OpenSource-Hub

shannon

CLI Tool

KeygraphHQ/shannon

Autonomous AI pentester for web apps and APIs with source code analysis and exploit execution.

Overview

Shannon Lite is an autonomous white-box AI pentester that analyzes source code to identify attack vectors, then executes real exploits against running applications. It provides reproducible proof-of-concept exploits and covers OWASP vulnerabilities like injection, XSS, SSRF, and broken authentication. Designed for on-demand security testing to close the gap between manual pentests.

README Preview

>[!NOTE]\n> **[📢 Sunsetting Router Mode (claude-code-router)`. →](https://github.com/KeygraphHQ/shannon/discussions/301)**\n\n\n\n\n\n# Shannon — AI Pentester by Keygraph\n\n\n\nShannon is an autonomous, white-box AI pentester for web applications and APIs. \nIt analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities before they reach production.\n\n---\n\n\n\n\n---\n\n\n## What is Shannon?\n\nShannon is an AI pentester developed by [Keygraph](https://keygraph.io). It performs white-box security testing of web applications and their underlying APIs by combining source code analysis with live exploitation.\n\nShannon analyzes your web application's source code to identify potential attack vectors, then uses browser automation and command-line tools to execute real exploits (injection attacks, authentication bypass, SSRF, XSS) against the running application and its APIs. Only vulnerabilities with a working proof-of-concept are included in the final report.\n\n**Why Shannon Exists**\n\nThanks to tools like Claude Code and Cursor, your team ships code non-stop. But your penetration test? That happens once a year. This creates a *massive* security gap. For the other 364 days, you could be unknowingly shipping vulnerabilities to production.\n\nShannon closes that gap by providing on-demand, automated penetration testing that can run against every build or release.\n\n## Shannon in Action\n\nShannon identified 20+ vulnerabilities in OWASP Juice Shop, including authentication bypass and database exfiltration. [Full report →](sample-reports/shannon-report-juice-shop.md)\n\n\n\n## Features\n\n- **Fully Autonomous Operation**: A single command launches the full pentest. Shannon handles 2FA/TOTP logins (including SSO), browser navigation, exploitation, and report generation without manual intervention.\n- **Reproducible Proof-of-Concept Exploits**: The final report contains only proven, exploitable findings with copy-and-paste

FAQ (2)

Troubleshooting
How to fix 'pnpm: command not found' and 'EACCES: permission denied' errors when running Shannon?

Install pnpm from https://pnpm.io/installation. Remove any leftover Shannon directory: rm -rf ~/shannon. Use the npx shortcut to skip manual build: npx @keygraph/shannon setup then npx @keygraph/shannon start -u <URL> -r <REPO_PATH>. Ensure the repo path is owned by the current user; if you get EACCES on .shannon/deliverables, the directory was likely created by a different user (e.g., via sudo). Clone the repo as the same user or fix ownership with sudo chown -R $USER:$USER /path/to/repo.

GitHub Issue #320
Troubleshooting
Why does Shannon get stuck in retry loops with OutputValidationError when using a local LLM?

This is expected behavior when using non-Claude models. Shannon is optimized and tested with Anthropic Claude models (haiku, sonnet, opus tiers). Local LLMs may produce invalid output, triggering output validation failures and Temporal retries. To avoid hangs, use the default Claude model tiers. No direct support for local LLMs to prevent these loops is currently planned.

GitHub Issue #260