bugsift v0.2.0 is a self-hosted GitHub issue triage system built for enterprises. Classifies, deduplicates, reproduces, and drafts replies in ~90 seconds. Deploy to your domain. Security scanning, code coverage enforcement, and E2E testing built-in.
BUGSIFT_DOMAIN=bugsift.yourdomain.com curl -fsSL https://github.com/joym-gits/bugsift/releases/download/v0.2.0/install.sh | bash
Most issue triage tools are either too basic (static classifiers) or too invasive (cloud SaaS that sees all your data). v0.2.0 bridges that gap: enterprise-grade security scanning, code coverage enforcement, and database verification baked into the CI/CD pipeline. Deploy to your infrastructure. No vendor lock-in.
No LangChain, no ReAct loops, no autonomous planning. A ~300-line orchestrator runs the steps in a fixed order. Every decision is logged, auditable, and human-controllable.
bug · feature-request · question · docs · spam · other. PII redacted before the prompt reaches the LLM.
Cosine search over issue embeddings + LLM judge. Detects true duplicates and drafts a "duplicates #123" reply.
Pinpoints the 3–5 most relevant source files with line ranges. Refined post-repro by stack traces and error contexts.
Drafts a minimal repro script and runs it in an isolated sandbox (network off, capabilities dropped, 60-second timeout).
Writes the triage comment, proposes labels, suggests assignees. Lands on a card in the dashboard for your approval.
Not just a classifier. A complete production system with security scanning, code coverage gates, database safety, and E2E testing built in.
Bandit (Python) + ESLint (JavaScript) catch vulnerabilities automatically in CI/CD. Blocks merged code with security issues.
npm audit + pip audit verify supply chain security. Prevents vulnerable dependencies from shipping to production.
65% minimum coverage threshold enforced in CI/CD. Prevents untested code paths from shipping. Configurable per-project.
Alembic migrations verified and tested before deployment. Ensures schema changes are safe and reversible.
Real server startup with health checks. Tests the actual application behavior, not just isolated units.
amd64 and arm64 support. Deploy natively to Intel servers or Apple Silicon. No emulation needed.
Every approve / skip / edit trains the next run. Triage quality compounds with use, no manual retraining needed.
Operator-defined rules: "If severity=blocker on my-org/api-*, assign @sec-team, notify #incidents, SLA 60 min."
Anthropic, OpenAI, Google Gemini, or self-hosted Ollama. You bring the key. Monthly budget caps with graceful degradation.
Every item below ships on by default. Built for enterprises that can't compromise on security or compliance. Complete security audit + mitigation report available in the repository.
Your GitHub tokens, issue bodies, and operator decisions never leave your infrastructure. No cloud vendor, no SaaS.
Bandit (Python) and ESLint (JavaScript) scan every commit. Vulnerabilities block PRs from merging.
GitHub's native container scanning detects CVEs in Docker images. Multi-architecture builds verified before publication.
Repro containers run with network_mode=none, read-only root, tmpfs scratch, all Linux capabilities dropped, 60-second kill.
GitHub App PEM, OAuth secrets, webhook URLs, LLM keys, Slack tokens - all Fernet-encrypted with a master key.
Emails, phones, SSN, credit cards, API keys, JWTs - redacted before any prompt. Stable tokens preserve referential integrity.
Every login, role change, approval, and decision logged and exportable. CSV format for SOC 2 auditors and compliance teams.
Every user-supplied URL is validated. Private, loopback, link-local, and CGNAT addresses are rejected.
Requires Docker 24+ and 2+ GB RAM. Works on any Linux server, cloud VM, or Kubernetes cluster. One command. No .env editing. No migrations.
Deploy bugsift v0.2.0 to your infrastructure. Security scanning, code coverage enforcement, and E2E testing baked into the CI/CD pipeline. No vendor lock-in. Your data stays with you.
Self-hosted means you deploy bugsift to your own infrastructure. Your GitHub tokens, issue bodies, and all operator decisions stay entirely in your systems. No data ever touches a third-party cloud or SaaS platform. You control the servers, the database, everything.
Yes. That's the entire point. You point your domain (e.g., bugsift.yourdomain.com or bugsift.mycompany.com) to your server using DNS A records. The installer sets up Nginx and TLS. Your users access bugsift at your domain, not a shared cloud platform.
Yes. v0.2.0 includes SAST scanning (Bandit + ESLint), dependency audits (npm + pip), code coverage enforcement (65% minimum), database migration verification, E2E testing, multi-architecture builds, container scanning, PII redaction, and append-only audit logging. Every security gate is enabled by default.
bugsift itself is free and open-source (Apache 2.0). You pay only for your infrastructure (server, cloud VM, etc.) and LLM tokens (Anthropic, OpenAI, Google, or Ollama - you bring your own key). No per-user licensing, no SaaS subscriptions.
Yes. bugsift runs on your infrastructure, so it works with any GitHub repository you own - public, private, or commercial. There are no restrictions. The Apache 2.0 license permits commercial use.
Anthropic Claude, OpenAI GPT, Google Gemini, and self-hosted Ollama. You bring your own API keys. No third-party vendor lock-in. Budget caps and graceful degradation ship in the box - when monthly limits are hit, cheap operations continue while expensive ones skip.
No. A single docker-compose.yml file runs the entire stack. Works on a $5/mo VPS, a laptop with Docker, or your existing Kubernetes cluster. No special configuration. One command to start, one command to deploy.
No. That's deliberately out of scope. bugsift is triage-only: classify, dedup, reproduce, draft comments, propose labels, suggest assignees. Every action lands on a card in the dashboard for you to review and approve. The human is always in the loop.
Run the installer again with the new version tag, or manually: docker compose pull && docker compose run --rm backend alembic upgrade head && docker compose up -d. Migrations are backward-compatible. Your data persists.
Installation takes 5 minutes. Setup takes another 10–15 minutes (domain pointing + GitHub App registration + LLM key). The first triage card appears ~90 seconds after an issue is opened. Full productivity starts within the first hour.