Fendix

DAST + SAST in one PR check. Fails only when both engines confirm.

Install (macOS & Linux)

curl -fsSL https://get.fendix.dev/install.sh | sh

Downloads the latest release binary for your platform, verifies its sha256 checksum, and installs it to /usr/local/bin/fendix.

First scan

fendix scan --url https://api.example.com --format html --output report.html
open report.html

Detects missing security headers, CORS misconfig, auth bypasses, sensitive data exposure, and rate-limiting gaps — without sending destructive payloads.

In your CI

Drop these steps into a job in .github/workflows/security.yml for a PR-gated DAST + SAST check that uploads SARIF to the repository's Security tab:

- name: Install Fendix
  run: curl -fsSL https://get.fendix.dev/install.sh | sh

- name: Scan
  run: fendix scan --code ./ --format sarif --output fendix.sarif --fail-on HIGH

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: fendix.sarif
    category: fendix

Full reference workflow with PR-comment integration: examples/github-actions/fendix-scan.yml.

Verify the binary (cosign)

Releases are signed with cosign keyless signing (short-lived certificates issued by Sigstore Fulcio), so there is no static public key to distribute. Verify any release artifact against the GitHub Actions OIDC identity that built it:

VERSION=v0.6.0
ASSET=fendix-${VERSION}-linux-amd64

curl -fsSL -o "$ASSET"      "https://github.com/Abdel-RahmanSaied/homebrew-fendix/releases/download/${VERSION}/${ASSET}"
curl -fsSL -o "$ASSET.crt"  "https://github.com/Abdel-RahmanSaied/homebrew-fendix/releases/download/${VERSION}/${ASSET}.crt"
curl -fsSL -o "$ASSET.sig"  "https://github.com/Abdel-RahmanSaied/homebrew-fendix/releases/download/${VERSION}/${ASSET}.sig"

cosign verify-blob \
  --certificate "$ASSET.crt" \
  --signature   "$ASSET.sig" \
  --certificate-identity-regexp "^https://github.com/Abdel-RahmanSaied/Fendix/" \
  --certificate-oidc-issuer     "https://token.actions.githubusercontent.com" \
  "$ASSET"

Same pattern verifies .deb, .rpm, and Docker images. Releases cut before cosign was enabled fall back to .sha256.

Inspect before piping

Sane practice for any curl | sh installer:

curl -fsSL https://get.fendix.dev/install.sh | less
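Reading the installer is the first step; the second is to keep the artifact on disk and verify it before anything runs. The script below is an added example, not Fendix's installer or release tooling. It wires the cosign verification from the previous section together with the .sha256 fallback for older releases into one download-verify-install flow. Assumptions that are not taken from the page: the .sha256 file uses the `sha256sum` layout (`<hex>  <filename>`), the helper names `fetch_release`, `verify_release`, `verify_sha256` and `sha256_of` are hypothetical, and the release URL, certificate identity regexp and OIDC issuer are copied from the commands above.

```shell
#!/bin/sh
# Added example (not Fendix's own installer or release tooling).
# Download, verify, and only then install a release asset:
#   1. prefer keyless cosign verification when ASSET.crt + ASSET.sig exist,
#   2. fall back to ASSET.sha256 for releases cut before cosign was enabled,
#   3. refuse if neither is present.
# Assumption (not from the page): the .sha256 file has the `sha256sum`
# layout "<hex>  <filename>"; adjust the awk field if the real layout differs.

ASSET_BASE_URL="https://github.com/Abdel-RahmanSaied/homebrew-fendix/releases/download"
CERT_IDENTITY_RE='^https://github.com/Abdel-RahmanSaied/Fendix/'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Print the SHA-256 hex digest of a file using whichever tool the host has
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 when the digest matches, 1 otherwise.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# verify_release ASSET_PATH -> 0 only when a verification path succeeds.
# A present signature is never downgraded to a checksum check: if the
# .crt/.sig pair exists but cosign is missing, the result is a failure.
verify_release() {
  asset=$1
  if [ -f "$asset.crt" ] && [ -f "$asset.sig" ]; then
    if ! command -v cosign >/dev/null 2>&1; then
      echo "cosign not installed; signature present, refusing to fall back" >&2
      return 1
    fi
    if cosign verify-blob \
        --certificate "$asset.crt" \
        --signature "$asset.sig" \
        --certificate-identity-regexp "$CERT_IDENTITY_RE" \
        --certificate-oidc-issuer "$OIDC_ISSUER" \
        "$asset"; then
      return 0
    fi
    echo "cosign verification failed for $asset" >&2
    return 1
  fi
  if [ -f "$asset.sha256" ]; then
    expected=$(awk 'NR==1 {print $1}' "$asset.sha256")
    if verify_sha256 "$asset" "$expected"; then
      return 0
    fi
    echo "sha256 mismatch for $asset" >&2
    return 1
  fi
  echo "no .crt/.sig pair and no .sha256 next to $asset" >&2
  return 1
}

# fetch_release VERSION ASSET DIR: download the asset plus whichever
# verification files the release ships; empty files from 404s are removed.
fetch_release() {
  version=$1; asset=$2; dir=$3
  for suffix in "" .crt .sig .sha256; do
    f="$dir/$asset$suffix"
    curl -fsSL -o "$f" "$ASSET_BASE_URL/$version/$asset$suffix" 2>/dev/null || true
    [ -s "$f" ] || rm -f "$f"
  done
}

# Usage (network required):
#   VERSION=v0.6.0; ASSET="fendix-${VERSION}-linux-amd64"; DIR=$(mktemp -d)
#   fetch_release "$VERSION" "$ASSET" "$DIR"
#   verify_release "$DIR/$ASSET" && install -m 0755 "$DIR/$ASSET" /usr/local/bin/fendix
```

The identity regexp pins the signing workflow to the Fendix source repository even though the assets are served from the homebrew-fendix mirror, which matches the commands in the previous section; the issuer pin stops a certificate from any other OIDC provider from being accepted.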

Source: Abdel-RahmanSaied/Fendix · Mirror: homebrew-fendix · Security