securitychecker

command module
v1.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 14, 2026 License: MIT Imports: 13 Imported by: 0

README

SecurityChecker

A fast recon helper for pentesters and bug bounty hunters. Paste or upload a list of targets and, for each one, it checks the three standardized files worth looking at first:

  • /robots.txt — surfaces Disallow paths (often hidden endpoints / admin panels) and Sitemap URLs.
  • security.txt (RFC 9116, at /.well-known/security.txt and the legacy /security.txt) — the security Contact, Policy link, Expires validity, encryption key, and more.
  • /.well-known/ — probes a curated list of registered URIs that fingerprint the stack (OIDC, mobile app links, mail security posture, federation, …).

It runs as a CLI (table / JSON / CSV) and ships an optional local web UI (paste box + file upload) — both use the same engine and it's a single static Go binary with no third-party dependencies.

⚠️ Authorized use only. Every request is a plain GET of a public, standardized file — no fuzzing, no exploitation. Only run it against systems you are permitted to test.


Install

Prebuilt binary — grab the archive for your OS/arch from the Releases page (Linux, macOS, Windows; amd64/arm64), extract, and put securitychecker on your PATH.

From source / Go toolchain:

# from source (Go 1.23+)
git clone https://github.com/11lunaric11/securitychecker
cd securitychecker
go build -o securitychecker .

# or install straight from the module
go install github.com/11lunaric11/securitychecker@latest

CLI usage

# scan a few targets
securitychecker scan example.com github.com cloudflare.com

# from a file (.txt one-per-line, or .csv with a url/domain column)
securitychecker scan -f targets.txt
securitychecker scan -f scope.csv --concurrency 20

# machine-readable output
securitychecker scan -f targets.txt --json | jq .
securitychecker scan -f targets.txt --csv -o report.csv

# from stdin
cat targets.txt | securitychecker scan

Example output:

TARGET       ROBOTS     SEC.TXT   EXPIRES  CONTACT                       WELL-KNOWN
github.com   yes (57)   yes (wk)  valid    https://hackerone.com/github  2
google.com   yes (173)  yes (wk)  valid    security@google.com           1
example.com  no         no        —        —                             0

▸ github.com
  robots.txt (57 disallow, 0 sitemaps)
    Disallow: /account-login
    Disallow: */tarball/
    …
  security.txt https://github.com/.well-known/security.txt
    Contact:  https://hackerone.com/github
    Expires:  2026-08-13T09:04:15Z (valid)
    Policy:   https://bounty.github.com
Scan flags
Flag Default Description
-f <file> target list (.txt/.csv), repeatable
--json false output JSON
--csv false output CSV
-o <file> stdout write output to a file
--concurrency N 10 max targets scanned at once
--timeout D 10s per-request timeout
--delay D 0 pause between requests to one host
--wellknown true probe the /.well-known/ list (--wellknown=false)
--user-agent S custom User-Agent
--no-color false disable colored output

Web UI

securitychecker serve --port 8080
# open http://localhost:8080

Paste targets or upload a .txt/.csv, hit Scan, and get a clean results table — summary tiles, colored status pills, expandable per-target detail, and Copy JSON / Download CSV export. Single self-contained page, no external assets.

What gets reported

  • robots.txt — found?, Disallow/Allow rules, Sitemap URLs, Crawl-delay.
  • security.txt — all RFC 9116 fields (Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring, CSAF), extracted contact e-mails, Expires validity (valid / expired / invalid / missing — a common RFC violation), and whether the file is PGP-signed.
  • /.well-known/change-password, openid-configuration, oauth-authorization-server, assetlinks.json, apple-app-site-association, mta-sts.txt, host-meta, webfinger, dnt-policy.txt, gpc.json, nodeinfo, ai-plugin.json, traffic-advice.

Notes

  • Scheme / www fallback — each target is probed on its given scheme first, then the www/apex counterpart and the other scheme, so www-only and http-only sites resolve automatically. (Apex→www redirects are followed anyway.)
  • Slow / unreachable hosts — an unreachable target can cost up to ~3× the --timeout while the fallbacks are tried; lower --timeout when scanning large lists.
  • WAF / bot-protected sites — some hosts stall or block the default User-Agent; pass a browser-like one with --user-agent if a site you can reach in a browser errors out.
  • Markdown-linkified pastes ([host](https://host)), <url>, and quoted/backtick inputs are unwrapped automatically.

Development

go test ./...
go vet ./...

Publishing your own fork

Before pushing, point the module path at your account:

go mod edit -module github.com/<your-username>/securitychecker
grep -rl 11lunaric11/securitychecker . | xargs sed -i 's#11lunaric11/securitychecker#<your-username>/securitychecker#g'
go build ./...

License

MIT — see LICENSE.

Documentation

Overview

SecurityChecker — paste or upload a list of URLs and check each one for robots.txt, security.txt (RFC 9116) and a curated set of /.well-known/ paths.

Usage:

securitychecker scan example.com github.com
securitychecker scan -f targets.txt --json | jq .
cat urls.csv | securitychecker scan --csv -o report.csv
securitychecker serve --port 8080

Directories

Path Synopsis
internal
input
Package input gathers raw target strings from CLI args, files (.txt/.csv) and piped stdin.
Package input gathers raw target strings from CLI args, files (.txt/.csv) and piped stdin.
model
Package model holds the data structures shared by the scanner, the CLI output formatters and the web server.
Package model holds the data structures shared by the scanner, the CLI output formatters and the web server.
output
Package output renders scan results as a terminal table, JSON, or CSV.
Package output renders scan results as a terminal table, JSON, or CSV.
scanner
Package scanner fetches and parses robots.txt, security.txt (RFC 9116) and a curated set of /.well-known/ paths for a list of targets.
Package scanner fetches and parses robots.txt, security.txt (RFC 9116) and a curated set of /.well-known/ paths for a list of targets.
web
Package web serves a small self-contained UI that reuses the scanner engine.
Package web serves a small self-contained UI that reuses the scanner engine.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL