.\" man page for sif - the blazing-fast pentesting suite
.TH sif 1 "2026-06-10" "sif" "sif manual"
.SH NAME
sif \- blazing-fast pentesting suite
.SH SYNOPSIS
.B sif
.B \-u
.I url
.RI [ scans ]
.RI [ options ]
.br
.B sif
.B \-f
.I file
.RI [ scans ]
.RI [ options ]
.br
.I "targets"
|
.B sif
.RI [ scans ]
.RI [ options ]
.br
.B sif
.RB { patchnote | version }
.SH DESCRIPTION
.B sif
is a modular recon and exploitation suite. it runs multiple scan types
concurrently against one or more targets, and can be extended with yaml
modules. a scheme\-less target defaults to
.B https://
\&; an explicit
.B http://
or
.B https://
is kept; any other scheme is rejected.
.SH TARGETS
.TP
.BR \-u ", " \-\-urls " \fIlist\fR"
comma\-separated list of urls to scan.
.TP
.BR \-f ", " \-\-file " \fIpath\fR"
file with one url per line.
.TP
.B stdin
when stdin is a pipe, one target per line is read from it, alongside any
.B \-u
/
.B \-f
targets. lets sif slot into a unix pipeline (e.g. \fBsubfinder | sif \-silent | notify\fR).
.SH SCANS
.TP
.BR \-dirlist " \fIsize\fR"
directory and file fuzzing (small/medium/large).
.TP
.BR \-mc " \fIcodes\fR"
dirlist: match only these status codes (comma list, e.g. 200,301).
.TP
.BR \-fc " \fIcodes\fR"
dirlist: filter out these status codes (comma list).
.TP
.BR \-fs " \fIsizes\fR"
dirlist: filter out responses of these body sizes (comma list).
.TP
.BR \-fw " \fIcounts\fR"
dirlist: filter out responses with these word counts (comma list).
.TP
.BR \-fr " \fIregex\fR"
dirlist: filter out responses whose body matches this regex.
.TP
.B \-ac
dirlist: auto\-calibrate the soft\-404 wildcard baseline so catch\-all 200s are dropped.
.TP
.BR \-w " \fIpath|url\fR"
dirlist: custom wordlist (local file or url); overrides the \fB\-dirlist\fR size.
.TP
.BR \-e " \fIexts\fR"
dirlist: extensions appended to each word (comma list, e.g. php,bak,env).
.TP
.BR \-dnslist " \fIsize\fR"
subdomain enumeration (small/medium/large).
.TP
.BR \-ports " \fIscope\fR"
port scanning (common/full).
.TP
.B \-nuclei
vulnerability scanning with nuclei templates.
.TP
.B \-dork
automated google dorking.
.TP
.B \-js
javascript analysis + secret and endpoint extraction.
.TP
.B \-c3
cloud storage misconfiguration scan.
.TP
.B \-headers
dump the target's response headers.
.TP
.BR \-sh ", " \-\-security\-headers
flag missing or weak security headers and headers that leak server internals.
.TP
.B \-st
subdomain takeover detection (requires \fB\-dnslist\fR).
.TP
.B \-cms
cms detection.
.TP
.B \-whois
whois lookup.
.TP
.B \-git
exposed git repository detection.
.TP
.B \-shodan
shodan host lookup (requires \fBSHODAN_API_KEY\fR).
.TP
.B \-securitytrails
domain discovery and target expansion (requires \fBSECURITYTRAILS_API_KEY\fR).
.TP
.B \-sql
sql reconnaissance (admin panels, error disclosure).
.TP
.B \-lfi
local file inclusion reconnaissance.
.TP
.B \-jwt
jwt discovery plus offline weakness analysis (alg:none, weak hmac secret,
missing/expired exp, sensitive plaintext claims).
.TP
.B \-openapi
openapi/swagger spec exposure probe; enumerates paths, methods and
unauthenticated operations.
.TP
.B \-favicon
favicon hash fingerprinting (shodan\-style mmh3); matches bundled tech and
prints the http.favicon.hash pivot query.
.TP
.B \-cors
cors misconfiguration probe (reflected/permissive origins).
.TP
.B \-redirect
open redirect probe.
.TP
.B \-xss
reflected xss probe.
.TP
.B \-framework
framework detection with cve lookup.
.TP
.B \-crawl
web crawler; spiders same\-host links, scripts and forms, respecting robots.txt.
.TP
.BR \-crawl\-depth " \fIn\fR"
max crawl recursion depth (default 2).
.TP
.B \-passive
passive subdomain and historical url discovery from third\-party feeds
(zero traffic to the target).
.TP
.B \-probe
live\-host probe; reports liveness, final status, page title, server header
and the redirect chain.
.TP
.B \-noscan
skip the base url scan (robots.txt, etc).
.SH OPTIONS
.TP
.BR \-d ", " \-\-debug
enable debug logging.
.TP
.BR \-t ", " \-\-timeout " \fIduration\fR"
per\-request timeout (default 10s).
.TP
.BR \-l ", " \-\-log " \fIdir\fR"
directory to write logs to.
.TP
.BR \-\-threads " \fIn\fR"
number of concurrent workers (default 10). values below 1 are clamped to 1.
.TP
.BR \-\-template " \fIname\fR"
sif runtime template to use.
.TP
.BR \-proxy " \fIurl\fR"
route every request through a proxy. accepts http, https or socks5 urls.
.TP
.BR \-H ", " \-\-header " \fIstring\fR"
custom header to send with every request, as \fBKey: Value\fR. repeatable or
comma\-separated.
.TP
.BR \-cookie " \fIstring\fR"
cookie header to send with every request.
.TP
.BR \-rate\-limit " \fIn\fR"
cap outbound requests per second (0 = unlimited, default 0).
.TP
.BR \-sarif " \fIfile\fR"
write a sarif 2.1.0 report of the run to \fIfile\fR.
.TP
.BR \-md ", " \-\-markdown " \fIfile\fR"
write a markdown report of the run to \fIfile\fR.
.TP
.B \-silent
plain output for pipelines: route all chrome to stderr and print one
normalized finding per line to stdout as \fB[severity] target module title\fR.
implies non\-interactive (no spinners).
.TP
.B \-diff
diff mode: snapshot each target's findings to a json file and, on a re\-scan,
print only the delta against the last snapshot (\fB+ new\fR for findings that
appeared, \fB- gone\fR for ones that vanished), then overwrite the snapshot.
the first run for a target reports everything as new.
.TP
.BR \-store " \fIdir\fR"
snapshot directory for \fB\-diff\fR. defaults to the \fB\-log\fR dir if set,
otherwise \fI/sif/state\fR. one sanitized file per target.
.TP
.B \-notify
ship findings to every configured provider (slack, discord, telegram, generic
webhook) after the scan. providers are configured env\-first and overridable
by a yaml file; with nothing configured this is a silent no\-op.
.TP
.BR \-notify\-severity " \fIlevel\fR"
minimum severity to send: \fBinfo\fR, \fBlow\fR, \fBmedium\fR, \fBhigh\fR or
\fBcritical\fR (default \fBmedium\fR). findings below the floor are dropped.
.TP
.BR \-notify\-config " \fIfile\fR"
path to a notify\-compatible yaml config whose values override the env vars.
.TP
.B \-api
emit json results and suppress the interactive output.
.SH MODULES
.TP
.BR \-m ", " \-\-modules " \fIids\fR"
comma\-separated module ids to run.
.TP
.BR \-mt ", " \-\-module\-tags " \fItags\fR"
run modules matching these tags.
.TP
.BR \-am ", " \-\-all\-modules
run all loaded modules.
.TP
.BR \-lm ", " \-\-list\-modules
list available modules and exit.
.SH COMMANDS
.TP
.B sif patchnote
fetch the latest github release and print its notes. also available as
.BR \-pn .
.TP
.B sif version
print the sif version and exit.
.SH ENVIRONMENT
.TP
.B SHODAN_API_KEY
api key used by \fB\-shodan\fR.
.TP
.B SECURITYTRAILS_API_KEY
api key used by \fB\-securitytrails\fR.
.TP
.B SLACK_WEBHOOK_URL
slack incoming webhook used by \fB\-notify\fR (yaml key \fBslack_webhook_url\fR).
.TP
.B DISCORD_WEBHOOK_URL
discord webhook used by \fB\-notify\fR (yaml key \fBdiscord_webhook_url\fR).
.TP
.B TELEGRAM_BOT_TOKEN
telegram bot token used by \fB\-notify\fR (yaml key \fBtelegram_api_key\fR);
requires \fBTELEGRAM_CHAT_ID\fR too.
.TP
.B TELEGRAM_CHAT_ID
telegram destination chat used by \fB\-notify\fR (yaml key \fBtelegram_chat_id\fR).
.TP
.B NOTIFY_WEBHOOK_URL
generic json webhook used by \fB\-notify\fR (yaml key \fBwebhook_url\fR).
.TP
.B SIF_NO_PATCHNOTES
set to any value to suppress the once\-per\-version patch note shown at startup.
.SH FILES
.TP
.I ~/.config/sif/modules/
user\-defined yaml modules.
.TP
.I ~/.config/sif/seen_version
records the last release whose notes were shown at startup.
.SH EXAMPLES
.TP
run a few scans against a host:
.B sif \-u https://example.com \-headers \-sh \-cms \-framework
.TP
fuzz directories and enumerate subdomains:
.B sif \-u https://example.com \-dirlist medium \-dnslist medium
.TP
scan a list of targets and write logs:
.B sif \-f targets.txt \-headers \-l ./logs
.SH SEE ALSO
project page: https://github.com/vmfunc/sif
.SH AUTHORS
vmfunc, xyzeva, and the lunchcat contributors.
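.PP
added example, not part of the sif manual or the sif project's code: a shell filter for triaging the \fB\-silent\fR line format documented under OPTIONS, keeping findings at or above a severity floor with the five levels listed for \fB\-notify\-severity\fR. the function names, the sample lines and the four\-field minimum are assumptions.

```shell
#!/bin/sh
# added example (not sif code): keep sif -silent findings at or above a floor.
# input: "[severity] target module title" lines on stdin; the floor is $1.

sif_min_severity() {
    floor=${1:-medium}   # same default the page gives for -notify-severity
    awk -v floor="$floor" '
        BEGIN {
            rank["info"] = 1; rank["low"] = 2; rank["medium"] = 3
            rank["high"] = 4; rank["critical"] = 5
            if (!(floor in rank)) {
                print "unknown severity floor: " floor > "/dev/stderr"
                exit 2
            }
        }
        {
            sev = $1
            # first field must be bracketed; other lines are not findings
            if (substr(sev, 1, 1) != "[") next
            if (substr(sev, length(sev), 1) != "]") next
            sev = tolower(substr(sev, 2, length(sev) - 2))
            # assumption: a finding has severity, target, module and a title
            if (!(sev in rank) || NF < 4) next
            if (rank[sev] >= rank[floor]) print
        }
    '
}

# constructed sample lines in the documented format (not real sif output)
sample_findings() {
    cat <<'EOF'
[info] https://example.com headers server header present
[medium] https://example.com security-headers missing content-security-policy
[high] https://example.com cors reflected origin with credentials
[low] https://example.com probe redirect chain of 2 hops
not a finding line
EOF
}

# demo: print only the high and critical findings from the sample
sample_findings | sif_min_severity high
```

in a pipeline the filter sits after sif, reading the stdout that \fB\-silent\fR reserves for findings.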