shannon-ai-pentester


Shannon AI Pentester

Skill by ara.so — Daily 2026 Skills collection.
Shannon is an autonomous, white-box AI pentester for web applications and APIs. It reads your source code to identify attack vectors, then executes real exploits (SQLi, XSS, SSRF, auth bypass, authorization flaws) against a live running application — only reporting vulnerabilities with a working proof-of-concept.

How It Works

  1. Reconnaissance — Nmap, Subfinder, WhatWeb, and Schemathesis scan the target
  2. Code Analysis — Shannon reads your repository to map attack surfaces
  3. Parallel Exploitation — Concurrent agents attempt live exploits across all vulnerability categories
  4. Report Generation — Only confirmed, reproducible findings with copy-paste PoCs are included

Installation & Prerequisites

  • Docker (required — Shannon runs entirely in containers)
  • An Anthropic API key, Claude Code OAuth token, AWS Bedrock credentials, or Google Vertex AI credentials
```bash
git clone https://github.com/KeygraphHQ/shannon.git
cd shannon
```

Quick Start

```bash
# Option A: Export credentials
export ANTHROPIC_API_KEY="sk-ant-..."
export CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000

# Option B: .env file
cat > .env << 'EOF'
ANTHROPIC_API_KEY=sk-ant-...
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
EOF

# Run a pentest
./shannon start URL=https://your-app.example.com REPO=/path/to/your/repo
```

Shannon builds containers, starts the workflow in the background, and returns a workflow ID.

Key CLI Commands

```bash
# Start a pentest
./shannon start URL=https://target.example.com REPO=/path/to/repo

# Start with explicit workspace name (for resuming)
./shannon start URL=https://target.example.com REPO=/path/to/repo WORKSPACE=my-audit-2024

# Monitor live progress (tail logs)
./shannon logs <workflow-id>

# Check status of a running pentest
./shannon status <workflow-id>

# Resume an interrupted pentest
./shannon resume WORKSPACE=my-audit-2024

# Stop a running pentest
./shannon stop <workflow-id>

# View the final report
./shannon report <workflow-id>
```

Configuration

Environment Variables

```bash
# Required (choose one auth method)
ANTHROPIC_API_KEY=sk-ant-...          # Anthropic direct
CLAUDE_CODE_OAUTH_TOKEN=...           # Claude Code OAuth

# Recommended
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000   # Increase output window for large reports

# AWS Bedrock (alternative to Anthropic direct)
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_DEFAULT_REGION=us-east-1
SHANNON_AI_PROVIDER=bedrock
SHANNON_BEDROCK_MODEL=anthropic.claude-3-7-sonnet-20250219-v1:0

# Google Vertex AI (alternative to Anthropic direct)
GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
SHANNON_AI_PROVIDER=vertex
SHANNON_VERTEX_PROJECT=your-gcp-project
SHANNON_VERTEX_REGION=us-east5
```

.env File Example

```bash
# .env (place in the shannon project root)
ANTHROPIC_API_KEY=sk-ant-...
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000

# Optional: target credentials for authenticated testing
TARGET_USERNAME=admin@example.com
TARGET_PASSWORD=supersecret
TARGET_TOTP_SECRET=BASE32TOTPSECRET   # Shannon handles 2FA automatically
```

Usage Examples

Basic Web App Pentest

```bash
# Point Shannon at a running local app with its source code
./shannon start \
  URL=http://localhost:3000 \
  REPO=$(pwd)/../my-express-app
```

Testing Against OWASP Juice Shop (Demo)

```bash
# Pull and run Juice Shop
docker run -d -p 3000:3000 bkimminich/juice-shop

# Run Shannon against it
./shannon start \
  URL=http://localhost:3000 \
  REPO=/path/to/juice-shop
```

Authenticated Testing with 2FA

```bash
export TARGET_USERNAME="admin@yourapp.com"
export TARGET_PASSWORD="$ADMIN_PASSWORD"
export TARGET_TOTP_SECRET="$TOTP_BASE32_SECRET"

./shannon start URL=https://staging.yourapp.com REPO=/path/to/repo
```

AWS Bedrock Provider

```bash
export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"
export AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY"
export AWS_DEFAULT_REGION=us-east-1
export SHANNON_AI_PROVIDER=bedrock
export SHANNON_BEDROCK_MODEL=anthropic.claude-3-7-sonnet-20250219-v1:0

./shannon start URL=https://target.example.com REPO=/path/to/repo
```

Google Vertex AI Provider

```bash
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
export SHANNON_AI_PROVIDER=vertex
export SHANNON_VERTEX_PROJECT=my-gcp-project
export SHANNON_VERTEX_REGION=us-east5

./shannon start URL=https://target.example.com REPO=/path/to/repo
```

Workspace and Resume Pattern

Workspaces allow you to pause and resume long-running pentests:

```bash
# Start with a named workspace
./shannon start \
  URL=https://target.example.com \
  REPO=/path/to/repo \
  WORKSPACE=sprint-42-audit

# Later, resume from where it stopped
./shannon resume WORKSPACE=sprint-42-audit

# Workspaces persist results so you can re-run reports
./shannon report WORKSPACE=sprint-42-audit
```

Output and Reports

Reports are written to the workspace directory (default: ./workspaces/<workflow-id>/):

```
workspaces/
└── my-audit-2024/
    ├── report.md          # Final pentest report with PoC exploits
    ├── findings.json      # Machine-readable findings
    └── logs/              # Per-agent execution logs
```

The report includes:
  • Vulnerability title and CVSS-style severity
  • Affected endpoint and parameter
  • Root cause with source code reference
  • Step-by-step reproduction instructions
  • Copy-paste curl/HTTP PoC

Vulnerability Coverage

Shannon currently tests for:

| Category | Examples |
| --- | --- |
| Injection | SQL injection, command injection, LDAP injection |
| XSS | Reflected, stored, DOM-based |
| SSRF | Internal network access, cloud metadata endpoints |
| Broken Authentication | Weak tokens, session fixation, auth bypass |
| Broken Authorization | IDOR, privilege escalation, missing access controls |

CI/CD Integration Pattern

```yaml
# .github/workflows/pentest.yml
name: Shannon Pentest
on:
  push:
    branches: [staging]

jobs:
  pentest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          path: app

      - name: Clone Shannon
        run: git clone https://github.com/KeygraphHQ/shannon.git

      - name: Start Application
        run: |
          cd app
          docker compose up -d
          # Wait for app to be healthy
          sleep 30

      - name: Run Shannon
        working-directory: shannon
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          CLAUDE_CODE_MAX_OUTPUT_TOKENS: 64000
        run: |
          ./shannon start \
            URL=http://localhost:3000 \
            REPO=${{ github.workspace }}/app \
            WORKSPACE=ci-${{ github.sha }}
          # Wait for completion and get report
          ./shannon wait ci-${{ github.sha }}
          ./shannon report ci-${{ github.sha }} > pentest-report.md

      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: pentest-report
          path: shannon/pentest-report.md
```

Troubleshooting

Docker not found or permission denied

```bash
# Ensure Docker daemon is running
docker info

# Add your user to the docker group (Linux)
sudo usermod -aG docker "$USER"
newgrp docker
```

Shannon containers fail to build

```bash
# Force a clean rebuild
docker compose -f shannon/docker-compose.yml build --no-cache
```

Pentest stalls / no progress

```bash
# Check live logs for the blocking agent
./shannon logs <workflow-id>

# Common causes:
# - Target app is not reachable from inside the Shannon container
# - ANTHROPIC_API_KEY is missing or rate-limited
# - CLAUDE_CODE_MAX_OUTPUT_TOKENS not set (model hits default limit)
```

Target app not reachable from Shannon containers

```bash
# Use host.docker.internal instead of localhost
./shannon start \
  URL=http://host.docker.internal:3000 \
  REPO=/path/to/repo

# Or put both on the same Docker network
docker network create pentest-net
docker run --network pentest-net ... # your app

# Then set SHANNON_DOCKER_NETWORK=pentest-net in .env
```
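
A preflight for the stall causes listed under "Pentest stalls / no progress" and the localhost advice above, as an added example that is not part of Shannon or the original page. `env_get`, `shannon_preflight` and the problem codes are hypothetical names; the sketch inspects only the .env file (Option B), not exported variables, and also flags a .env that group or other users can read, since that file holds the API key and any target credentials.

```shell
# Added example (hypothetical helper, not part of Shannon).
# Prints one code per problem found; exit status is 0 only when nothing is flagged.

# Read KEY from a KEY=value file without sourcing (executing) the file.
env_get() {  # usage: env_get KEY FILE
  sed -n "s/^$1=//p" "$2" | tail -n 1 |
    sed 's/[[:space:]][[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

shannon_preflight() (  # usage: shannon_preflight ENV_FILE TARGET_URL
  env_file=$1 url=$2 rc=0
  problem() { echo "$1"; rc=1; }
  has() { [ -n "$(env_get "$1" "$env_file")" ]; }

  [ -r "$env_file" ] || { echo "env-file-missing"; exit 1; }

  # .env holds API keys and, optionally, TARGET_PASSWORD / TARGET_TOTP_SECRET.
  [ -z "$(find "$env_file" -prune \( -perm -040 -o -perm -004 \))" ] ||
    problem "env-file-readable-by-others"

  # "Required (choose one auth method)"
  case $(env_get SHANNON_AI_PROVIDER "$env_file") in
    bedrock) has AWS_ACCESS_KEY_ID || problem "no-auth" ;;
    vertex)  has GOOGLE_APPLICATION_CREDENTIALS || problem "no-auth" ;;
    *)       has ANTHROPIC_API_KEY || has CLAUDE_CODE_OAUTH_TOKEN || problem "no-auth" ;;
  esac

  # Unset means the model stops at its default output limit.
  has CLAUDE_CODE_MAX_OUTPUT_TOKENS || problem "max-output-tokens-unset"

  # Troubleshooting advice: host.docker.internal or a shared Docker network.
  host=${url#*://}; host=${host%%[:/]*}
  case $host in
    localhost|127.0.0.1) problem "target-is-localhost" ;;
  esac
  exit "$rc"
)
```

Run it as `shannon_preflight .env "$URL"` from the shannon project root before `./shannon start`; an empty output means none of the listed causes was detected in the file.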

Rate limit errors from Anthropic

```bash
# Use AWS Bedrock or Vertex AI to avoid shared rate limits
export SHANNON_AI_PROVIDER=bedrock
export AWS_DEFAULT_REGION=us-east-1
```

Resume after crash

```bash
# Always use WORKSPACE= when starting to enable resumability
./shannon start URL=... REPO=... WORKSPACE=named-session

# Resume
./shannon resume WORKSPACE=named-session
```

Important Disclaimers

  • Only test applications you own or have explicit written permission to test.
  • Shannon Lite is AGPL-3.0 licensed — any modifications must be open-sourced under the same license.
  • Shannon is a white-box tool: it expects access to your application's source code.
  • It is not a black-box scanner. Running it against third-party targets without authorization is illegal.

Key Links
