Repository Analysis

KeygraphHQ/shannon

Shannon Lite is an autonomous, white-box AI pentester for web applications and APIs. It analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities before they reach production.

1.3 Likely human-written View on GitHub

1.3

Adjusted Score

1.3

Raw Score

100%

Time Factor

2026-05-28

Last Push

43,970

Stars

TypeScript

Language

28,333

Lines of Code

154

Files

26

Pattern Hits

2026-05-31

Scan Date

Score History

Severity Breakdown

CRITICAL 0HIGH 3MEDIUM 0LOW 23

Pattern Findings

26 matches across 4 categories. Click a row to expand file-level details.

Hyper-Verbose Identifiers16 hits · 16 pts

Severity	File	Line	Snippet
LOW	apps/cli/src/env.ts	69	function isCustomBaseUrlConfigured(): boolean {
LOW	apps/cli/src/commands/setup.ts	287	async function maybePromptAdaptiveThinking(config: ShannonConfig): Promise<void> {
LOW	apps/worker/src/temporal/worker.ts	173	async function terminateExistingWorkflows(client: Client, workspaceName: string): Promise<string[]> {
LOW	apps/worker/src/temporal/activities.ts	381	export async function runAuthenticationValidation(input: ActivityInput): Promise<void> {
LOW	apps/worker/src/temporal/activities.ts	498	export async function syncPlaywrightStealthConfig(input: ActivityInput): Promise<void> {
LOW	apps/worker/src/temporal/activities.ts	565	export async function injectReportMetadataActivity(input: ActivityInput): Promise<void> {
LOW	apps/worker/src/temporal/activities.ts	727	export async function persistOrValidateRunScope(
LOW	apps/worker/src/temporal/activities.ts	989	export async function generateReportOutputActivity(input: ActivityInput): Promise<void> {
LOW	apps/worker/src/utils/billing-detection.ts	53	export function matchesBillingTextPattern(text: string): boolean {
LOW	apps/worker/src/audit/utils.ts	33	export function generateSessionIdentifier(sessionMetadata: SessionMetadata): string {
LOW	apps/worker/src/ai/playwright-config-writer.ts	77	export async function writePlaywrightStealthConfig(
LOW	apps/worker/src/ai/settings-writer.ts	24	export async function writeUserSettingsForCodePathAvoids(config: DistributedConfig \| null): Promise<void> {
LOW	apps/worker/src/services/container.ts	128	export function getOrCreateContainer(
LOW	apps/worker/src/services/git-manager.ts	118	export async function executeGitCommandWithRetry(
LOW	apps/worker/src/services/prompt-manager.ts	60	function renderVulnSummarySubsections(selected: readonly VulnClass[]): string {
LOW	apps/worker/src/services/queue-validation.ts	284	export async function validateQueueAndDeliverable(

Magic Placeholder Names3 hits · 15 pts

Severity	File	Line	Snippet
HIGH	README.md	159	export ANTHROPIC_API_KEY=your-api-key
HIGH	README.md	180	ANTHROPIC_API_KEY=your-api-key
HIGH	README.md	185	export ANTHROPIC_API_KEY="your-api-key" # or CLAUDE_CODE_OAUTH_TOKEN

Over-Commented Block4 hits · 4 pts

Severity	File	Line	Snippet
LOW	apps/worker/configs/example-config.yaml	1	# Example configuration file for pentest-agent
LOW	apps/worker/configs/example-config.yaml	21	# - Throttle to under 5 requests per second per endpoint. Back off 60 seconds on any 429 response.
LOW	apps/worker/configs/example-config.yaml	81	value: "beta-admin"
LOW	apps/worker/configs/example-config.yaml	101	# guidance: \|

Fake / Example Data3 hits · 3 pts

Severity	File	Line	Snippet
LOW	sample-reports/shannon-report-crapi.md	57	-d '{"email": "admin@example.com", "password": "Admin!123"}'
LOW	sample-reports/shannon-report-crapi.md	139	-d '{"email": "admin@example.com", "password": "Admin!123"}'
LOW	sample-reports/shannon-report-crapi.md	242	- Payload: `{"sub": "admin@example.com", "iat": 1758655244, "exp": 1759260044, "role": "admin"}`