## https://sploitus.com/exploit?id=B4D3B50E-7E2A-5266-B716-249A45349CE7
# Tachyon
Tachyon is a Go-based command-line web vulnerability scanner for authorized security testing. It performs reconnaissance, endpoint discovery, header/version checks, Git exposure checks, SQL injection checks, XSS/reflection checks, and optional Exploit-DB enrichment.
## Important usage notice
Only scan systems you own or have explicit permission to test. Start with conservative limits on fragile or production targets.
## Features
- Fast CLI scanner written in Go
- Safe, normal, and aggressive scan profiles
- Request controls for threads, timeout, rate limit, and maximum request count
- Header, cookie, bearer token, and reusable auth profile support
- Built-in checks for headers, versions, crawl discovery, Git exposure, SQL injection, and XSS/reflection
- Optional custom YAML signatures
- Optional discovery path corpus support
- Output formats: text, JSON, XML, CSV, SARIF, and HTML
- Compatibility aliases for several legacy scanner-style flags
## Requirements
- Go 1.22 or newer recommended
- Git, if you clone the repository
- Optional: `searchsploit` for Exploit-DB enrichment
## Install
Clone the repository and build the binary:
```bash
git clone https://github.com/Zer0Daemon/tachyon.git
cd tachyon
go mod tidy
go build -o tachyon .
```
Run the scanner:
```bash
./tachyon --target http://example.com --timeout 30s --max-requests 500 --no-searchsploit
```
You can also run without building:
```bash
go run . --target http://example.com --timeout 30s --max-requests 500 --no-searchsploit
```
## Quick safe local test
Use the included smoke test script to verify Tachyon against a temporary local static site:
```bash
./scripts/local-smoke-scan.sh
```
This starts a local test target, scans it with conservative limits, and shuts the target down automatically.
## Helper script
The wrapper script builds Tachyon and passes arguments through to the scanner:
```bash
./scripts/run-tachyon.sh --target http://localhost:3000 --verbose --no-searchsploit
```
Skip rebuilding when you already have a binary:
```bash
./scripts/run-tachyon.sh --no-build --target http://localhost:3000
```
## Common examples
Fast local recon scan:
```bash
./tachyon --target http://localhost:3000 --threads 20 --timeout 45s --max-requests 300 --no-searchsploit --verbose
```
Controlled production-style scan:
```bash
./tachyon --target https://app.example.com --threads 20 --rps 10 --max-requests 1000 --timeout 3m --no-searchsploit
```
Aggressive profile:
```bash
./tachyon --target https://app.example.com -A --timeout 5m --max-requests 5000
```
Authenticated scan with a cookie:
```bash
./tachyon --target https://app.example.com --cookie "SESSION=abc123; role=user" --auth-required
```
Add a bearer token:
```bash
./tachyon --target https://api.example.com --bearer-token "$TOKEN" --auth-required
```
Generate JSON output:
```bash
./tachyon --target https://app.example.com --output json > tachyon-results.json
```
Generate SARIF output for security tooling:
```bash
./tachyon --target https://app.example.com --output sarif > tachyon.sarif
```
Generate an HTML report:
```bash
./tachyon --target https://app.example.com --output html > report.html
```
Use custom signatures:
```bash
./tachyon --target https://app.example.com --signatures "./signatures/*.yml"
```
Use an extra discovery corpus:
```bash
./tachyon --target https://app.example.com --discovery-db "./wordlists/common.txt,./db_tests"
```
## Main options
```text
--target Target URL to scan
--profile normal, safe, or aggressive
--threads Worker concurrency
--timeout Total scan timeout, such as 30s, 2m, or 5m
--output text, json, xml, csv, sarif, or html
--rps Global request rate limit; 0 disables it
--max-requests Hard cap on total requests; 0 disables it
--signatures Comma-separated custom signature files/directories/globs
--discovery-db Extra discovery path corpus files/directories/globs
--searchsploit Enable local searchsploit enrichment
--no-searchsploit Disable searchsploit enrichment
--verbose Enable lifecycle logging
--version Print version
--list-plugins List built-in checks
```
## Scan profiles
- `safe`: lower-noise scan settings for cautious targets
- `normal`: baseline defaults
- `aggressive` or `-A`: broader and faster scan behavior; use carefully
## Output formats
- `text`: human-readable terminal report
- `json`: machine-readable findings and evidence
- `xml`: XML export
- `csv`: spreadsheet-friendly summary
- `sarif`: security tooling/code scanning format
- `html`: analyst-friendly report
## Development
Run all tests:
```bash
go test ./...
```
Build locally:
```bash
go build -o tachyon .
```
Show help:
```bash
go run . --help
```
List built-in checks:
```bash
go run . --list-plugins
```