Fixor is a GitHub App I've been building for the last few months. It reviews every PR for SQL injection before merge. Not a linter, not Semgrep: it reads the actual diff, runs a triage pass, then asks an LLM to generate a parameterized fix that compiles in the existing codebase.
The repo in the screenshot is knowflow. The PR added a single line: db.query("SELECT * FROM users WHERE id = " + req.params.id). Fixor flagged it as high severity, posted the file and line, generated a parameterized replacement, and dropped a PDF report and a SARIF 2.1.0 log as PR comments. The PDF is for compliance. The SARIF feeds into GitHub Code Scanning if you use it.
Total time: 24 seconds. No CI step. No config. Install the App on a repo and it works on the next PR.
The hard part of building this wasn't the detection; that's a regex in two lines. The hard part was the layer that decides what reaches the LLM, and the layer after that which decides what reaches the developer. Early versions flagged ORM queries that were already safe. The current version triages findings before the LLM call, then applies per-org filtering after. The false positive rate sits under 5% on the repos I've tested.
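To make the two stages concrete (the concatenated-query line from the knowflow PR, the "regex in two lines" detection, the triage that leaves already-parameterized calls alone, and the SARIF 2.1.0 output), here is a small added example. It is not Fixor's code; it is a stand-alone Node.js sketch. The diff hunk, file name, rule id and tool name are constructed for the example, and the `?` placeholder in the fixed line assumes a driver with a `query(sql, params)` signature such as mysql (pg would use `$1`).

```javascript
// Added example, not Fixor's code. Two-stage SQL injection check over a diff:
//   stage 1: a regex flags query calls whose SQL is joined with request input
//            by `+` concatenation or template-literal interpolation;
//   stage 2: triage drops calls that already pass a parameter array, so a
//            parameterized query is not reported as a finding.
// Findings are emitted as a SARIF 2.1.0 log, the format GitHub Code Scanning ingests.

// Stage 1: `.query("..." + req.` or `.query(`...${req.` (assumption: request
// input is reached through the Express-style `req` object).
const CONCAT_QUERY = /\.query\(\s*(?:"[^"]*"\s*\+\s*req\.|`[^`]*\$\{\s*req\.)/;

// Stage 2: a string literal followed by a parameter array is treated as safe.
const PARAM_ARRAY = /\.query\(\s*(?:"[^"]*"|'[^']*'|`[^`$]*`)\s*,\s*\[/;

// Walk a unified diff and return findings for added lines only, with the
// line number in the new version of the file taken from the hunk header.
function findSqlConcat(diffText, fileName) {
  const findings = [];
  let newLine = 0;
  let inHunk = false;
  for (const raw of diffText.split("\n")) {
    const hunk = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)/);
    if (hunk) { newLine = parseInt(hunk[1], 10); inHunk = true; continue; }
    if (!inHunk) continue;                 // skip "diff --git", "---", "+++" headers
    if (raw.startsWith("-")) continue;     // removed line: no new-file line number
    const code = raw.slice(1);
    if (raw.startsWith("+") && CONCAT_QUERY.test(code) && !PARAM_ARRAY.test(code)) {
      findings.push({ file: fileName, line: newLine, snippet: code.trim() });
    }
    newLine += 1;                          // context and added lines both advance the counter
  }
  return findings;
}

// Minimal SARIF 2.1.0 document: one rule, one result per finding, each with a
// physical location (file URI plus start line) so Code Scanning can annotate the PR.
function toSarif(findings) {
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: { driver: { name: "sqli-diff-check (example)", rules: [{
        id: "SQLI-CONCAT",
        shortDescription: { text: "SQL built by string concatenation with request input" },
      }] } },
      results: findings.map(f => ({
        ruleId: "SQLI-CONCAT",
        level: "error",
        message: { text: `Query string concatenated with request input: ${f.snippet}` },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: f.file },
          region: { startLine: f.line },
        } }],
      })),
    }],
  };
}

// Constructed diff for the example: the first added line is the vulnerable
// concatenation from the post, the second is an already-parameterized call.
const SAMPLE_DIFF = [
  "diff --git a/routes/users.js b/routes/users.js",
  "--- a/routes/users.js",
  "+++ b/routes/users.js",
  "@@ -10,4 +10,6 @@ router.get(\"/users/:id\", (req, res) => {",
  "   const db = req.app.get(\"db\");",
  "+  db.query(\"SELECT * FROM users WHERE id = \" + req.params.id, (err, rows) => res.json(rows));",
  "+  db.query(\"SELECT name FROM users WHERE id = ?\", [req.params.id]);",
  "   res.end();",
  " });",
].join("\n");

// The parameterized replacement for the flagged line: the SQL template and the
// user value travel separately, so the value can never change the query's shape.
const FIXED_LINE = 'db.query("SELECT * FROM users WHERE id = ?", [req.params.id]);';

// Stand-alone run: prints the SARIF log for the sample diff (one finding, line 11).
console.log(JSON.stringify(toSarif(findSqlConcat(SAMPLE_DIFF, "routes/users.js")), null, 2));
```

The triage stage is where the early false positives described above live: `PARAM_ARRAY` is the simplest possible version of "this call is already safe", and a real tool needs the same idea for each ORM or query builder it sees.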
Going public next week. If you run a repo with database queries and want to install it the day it ships, drop a comment and I'll send you the link before the public launch.