vmfunc 839c0a779c fix(scan): dnslist dedup, robots recursion bound, framework version lookup, takeover cname
four recon-flagged bugs, each with a focused test:

- dnslist fired both http and https per candidate and counted a "found"
  on any non-error response (incl 404 and wildcard catch-all redirects),
  so every host double-counted and a wildcard-dns host flooded results.
  probe http then https with per-subdomain dedupe, gate on a meaningful
  (2xx, non-redirect) status, and stop chasing redirects so a catch-all
  301 reads as a redirect instead of a 200.

- fetchRobotsTXT recursed on every 301 Location with no depth limit and
  no visited set, so an A->B->A loop blew the stack. bound it to a named
  hop cap and a visited set, iteratively.

- framework cve lookup used best.version ("unknown" when the detector
  only fingerprints the framework) and threw away the version
  ExtractVersionOptimized dug out of the body, missing CVEs. reconcile
  via resolveVersion, preferring the extracted concrete version.

- subdomain takeover flagged a dangling cname whenever a no-such-host
  coincided with ANY cname (LookupCNAME echoes the host back for plain A
  records). only flag when the cname points off-host at a known
  takeoverable provider.
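The bounded, iterative redirect follow the second bullet describes, as an added illustration (not sif's own fetchRobotsTXT; the hop-cap name and value, the fetcher abstraction and the canned responses are assumptions):

```go
package main

import "fmt"

// maxRobotsHops is the named hop cap (assumed value; not sif's own constant).
const maxRobotsHops = 5

// fetcher does one request and reports status, Location and body without
// following redirects itself; abstracted so the loop can run offline.
type fetcher func(rawURL string) (status int, location, body string, err error)

// fetchBounded follows Location hops iteratively with a hop cap and a visited
// set, so an A->B->A loop terminates instead of blowing the stack.
// Location is assumed absolute here; a real caller resolves it with net/url.
func fetchBounded(start string, get fetcher, maxHops int) (string, error) {
	visited := map[string]bool{}
	for cur, hop := start, 0; ; hop++ {
		if visited[cur] {
			return "", fmt.Errorf("redirect loop at %s", cur)
		}
		visited[cur] = true
		status, loc, body, err := get(cur)
		if err != nil {
			return "", err
		}
		if status < 300 || status > 399 {
			return body, nil // terminal: 2xx body, or empty body for 4xx/5xx
		}
		if hop >= maxHops {
			return "", fmt.Errorf("too many redirect hops (>%d)", maxHops)
		}
		cur = loc
	}
}

// Canned server for the demo (constructed): /a<->/b is the loop from the
// commit, /c redirects once to a real robots.txt, anything else is a 404.
type canned struct{ status int; loc, body string }
var constructedResponses = map[string]canned{
	"https://example.test/a":          {301, "https://example.test/b", ""},
	"https://example.test/b":          {301, "https://example.test/a", ""},
	"https://example.test/c":          {301, "https://example.test/robots.txt", ""},
	"https://example.test/robots.txt": {200, "", "User-agent: *\nDisallow: /admin\n"},
}

func exampleFetcher(u string) (int, string, string, error) {
	if r, ok := constructedResponses[u]; ok {
		return r.status, r.loc, r.body, nil
	}
	return 404, "", "", nil
}
```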
2026-06-10 14:47:17 -07:00


what is sif?

sif is a modular pentesting toolkit written in go. it's designed to be fast, concurrent, and extensible. run multiple scan types against targets with a single command.

./sif -u https://example.com -headers -sh -cms -framework -git

install

homebrew (macos)

brew tap vmfunc/sif
brew install sif

arch linux (aur)

install using your preferred aur helper:

yay -S sif
# or
paru -S sif

nix

# nixpkgs (declarative — add to configuration.nix or home-manager)
environment.systemPackages = [ pkgs.sif ];

# or imperatively
nix profile install nixpkgs#sif

# or just run it without installing
nix run nixpkgs#sif -- -u https://example.com -headers -sh -framework

the repo also ships a flake if you want to build from source:

nix run github:vmfunc/sif

debian/ubuntu (apt)

curl -1sLf 'https://dl.cloudsmith.io/public/sif/deb/setup.deb.sh' | sudo -E bash
sudo apt-get install sif

from releases

grab the latest binary from releases.

from source

git clone https://github.com/vmfunc/sif.git
cd sif
make

requires go 1.23+

aur (manual install)

git clone https://aur.archlinux.org/sif.git
cd sif
makepkg -si

usage

# basic scan
./sif -u https://example.com

# directory fuzzing
./sif -u https://example.com -dirlist medium

# subdomain enumeration
./sif -u https://example.com -dnslist medium

# port scanning
./sif -u https://example.com -ports common

# javascript framework detection + cloud misconfig
./sif -u https://example.com -js -c3

# shodan host intelligence (requires SHODAN_API_KEY env var)
./sif -u https://example.com -shodan

# securitytrails domain discovery (requires SECURITYTRAILS_API_KEY env var)
# discovers subdomains + associated domains, then scans all of them
./sif -u https://example.com -securitytrails -headers

# sql recon + lfi scanning
./sif -u https://example.com -sql -lfi

# web vuln probes (cors, open redirect, reflected xss)
./sif -u https://example.com -cors -redirect -xss

# framework detection (with cve lookup)
./sif -u https://example.com -framework

# a broad sweep
./sif -u https://example.com -dirlist small -dnslist small -ports common -headers -sh -cms -framework -git -whois

run ./sif -h for all options.

commands

a couple of subcommands run without scanning:

# print the version (release builds are stamped; local builds use git describe)
./sif version

# show the latest release notes (also -pn)
./sif patchnote

the first time you run a new release, sif prints that release's notes once. set SIF_NO_PATCHNOTES=1 to turn that off.

modules

sif has a modular architecture. modules are defined in yaml and can be extended by users.

built-in scan flags

flag            description
-dirlist        directory and file fuzzing (small/medium/large)
-dnslist        subdomain enumeration (small/medium/large)
-ports          port scanning (common/full)
-nuclei         vulnerability scanning with nuclei templates
-dork           automated google dorking
-js             javascript analysis + secret and endpoint extraction
-c3             cloud storage misconfiguration
-headers        http header analysis
-sh             security header analysis (missing/weak headers)
-st             subdomain takeover detection
-cms            cms detection
-whois          whois lookups
-git            exposed git repository detection
-shodan         shodan lookup (requires SHODAN_API_KEY)
-securitytrails domain discovery + target expansion (requires SECURITYTRAILS_API_KEY)
-sql            sql recon
-lfi            local file inclusion
-cors           cors misconfiguration probe
-redirect       open redirect probe
-xss            reflected xss probe
-framework      framework detection with cve lookup
-crawl          web crawler (spider same-host links/scripts/forms)
-crawl-depth    max crawl recursion depth (default 2)
-passive        passive subdomain/url discovery (zero traffic to target)

http options

these apply to every outbound request across all scanners:

flag            description
-proxy          route all traffic through a proxy (http/https/socks5 url)
-H, --header    custom header to send (repeatable or comma-separated, "Key: Value")
-cookie         cookie header to send with every request
-rate-limit     max requests per second (0 = unlimited, default 0)

# scan through a socks5 proxy with a custom header, cookie and 20 req/s cap
./sif -u https://example.com -headers -proxy socks5://127.0.0.1:1080 -H "Authorization: Bearer tok" -cookie "session=abc" -rate-limit 20

a scanner that sets a header explicitly (e.g. an api key) always wins over the global default.

yaml modules

list available modules:

./sif -lm

run specific modules:

# run by id
./sif -u https://example.com -m sqli-error-based,xss-reflected

# run by tag
./sif -u https://example.com -mt owasp-top10

# run all modules
./sif -u https://example.com -am

custom modules

create your own modules in ~/.config/sif/modules/. modules use a yaml format similar to nuclei templates:

id: my-custom-check
info:
  name: my custom security check
  author: you
  severity: medium
  description: checks for something specific
  tags: [custom, recon]

type: http

http:
  method: GET
  paths:
    - "{{BaseURL}}/admin"
    - "{{BaseURL}}/login"

  matchers:
    - type: status
      status:
        - 200

    - type: word
      part: body
      words:
        - "admin panel"
        - "login"
      condition: or

see docs/modules.md for the full module format.
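To make the matcher block above concrete, here is an added Go sketch of how such matchers combine against a fetched page. It is not sif's evaluator: the status/word semantics, the and-across-matchers rule and the transcription of the YAML matchers are assumptions (docs/modules.md has the real rules).

```go
package main

import "strings"

// Matcher mirrors one entry of the module's matchers list. Assumed rules: a
// status matcher passes on any listed code, a word matcher on any (or) or
// all (and) listed words in the body, and the module fires only when every matcher passes.
type Matcher struct {
	Type      string // "status" or "word"
	Status    []int
	Words     []string
	Condition string // "or" (default) or "and"
}

// Match evaluates one matcher against a response's status code and body.
func (m Matcher) Match(status int, body string) bool {
	switch m.Type {
	case "status":
		for _, s := range m.Status {
			if status == s {
				return true
			}
		}
	case "word":
		hits := 0
		for _, w := range m.Words {
			if strings.Contains(body, w) {
				hits++
			}
		}
		if m.Condition == "and" {
			return hits == len(m.Words)
		}
		return hits > 0
	}
	return false
}
// moduleFires is true only if every matcher passes (assumed and-across-matchers).
func moduleFires(ms []Matcher, status int, body string) bool {
	for _, m := range ms {
		if !m.Match(status, body) {
			return false
		}
	}
	return true
}
// myCustomCheck is the matcher list from the YAML above, transcribed to Go.
var myCustomCheck = []Matcher{
	{Type: "status", Status: []int{200}},
	{Type: "word", Words: []string{"admin panel", "login"}, Condition: "or"},
}
```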

contribute

contributions welcome. see contributing.md for guidelines.

# format
gofmt -w .

# lint
golangci-lint run

# test
go test ./...

community

join our discord for support, feature discussions, and pentesting tips:

discord

contributors

vmfunc
ProjectDiscovery
macdoos
Matthieu Witrowiez
tessa
Eva
Zoa Hickenlooper
acxtrilla

acknowledgements


bsd 3-clause license · made by vmfunc, xyzeva, and contributors