ago
Live scanner

Scan your agent or repo in 30 seconds.

Paste a GitHub URL or agent config. Get severity-ranked findings with exact file paths and remediation steps. No signup required.

Open the scanner →
github.com/example-org/ai-agent ✓ Scan complete
3 critical 3 high 2 medium
72
F
CRITICAL secrets-scan

Exposed OpenAI API Key

src/agent.js:14

OpenAI API key found in source file committed to repository. Key begins sk-proj-…. Immediately rotatable.

Fix: Remove from source, rotate key at platform.openai.com, add to .gitignore and use environment variables.
CRITICAL prompt-injection

Unvalidated Tool Call Chain — Prompt Injection Surface

src/tools/browser.js · src/tools/email.js

Agent passes raw user input to 3 tool calls without sanitization. An attacker can inject instructions via user message to exfiltrate data or send emails.

Fix: Validate and strip control characters from user input before tool dispatch. Add a content-policy layer between user messages and tool calls.
CRITICAL model-supply-chain

Pickle RCE — torch.load() Without weights_only=True

src/models/load.py:34 · models/classifier.pt

Model loaded with unsafe pickle deserialization. A malicious .pt file can embed arbitrary Python via GLOBAL opcodes — same vector as the 2022 PyTorch nightly compromise.

Fix: Set weights_only=True in torch.load(). Migrate to safetensors format. Verify SHA-256 before loading.
MEDIUM model-supply-chain

ML Package Typosquat: "langchian" ≈ "langchain"

requirements.txt:18

Package 2 edits away from the legitimate langchain. Typosquatted ML packages often run exfil code on pip install.

Fix: Replace with langchain. Audit existing install for unexpected network calls.
HIGH cicd-pipeline-scan

Unpinned Third-Party Action: tj-actions/changed-files@v35

.github/workflows/ci.yml:31

Action pinned to a mutable tag — the same vector used in the 2023 tj-actions supply-chain attack that exfiltrated CI secrets from thousands of repos.

Fix: Pin to a full 40-char commit SHA: uses: tj-actions/changed-files@<sha>. Use Dependabot to keep pins updated.

What we scan.

Four attack surfaces, four dedicated tools. Every scan runs all of them against your target simultaneously.

Agents

MCP endpoint enumeration, tool permission chain audit, unauthenticated endpoint detection, privilege escalation paths, and agent-to-agent trust boundary mapping.

mcp-probe tool-audit auth-check

LLMs

Prompt injection probes against raw user input paths, system prompt leakage tests, jailbreak surface detection, and unvalidated tool call chains that allow data exfiltration.

prompt-injection openai-analysis context-audit

Code & Builds

Secrets and API key detection across commit history, hardcoded credential scanning, dependency confusion checks, unsigned artifact warnings, and GitHub Actions workflow audits (pwn-request, script injection, unpinned actions).

secrets-scan cicd-pipeline-scan model-supply-chain

Cloud Architecture

Auth endpoint fuzzing, rate-limit absence detection (credential stuffing risk), missing account lockout, and login flow anomaly detection for AI-facing APIs.

fraud-scan auth-fuzz rate-check

Why builders, not buyers.

Security tools shouldn't require a 6-month sales cycle to ship safely. Nixer is built for the engineer who finds their agent has a prompt injection vulnerability at 11pm on a Friday — not for the CISO presenting to the board on Tuesday.

Enterprise procurement tools
Demo request → qualification call → proposal → legal review → procurement → onboarding
No CLI — findings live in a dashboard only your CISO can access
Can't block a PR — nothing integrates with your actual build pipeline
$50K+ annual contracts before you can run your first scan
Black box scoring — no remediation steps, just a severity number
Nixer
Free dev tier — npx nixer scan your repo right now, no signup required
CLI-first — pipe findings into CI, fail builds on critical, output JSON
GitHub Action ships in 60 seconds — every PR gets scanned automatically
Open-source tooling — no black box, see exactly what's running
Remediation steps with every finding — exact file path, exact fix

"Security tools shouldn't require a 6-month sales cycle to ship safely."

Try it in 30 seconds →
Developer-first

Drop Nixer into CI in 60 seconds.

One command. Every PR. Automatic.

.github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

permissions:
  security-events: write
  contents: read

jobs:
  nixer:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Nixer security scan
        uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}
          scan-targets: ./
          severity-threshold: high

      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: nixer.sarif

Findings appear as PR annotations + in the GitHub Security tab. Fails on high/critical. Add NIXER_API_KEY to repo secrets.

GitHub Marketplace Security · AI scanning
terminal
$ npx nixer scan https://github.com/your-org/your-agent

Nixer Security Scanner
──────────────────────────────────────────────────
Target : https://github.com/your-org/your-agent
Type   : repo_url
Fail on: critical

Starting scan... started (id: 42)

Scan Results
──────────────────────────────────────────────────
Status  : completed
Findings: 3 total
          1 critical  2 medium

[secrets-scan]
  CRITICAL Exposed OpenAI API Key
           src/agent.js:14
           Detected OpenAI API Key in src/agent.js:14
  Fix: Remove or rotate this credential immediately.

FAIL — findings at critical or above. Exiting non-zero.

Works on GitHub URLs, local files, or raw JSON configs. No install — just npx.

🔑 Secrets & API keys
🔌 MCP endpoint exposure
💉 Prompt injection
🚦 Fail-on threshold
📋 JSON artifact output
📌 PR annotations
GitHub Code Scanning

Findings in your PR,
not your CI logs.

Nixer outputs SARIF 2.1.0 by default. One extra step and findings land in the GitHub Security tab — inline on PR diffs, with file:line precision, severity colours, and remediation right where your team reviews code.

1 Run Polsia-Inc/nixer-action@v1 — writes nixer.sarif automatically
2 Add github/codeql-action/upload-sarif@v3 pointing at nixer.sarif
3 Set security-events: write + contents: read permissions
Permissions matter. Missing security-events: write is the #1 reason SARIF upload fails silently. The quickstart workflow has this right.
github.com/your-org/ai-agent/security/code-scanning
Code scanning Secret scanning Dependabot
Critical

Exposed OpenAI API Key

nixer/secrets-scan · src/agent.js:14

Nixer
Critical

Unvalidated Tool Call Chain — Prompt Injection Surface

nixer/prompt-injection · src/tools/browser.js:8

Nixer
High

Pickle RCE — torch.load() Without weights_only=True

nixer/model-supply-chain · src/models/load.py:34

Nixer
Medium

ML Package Typosquat: "langchian" ≈ "langchain"

nixer/model-supply-chain · requirements.txt:18

Nixer
.github/workflows/security.yml Marketplace →
permissions:
  security-events: write   # required — most teams forget this
  contents: read

steps:
  - uses: actions/checkout@v4

  - name: Run Nixer scan
    uses: Polsia-Inc/nixer-action@v1
    with:
      api-key: ${{ secrets.NIXER_API_KEY }}
      scan-targets: ./
      severity-threshold: high
      # format: sarif   ← default, writes nixer.sarif

  - name: Upload to GitHub Security tab
    uses: github/codeql-action/upload-sarif@v3
    if: always()
    with:
      sarif_file: nixer.sarif
      category: nixer

Built by people who've run this attack.

Offensive security isn't a feature checklist. It's a mindset. Nixer is built by operators who've found what attackers find — and believe defenders deserve the same tooling.

Latest: We scanned the top 50 OSS AI repos. The results are not encouraging. →

01

Offense-first, always.

Governance platforms watch your agents. Nixer attacks them. We test for the exploit, not the policy violation.

02

OSS is the moat.

Proprietary tools have blind spots. Open-source tooling evolves with the threat landscape. Nixer orchestrates the best of it — no vendor lock-in, no black box.

03

Depth over coverage theater.

We don't scan for 1,000 things and surface 5. We drill into the findings that matter — the ones that turn into breach stories.

Pricing

Scan without limits.

Free tier for getting started. Paid plans for serious security work.

Free
$0/mo
Try it out. No credit card.
  • 1 scan (30s or 30 requests)
  • Top 5 findings only
  • Basic report
  • Shareable result link
  • Guided scan mode
  • API access
  • Team seats
  • Priority support
Starter
$9/mo
1 repo · 100 scans/mo
  • 1 private repo
  • Full SARIF report
  • CI gate + PR comments
  • Shareable result links
  • Email alerts
  • Team seats
Team
$79/mo
50 repos · unlimited scans
  • 50 private repos
  • Unlimited scans
  • Slack alerts
  • Team seats
  • Priority support
  • SSO / SAML
Enterprise
Custom
Unlimited scanning for your org.
  • Unlimited scans
  • Full SARIF report
  • SSO (SAML/OIDC)
  • Custom SLA
  • Dedicated support
  • On-prem option
  • Audit logs
  • White-glove onboarding
Free
Starter $9/mo
Pro $29/mo
Team $79/mo
Enterprise
Scans per month
∞ (public)
100
1,000
Unlimited
Unlimited
Report depth
Top 5
Full SARIF
Full SARIF
Full SARIF
Full SARIF
Private repos
1
10
50
Unlimited
Email alerts
Team seats
Unlimited
Support
Email
Email
Priority
Dedicated
SSO
On-prem option
NEW
Generate a compliance-ready security report SOC 2 · HIPAA · NIST AI RMF · FedRAMP — with real control mappings, in 60 seconds.
Generate free report →

Common questions

What counts as a scan?
One full run of all 4 scanner tools (secrets, MCP, prompt injection, fraud) against a single target. Even large repos count as one scan.
Can I scan private repos?
Starter ($9/mo) and above: yes. Add a GitHub token as an environment variable and Nixer will scan private repos the same way it scans public ones.
What happens when I hit my scan limit?
You can upgrade at any time with no downtime. Your existing scans and reports stay accessible.
Is there an annual discount?
Yes — 20% off when you pay annually. Starter: $86/yr (was $108), Pro: $278/yr (was $348), Team: $758/yr (was $948). Toggle on the pricing page to see annual rates.
Latest Advisories
View all →