shannon
by
KeygraphHQ

Description: Shannon is an autonomous, white-box AI pentester for web applications and APIs. It analyzes your source code, identifies attack vectors, and executes real...

View on GitHub ↗

Summary Information

Updated 29 minutes ago
Added to GitGenius on February 9th, 2026
Created on September 27th, 2025
Open Issues & Pull Requests: 23 (+0)
Number of forks: 5,293
Total Stargazers: 45,566 (+0)
Total Subscribers: 220 (+0)

Issue Activity (beta)

Open issues: 13
New in 7 days: 0
Closed in 7 days: 0
Avg open age: 1 days
Stale 30+ days: 3
Stale 90+ days: 0

Recent activity

Opened in 7 days: 0
Closed in 7 days: 0
Comments in 7 days: 0
Events in 7 days: 0

Top labels

No label distribution available yet.

Most active issues this week

No issue events were indexed in the last 7 days.

Repository Insights (GitGenius)

Median issue/PR response: 4.8 hours
Mean response time: 4.0 days
90th percentile: 9.4 days
Tracked items: 121

Most active contributors

Detailed Description

Shannon is an autonomous, white-box AI pentester for web applications and APIs developed by Keygraph and distributed as open-source software. The tool analyzes application source code to identify potential attack vectors, then executes real exploits against running applications to prove vulnerabilities before they reach production. Rather than generating speculative security warnings, Shannon reports only validated findings with reproducible proof-of-concept steps, making it a proof-by-exploitation system designed to close the gap between continuous code deployment and infrequent annual penetration tests.

The repository is written in TypeScript and serves as Shannon Open Source, the standalone pentester that users run locally from the command line. According to the README, Shannon combines source-code analysis with live exploitation through a multi-agent workflow. The process begins with pre-reconnaissance to identify frameworks, entry points, and data flows from the repository, followed by reconnaissance that explores the live application and correlates runtime behavior with code-level context. Specialized agents then run vulnerability analysis targeting Injection, XSS, SSRF, Authentication, and Authorization issues. The system attempts real proof-of-concept attacks and discards hypotheses that cannot be proven, ultimately compiling validated findings into a final Markdown report.

Key capabilities include white-box attack planning that uses source-code analysis to guide dynamic testing, autonomous execution from a single command that handles reconnaissance through report generation, and authenticated testing through configuration files that describe login flows, test credentials, TOTP, and email-based authentication. Shannon focuses on OWASP-relevant vulnerabilities and supports resumable workspaces that allow interrupted runs to continue without re-executing completed agents. The tool requires Docker for the worker container, Node.js 18 or higher, and AI provider credentials, with Anthropic recommended though AWS Bedrock, Google Vertex AI, and compatible proxy setups are documented.

The repository demonstrates active maintenance and community engagement. GitGenius tracking shows a median issue and pull request response latency of 4.8 hours across 121 items, with mean latency of 95 hours. The most active contributors tracked by GitGenius are ezl-keygraph with 161 events, keygraphVarun with 90 events, and ajmallesh with 19 events. The repository overlaps with contributors from emberjs/ember.js, openai/openai-agents-python, and anthropics/claude-code, indicating cross-pollination with other significant open-source projects.

Shannon Open Source differs from the commercial Keygraph platform in scope and features. While Shannon Open Source provides standalone white-box pentesting on demand, the Keygraph platform surrounds the Shannon engine with continuous analysis including Code Property Graph SAST, SCA with reachability analysis, secrets detection, IaC scanning, and container analysis. The platform adds finding management with deduplication, ownership tracking, SLA management, dashboards, and Jira integration, plus automated remediation that opens pull requests with fixes and verifies them through point re-testing. The Keygraph platform also supports self-hosted and air-gapped deployments with bring-your-own-key models and customer-controlled LLM gateways.

The project includes sample penetration test reports demonstrating Shannon's capabilities against intentionally vulnerable applications including OWASP Juice Shop, c{api}tal API, and OWASP crAPI, each showing discovery of 15 or more vulnerabilities across authentication bypass, SQL injection, IDOR, SSRF, command injection, and authorization issues. A beta feature announced in the README allows Shannon to run on the Pi Harness through the command npx @keygraph/shannon@beta. The repository is licensed under AGPL-3.0 for open-source use, with commercial licensing available through Keygraph.

shannon
by
KeygraphHQKeygraphHQ/shannon

Repository Details

Fetching additional details & charts...