项目简介
Shannon Lite 是一款自主白盒AI渗透测试工具,通过分析源码识别攻击面,并在运行中的应用上执行真实漏洞利用。它提供可复现的概念验证利用,覆盖注入、XSS、SSRF、认证绕过等OWASP漏洞。适用于按需安全测试,填补手动渗透测试之间的空白。
README 预览
>[!NOTE]\n> **[📢 Sunsetting Router Mode (claude-code-router)`. →](https://github.com/KeygraphHQ/shannon/discussions/301)**\n\n\n\n\n\n# Shannon — AI Pentester by Keygraph\n\n\n\nShannon is an autonomous, white-box AI pentester for web applications and APIs. \nIt analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities before they reach production.\n\n---\n\n\n\n\n---\n\n\n## What is Shannon?\n\nShannon is an AI pentester developed by [Keygraph](https://keygraph.io). It performs white-box security testing of web applications and their underlying APIs by combining source code analysis with live exploitation.\n\nShannon analyzes your web application's source code to identify potential attack vectors, then uses browser automation and command-line tools to execute real exploits (injection attacks, authentication bypass, SSRF, XSS) against the running application and its APIs. Only vulnerabilities with a working proof-of-concept are included in the final report.\n\n**Why Shannon Exists**\n\nThanks to tools like Claude Code and Cursor, your team ships code non-stop. But your penetration test? That happens once a year. This creates a *massive* security gap. For the other 364 days, you could be unknowingly shipping vulnerabilities to production.\n\nShannon closes that gap by providing on-demand, automated penetration testing that can run against every build or release.\n\n## Shannon in Action\n\nShannon identified 20+ vulnerabilities in OWASP Juice Shop, including authentication bypass and database exfiltration. [Full report →](sample-reports/shannon-report-juice-shop.md)\n\n\n\n## Features\n\n- **Fully Autonomous Operation**: A single command launches the full pentest. Shannon handles 2FA/TOTP logins (including SSO), browser navigation, exploitation, and report generation without manual intervention.\n- **Reproducible Proof-of-Concept Exploits**: The final report contains only proven, exploitable findings with copy-and-paste