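Overview
Shannon Lite is a standalone white-box AI penetration testing tool that analyzes source code to identify the attack surface and exploits real vulnerabilities in the running application. It provides reproducible proof-of-concept exploits covering OWASP vulnerabilities such as injection, XSS, SSRF, and authentication bypass. It is suited to the security testing needed to fill the gaps between manual penetration tests.
README preview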
> [!NOTE]
> **[📢 Sunsetting Router Mode (claude-code-router). →](https://github.com/KeygraphHQ/shannon/discussions/301)**

# Shannon — AI Pentester by Keygraph

Shannon is an autonomous, white-box AI pentester for web applications and APIs.
It analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities before they reach production.

---

## What is Shannon?

Shannon is an AI pentester developed by [Keygraph](https://keygraph.io). It performs white-box security testing of web applications and their underlying APIs by combining source code analysis with live exploitation.

Shannon analyzes your web application's source code to identify potential attack vectors, then uses browser automation and command-line tools to execute real exploits (injection attacks, authentication bypass, SSRF, XSS) against the running application and its APIs. Only vulnerabilities with a working proof-of-concept are included in the final report.

**Why Shannon Exists**

Thanks to tools like Claude Code and Cursor, your team ships code non-stop. But your penetration test? That happens once a year. This creates a *massive* security gap. For the other 364 days, you could be unknowingly shipping vulnerabilities to production.

Shannon closes that gap by providing on-demand, automated penetration testing that can run against every build or release.

## Shannon in Action

Shannon identified 20+ vulnerabilities in OWASP Juice Shop, including authentication bypass and database exfiltration. [Full report →](sample-reports/shannon-report-juice-shop.md)

## Features

- **Fully Autonomous Operation**: A single command launches the full pentest. Shannon handles 2FA/TOTP logins (including SSO), browser navigation, exploitation, and report generation without manual intervention.
- **Reproducible Proof-of-Concept Exploits**: The final report contains only proven, exploitable findings with copy-and-paste