Enterprise-Grade · v0.2.0 · Production Ready

Deploy intelligent issue triage
to your infrastructure.

bugsift v0.2.0 is a self-hosted GitHub issue triage system built for enterprises. Classifies, deduplicates, reproduces, and drafts replies in ~90 seconds. Deploy to your domain. Security scanning, code coverage enforcement, and E2E testing built-in.

$ BUGSIFT_DOMAIN=bugsift.yourdomain.com curl -fsSL https://github.com/joym-gits/bugsift/releases/download/v0.2.0/install.sh | bash
Self-hosted only · no SaaS Apache 2.0 · completely free Enterprise-grade CI/CD with security scanning Deploy to your domain in 5 minutes
Why bugsift

Enterprise teams need more than issue classifiers. They need production-grade infrastructure.

Most issue triage tools are either too basic (static classifiers) or too invasive (cloud SaaS that sees all your data). v0.2.0 bridges that gap: enterprise-grade security scanning, code coverage enforcement, and database verification baked into the CI/CD pipeline. Deploy to your infrastructure. No vendor lock-in.

What cloud SaaS offers

  • Data hosted externally — your issue bodies and GitHub tokens live on someone else's servers.
  • No security gates — deploy untested code or vulnerable dependencies without warnings.
  • Per-user fees — licensing costs scale with team size, not value.
  • Vendor lock-in — integration tightly couples your workflow to their platform.

What bugsift v0.2.0 offers

  • Self-hosted entirely — deploy to your infrastructure, your domain, your data stays put.
  • Enterprise CI/CD gates — SAST scanning, dependency audits, code coverage, database migrations all verified.
  • No licensing costs — one-time deployment, pay only for your LLM tokens (Anthropic, OpenAI, Google, or Ollama).
  • Complete control — fork the code, customize prompts, deploy to your servers, audit every decision.
How it works

One deterministic pipeline. Five steps. ~90 seconds per issue.

No LangChain, no ReAct loops, no autonomous planning. A ~300-line orchestrator runs the steps in a fixed order. Every decision is logged, auditable, and human-controllable.

1

Classify

bug · feature-request · question · docs · spam · other. PII redacted before the prompt reaches the LLM.

2

Dedup

Cosine search over issue embeddings + LLM judge. Detects true duplicates and drafts a "duplicates #123" reply.

3

Retrieve

Pinpoints the 3–5 most relevant source files with line ranges. Refined post-repro by stack traces and error contexts.

4

Reproduce

Drafts a minimal repro script and runs it in an isolated sandbox (network off, capabilities dropped, 60-second timeout).

5

Draft

Writes the triage comment, proposes labels, suggests assignees. Lands on a card in the dashboard for your approval.

v0.2.0 Features

Enterprise-grade pipeline with every gate you need.

Not just a classifier. A complete production system with security scanning, code coverage gates, database safety, and E2E testing built in.

🔒

SAST Security Scanning

Bandit (Python) + ESLint (JavaScript) catch vulnerabilities automatically in CI/CD. Blocks merged code with security issues.

📦

Dependency Audits

npm audit + pip audit verify supply chain security. Prevents vulnerable dependencies from shipping to production.

📊

Code Coverage Enforcement

65% minimum coverage threshold enforced in CI/CD. Prevents untested code paths from shipping. Configurable per-project.

🗄️

Database Migrations Safety

Alembic migrations verified and tested before deployment. Ensures schema changes are safe and reversible.

🧪

E2E Testing

Real server startup with health checks. Tests the actual application behavior, not just isolated units.

🏗️

Multi-Architecture Builds

amd64 and arm64 support. Deploy natively to Intel servers or Apple Silicon. No emulation needed.

📋

Learns from Corrections

Every approve / skip / edit trains the next run. Triage quality compounds with use, no manual retraining needed.

Routing Rules + SLA

Operator-defined rules: "If severity=blocker on my-org/api-*, assign @sec-team, notify #incidents, SLA 60 min."

🎛️

Multi-LLM Support

Anthropic, OpenAI, Google Gemini, or self-hosted Ollama. You bring the key. Monthly budget caps with graceful degradation.

Enterprise Security

Production-grade security. Enabled by default. No configuration required.

Every item below ships on by default. Built for enterprises that can't compromise on security or compliance. Complete security audit + mitigation report available in the repository.

Self-Hosted Only

Your GitHub tokens, issue bodies, and operator decisions never leave your infrastructure. No cloud vendor, no SaaS.

SAST Scanning in CI/CD

Bandit (Python) and ESLint (JavaScript) scan every commit. Vulnerabilities block PRs from merging.

Container Security Scanning

GitHub's native container scanning detects CVEs in Docker images. Multi-architecture builds verified before publication.

Sandbox Isolation

Repro containers run with network_mode=none, read-only root, tmpfs scratch, all Linux capabilities dropped, 60-second kill.

Secrets Encrypted at Rest

GitHub App PEM, OAuth secrets, webhook URLs, LLM keys, Slack tokens - all Fernet-encrypted with a master key.

PII Scrubbed Pre-LLM

Emails, phones, SSN, credit cards, API keys, JWTs - redacted before any prompt. Stable tokens preserve referential integrity.

Append-Only Audit Trail

Every login, role change, approval, and decision logged and exportable. CSV format for SOC 2 auditors and compliance teams.

SSRF-Safe HTTP

Every user-supplied URL is validated. Private, loopback, link-local, and CGNAT addresses are rejected.

Get started

Deploy to your domain in one command.

Requires Docker 24+ and 2+ GB RAM. Works on any Linux server, cloud VM, or Kubernetes cluster. One command. No .env editing. No migrations.

$ BUGSIFT_DOMAIN=bugsift.yourdomain.com curl -fsSL https://github.com/joym-gits/bugsift/releases/download/v0.2.0/install.sh | bash
1
The installer runs Verifies Docker, generates encryption keys and secrets, pulls pre-built images from GHCR, runs database migrations, starts all services.
2
Point your domain Add an A record to your domain registrar pointing to your server's IP. Installation prints the exact URL and bootstrap token.
3
Register GitHub App Visit your dashboard at your domain, click Register GitHub App, paste the bootstrap token. GitHub's manifest flow handles the rest.
4
Add LLM key and triage Paste your Anthropic, OpenAI, Google, or Ollama key in Settings. Open an issue on your repo. A triage card appears in ~90 seconds.

Pin a specific release with BUGSIFT_IMAGE_TAG=v0.2.0 for reproducibility. Full deployment guide with TLS, backups, and upgrades: DEPLOY_GUIDE.md. Need local testing first? Use BUGSIFT_DOMAIN=localhost and access on localhost:3001.

v0.2.0 Production Release

Enterprise-grade. Self-hosted. Production-ready.

Deploy bugsift v0.2.0 to your infrastructure. Security scanning, code coverage enforcement, and E2E testing baked into the CI/CD pipeline. No vendor lock-in. Your data stays with you.

FAQ

Questions about self-hosted deployment.

What does "self-hosted" mean? Does my data go to the cloud?

Self-hosted means you deploy bugsift to your own infrastructure. Your GitHub tokens, issue bodies, and all operator decisions stay entirely in your systems. No data ever touches a third-party cloud or SaaS platform. You control the servers, the database, everything.

Can I deploy to my own domain?

Yes. That's the entire point. You point your domain (e.g., bugsift.yourdomain.com or bugsift.mycompany.com) to your server using DNS A records. The installer sets up Nginx and TLS. Your users access bugsift at your domain, not a shared cloud platform.

What about security? Is it production-grade?

Yes. v0.2.0 includes SAST scanning (Bandit + ESLint), dependency audits (npm + pip), code coverage enforcement (65% minimum), database migration verification, E2E testing, multi-architecture builds, container scanning, PII redaction, and append-only audit logging. Every security gate is enabled by default.

How much does it cost?

bugsift itself is free and open-source (Apache 2.0). You pay only for your infrastructure (server, cloud VM, etc.) and LLM tokens (Anthropic, OpenAI, Google, or Ollama - you bring your own key). No per-user licensing, no SaaS subscriptions.

Can I use it on private repositories?

Yes. bugsift runs on your infrastructure, so it works with any GitHub repository you own - public, private, or commercial. There are no restrictions. The Apache 2.0 license permits commercial use.

What LLM providers does bugsift support?

Anthropic Claude, OpenAI GPT, Google Gemini, and self-hosted Ollama. You bring your own API keys. No third-party vendor lock-in. Budget caps and graceful degradation ship in the box - when monthly limits are hit, cheap operations continue while expensive ones skip.

Do I need Kubernetes or complex infrastructure?

No. A single docker-compose.yml file runs the entire stack. Works on a $5/mo VPS, a laptop with Docker, or your existing Kubernetes cluster. No special configuration. One command to start, one command to deploy.

Can bugsift write code or create pull requests?

No. That's deliberately out of scope. bugsift is triage-only: classify, dedup, reproduce, draft comments, propose labels, suggest assignees. Every action lands on a card in the dashboard for you to review and approve. The human is always in the loop.

How do I upgrade to new releases?

Run the installer again with the new version tag, or manually: docker compose pull && docker compose run --rm backend alembic upgrade head && docker compose up -d. Migrations are backward-compatible. Your data persists.

What's the learning curve? How long until it's productive?

Installation takes 5 minutes. Setup takes another 10–15 minutes (domain pointing + GitHub App registration + LLM key). The first triage card appears ~90 seconds after an issue is opened. Full productivity starts within the first hour.

Get in touch
𝕏 DM on X 🐛 GitHub Issues 💻 Discord Community
📧 Email: Coming soon