
🔐 yobitsugi — Let Your AI Assistant Fix Security Vulnerabilities While You Watch
I've been working on a tool that bridges the gap between vulnerability scanning and actually fixing the bugs. It's called yobitsugi (呼継ぎ — "called-in joinery" in Japanese).
The Problem
Running a SAST/SCA scanner is easy. Understanding the output? Less so. Coordinating fixes across multiple scanners (bandit, semgrep, eslint, safety, gosec, etc.) is painful. And trusting an automated fix you don't understand is worse than the vulnerability itself.
The Solution
yobitsugi is a skill you install into your AI coding assistant (Claude Code, Cursor, Aider, GitHub Copilot CLI, Gemini CLI, or OpenCode). Type /yobitsugi . and it:
Runs every matching SAST/SCA scanner for your repo's languages in parallel
Normalizes findings into a unified schema (so you see the same structure whether it came from bandit or semgrep)
Hands off to your assistant, which reads the findings, summarizes them, proposes a diff for each CRITICAL/HIGH issue, and asks before applying
Re-scans to confirm — diffs the findings before/after, flags any regressions
Your editor's model does the reasoning. The yobitsugi binary just orchestrates the scanners and parses the output.
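As an added example, not yobitsugi's own code, here is what the normalize and re-scan steps look like when written out: bandit's and semgrep's JSON mapped onto one Finding type, then a before/after diff keyed on a fingerprint that ignores line numbers, so a fix that shifts the rest of the file does not report every untouched finding as both "fixed" and "regressed". The unified schema, the severity mapping and the sample scanner output are assumptions made for this example; the bandit and semgrep field names are the ones those tools emit.

```python
"""Added example: normalise bandit and semgrep JSON into one finding
schema and diff a before/after scan into fixed / remaining / regressed.
Not yobitsugi's code; the schema and severity mapping are assumptions."""
import hashlib
import json
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    path: str
    line: int
    severity: str
    message: str
    snippet: str

    @property
    def fingerprint(self) -> str:
        # Line numbers are left out on purpose: a fix that adds or removes
        # lines elsewhere in the file must not make an untouched finding
        # look new (a false regression) and its old copy look fixed.
        key = "\x00".join([self.tool, self.rule_id, self.path, self.snippet])
        return hashlib.sha256(key.encode()).hexdigest()[:16]


def _normalise(code: str, numbered: bool = False) -> str:
    # bandit's "code" field prefixes every line with its number; drop that,
    # then collapse whitespace so equal statements hash equally.
    lines = code.splitlines()
    if numbered:
        lines = [re.sub(r"^\s*\d+\s?", "", ln) for ln in lines]
    return " ".join(" ".join(lines).split())


def parse_bandit(raw: str) -> list[Finding]:
    """bandit -f json -> unified findings (bandit already uses LOW/MEDIUM/HIGH)."""
    return [Finding("bandit", r["test_id"], r["filename"], r["line_number"],
                    r["issue_severity"], r["issue_text"],
                    _normalise(r["code"], numbered=True))
            for r in json.loads(raw)["results"]]


def parse_semgrep(raw: str) -> list[Finding]:
    """semgrep --json -> unified findings."""
    return [Finding("semgrep", r["check_id"], r["path"], r["start"]["line"],
                    SEMGREP_SEVERITY[r["extra"]["severity"]],
                    r["extra"]["message"], _normalise(r["extra"]["lines"]))
            for r in json.loads(raw)["results"]]


def diff_scans(before: list[Finding], after: list[Finding]) -> dict:
    """Bucket findings by fingerprint: gone since the fix, still there, newly introduced."""
    b = {f.fingerprint: f for f in before}
    a = {f.fingerprint: f for f in after}
    return {"fixed": [b[k] for k in b.keys() - a.keys()],
            "remaining": [a[k] for k in a.keys() & b.keys()],
            "regressions": [a[k] for k in a.keys() - b.keys()]}


def blocking(report: dict, floor: str = "HIGH") -> list[Finding]:
    """Regressions at or above `floor`: the ones that should stop a fix from being applied."""
    return [f for f in report["regressions"]
            if SEVERITY_ORDER[f.severity] >= SEVERITY_ORDER[floor]]


# Constructed sample scanner output (hand-written, not real runs). Before the
# fix: hard-coded password at line 3, shell=True at line 12 (seen by both tools).
BANDIT_BEFORE = json.dumps({"results": [
    {"test_id": "B105", "filename": "app.py", "line_number": 3, "issue_severity": "LOW",
     "issue_text": "Possible hardcoded password", "code": "3 PASSWORD = 'hunter2'\n"},
    {"test_id": "B602", "filename": "app.py", "line_number": 12, "issue_severity": "HIGH",
     "issue_text": "subprocess call with shell=True", "code": "12 subprocess.call(cmd, shell=True)\n"}]})
SEMGREP_BEFORE = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.subprocess-shell-true", "path": "app.py",
     "start": {"line": 12}, "extra": {"severity": "ERROR", "message": "shell=True with a variable",
                                      "lines": "subprocess.call(cmd, shell=True)"}}]})
# After the fix: shell=True is gone, two added imports pushed the password to
# line 5, and the patch introduced an unsafe yaml.load at line 14.
BANDIT_AFTER = json.dumps({"results": [
    {"test_id": "B105", "filename": "app.py", "line_number": 5, "issue_severity": "LOW",
     "issue_text": "Possible hardcoded password", "code": "5 PASSWORD = 'hunter2'\n"},
    {"test_id": "B506", "filename": "app.py", "line_number": 14, "issue_severity": "MEDIUM",
     "issue_text": "Use of unsafe yaml load", "code": "14 cfg = yaml.load(f)\n"}]})
SEMGREP_AFTER = json.dumps({"results": []})


def demo() -> dict:
    before = parse_bandit(BANDIT_BEFORE) + parse_semgrep(SEMGREP_BEFORE)
    after = parse_bandit(BANDIT_AFTER) + parse_semgrep(SEMGREP_AFTER)
    return diff_scans(before, after)


if __name__ == "__main__":
    for bucket, items in demo().items():
        for f in items:
            print(f"{bucket:11} {f.severity:6} {f.tool}:{f.rule_id} {f.path}:{f.line}")
```

On the constructed input the diff reports the two shell=True findings as fixed, the moved password as remaining (same fingerprint, new line number) and the yaml.load as a regression. The regressions bucket is what the confirm step should gate on; with the default HIGH floor the MEDIUM yaml.load would be reported but not block, so pick the floor deliberately. Any further scanner slots in the same way: one parse function per tool, mapping its own severity scale onto the shared one.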
What You Get
Supports 9 languages — Python, JS/TS, Go, Java, Ruby, PHP, C/C++, Rust, Shell
Ephemeral tool mode — spins up a throwaway scanner venv, cleans up automatically
Parallel scanning — bandit, semgrep, pip-audit, trufflehog all run concurrently
Zero telemetry — everything stays on your machine
Cross-platform — Windows, macOS, Linux
Quick Start
pipx install yobitsugi && yobitsugi install
# Inside your editor, type:
/yobitsugi .
GitHub: yobitsugi
PyPI: PyPI package
This is open source (MIT), and I'm happy to add new scanners or assistants.
Would love feedback from the security and dev communities.