Skip to content

m1thryn/radar

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Radar

Radar is a passive intelligence enrichment CLI for IP addresses, domains, URLs, and file hashes.

This project was created with assistance from LLMs including Codex and Claude.

Features

  • Normalize and classify indicators.
  • Refang common defanged input.
  • Run matching passive providers concurrently.
  • Cache successful provider results.
  • Render Rich console output or JSON.

Requirements

  • uv
  • Python 3.11+

Install

Install from GitHub:

uv tool install git+https://github.com/m1thryn/radar.git

Run:

radar --help

Upgrade or uninstall:

uv tool upgrade radar
uv tool uninstall radar

For a repository checkout, use uv run radar ... instead of radar ....

Usage

radar evil[.]com
radar 8.8.8.8
radar hxxps://evil[.]com/path
radar evil.com --json
radar evil.com --json --raw
radar evil.com --no-cache
radar evil.com --verbose
radar 8.8.8.8 --provider rdap
radar 8.8.8.8 --provider ip-api --provider rdap

CLI Reference

Usage: radar [OPTIONS] INDICATOR

Arguments:
  indicator  IP, domain, URL, or file hash to enrich. [required]

Options:
  --json           Render structured JSON output.
  --no-cache       Disable provider cache.
  --provider TEXT  Limit execution to one or more provider names.
  --raw            Include raw provider responses with --json.
  --verbose, -v    Show runtime details.
  --help           Show help and exit.

Providers

Radar currently supports:

Provider Purpose API key Indicator types
GreyNoise Internet scanner and business-service IP context Yes ip
IP-API IP metadata No ip
MalwareBazaar Malware sample metadata Yes md5, sha1, sha256
Pulsedive Indicator risk, threats, feeds, and properties Yes ip, domain, url
RDAP Registration metadata No domain, ip
Shodan Internet-exposed services and DNS domain data Yes ip, domain
URLhaus Malware URL, host, and payload metadata Yes url, domain, ip, md5, sha256
urlscan Passive URL scan search, page metadata, verdicts, screenshots Yes url, domain, ip, sha256
ViewDNS DNS records and reverse IP/DNS Yes domain, ip
VirusTotal Reputation Yes domain, ip, url, md5, sha1, sha256

GreyNoise, MalwareBazaar, Pulsedive, Shodan, urlscan, ViewDNS, and VirusTotal are disabled unless API keys are present.

Configuration

Set API keys as environment variables or place them in ~/.config/radar/radar.env.

The repository includes .env.example with the supported variable names and empty values.

Variable Enables
RADAR_ABUSECH_KEY MalwareBazaar, URLhaus
RADAR_GREYNOISE_KEY GreyNoise
RADAR_PULSEDIVE_KEY Pulsedive
RADAR_SHODAN_KEY Shodan
RADAR_URLSCAN_KEY urlscan
RADAR_VIEWDNS_KEY ViewDNS
RADAR_VIRUSTOTAL_KEY VirusTotal
export RADAR_VIRUSTOTAL_KEY="..."

Environment variables override values from the config file. To use a different file:

export RADAR_CONFIG_PATH=/path/to/radar.env

Cache

Successful provider results are cached in SQLite:

~/.cache/radar/provider_cache.sqlite3

Override it with:

export RADAR_CACHE_PATH=/tmp/radar-cache.sqlite3

Disable cache for one run:

radar evil.com --no-cache

Raw provider responses are only included in JSON when requested:

radar evil.com --json --raw

Local Development

Install dependencies:

uv sync
uv run pytest
uv run ruff format .
uv run ruff check .

Apply safe lint fixes:

uv run ruff check . --fix

The test suite uses mocked/offline behavior and does not require live provider network access or API keys.

Manual checks:

uv run radar --help
uv run radar example.com --provider rdap --no-cache
uv run radar 8.8.8.8 --provider ip-api --json

Contributing

Keep provider behavior passive and tests offline by default.

  • Add or update tests for provider parsing, renderer behavior, or CLI changes.
  • Run uv run ruff check . and uv run pytest.
  • Do not commit API keys, cache files, or sensitive live responses.

For new providers, implement the provider class, register it in radar/providers/registry.py, document its API key and supported indicator types, and add mocked tests.

Project Layout

radar/
  cli/          CLI entrypoint
  core/         models, normalization, classification
  providers/    provider interface and implementations
  cache/        SQLite cache
  renderers/    console and JSON output
  engine.py     concurrent enrichment engine
  config.py     environment-backed runtime config
tests/

About

An IoC enrichment CLI tool

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages