Shannon

Overview

Shannon (KeygraphHQ/shannon) is an open-source white-box web pentester. Given repository access, it maps attack surfaces from source, spins up Docker workers for browser and CLI testing, and reports only validated proof-of-concept findings.

Architecture: the CLI orchestrates agents that read code (routes, handlers, middleware), generate hypotheses, execute exploits in isolated workers, and deduplicate false positives through re-testing. It targets injection, XSS, SSRF, authentication, and authorization flaws.

The CLI is AGPL-licensed. It differs from black-box DAST by using code context for smarter payload selection. Air-gapped deployments are possible with local model/worker configs, depending on setup.

The Keygraph commercial platform extends Shannon with continuous runs, CPG-based SAST, and auto-remediation PRs; Shannon is the OSS core.

Primary use cases

  • CI-attached white-box pentest on feature branches
  • Validating fix branches with re-run on same repo commit
  • Mapping authz gaps from route definitions + live tests
  • Dockerized exploit confirmation without manual Burp replay

Key commands

Clone and run (see repo README for current flags)

git clone https://github.com/KeygraphHQ/shannon && cd shannon && docker compose up

Related tools

  • Keygraph: Commercial AppSec platform built on Shannon. Code Property Graph SAST, continuous pentest runs, finding deduplication, auto-remediation PRs with re-test verification. Self-hosted and air-gapped deployment.
  • Burp Suite: HTTP/S intercepting proxy. Repeater, Intruder, scanner, and extension API for web app testing.
  • Nuclei: Template scanner. YAML checks for CVEs, misconfigs, and exposed services at scale.