Share
## https://sploitus.com/exploit?id=B4D3B50E-7E2A-5266-B716-249A45349CE7
# Tachyon

Tachyon is a Go-based command-line web vulnerability scanner for authorized security testing. It performs reconnaissance, endpoint discovery, header/version checks, Git exposure checks, SQL injection checks, XSS/reflection checks, and optional Exploit-DB enrichment.

## Important usage notice

Only scan systems you own or have explicit permission to test. Start with conservative limits on fragile or production targets.

## Features

- Fast CLI scanner written in Go
- Safe, normal, and aggressive scan profiles
- Request controls for threads, timeout, rate limit, and maximum request count
- Header, cookie, bearer token, and reusable auth profile support
- Built-in checks for headers, versions, crawl discovery, Git exposure, SQL injection, and XSS/reflection
- Optional custom YAML signatures
- Optional discovery path corpus support
- Output formats: text, JSON, XML, CSV, SARIF, and HTML
- Compatibility aliases for several legacy scanner-style flags

## Requirements

- Go 1.22 or newer recommended
- Git, if you clone the repository
- Optional: `searchsploit` for Exploit-DB enrichment

## Install

Clone the repository and build the binary:

```bash
git clone https://github.com/Zer0Daemon/tachyon.git
cd tachyon
go mod tidy
go build -o tachyon .
```

Run the scanner:

```bash
./tachyon --target http://example.com --timeout 30s --max-requests 500 --no-searchsploit
```

You can also run without building:

```bash
go run . --target http://example.com --timeout 30s --max-requests 500 --no-searchsploit
```

## Quick safe local test

Use the included smoke test script to verify Tachyon against a temporary local static site:

```bash
./scripts/local-smoke-scan.sh
```

This starts a local test target, scans it with conservative limits, and shuts the target down automatically.

## Helper script

The wrapper script builds Tachyon and passes arguments through to the scanner:

```bash
./scripts/run-tachyon.sh --target http://localhost:3000 --verbose --no-searchsploit
```

Skip rebuilding when you already have a binary:

```bash
./scripts/run-tachyon.sh --no-build --target http://localhost:3000
```

## Common examples

Fast local recon scan:

```bash
./tachyon --target http://localhost:3000 --threads 20 --timeout 45s --max-requests 300 --no-searchsploit --verbose
```

Controlled production-style scan:

```bash
./tachyon --target https://app.example.com --threads 20 --rps 10 --max-requests 1000 --timeout 3m --no-searchsploit
```

Aggressive profile:

```bash
./tachyon --target https://app.example.com -A --timeout 5m --max-requests 5000
```

Authenticated scan with a cookie:

```bash
./tachyon --target https://app.example.com --cookie "SESSION=abc123; role=user" --auth-required
```

Add a bearer token:

```bash
./tachyon --target https://api.example.com --bearer-token "$TOKEN" --auth-required
```

Generate JSON output:

```bash
./tachyon --target https://app.example.com --output json > tachyon-results.json
```

Generate SARIF output for security tooling:

```bash
./tachyon --target https://app.example.com --output sarif > tachyon.sarif
```

Generate an HTML report:

```bash
./tachyon --target https://app.example.com --output html > report.html
```

Use custom signatures:

```bash
./tachyon --target https://app.example.com --signatures "./signatures/*.yml"
```

Use an extra discovery corpus:

```bash
./tachyon --target https://app.example.com --discovery-db "./wordlists/common.txt,./db_tests"
```

## Main options

```text
--target              Target URL to scan
--profile            normal, safe, or aggressive
--threads               Worker concurrency
--timeout        Total scan timeout, such as 30s, 2m, or 5m
--output           text, json, xml, csv, sarif, or html
--rps               Global request rate limit; 0 disables it
--max-requests          Hard cap on total requests; 0 disables it
--signatures        Comma-separated custom signature files/directories/globs
--discovery-db      Extra discovery path corpus files/directories/globs
--searchsploit             Enable local searchsploit enrichment
--no-searchsploit          Disable searchsploit enrichment
--verbose                  Enable lifecycle logging
--version                  Print version
--list-plugins             List built-in checks
```

## Scan profiles

- `safe`: lower-noise scan settings for cautious targets
- `normal`: baseline defaults
- `aggressive` or `-A`: broader and faster scan behavior; use carefully

## Output formats

- `text`: human-readable terminal report
- `json`: machine-readable findings and evidence
- `xml`: XML export
- `csv`: spreadsheet-friendly summary
- `sarif`: security tooling/code scanning format
- `html`: analyst-friendly report

## Development

Run all tests:

```bash
go test ./...
```

Build locally:

```bash
go build -o tachyon .
```

Show help:

```bash
go run . --help
```

List built-in checks:

```bash
go run . --list-plugins
```