Your First AI Security Hire
Stop wasting hours on security reviews. Fenny scans your code, understands context like a senior engineer, and delivers actionable fixes — not just alerts.
- Find vulnerabilities before hackers do
- AI-powered auto-fix suggestions
- Seamless GitHub integration
Free for public repos. No credit card required.
SQL Injection in user.js:142
User input flows directly to query. High confidence.
Missing null check in api.js:89
Input validated upstream in middleware. False positive.
Outdated lodash dependency
Vulnerable method not used. Lower priority.
Everything you need to secure your code
From vulnerability detection to automated fixes, Fenny handles security so you can focus on building features.
Deep Code Analysis
Static analysis that goes beyond pattern matching. Understands data flow, control flow, and business logic.
AI-Powered Context
Our AI understands your codebase like a senior engineer, reducing false positives and prioritizing real threats.
Auto-Fix Magic
Get production-ready fix suggestions, not just alerts. Copy, review, and merge — security made easy.
Dependency Scanning
Full SCA coverage for npm, pip, maven, and more. Know exactly which packages put you at risk.
GitHub Native
PR comments, status checks, and automated scans. Security that fits your existing workflow.
Compliance Ready
Map findings to SOC 2, PCI DSS, HIPAA, and more. Generate audit-ready reports in one click.
How Fenny works
Get from zero to secure in four simple steps. No complex setup, no learning curve.
Connect
Link your GitHub repos with one click. We only request the permissions we need.
Scan
Fenny analyzes your code for vulnerabilities, misconfigurations, and dependency risks.
Review
Get prioritized findings with context. No more wading through false positives.
Fix
Apply AI-generated fixes directly or export to your issue tracker.
Not just another scanner. Your AI security teammate.
Traditional scanners blast you with alerts. Fenny thinks like a security engineer — understanding context, filtering noise, and delivering fixes you can actually use.
Contextual Understanding
Unlike pattern-matching tools, Fenny understands your code's intent and business logic.
90% Fewer False Positives
AI filters out noise so your team focuses on real vulnerabilities, not chasing ghosts.
Smart Prioritization
Findings ranked by actual exploitability, not just severity scores.
Instant Fix Generation
Production-ready code fixes generated in seconds, reviewed by AI for correctness.
Real Vulnerabilities, Real Fixes
Learn from security vulnerabilities we've discovered and fixed in production code
Buffer Overflow in hoeldb.c: How sprintf() Threatened a Racing Sim's Database Layer
A critical buffer overflow vulnerability was discovered in `src/simmonitor/db/hoeldb.c`, where fixed-size heap buffers (150 and 250 bytes) were allocated with `malloc()` and then written to using `sprintf()` without any bounds checking. The fix replaces these unsafe patterns with `asprintf()` for dynamic allocation and `calloc()` for row data buffers, eliminating both the overflow risk and a related uninitialized memory hazard.
Local File Inclusion in Crawl4AI Docker API via file:// URL Injection
CVE-2026-26217 is a critical Local File Inclusion (LFI) vulnerability in Crawl4AI versions prior to 0.8.0, where the Docker API fails to restrict `file://` URL schemes, allowing attackers to read arbitrary files from the host filesystem. The fix upgrades `crawl4ai` from `0.7.6` to `0.8.0` in `pyproject.toml` and `uv.lock`, closing a direct path to sensitive file exfiltration in any containerized deployment using this library.
Heap Buffer Overflow in Audio Ring Buffer: How a Missing Bounds Check Could Crash Your App
A critical heap buffer overflow vulnerability was discovered in `audio_backend.c`, where the audio ring buffer's `memcpy` operations lacked bounds validation before writing PCM data. Without checking that incoming data sizes fell within the allocated buffer's capacity, a maliciously crafted audio file could corrupt adjacent heap memory, potentially enabling arbitrary code execution. The fix adds a concise pre-flight validation guard that rejects out-of-range write requests before any memory oper
Critical Memory Safety Bug: Free of Uninitialized Memory in Rust Telemetry (CVE-2021-29937)
CVE-2021-29937 is a critical memory safety vulnerability in the Rust `telemetry` crate (versions prior to 0.1.3) that allows freeing uninitialized memory, leading to undefined behavior, potential crashes, and possible code execution. The fix involves upgrading the crate from version 0.1.0 to 0.1.3, which patches the unsafe memory handling at the root cause. Despite Rust's reputation for memory safety, this vulnerability demonstrates that `unsafe` code blocks can still introduce serious bugs that
Critical Heap Buffer Overflow in SSDP Control Point: How Unbounded String Operations Put Networks at Risk
A critical heap buffer overflow vulnerability was discovered and patched in the SSDP control point implementation (`ssdp_ctrlpt.c`), where multiple unbounded `strcpy` and `strcat` operations constructed HTTP request buffers without any length validation. Network-received SSDP response fields — including service type strings and location URLs — could be crafted by an attacker to exceed buffer boundaries, potentially enabling arbitrary code execution or denial of service. The fix replaces the unsa
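Both the hoeldb.c and SSDP write-ups above come down to the same defect: the buffer is sized before anyone measures the content. The added example below is not code from either project; it is a constructed racing-sim row formatter (hypothetical `ROW_FMT`, `format_row`, `alloc_row` names) that shows the measurement a `malloc(N)` + `sprintf()` or `strcpy()`/`strcat()` sequence skips, the `asprintf()` replacement, and the `calloc()` zero-fill for row data.

```c
#define _GNU_SOURCE   /* asprintf() is a GNU/BSD extension, not ISO C */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int asprintf(char **strp, const char *fmt, ...); /* explicit prototype in case the feature macro came too late */

/* Fixed heap size quoted above for hoeldb.c; kept only to demonstrate the check. */
#define OLD_BUF_SMALL 150

/* Record format for this example (constructed; not the project's real schema). */
static const char *ROW_FMT = "track=%s;driver=%s;lap_ms=%d";

/* Bytes the formatted row needs, excluding the terminator, measured with a
 * snprintf(NULL, 0, ...) probe. This is the measurement that a bare
 * malloc(N) + sprintf() or strcpy()/strcat() sequence never makes. */
size_t row_required_len(const char *track, const char *driver, int lap_ms)
{
    int n = snprintf(NULL, 0, ROW_FMT, track, driver, lap_ms);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if sprintf() of this row into a `cap`-byte buffer would overrun it. */
int row_would_overflow(const char *track, const char *driver, int lap_ms, size_t cap)
{
    return row_required_len(track, driver, lap_ms) + 1 > cap;
}

/* Hardened formatter: asprintf() allocates exactly what the content needs,
 * so no externally supplied field length can exceed the buffer.
 * Returns NULL on allocation failure; the caller free()s the result. */
char *format_row(const char *track, const char *driver, int lap_ms)
{
    char *out = NULL;
    if (asprintf(&out, ROW_FMT, track, driver, lap_ms) < 0)
        return NULL;
    return out;
}

/* Row data buffer: calloc() zero-fills, so each column slot starts as NULL
 * rather than stale heap bytes (the uninitialized-memory hazard above). */
char **alloc_row(size_t ncols)
{
    return calloc(ncols, sizeof(char *));
}
```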
Heap Buffer Overflow in OPDS Parser: How a Misplaced Variable Nearly Opened the Door to Remote Code Execution
A critical heap buffer overflow vulnerability was discovered in `lib/OpdsParser/OpdsParser.cpp`, where the buffer allocation size was calculated *after* a fixed chunk size was used to allocate memory, meaning the actual bytes read could exceed the allocated buffer. On embedded devices parsing untrusted OPDS catalog data from the network, this flaw could allow a remote attacker to corrupt heap memory and potentially achieve arbitrary code execution. The fix was elegantly simple: move the `toRead`
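The audio ring buffer and OPDS parser write-ups above share one fix: validate the requested size against what was actually allocated before any `memcpy` or read runs. The added example below is a constructed PCM ring buffer (hypothetical `ring_t`, `ring_write`, `ring_read`; not the project's `audio_backend.c`) whose write path performs that pre-flight guard and rejects an oversized chunk length, such as one taken from an untrusted file header, instead of corrupting adjacent heap memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical PCM ring buffer, constructed for this example. `len` is treated
 * as untrusted: in a decoder it typically comes from a chunk header in the file. */
typedef struct {
    uint8_t *data;   /* heap or caller-provided storage of `cap` bytes */
    size_t cap;      /* total capacity in bytes */
    size_t head;     /* next write offset, always < cap */
    size_t used;     /* bytes queued and not yet read, always <= cap */
} ring_t;

void ring_init(ring_t *r, uint8_t *storage, size_t cap)
{
    r->data = storage; r->cap = cap; r->head = 0; r->used = 0;
}

/* Pre-flight guard: the request is checked against free space before any
 * memcpy() runs, so an oversized chunk is rejected rather than written past
 * the allocation. Returns 0 on success, -1 when the write does not fit. */
int ring_write(ring_t *r, const uint8_t *src, size_t len)
{
    if (src == NULL || len == 0) return -1;
    if (len > r->cap - r->used) return -1;     /* cannot underflow: used <= cap */
    size_t first = r->cap - r->head;           /* contiguous bytes before wrap */
    if (first > len) first = len;
    memcpy(r->data + r->head, src, first);
    memcpy(r->data, src + first, len - first); /* wrapped tail; may be 0 bytes */
    r->head = (r->head + len) % r->cap;
    r->used += len;
    return 0;
}

/* Drains up to `len` bytes into dst; returns the number actually copied. */
size_t ring_read(ring_t *r, uint8_t *dst, size_t len)
{
    if (len > r->used) len = r->used;
    size_t tail = (r->head + r->cap - r->used) % r->cap;
    size_t first = r->cap - tail;
    if (first > len) first = len;
    memcpy(dst, r->data + tail, first);
    memcpy(dst + first, r->data, len - first);
    r->used -= len;
    return len;
}
```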
Compliance frameworks, covered
Map your security findings to industry standards. Generate audit-ready reports that satisfy your compliance team and auditors.
SOC 2
Type II Ready
PCI DSS
Level 1 Compliant
HIPAA
Healthcare Ready
OWASP
Top 10 Coverage
ISO 27001
Information Security
One-Click Reports
Export findings mapped to specific compliance controls
Evidence Collection
Automatic documentation for audit trails
Continuous Monitoring
Stay compliant with every code change
Ready to secure your code?
Join thousands of developers who trust Fenny to find and fix vulnerabilities before they become problems. Get started in under 2 minutes.