Shannon AI渗透测试工具：自动化白盒Web应用与API安全审计

shannon-ai-pentester by aradotso/trending-skills

255 周安装量

10 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/aradotso/trending-skills --skill shannon-ai-pentester

自动化测试安全

🇨🇳中文介绍

Shannon AI 渗透测试工具

技能来自 ara.so — Daily 2026 Skills 合集。

Shannon 是一款面向 Web 应用程序和 API 的自动化白盒 AI 渗透测试工具。它会读取您的源代码以识别攻击向量，然后对正在运行的应用程序执行真实的漏洞利用（SQL 注入、XSS、SSRF、身份验证绕过、授权缺陷）——仅报告那些带有有效概念验证的漏洞。

工作原理

侦察阶段 — 使用 Nmap、Subfinder、WhatWeb 和 Schemathesis 扫描目标
代码分析 — Shannon 读取您的代码仓库以绘制攻击面
并行漏洞利用 — 并发代理尝试在所有漏洞类别上进行实时漏洞利用
报告生成 — 仅包含经过确认、可复现且附带可复制粘贴概念验证的发现

安装与先决条件

Docker（必需 — Shannon 完全在容器中运行）
Anthropic API 密钥、Claude Code OAuth 令牌、AWS Bedrock 凭据或 Google Vertex AI 凭据

git clone https://github.com/KeygraphHQ/shannon.git
cd shannon

快速开始

# 选项 A：导出凭据
export ANTHROPIC_API_KEY="sk-ant-..."
export CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000

# 选项 B：使用 .env 文件
cat > .env << 'EOF'
ANTHROPIC_API_KEY=sk-ant-...
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
EOF

# 运行渗透测试
./shannon start URL=https://your-app.example.com REPO=/path/to/your/repo

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

基础 Web 应用渗透测试

# 将 Shannon 指向正在运行的本地应用及其源代码
./shannon start \
  URL=http://localhost:3000 \
  REPO=$(pwd)/../my-express-app

针对 OWASP Juice Shop 的测试（演示）

# 拉取并运行 Juice Shop
docker run -d -p 3000:3000 bkimminich/juice-shop

# 使用 Shannon 对其进行测试
./shannon start \
  URL=http://localhost:3000 \
  REPO=/path/to/juice-shop

带 2FA 的认证测试

export TARGET_USERNAME="admin@yourapp.com"
export TARGET_PASSWORD="$ADMIN_PASSWORD"
export TARGET_TOTP_SECRET="$TOTP_BASE32_SECRET"

./shannon start URL=https://staging.yourapp.com REPO=/path/to/repo

AWS Bedrock 提供商

export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"
export AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY"
export AWS_DEFAULT_REGION=us-east-1
export SHANNON_AI_PROVIDER=bedrock
export SHANNON_BEDROCK_MODEL=anthropic.claude-3-7-sonnet-20250219-v1:0

./shannon start URL=https://target.example.com REPO=/path/to/repo

Google Vertex AI 提供商

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
export SHANNON_AI_PROVIDER=vertex
export SHANNON_VERTEX_PROJECT=my-gcp-project
export SHANNON_VERTEX_REGION=us-east5

./shannon start URL=https://target.example.com REPO=/path/to/repo

工作区与恢复模式

工作区允许您暂停和恢复长时间运行的渗透测试：

# 使用命名的工作区启动
./shannon start \
  URL=https://target.example.com \
  REPO=/path/to/repo \
  WORKSPACE=sprint-42-audit

# 稍后，从停止的地方恢复
./shannon resume WORKSPACE=sprint-42-audit

# 工作区会持久化结果，以便您可以重新运行报告
./shannon report WORKSPACE=sprint-42-audit

报告被写入工作区目录（默认：./workspaces/<workflow-id>/）：

workspaces/
└── my-audit-2024/
    ├── report.md          # 包含 PoC 利用的最终渗透测试报告
    ├── findings.json      # 机器可读的发现结果
    └── logs/              # 每个代理的执行日志

报告内容包括：

漏洞标题和 CVSS 风格严重性等级
受影响的端点和参数
带有源代码引用的根本原因
分步复现说明
可复制粘贴的 curl/HTTP PoC

Shannon 当前测试以下类别：

类别	示例
注入攻击	SQL 注入、命令注入、LDAP 注入
XSS	反射型、存储型、基于 DOM 的 XSS
SSRF	内部网络访问、云元数据端点
身份验证缺陷	弱令牌、会话固定、身份验证绕过
授权缺陷	IDOR、权限提升、访问控制缺失

# .github/workflows/pentest.yml
name: Shannon Pentest
on:
  push:
    branches: [staging]

jobs:
  pentest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          path: app

      - name: Clone Shannon
        run: git clone https://github.com/KeygraphHQ/shannon.git

      - name: 启动应用程序
        run: |
          cd app
          docker compose up -d
          # 等待应用程序健康启动
          sleep 30

      - name: 运行 Shannon
        working-directory: shannon
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          CLAUDE_CODE_MAX_OUTPUT_TOKENS: 64000
        run: |
          ./shannon start \
            URL=http://localhost:3000 \
            REPO=${{ github.workspace }}/app \
            WORKSPACE=ci-${{ github.sha }}
          # 等待完成并获取报告
          ./shannon wait ci-${{ github.sha }}
          ./shannon report ci-${{ github.sha }} > pentest-report.md

      - name: 上传报告
        uses: actions/upload-artifact@v4
        with:
          name: pentest-report
          path: shannon/pentest-report.md

未找到 Docker 或权限被拒绝

# 确保 Docker 守护进程正在运行
docker info

# 将您的用户添加到 docker 组（Linux）
sudo usermod -aG docker $USER
newgrp docker

Shannon 容器构建失败

# 强制进行干净的重新构建
docker compose -f shannon/docker-compose.yml build --no-cache

渗透测试停滞 / 无进展

# 检查阻塞代理的实时日志
./shannon logs <workflow-id>

# 常见原因：
# - 目标应用程序无法从 Shannon 容器内部访问
# - ANTHROPIC_API_KEY 缺失或达到速率限制
# - 未设置 CLAUDE_CODE_MAX_OUTPUT_TOKENS（模型达到默认限制）

目标应用无法从 Shannon 容器访问

# 使用 host.docker.internal 替代 localhost
./shannon start \
  URL=http://host.docker.internal:3000 \
  REPO=/path/to/repo

# 或者将两者放在同一个 Docker 网络中
docker network create pentest-net
docker run --network pentest-net ...   # 您的应用
# 然后在 .env 中设置 SHANNON_DOCKER_NETWORK=pentest-net

Anthropic 的速率限制错误

# 使用 AWS Bedrock 或 Vertex AI 以避免共享速率限制
export SHANNON_AI_PROVIDER=bedrock
export AWS_DEFAULT_REGION=us-east-1

# 启动时始终使用 WORKSPACE= 以启用可恢复性
./shannon start URL=... REPO=... WORKSPACE=named-session

# 恢复
./shannon resume WORKSPACE=named-session

仅测试您拥有或已获得明确书面测试许可的应用程序。
Shannon Lite 采用 AGPL-3.0 许可证 — 任何修改都必须以相同许可证开源。
Shannon 是一个白盒工具：它期望访问您应用程序的源代码。
它不是黑盒扫描器。未经授权对第三方目标运行它是非法的。

GitHub : https://github.com/KeygraphHQ/shannon
Keygraph 平台（专业版） : https://keygraph.io
示例报告（Juice Shop） : 仓库中的 sample-reports/shannon-report-juice-shop.md
Shannon Pro 架构 : 仓库中的 SHANNON-PRO.md
公告 : https://github.com/KeygraphHQ/shannon/discussions/categories/announcements
Discord : https://discord.gg/9ZqQPuhJB7

🇺🇸English

Shannon AI Pentester

Skill by ara.so — Daily 2026 Skills collection.

Shannon is an autonomous, white-box AI pentester for web applications and APIs. It reads your source code to identify attack vectors, then executes real exploits (SQLi, XSS, SSRF, auth bypass, authorization flaws) against a live running application — only reporting vulnerabilities with a working proof-of-concept.

How It Works

Reconnaissance — Nmap, Subfinder, WhatWeb, and Schemathesis scan the target
Code Analysis — Shannon reads your repository to map attack surfaces
Parallel Exploitation — Concurrent agents attempt live exploits across all vulnerability categories
Report Generation — Only confirmed, reproducible findings with copy-paste PoCs are included

Installation & Prerequisites

Docker (required — Shannon runs entirely in containers)
An Anthropic API key, Claude Code OAuth token, AWS Bedrock credentials, or Google Vertex AI credentials

git clone https://github.com/KeygraphHQ/shannon.git cd shannon

Quick Start

# Option A: Export credentials
export ANTHROPIC_API_KEY="sk-ant-..."
export CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000

# Option B: .env file
cat > .env << 'EOF'
ANTHROPIC_API_KEY=sk-ant-...
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
EOF

# Run a pentest
./shannon start URL=https://your-app.example.com REPO=/path/to/your/repo

Shannon builds containers, starts the workflow in the background, and returns a workflow ID.

Key CLI Commands

# Start a pentest
./shannon start URL=https://target.example.com REPO=/path/to/repo

# Start with explicit workspace name (for resuming)
./shannon start URL=https://target.example.com REPO=/path/to/repo WORKSPACE=my-audit-2024

# Monitor live progress (tail logs)
./shannon logs <workflow-id>

# Check status of a running pentest
./shannon status <workflow-id>

# Resume an interrupted pentest
./shannon resume WORKSPACE=my-audit-2024

# Stop a running pentest
./shannon stop <workflow-id>

# View the final report
./shannon report <workflow-id>

Configuration

Environment Variables

# Required (choose one auth method)
ANTHROPIC_API_KEY=sk-ant-...           # Anthropic direct
CLAUDE_CODE_OAUTH_TOKEN=...            # Claude Code OAuth

# Recommended
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000   # Increase output window for large reports

# AWS Bedrock (alternative to Anthropic direct)
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_DEFAULT_REGION=us-east-1
SHANNON_AI_PROVIDER=bedrock
SHANNON_BEDROCK_MODEL=anthropic.claude-3-7-sonnet-20250219-v1:0

# Google Vertex AI (alternative to Anthropic direct)
GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
SHANNON_AI_PROVIDER=vertex
SHANNON_VERTEX_PROJECT=your-gcp-project
SHANNON_VERTEX_REGION=us-east5

.env File Example

# .env (place in the shannon project root)
ANTHROPIC_API_KEY=sk-ant-...
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000

# Optional: target credentials for authenticated testing
TARGET_USERNAME=admin@example.com
TARGET_PASSWORD=supersecret
TARGET_TOTP_SECRET=BASE32TOTPSECRET   # Shannon handles 2FA automatically

Usage Examples

Basic Web App Pentest

# Point Shannon at a running local app with its source code
./shannon start \
  URL=http://localhost:3000 \
  REPO=$(pwd)/../my-express-app

Testing Against OWASP Juice Shop (Demo)

# Pull and run Juice Shop
docker run -d -p 3000:3000 bkimminich/juice-shop

# Run Shannon against it
./shannon start \
  URL=http://localhost:3000 \
  REPO=/path/to/juice-shop

Authenticated Testing with 2FA

export TARGET_USERNAME="admin@yourapp.com"
export TARGET_PASSWORD="$ADMIN_PASSWORD"
export TARGET_TOTP_SECRET="$TOTP_BASE32_SECRET"

./shannon start URL=https://staging.yourapp.com REPO=/path/to/repo

AWS Bedrock Provider

export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"
export AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY"
export AWS_DEFAULT_REGION=us-east-1
export SHANNON_AI_PROVIDER=bedrock
export SHANNON_BEDROCK_MODEL=anthropic.claude-3-7-sonnet-20250219-v1:0

./shannon start URL=https://target.example.com REPO=/path/to/repo

Google Vertex AI Provider

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
export SHANNON_AI_PROVIDER=vertex
export SHANNON_VERTEX_PROJECT=my-gcp-project
export SHANNON_VERTEX_REGION=us-east5

./shannon start URL=https://target.example.com REPO=/path/to/repo

Workspace and Resume Pattern

Workspaces allow you to pause and resume long-running pentests:

# Start with a named workspace
./shannon start \
  URL=https://target.example.com \
  REPO=/path/to/repo \
  WORKSPACE=sprint-42-audit

# Later, resume from where it stopped
./shannon resume WORKSPACE=sprint-42-audit

# Workspaces persist results so you can re-run reports
./shannon report WORKSPACE=sprint-42-audit

Output and Reports

Reports are written to the workspace directory (default: ./workspaces/<workflow-id>/):

workspaces/
└── my-audit-2024/
    ├── report.md          # Final pentest report with PoC exploits
    ├── findings.json      # Machine-readable findings
    └── logs/              # Per-agent execution logs

The report includes:

Vulnerability title and CVSS-style severity
Affected endpoint and parameter
Root cause with source code reference
Step-by-step reproduction instructions
Copy-paste curl/HTTP PoC

Vulnerability Coverage

Shannon currently tests for:

Category	Examples
Injection	SQL injection, command injection, LDAP injection
XSS	Reflected, stored, DOM-based
SSRF	Internal network access, cloud metadata endpoints
Broken Authentication	Weak tokens, session fixation, auth bypass
Broken Authorization	IDOR, privilege escalation, missing access controls

CI/CD Integration Pattern

# .github/workflows/pentest.yml
name: Shannon Pentest
on:
  push:
    branches: [staging]

jobs:
  pentest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          path: app

      - name: Clone Shannon
        run: git clone https://github.com/KeygraphHQ/shannon.git

      - name: Start Application
        run: |
          cd app
          docker compose up -d
          # Wait for app to be healthy
          sleep 30

      - name: Run Shannon
        working-directory: shannon
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          CLAUDE_CODE_MAX_OUTPUT_TOKENS: 64000
        run: |
          ./shannon start \
            URL=http://localhost:3000 \
            REPO=${{ github.workspace }}/app \
            WORKSPACE=ci-${{ github.sha }}
          # Wait for completion and get report
          ./shannon wait ci-${{ github.sha }}
          ./shannon report ci-${{ github.sha }} > pentest-report.md

      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: pentest-report
          path: shannon/pentest-report.md

Troubleshooting

Docker not found or permission denied

# Ensure Docker daemon is running
docker info

# Add your user to the docker group (Linux)
sudo usermod -aG docker $USER
newgrp docker

Shannon containers fail to build

# Force a clean rebuild
docker compose -f shannon/docker-compose.yml build --no-cache

Pentest stalls / no progress

# Check live logs for the blocking agent
./shannon logs <workflow-id>

# Common causes:
# - Target app is not reachable from inside the Shannon container
# - ANTHROPIC_API_KEY is missing or rate-limited
# - CLAUDE_CODE_MAX_OUTPUT_TOKENS not set (model hits default limit)

Target app not reachable from Shannon containers

# Use host.docker.internal instead of localhost
./shannon start \
  URL=http://host.docker.internal:3000 \
  REPO=/path/to/repo

# Or put both on the same Docker network
docker network create pentest-net
docker run --network pentest-net ...   # your app
# Then set SHANNON_DOCKER_NETWORK=pentest-net in .env

Rate limit errors from Anthropic

# Use AWS Bedrock or Vertex AI to avoid shared rate limits
export SHANNON_AI_PROVIDER=bedrock
export AWS_DEFAULT_REGION=us-east-1

Resume after crash

# Always use WORKSPACE= when starting to enable resumability
./shannon start URL=... REPO=... WORKSPACE=named-session

# Resume
./shannon resume WORKSPACE=named-session

Important Disclaimers

Only test applications you own or have explicit written permission to test.
Shannon Lite is AGPL-3.0 licensed — any modifications must be open-sourced under the same license.
Shannon is a white-box tool : it expects access to your application's source code.
It is not a black-box scanner. Running it against third-party targets without authorization is illegal.

Key Links

GitHub : https://github.com/KeygraphHQ/shannon
Keygraph Platform (Pro) : https://keygraph.io
Sample Report (Juice Shop) : sample-reports/shannon-report-juice-shop.md in the repo
Shannon Pro Architecture : SHANNON-PRO.md in the repo
Announcements : https://github.com/KeygraphHQ/shannon/discussions/categories/announcements
Discord : https://discord.gg/9ZqQPuhJB7

Weekly Installs

255

Repository

aradotso/trending-skills

GitHub Stars

First Seen

6 days ago

Security Audits

Gen Agent Trust HubFail SocketPass SnykWarn

Installed on

gemini-cli254

github-copilot254

codex254

amp254

cline254

kimi-cli254

通过 LiteLLM 代理让 Claude Code 对接 GitHub Copilot 运行 | 高级变通方案指南

27,600 周安装