[![go version](https://img.shields.io/github/go-mod/go-version/vmfunc/sif?style=flat-square&color=00ADD8)](https://go.dev/) [![build](https://img.shields.io/github/actions/workflow/status/vmfunc/sif/go.yml?style=flat-square)](https://github.com/vmfunc/sif/actions) [![license](https://img.shields.io/badge/license-BSD--3--Clause-blue?style=flat-square)](LICENSE) [![aur](https://img.shields.io/aur/version/sif?style=flat-square&logo=archlinux&logoColor=white&color=1793D1)](https://aur.archlinux.org/packages/sif) [![nixpkgs](https://img.shields.io/badge/nixpkgs-sif-5277C3?style=flat-square&logo=nixos&logoColor=white)](https://search.nixos.org/packages?query=sif) [![homebrew](https://img.shields.io/badge/homebrew-tap-FBB040?style=flat-square&logo=homebrew&logoColor=white)](https://github.com/vmfunc/homebrew-sif) [![apt](https://img.shields.io/badge/apt-cloudsmith-2A5ADF?style=flat-square&logo=debian&logoColor=white)](https://cloudsmith.io/~sif/repos/deb/packages/) [![discord](https://img.shields.io/badge/discord-join-5865F2?style=flat-square&logo=discord&logoColor=white)](https://discord.gg/Yksy9J2BvE) **[install](#install) · [usage](#usage) · [modules](#modules) · [docs](docs/) · [contribute](#contribute)**

--- ## what is sif? sif is a modular pentesting toolkit written in go. it's designed to be fast, concurrent, and extensible. run multiple scan types against targets with a single command. ```bash ./sif -u https://example.com -headers -sh -cms -framework -git ``` ## install ### homebrew (macos) ```bash brew tap vmfunc/sif brew install sif ``` ### arch linux (aur) install using your preferred aur helper: ```bash yay -S sif # or paru -S sif ``` ### nix ```bash # nixpkgs (declarative — add to configuration.nix or home-manager) environment.systemPackages = [ pkgs.sif ]; # or imperatively nix profile install nixpkgs#sif # or just run it without installing nix run nixpkgs#sif -- -u https://example.com -headers -sh -framework ``` the repo also ships a flake if you want to build from source: ```bash nix run github:vmfunc/sif ``` ### debian/ubuntu (apt) ```bash curl -1sLf 'https://dl.cloudsmith.io/public/sif/deb/setup.deb.sh' | sudo -E bash sudo apt-get install sif ``` ### from releases grab the latest binary from [releases](https://github.com/vmfunc/sif/releases). ### from source ```bash git clone https://github.com/vmfunc/sif.git cd sif make ``` requires go 1.23+ ### aur (manual install) ```bash git clone https://aur.archlinux.org/sif.git cd sif makepkg -si ``` ## usage ```bash # basic scan ./sif -u https://example.com # directory fuzzing ./sif -u https://example.com -dirlist medium # subdomain enumeration ./sif -u https://example.com -dnslist medium # port scanning ./sif -u https://example.com -ports common # javascript framework detection + cloud misconfig ./sif -u https://example.com -js -c3 # shodan host intelligence (requires SHODAN_API_KEY env var) ./sif -u https://example.com -shodan # securitytrails domain discovery (requires SECURITYTRAILS_API_KEY env var) # discovers subdomains + associated domains, then scans all of them ./sif -u https://example.com -securitytrails -headers # sql recon + lfi scanning ./sif -u https://example.com -sql -lfi # web vuln probes (cors, open redirect, reflected xss) ./sif -u https://example.com -cors -redirect -xss # framework detection (with cve lookup) ./sif -u https://example.com -framework # a broad sweep ./sif -u https://example.com -dirlist small -dnslist small -ports common -headers -sh -cms -framework -git -whois ``` run `./sif -h` for all options. ## commands a couple of subcommands run without scanning: ```bash # print the version (release builds are stamped; local builds use git describe) ./sif version # show the latest release notes (also -pn) ./sif patchnote ``` the first time you run a new release, sif prints that release's notes once. set `SIF_NO_PATCHNOTES=1` to turn that off. ## modules sif has a modular architecture. modules are defined in yaml and can be extended by users. ### built-in scan flags | flag | description | |------|-------------| | `-dirlist` | directory and file fuzzing (small/medium/large) | | `-mc` | dirlist: match these status codes (comma list, e.g. 200,301) | | `-fc` | dirlist: filter out these status codes (comma list) | | `-fs` | dirlist: filter out responses of these body sizes (comma list) | | `-fw` | dirlist: filter out responses with these word counts (comma list) | | `-fr` | dirlist: filter out responses whose body matches this regex | | `-ac` | dirlist: auto-calibrate the soft-404 wildcard baseline | | `-w` | dirlist: custom wordlist (local file or url; overrides `-dirlist` size) | | `-e` | dirlist: extensions appended to each word (comma list, e.g. php,bak,env) | | `-dnslist` | subdomain enumeration (small/medium/large) | | `-ports` | port scanning (common/full) | | `-nuclei` | vulnerability scanning with nuclei templates | | `-dork` | automated google dorking | | `-js` | javascript analysis + secret and endpoint extraction | | `-c3` | cloud storage misconfiguration | | `-headers` | http header analysis | | `-sh` | security header analysis (missing/weak headers) | | `-st` | subdomain takeover detection | | `-cms` | cms detection | | `-whois` | whois lookups | | `-git` | exposed git repository detection | | `-shodan` | shodan lookup (requires SHODAN_API_KEY) | | `-securitytrails` | domain discovery + target expansion (requires SECURITYTRAILS_API_KEY) | | `-sql` | sql recon | | `-lfi` | local file inclusion | | `-cors` | cors misconfiguration probe | | `-redirect` | open redirect probe | | `-xss` | reflected xss probe | | `-framework` | framework detection with cve lookup | | `-crawl` | web crawler (spider same-host links/scripts/forms) | | `-crawl-depth` | max crawl recursion depth (default 2) | | `-passive` | passive subdomain/url discovery (zero traffic to target) | | `-probe` | live-host probe (status, title, server, redirect chain) | ### http options these apply to every outbound request across all scanners: | flag | description | |------|-------------| | `-proxy` | route all traffic through a proxy (http/https/socks5 url) | | `-H`, `--header` | custom header to send (repeatable or comma-separated, `"Key: Value"`) | | `-cookie` | cookie header to send with every request | | `-rate-limit` | max requests per second (0 = unlimited, default 0) | ```bash # scan through a socks5 proxy with a custom header, cookie and 20 req/s cap ./sif -u https://example.com -headers -proxy socks5://127.0.0.1:1080 -H "Authorization: Bearer tok" -cookie "session=abc" -rate-limit 20 ``` a scanner that sets a header explicitly (e.g. an api key) always wins over the global default. ### report export write the run's findings out to a file for ci/cd or triage: | flag | description | |------|-------------| | `-sarif` | write a sarif 2.1.0 report to this file | | `-markdown`, `-md` | write a markdown report to this file | | `-silent` | plain output: chrome to stderr, one finding per line to stdout (for pipelines) | ```bash # scan and emit both a sarif and markdown report ./sif -u https://example.com -headers -cors -sarif out.sarif -md out.md ``` sarif output is ingestable by github code scanning; markdown is a readable per-target summary. ### pipe mode sif reads targets from stdin and accepts naked hosts, so it drops into a unix pipeline. `-silent` routes all banner/spinner/log chrome to stderr and prints one normalized finding per line (`[severity] target module title`) to stdout: ```bash # subfinder feeds hosts, sif probes them, notify ships the findings subfinder -d example.com | sif -silent -probe | notify ``` | flag | description | |------|-------------| | stdin | a piped target stream (one host/url per line) is read alongside `-u`/`-f` | scheme-less hosts default to `https://`; an explicit `http://`/`https://` is kept; any other scheme (`ftp://`, ...) is rejected. ### yaml modules list available modules: ```bash ./sif -lm ``` run specific modules: ```bash # run by id ./sif -u https://example.com -m sqli-error-based,xss-reflected # run by tag ./sif -u https://example.com -mt owasp-top10 # run all modules ./sif -u https://example.com -am ``` ### custom modules create your own modules in `~/.config/sif/modules/`. modules use a yaml format similar to nuclei templates: ```yaml id: my-custom-check info: name: my custom security check author: you severity: medium description: checks for something specific tags: [custom, recon] type: http http: method: GET paths: - "{{BaseURL}}/admin" - "{{BaseURL}}/login" matchers: - type: status status: - 200 - type: word part: body words: - "admin panel" - "login" condition: or ``` see [docs/modules.md](docs/modules.md) for the full module format. ## contribute contributions welcome. see [contributing.md](CONTRIBUTING.md) for guidelines. ```bash # format gofmt -w . # lint golangci-lint run # test go test ./... ``` ## community join our discord for support, feature discussions, and pentesting tips: [![discord](https://img.shields.io/badge/join%20our%20discord-5865F2?style=for-the-badge&logo=discord&logoColor=white)](https://discord.gg/sifcli) ## contributors

_vmfunc 🚧 🧑‍🏫 📆 🛡️ 💻	_{ProjectDiscovery} 📦	_macdoos 💻	_{Matthieu Witrowiez} 🤔	_tessa 🚇 💬 📓	_Eva 📝 🖋 🔬 🛡️ ⚠️ 💻	_{Zoa Hickenlooper} 💻
_acxtrilla 📦

## acknowledgements - [projectdiscovery](https://projectdiscovery.io/) for nuclei and other security tools - [shodan](https://www.shodan.io/) for infrastructure intelligence ---

_{bsd 3-clause license · made by vmfunc, xyzeva, and contributors}