gitea-mirror/sif
1
0
Fork 0
mirror of https://github.com/lunchcat/sif.git synced 2026-06-12 19:11:25 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
8823fa76b7396050893d96e6e40dcb00937278cc
sif/docs/development.md
T
vmfunc ce3075ad91 test: hermetic e2e integration suite 
- make the four wordlist base urls (dirlist/dnslist/git/ports) package vars
  instead of consts so tests can repoint them at a local fixture; the default
  values are byte-for-byte unchanged
- add internal/scan/integration_test.go behind a //go:build integration tag: it
  stands up a local "vulnerable app" httptest server with planted artifacts and
  runs git/dirlist/cms/headers/sql/lfi/ports against it, asserting real findings
- go.yml runs them via `go test -tags=integration`; the default test run is
  untouched (the tag keeps them out)
- document the integration run in docs/development.md
2026-06-09 14:32:26 -07:00

3.4 KiB
Raw Blame History

development

setting up a development environment for sif.

prerequisites

  • go 1.25 or later
  • git
  • make

clone and build

git clone https://github.com/dropalldatabases/sif.git
cd sif
make

project structure

sif/
├── cmd/sif/          # entry point
│   └── main.go
├── sif.go            # main application logic
├── internal/         # private packages
│   ├── config/       # configuration parsing
│   ├── logger/       # logging utilities
│   ├── modules/      # module system
│   ├── scan/         # built-in scans
│   └── styles/       # terminal styling
├── modules/          # built-in yaml modules
│   ├── http/         # http-based modules
│   ├── info/         # information gathering
│   └── recon/        # reconnaissance modules
├── docs/             # documentation
└── assets/           # images, etc

running locally

# build
make

# run
./sif -u https://example.com

# run with debug
./sif -u https://example.com -d

code quality

format

gofmt -w .

lint

golangci-lint run

test

go test ./...

race detection

go test -race ./...

adding a new scan

  1. create a new file in internal/scan/
  2. implement the scan function
  3. add flag to internal/config/config.go
  4. integrate in sif.go

see existing scans for examples.

adding a new module

create a yaml file in modules/:

id: my-new-module
info:
  name: my new security check
  author: your-name
  severity: medium
  description: what this checks for
  tags: [custom, security]

type: http

http:
  method: GET
  paths:
    - "{{BaseURL}}/path"

  matchers:
    - type: status
      status:
        - 200

see modules.md for the full format.

module system internals

the module system is in internal/modules/:

  • module.go - core interface and types
  • registry.go - module registration
  • loader.go - discovery and loading
  • yaml.go - yaml parsing
  • executor.go - http execution

adding a new module type

  1. add type constant to module.go
  2. implement executor in new file
  3. update loader to handle new extension/type

testing

unit tests

go test ./internal/...

integration tests

run the scanners against a local testbed that plants the artifacts each one should find (network-free, behind a build tag):

go test -tags=integration ./internal/scan/...

functional test

./sif -u https://example.com -am

test modules

./sif -lm  # list modules
./sif -u https://example.com -m my-module -d  # test specific module

pull requests

  1. fork the repository
  2. create a feature branch
  3. make changes
  4. run gofmt -w . and golangci-lint run
  5. submit pr

commit messages

use lowercase, present tense:

add sql injection module
fix timeout handling in http executor
update readme with new flags

release process

releases are automated via github actions on push to main.

binaries are built for:

  • linux (amd64, 386, arm64)
  • macos (amd64, arm64)
  • windows (amd64, 386)

resources

Reference in New Issue View Git Blame Copy Permalink