Traditional scanners dump CVSS scores and let you drown in noise. Freki is the AI analyst that reads the vulnerability, checks the code path, and tells you which CVEs are actually exploitable in your stack.
A wolf doesn't kill every deer in the forest. It stalks. It picks the one that's weakest. Freki does the same with CVEs.
Push a Docker image, a CycloneDX/SPDX SBOM, or a raw package list. Freki pulls fresh CVE data from NVD for every component.
An LLM reasons about each CVE in context — is the vulnerable code path reachable? Is the required configuration present? Is there a working exploit?
You get VEX-formatted verdicts: exploitable, safe, or needs_review, each with a written justification.
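The SBOM input path described above, as an added example that is not Freki's own code: a converter that reads a CycloneDX or SPDX JSON SBOM, parses each component's package URL (purl), and produces the name + version + ecosystem list the page says Freki consumes. It goes slightly beyond the page by handling nested CycloneDX components and SPDX `externalRefs`, and it reports components that carry no purl instead of guessing their ecosystem. The purl type used as the ecosystem label and the `"packages"` request field are assumptions; the page does not document Freki's accepted vocabulary. The two sample SBOMs are constructed.

```python
"""Convert a CycloneDX or SPDX JSON SBOM into a name/version/ecosystem
package list. Added example, not Freki's own code: the request field
names ("packages", "ecosystem", "distro") and the use of the purl type as
the ecosystem label are assumptions, not taken from Freki's API docs."""
import json
from urllib.parse import parse_qsl, unquote

# Ecosystems where the purl namespace is part of the package identity
# (npm scopes, Go module paths, Maven group IDs). For OS packages such as
# deb/apk/rpm the namespace is the vendor and is dropped from the name.
NAMESPACED = {"npm", "golang", "maven", "composer", "github"}


def parse_purl(purl: str) -> dict:
    """Split a package URL (pkg:type/namespace/name@version?q#sub) into parts.

    '@' inside a name or namespace must be percent-encoded per the purl spec,
    so the first literal '@' always introduces the version.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, _subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    rest, _, version = rest.partition("@")
    ptype, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not ptype or not segments:
        raise ValueError(f"purl missing type or name: {purl}")
    return {
        "type": ptype.lower(),
        "namespace": "/".join(segments[:-1]) or None,
        "name": segments[-1],
        "version": unquote(version) or None,
        "qualifiers": dict(parse_qsl(qualifiers)),
    }


def _cyclonedx_components(components):
    """Yield components depth-first; CycloneDX allows nested 'components'."""
    for c in components:
        yield c
        yield from _cyclonedx_components(c.get("components", []))


def packages_from_sbom(sbom: dict) -> tuple[list[dict], list[str]]:
    """Return (packages, unresolved). A component with no purl has no
    ecosystem, so it is reported as unresolved rather than guessed."""
    packages, unresolved, seen = [], [], set()

    def add(name, version, purl):
        ecosystem, distro = None, None
        if purl:
            p = parse_purl(purl)
            ecosystem = p["type"]          # assumption: Freki's ecosystem label
            version = p["version"] or version
            name = p["name"]
            if p["namespace"] and ecosystem in NAMESPACED:
                name = f'{p["namespace"]}/{p["name"]}'
            distro = p["qualifiers"].get("distro")
        if not (ecosystem and name and version):
            unresolved.append(purl or name or "<unnamed component>")
            return
        key = (ecosystem, name, version, distro)
        if key in seen:
            return
        seen.add(key)
        pkg = {"ecosystem": ecosystem, "name": name, "version": version}
        if distro:                          # needed to match OS-package CVEs
            pkg["distro"] = distro
        packages.append(pkg)

    if sbom.get("bomFormat") == "CycloneDX":
        for c in _cyclonedx_components(sbom.get("components", [])):
            add(c.get("name"), c.get("version"), c.get("purl"))
    elif str(sbom.get("spdxVersion", "")).startswith("SPDX-"):
        for p in sbom.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            add(p.get("name"), p.get("versionInfo"), purl)
    else:
        raise ValueError("unrecognised SBOM: expected CycloneDX or SPDX JSON")
    return packages, unresolved


SAMPLE_CYCLONEDX = {  # constructed sample, not real project output
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "@angular/core", "version": "17.0.0",
         "purl": "pkg:npm/%40angular/core@17.0.0"},
        {"type": "library", "name": "curl", "version": "7.88.1-10",
         "purl": "pkg:deb/debian/curl@7.88.1-10?arch=amd64&distro=bookworm"},
        {"type": "library", "name": "internal-utils", "version": "0.3.0"},
    ],
}
SAMPLE_SPDX = {  # constructed sample; the root package has no purl
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "requests", "versionInfo": "2.31.0", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "my-app", "versionInfo": "1.0.0", "externalRefs": []},
    ],
}

if __name__ == "__main__":
    pkgs, unresolved = packages_from_sbom(SAMPLE_CYCLONEDX)
    print(json.dumps({"packages": pkgs}, indent=2))   # assumed request body
    print("unresolved:", unresolved)
```

Anything that lands in `unresolved` is worth surfacing in CI rather than dropping: a component with no purl is exactly the kind of dependency a scanner silently misses.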
Freki is a REST API. No SDK to install. No agent to deploy.
curl:

```bash
curl -X POST https://freki.odinsecurity.ai/api/v1/scan \
  -H "X-API-Key: freki_yourapikey" \
  -H "Content-Type: application/json" \
  -d '{"image": "nginx:1.25"}'
```

Python:

```python
import httpx

# Submit the scan; the response carries a scan_id to fetch results with.
r = httpx.post(
    "https://freki.odinsecurity.ai/api/v1/scan",
    headers={"X-API-Key": "freki_yourapikey"},
    json={"image": "nginx:1.25"},
    timeout=30,
)
scan_id = r.json()["scan_id"]

# Fetch the result; repeat this GET until the scan has completed.
result = httpx.get(
    f"https://freki.odinsecurity.ai/api/v1/scan/{scan_id}",
    headers={"X-API-Key": "freki_yourapikey"},
).json()
print(result["summary"])
```

JavaScript:

```javascript
// Submit the scan; the response carries a scan_id to fetch results with.
const res = await fetch("https://freki.odinsecurity.ai/api/v1/scan", {
  method: "POST",
  headers: {
    "X-API-Key": "freki_yourapikey",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ image: "nginx:1.25" }),
});
const { scan_id } = await res.json();

// Fetch the result; repeat this GET until the scan has completed.
const result = await fetch(
  `https://freki.odinsecurity.ai/api/v1/scan/${scan_id}`,
  { headers: { "X-API-Key": "freki_yourapikey" } },
).then(r => r.json());
console.log(result.summary);
```

Free tier. 5 scans per month. No credit card. No sales call.
Freki isn't trying to replace Trivy or Snyk — it sits on top of them.
| Capability | Trivy | Snyk | Freki |
|---|---|---|---|
| Finds known CVEs | yes | yes | yes |
| CVSS scoring | yes | yes | yes |
| Exploitability reasoning | no | partial | AI-driven |
| Machine-readable VEX output | no | no | yes |
| Written justification per CVE | no | no | yes |
| Free tier | open source | limited | yes |
| Self-hostable | yes | no | Enterprise |
Trivy is excellent free software by Aqua Security. Snyk is a great enterprise platform. Freki fills the gap — the layer of reasoning between "found a CVE" and "do I need to page someone at 3am?"
VEX (Vulnerability Exploitability eXchange) is a format for stating whether a product is actually affected by a known CVE. The concept comes out of CISA's SBOM work and is implemented by OASIS CSAF 2.0 (its VEX profile), CycloneDX, and OpenVEX. Auditors and procurement teams increasingly ask for VEX documents. Freki produces them automatically; only the CVEs it returns as needs_review still need a human to close them out.
Freki is conservative by design. When uncertain, it returns needs_review rather than guessing. Every verdict comes with an evidence list and a written justification so your security team can verify in seconds rather than hours.
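An added example, not Freki's own code, tying the two points above together: the OpenVEX document shape a VEX consumer expects, built from Freki-style verdict records, and a CI gate that treats needs_review as its own outcome rather than silently downgrading it to safe. The verdict record fields (cve, purl, verdict, justification, evidence) and the CVE-0000-* identifiers are constructed placeholders, not Freki's real response schema or real vulnerabilities; the OpenVEX fields (status, justification, impact_statement, action_statement, status_notes) come from the OpenVEX specification, which requires a justification or impact statement on not_affected and an action statement on affected.

```python
"""Emit an OpenVEX document from Freki-style verdicts and derive a CI
decision from it. Added example, not Freki's own code: the verdict record
shape (cve, purl, verdict, justification, evidence) is constructed from
the page's description, not from Freki's real response schema."""
import json
from datetime import datetime, timezone

# Freki verdict -> OpenVEX status. Anything not in this map is treated as
# under_investigation, the conservative choice the page describes.
VEX_STATUS = {
    "exploitable": "affected",
    "safe": "not_affected",
    "needs_review": "under_investigation",
}
# OpenVEX's fixed justification vocabulary for not_affected statements.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def to_openvex(verdicts, author="freki", doc_id="https://example.invalid/vex/1"):
    """Return (openvex_document, problems). OpenVEX requires a justification or
    impact_statement on not_affected and an action_statement on affected;
    Freki's written justification and evidence list fill those slots."""
    statements, problems = [], []
    for v in verdicts:
        status = VEX_STATUS.get(v.get("verdict"))
        if status is None:
            problems.append(f'{v["cve"]}: unknown verdict {v.get("verdict")!r}, '
                            "treated as under_investigation")
            status = "under_investigation"
        stmt = {
            "vulnerability": {"name": v["cve"]},
            "products": [{"@id": v["purl"]}],
            "status": status,
        }
        if status == "not_affected":
            code = v.get("justification_code")   # optional machine-readable reason
            if code in NOT_AFFECTED_JUSTIFICATIONS:
                stmt["justification"] = code
            stmt["impact_statement"] = v["justification"]
        elif status == "affected":
            stmt["action_statement"] = v.get("action", "Upgrade or mitigate before deploy.")
        if v.get("evidence"):
            stmt["status_notes"] = "; ".join(v["evidence"])
        statements.append(stmt)
    doc = {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": doc_id,
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }
    return doc, problems


def ci_decision(vex_doc) -> str:
    """fail on any affected CVE, warn if anything is still under investigation,
    otherwise pass. under_investigation is never treated as safe."""
    statuses = {s["status"] for s in vex_doc["statements"]}
    if "affected" in statuses:
        return "fail"
    if "under_investigation" in statuses:
        return "warn"
    return "pass"


# Constructed sample verdicts; CVE-0000-* are placeholders, not real CVEs.
SAMPLE_VERDICTS = [
    {"cve": "CVE-0000-0001", "purl": "pkg:npm/lodash@4.17.21", "verdict": "safe",
     "justification_code": "vulnerable_code_not_in_execute_path",
     "justification": "The vulnerable function is not imported anywhere in the image.",
     "evidence": ["no call sites found in bundled JS"]},
    {"cve": "CVE-0000-0002", "purl": "pkg:pypi/requests@2.31.0", "verdict": "needs_review",
     "justification": "Reachability depends on runtime configuration not visible in the SBOM.",
     "evidence": []},
    {"cve": "CVE-0000-0003", "purl": "pkg:deb/debian/curl@7.88.1-10", "verdict": "exploitable",
     "justification": "Vulnerable option is on by default and a public PoC exists.",
     "evidence": ["binary present on PATH", "public exploit available"]},
    {"cve": "CVE-0000-0004", "purl": "pkg:npm/lodash@4.17.21", "verdict": "maybe",
     "justification": "Malformed verdict to exercise the fallback.", "evidence": []},
]

if __name__ == "__main__":
    doc, problems = to_openvex(SAMPLE_VERDICTS)
    print(json.dumps(doc, indent=2))
    print("\n".join(problems))
    print("CI decision:", ci_decision(doc))
```

The fallback for an unrecognised verdict string matters more than it looks: a schema change upstream should surface as "warn" with a logged problem, never as a green build.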
Freki does not see your code. It receives a package list (name + version + ecosystem) or an SBOM, never source code, secrets, or binaries. Scan records expire and are purged after 24 hours by default.
Exceeding your plan's scan quota returns an HTTP 429 with an upgrade link. No surprise charges and no automatic upgrades; your key keeps working when the next billing period starts.
Self-hosting is available on Enterprise. We ship a Docker Compose bundle that runs fully air-gapped against your own NVIDIA NIM deployment, so your data never leaves your network.
By default Freki uses Llama 3.1 70B Instruct hosted on NVIDIA NIM (build.nvidia.com). On Enterprise you can point at any NIM-compatible endpoint — including your own GPU cluster running Mistral, Nemotron, or Qwen.