Skip to content

humaidhahm/opencode-pentester

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

opencode-pentester logo

opencode-pentester

AI-Powered Penetration Testing & Security Audit Tool
Automated bug bounty hunting, vulnerability assessment, and OWASP security auditing for opencode

GitHub Stars GitHub Forks MIT License opencode Compatible Last Commit Open Issues 63 Attack Categories 17 Defensive Categories Version 1.6.0 Authorized Use Only

---

Caution

For authorized security testing only. Always obtain written permission before testing any system you do not own. See DISCLAIMER.md for full terms.


Table of Contents


About

opencode-pentester is an open-source, AI-driven penetration testing framework that turns opencode into a full-featured security auditing assistant. It covers 63 attack categories across 11 domains for offensive testing and 17 OWASP top 10 vulnerability categories for defensive source code audits — all through a structured, playbook-driven engagement lifecycle.

Whether you are running a bug bounty program, performing red team exercises, conducting vulnerability assessments on web applications and networks, or auditing AI-generated ("vibe-coded") source code for SQL injection, XSS, SSRF, and misconfigured cloud infrastructure — this tool provides automated, evidence-backed security testing with human-in-the-loop approval at every escalation point.

Built for security researchers, penetration testers, DevSecOps engineers, and bug bounty hunters.

Feature Mode 1: Penetration Testing Mode 2: AI Self Code Audit
Purpose Pentest a live target with authorization Audit your source code for vulnerabilities
Vulnerability categories 63 across 11 domains 17 (OWASP Top 10 + vibe-coding specific)
Agents 12 specialized agents (orchestrator, executors, testers, recon, network, cloud, post-exploit, password, domain) 1 security auditor agent
Database SQLite-based findings store with cross-session target dedup, find-target command Full source code audit per project
Output outputs/{engagement}/ with PoCs, evidence, screenshots security/reports/ + fix plans
Approval gates Plan approval + pre-exploitation approval Review before implementing fixes
Time budget Quota to spend (escalates depth until budget consumed) N/A (runs to completion)
Best for Bug bounty, red teaming, authorized penetration tests CI/CD pipelines, pre-deployment, code review

Installation

One-command install (recommended)

git clone https://github.com/humaidhahm/opencode-pentester.git
cd opencode-pentester
sudo bash install.sh

This does everything: installs 60+ pentest tools, registers the skill globally, and sets up the pentester agent. Run opencode from this directory and the skill is auto-discovered — zero configuration needed.

Verify

bash db/doctor.sh              # Check installed tools (all required: ✔)
opencode run "List available skills" --agent pentester  # Confirm skill loaded

Note

Skip the tools? The AI falls back to whatever is available via bash (curl, basic nmap). Still functional, just less automated. Pass --global-only to install.sh to skip tool installation.


Mode 1: Penetration Testing

Important

You must have written authorization before testing any system you do not own. See DISCLAIMER.md for full terms.

Run fully automated penetration tests against live targets. The AI coordinates 7 specialized agents through a structured engagement lifecycle with human-in-the-loop approval at every escalation point.

Run a pentest

opencode run "I have authorization to pentest https://target.com. Use opencode-pentester. Time budget: 120 minutes. Thoroughness: Deep."

The AI follows a mandatory target-first dialog flow:

  1. Ask for target via interactive dialog
  2. Check the databasefindings.sh find-target <target> json searches across all past engagements
  3. Branch based on result:
    • New target → Full scope collection dialog (budget, thoroughness, auth, scope)
    • Existing target → Shows previous findings summary, prompts: fresh scan / add on top / try different paths / view report

This ensures no target is ever re-tested without the user's explicit choice.

🚫 --dangerous Flag — Skip Permissions / Full Automation

Warning

Only use this if you own the target or have explicit written authorization. This mode SKIPS the authorization question, scope dialog, and all permission gates.

Add --dangerous to the target URL to bypass all human-in-the-loop gates:

# Skips "do you have authorization?" question
# Skips scope collection dialog
# Assumes full authorization, full scope
opencode run "Pentest https://target.com --dangerous. Time budget: 240 minutes."

What --dangerous skips:

Gate Normal Mode --dangerous Mode
Authorization check Asks "Do you have written authorization?" Skipped — assumes yes
Scope collection Asks about budget, scope, categories Skipped — assumes full scope
Pre-exploitation approval Asks "Confirm exploitation of finding X?" Skipped — auto-confirms
Plan approval Asks "Approve this test plan?" Skipped — auto-approves

💥 --full-offensive Flag — Maximum, All-Out Pentesting

Warning

This mode runs every attack category at maximum depth across all vectors. Expect it to take hours and generate significant traffic.

Combine with --dangerous for a true one-shot, no-questions-asked full offensive:

# One-shot: everything, everywhere, all at once
opencode run "Pentest https://target.com --dangerous --full-offensive"

What --full-offensive does:

Setting Normal Mode --full-offensive Mode
Time budget User-specified (typically 15-240 min) 480 min (8 hours) — maximum
Attack categories User-selected subset All 63 categories across all 11 domains
Thoroughness User-specified (Quick/Standard/Deep) Maximum — every vector, every payload, every technique
Parallel agents Sequential Maximum parallelism — deploy all relevant agents simultaneously
Depth Breadth-first, escalate on response Exhaustive — no stone left unturned
Findings Confirmed only Everything with evidence — including low-severity info leaks
Report Standard executive summary Full 8-section professional report with attack chains

Example one-shot commands:

# Quick: dangerous + full-offensive
opencode run "Pentest https://target.com --dangerous --full-offensive"

# With custom time override
opencode run "Pentest https://target.com --dangerous --full-offensive --time 120"

# With specific domain focus
opencode run "Pentest https://target.com --dangerous --full-offensive --focus web-api,cloud"

Important

The --dangerous flag must be explicitly passed in the prompt. The AI will never enter dangerous mode on its own — it only activates when the user literally includes --dangerous in their request.

🤖 Zero Human Intervention — Complete Automation

For 0% human interaction end-to-end, you need to combine three things:

Layer What it bypasses Required
opencode --auto Auto-approves tool permission prompts (bash, edit, write, etc.) opencode run --auto
--dangerous Skips pentester authorization, scope, and approval dialogs In the prompt
question: allow Prevents the AI from asking you anything during execution In opencode.json

Full zero-intervention config:

{
  "permission": {
    "question": "allow",
    "bash": "allow",
    "edit": "allow",
    "write": "allow",
    "read": "allow",
    "glob": "allow",
    "grep": "allow",
    "webfetch": "allow",
    "websearch": "allow",
    "task": "allow"
  }
}

Then run:

opencode run --auto "Pentest https://target.com --dangerous --full-offensive"

The chain of execution with zero intervention:

  1. opencode --auto → auto-approves every tool call (bash, edit, etc.)
  2. question: allow → never pauses to ask you anything
  3. --dangerous → AI skips its own authorization/scope/approval gates
  4. --full-offensive → max budget, max categories, max depth, max parallelism
  5. → Runs to completion automatically, generates full report

Caution

This is the nuclear option. The AI will run every attack it knows against every surface it finds with no oversight. Only use this on targets you own.

Cross-Session Persistence

All pentest data persists in a local SQLite database (~/.opencode-pentester/findings.db):

Table Stores CLI Access
engagements Per-target engagement records with target URL findings.sh stats
hosts IPs, hostnames, OS, roles per engagement findings.sh dashboard
services Open ports, protocols, service banners
vulns Findings with severity, CVE, status, PoC, CVSS vector findings.sh list vulns
credentials Discovered usernames, hashes, passwords
session_log Full agent activity log
attack_chains Correlated compound attack chains findings.sh chain list
# Query a target's history across all engagements
PENTEST_DB=$HOME/.opencode-pentester/findings.db bash db/findings.sh find-target example.com json

# List all vulnerabilities for current engagement
PENTEST_ENGAGEMENT=my-engagement bash db/findings.sh list vulns

# Generate professional report
PENTEST_ENGAGEMENT=my-engagement bash db/handoff.sh

# Add vuln with CVSS vector
PENTEST_ENGAGEMENT=my-engagement bash db/findings.sh add vuln "SQLi in login" --severity critical --cvss-vector "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

# Knowledge Graph: build entity graph and find attack paths
PENTEST_ENGAGEMENT=my-engagement bash db/findings.sh kg build
PENTEST_ENGAGEMENT=my-engagement bash db/findings.sh kg paths
PENTEST_ENGAGEMENT=my-engagement bash db/findings.sh kg insights
PENTEST_ENGAGEMENT=my-engagement bash db/findings.sh kg export --format mermaid

# Pre-flight: check target reachability and tool availability
bash db/preflight.sh --target https://example.com --tools

See docs/ and plugins/pentest/docs/WORKFLOWS.md for the full engagement lifecycle.

Attack Coverage

63 Attack Categories Across 11 Domains

Domain Attack Categories Techniques
Injection (9) SQLi, NoSQLi, CMDi, SSTI, XXE, LDAP, SAML, Type Juggling, File Inclusion Error-based, blind, time-based, UNION, operator injection, regex injection, template injection, XML external entities, LDAP filter injection, SAML response manipulation, PHP loose comparison, LFI/RFI wrappers
Client-Side (6) XSS, CSRF, DOM-based, Prototype Pollution, CORS, Clickjacking Reflected/stored/DOM-based XSS, framework-specific sinks (React, Vue, Angular), WAF evasion, CSP bypass, SameSite bypass, token reuse, method override, URL/json pollution
Server-Side (6) SSRF, HTTP Smuggling, Path Traversal, File Upload, Deserialization, Host Header Internal service access, cloud metadata, CL.TE/TE.CL smuggling, encoding variants, magic bytes bypass, gadget chains, password reset poisoning
Authentication (4) Auth Bypass, JWT, OAuth, Password Attacks Logic flaws, parameter manipulation, alg:none attack, key confusion, authorization code interception, credential stuffing, brute force
API Security (4) GraphQL, REST API, WebSockets, Web LLM Introspection abuse, field suggestion, deeply nested query DoS, BOLA/IDOR, mass assignment, cross-site WebSocket hijacking, prompt injection
Web Applications (9) Access Control, Business Logic, Cache Attacks, Info Disclosure, Race Conditions, Mass Assignment, Open Redirect, Cache Poisoning, Cache Deception Privilege escalation, multi-step flow manipulation, price tampering, web cache deception, source maps, debug pages, TOCTOU, binding attacks
Cloud & Containers (5) AWS, Azure, GCP, Docker, Kubernetes S3 bucket enumeration, IAM escalation, Lambda abuse, EC2 metadata SSRF, storage account exposure, GCS bucket exposure, privileged container escape, RBAC misconfiguration, etcd exposure
System / Post-Exploit (8) PrivEsc, Active Directory, Hash Cracking, Persistence, Pivoting, Evasion, Exploit Dev, Reverse Shells LinPEAS/WinPEAS, BloodHound, Mimikatz, Kerberoasting, AS-REP roasting, hashcat, john, chisel, proxychains, AMSI bypass, pwntools, msfvenom
IP Infrastructure (8) Port Scanning, DNS, SMB, MITM, Sniffing, DoS, VLAN Hopping, IPv6 nmap, masscan, NSE scripts, dnsrecon, zone transfer, enum4linux, ARP spoofing, ettercap, tcpdump, hping3, yersinia, rogue RA
Physical & Social (1) Social Engineering Spear phishing (Gophish), pretexting, vishing, BEC, Evilginx2, USB baiting
Essential Skills (3) Burp Suite, Methodology, Reporting PTES, OWASP WSTG, MITRE ATT&CK, CVSS scoring, executive summary writing

Agent Architecture

The pentest framework uses 7 agents (on disk) plus a shared scope guard:

Agent File Role
pentester-orchestrator plugins/pentest/agents/pentester-orchestrator.md Engagement planner — reads scope + recon, returns deployment plan
pentester-executor plugins/pentest/agents/pentester-executor.md Generic executor for SSRF, JWT, path traversal, file upload, cloud, infra
xss-tester plugins/pentest/agents/xss-tester.md Reflected/stored/DOM-based XSS with Playwright evidence
csrf-tester plugins/pentest/agents/csrf-tester.md Missing tokens, SameSite bypass, PoC HTML generation
injection-tester plugins/pentest/agents/injection-tester.md SQLi, NoSQLi, CMDi via sqlmap + curl probing
cve-tester plugins/pentest/agents/cve-tester.md Tech fingerprinting, CVE research, PoC adaptation
domain-assessment plugins/pentest/agents/domain-assessment.md Subdomain discovery, port scanning, service enumeration
scope-guard agents/scope-guard.md Shared scope enforcement (included by all agents above)

Tools Used

See docs/reference/TOOL_REGISTRY.md for the full 74-tool catalog with command variants and output parsers. Run bash db/doctor.sh to audit your local tool inventory.

Quick reference — core tools installed by install.sh:

  • Recon: subfinder, amass, dnsx, nmap, masscan, httpx, katana, gau, whatweb
  • Web Discovery: ffuf, gobuster, feroxbuster, dirsearch, arjun, kiterunner, wfuzz
  • Scanning: nuclei, nikto, dalfox, testssl.sh, wpscan
  • Injection: sqlmap, hydra, john, hashcat, commix
  • SAST: semgrep, bandit, gitleaks, trufflehog
  • Post-Exploit: chisel, impacket, linpeas, winpeas, kerbrute, bloodhound
  • Cloud: s3scanner, cloudfox, pacu, scoutsuite, kubectl
  • AI/LLM: garak, pyrit, promptfoo
  • General: python3, jq, curl, bash, proxychains

Engine Architecture

The engine/ directory provides a schema-enforced, JIT-context, event-driven runtime that replaces the old prose-heavy orchestration:

Component File Purpose
State Machine engine/state_machine.json 8 states, 15 transitions, 12 events — pure data, no prose
JIT Context Router engine/router.py Queries SQLite on-demand for service→domain→tool→category routing
Scope Guard engine/scope_guard.py Deterministic target validation (blocks private IPs) + leaky-bucket rate limiter
Tool Abstraction engine/tool_abstraction.py Capability registry consuming doctor.sh --json, fallback routing
Prompt Framer engine/prompt_framer.py Defensive compliance wrapping — sanitizes offensive terms via Authorized Audit framing

All reference data (16 domains, 69 attack categories, 39 checklists) lives in SQLite at ~/.opencode-pentester/findings.db, loaded via db/seed.py. No inline prose bloat in skills.

# Refresh tool capability cache
python3 engine/tool_abstraction.py refresh

# Resolve a tool with fallback
python3 engine/tool_abstraction.py resolve nmap

# JIT context for discovered services
python3 engine/router.py <engagement> --services "80/tcp/http,443/tcp/https"

# Validate target scope
python3 engine/scope_guard.py <target> [--scope <cidr>]

# Frame a prompt with compliance
python3 engine/prompt_framer.py --engage <id> frame "Run sqlmap test"

Mode 2: AI Self Code Audit

Audit your own source code for 17 critical vulnerability categories. Designed for vibe-coded apps built with Cursor, Copilot, Claude Code, Windsurf, or any AI coding tool.

How it works

  1. Copy AGENTS.md into your project root — opencode reads it automatically and enforces security rules during code generation
  2. Run the 17-category audit — opencode investigates every file, writes detailed reports, creates fix plans, implements fixes, and verifies them
  3. Run manual checks for things AI can't catch

Run the audit

# Copy security rules into your project
cp AGENTS.md /path/to/your/project/AGENTS.md

# Run the full 17-category audit
opencode run "Run the security audit defined in AI-CHECKLIST.MD against this project"

# Or use the registered pentester agent
opencode run "Audit this project for security vulnerabilities" --agent pentester

17 Vulnerability Categories

8 Critical 6 High 2 Medium 1 Low

Click to expand the full table
# Vulnerability Severity CWE
1 Misconfigured database (no Row Level Security) Critical CWE-284
2 Unprotected API routes (no auth middleware) Critical CWE-306
3 Committed secrets (.env on GitHub) Critical CWE-798
4 Broken access control (IDOR) Critical CWE-639
5 Secret API keys in frontend code Critical CWE-798
6 Server-Side Request Forgery (SSRF) High CWE-918
7 Missing CSRF protection High CWE-352
8 Missing security headers Medium CWE-693
9 Wildcard CORS High CWE-942
10 No rate limiting Medium CWE-770
11 SQL injection High CWE-89
12 Cross-site scripting (XSS) High CWE-79
13 Unverified Stripe webhooks High CWE-347
14 Insecure file uploads Medium CWE-434
15 Verbose error messages Low CWE-209
16 Weak password hashing Medium CWE-916
17 Hallucinated packages (slopsquatting) High CWE-1104

Results are written to security/reports/ and security/plans/ in your project.

Project Structure

opencode-pentester/
├── AGENTS.md                         # Security rules (copy into your project)
├── AI-CHECKLIST.MD                   # 17-category AI security audit prompt
├── manual-checklist.md               # Manual verification checks
├── agents/
│   └── security-auditor.md           # opencode subagent definition
├── plugins/pentest/
│   ├── .claude-plugin/plugin.json    # Plugin manifest
│   ├── agents/                       # 7 pentest agent definitions
│   │   ├── pentester-orchestrator.md # Engagement planner
│   │   ├── pentester-executor.md     # Generic attack executor
│   │   ├── xss-tester.md             # Cross-site scripting
│   │   ├── csrf-tester.md            # Cross-site request forgery
│   │   ├── injection-tester.md       # SQL/NoSQL/command injection
│   │   ├── cve-tester.md             # CVE research & exploitation
│   │   └── domain-assessment.md      # Subdomain & port scanner
│   ├── skills/pentest/SKILL.md       # 63-category attack index
│   └── docs/                         # Architecture & workflow docs
│       ├── CLAUDE.md                 # Agent architecture overview
│       └── WORKFLOWS.md              # Engagement lifecycle
├── engine/
│   ├── state_machine.json            # Event-driven state machine definition
│   ├── router.py                     # JIT Context Router — SQLite-queried context
│   ├── scope_guard.py                # Target validation + leaky-bucket rate limiter
│   ├── tool_abstraction.py           # Capability registry + fallback routing
│   └── prompt_framer.py              # Defensive compliance wrapper
├── .opencode/
│   └── skills/opencode-pentester/SKILL.md  # Auto-discovered skill definition (slim)
├── SKILL.md                          # opencode skill definition (slimmed, ~100 lines)
├── install.sh                        # One-command installer (tools + skill + agent)
├── install-tools.sh                  # Pentest tool installer (called by install.sh)
├── logo.svg                          # Project logo
├── CHANGELOG.md                      # Version history
├── CLAUDE.md                         # AI assistant project context
├── CONTRIBUTING.md                   # Contribution guidelines
├── DISCLAIMER.md                     # Ethical use disclaimer
├── SECURITY.md                       # Security policy
├── VERSION                           # Semantic version
├── db/
│   ├── doctor.sh                     # Tool installation audit
│   ├── findings.sh                   # Findings database CLI (init, find-target, check, add, list, stats, etc.)
│   ├── schema.sql                    # SQLite database schema (v4, 15+ tables)
│   ├── seed.py                       # Engine seed data loader (domains, categories, tools, checklists)
│   ├── handoff.sh                    # Professional 8-section report generator
│   ├── chain-rules.sh                # Attack chain correlation engine (30+ rules)
│   ├── chains.sh                     # Attack chain management
│   ├── reflect.sh                    # Reflection audit
│   ├── pipeline.sh                   # Pipeline DAG executor
│   ├── migrate.sh                    # Schema migration runner
│   └── lib/common.sh                 # Shared database functions (SQLite/ Python fallback)
├── playbooks/
│   ├── README.md                     # Playbook overview
│   ├── reconnaissance.md             # Reconnaissance playbook
│   ├── web-application.md            # Web application playbook
│   └── network-pentest.md            # Network pentest playbook
├── docs/
│   ├── AGENT-GUIDE.md                # Agent usage guide
│   ├── CUSTOMIZATION.md              # Customization guide
│   ├── DATA-PRIVACY.md               # Data privacy information
│   ├── TIER2-EXECUTION.md            # Execution mode safety model
│   └── reference/
│       ├── TOOL_REGISTRY.md          # 74-tool catalog with command variants
│       ├── ATTACK_INDEX.md           # Expanded 63-category attack index
│       ├── REPORT_CONTRACT.md        # Fixed deliverable schema
│       ├── OUTPUT_STRUCTURE.md       # Standardized per-finding layout
│       └── PATT_STANDARD.md          # Payload governance rules
├── settings.example.env              # Configuration template
├── examples/
│   └── example-pentest-report.md     # Sample pentest report
├── LICENSE                           # MIT License
├── README.md                         # This file

FAQ

Q: Do I need all the tools installed? A: No. The AI works with whatever is available via bash. The install script is optional but recommended for the best results (automated SQL injection with sqlmap, high-speed directory brute-force with ffuf, subdomain discovery with subfinder, etc.).

Q: Can I use this for bug bounty programs? A: Yes, as long as you stay within the program's defined scope and rules of engagement. The human-in-the-loop gates ensure you never accidentally run an out-of-scope test.

Q: What's the "time budget" and why does it matter? A: The time budget is a quota to spend, not a ceiling. If you set 120 minutes, the AI will breadth-first test every category, then escalate depth on responsive parameters, chain findings together, expand payloads, and only stop when the budget is consumed or every surface is proven exhausted. This prevents shallow testing.

Q: Does this replace a human penetration tester? A: No. It covers the most common vulnerability categories found in vibe-coded apps and provides structured, evidence-driven testing. For critical production systems with sensitive user data, hire a professional penetration tester.

Q: What's "vibe coding"? A: Vibe coding is the practice of using AI coding assistants (Cursor, Copilot, Claude Code, Windsurf) to rapidly generate application code. While fast and productive, AI-generated code has a known security gap — Carnegie Mellon found only 10.5% of AI-generated code is secure.


Contributing

Contributions are welcome! See CONTRIBUTING.md for guidelines. Report issues via GitHub Issues.


Changelog

See CHANGELOG.md for version history.


Credits

This project combines and builds upon several outstanding open-source security frameworks:

  • benavlabs/vibe-check — Defensive security audit framework for vibe-coded apps. The 17-category checklist, AGENTS.md rules, and AI-CHECKLIST.MD prompt are based on their work.
  • Stickman230/claude-pentest — Offensive penetration testing framework for Claude Code. The 15-agent architecture, 63-category attack index, 4-phase executor workflow, engagement lifecycle, and pre-flight reachability check (db/preflight.sh) are ported from their framework.
  • 0xSteph/pentest-ai-agents (deep pass) — 35 Claude Code subagents for penetration testing. The README structure, badge system, documentation layout (CHANGELOG, SECURITY, DISCLAIMER, CONTRIBUTING), findings database architecture, doctor.sh tool audit, and .github/issue template patterns are adapted from this project. Additional patterns: scope guard (agents/scope-guard.md) with hard refusal list and OPSEC tagging, exploit chainer (db/chains.sh), swarm dashboard (findings.sh dashboard), 8-section professional report template (handoff.sh), agent recommendation engine (agents/recommend.md), and schema migration runner (db/migrate.sh) are all adapted from pentest-ai-agents v3.2.0.
  • GH05TCREW/PentestAgent — AI agent framework for black-box security testing. The playbook system (phase/technique structure), environment detection/inventory pattern (--inventory mode), Shadow Graph concept (Mermaid-format findings graph, now extended to a full NetworkX Knowledge Graph in db/graph.py), agent state machine, and settings configuration system are adapted from this project.
  • SanMuzZzZz/LuaN1aoAgent — Autonomous AI penetration testing agent with dual-graph reasoning. The P-E-R (Reflector) pattern with audit, VETO power, and STE knowledge distillation, the bulletin board (shared findings between parallel agents), context compression for session logs, and intelligence aggregation are adapted from this project.
  • nunenuh/pentest-kit — Tool-orchestrated pentesting framework with pipeline DAG orchestration. The pipeline system (YAML step definitions with input_from/input_params/output/parse fields), tool registry with command templates (db/tools.md), step-based pipeline executor (db/pipeline.sh), and pipeline preflight checks (doctor.sh --pipeline) are adapted from this project.
  • Built for opencode — The open-source AI coding assistant.

Support the Project

opencode-pentester is free and open-source. If you find it useful for your pentesting or security auditing work:

  • ★ Star this repo on GitHub — it helps others find it
  • 🐛 Report bugs and request features via GitHub Issues
  • 📢 Share it with your security team, at conferences, or on social media
  • 🔄 Contribute — see CONTRIBUTING.md for how to get involved
  • 🔬 Follow for updates on new attack categories, tool integrations, and releases

License

MIT License — see LICENSE for details.


About

Full-spectrum security assessment tool for opencode — defensive code audit (17 vulnerability categories) + offensive penetration testing (63 attack categories, 15 agents, 11 domains). AI-powered AppSec, red teaming, and pentesting for vibe-coded apps.

Topics

Resources

License

Contributing

Security policy

Stars

3 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors