frameseven
Health: Warning
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code: Failed
- rm -rf — Recursive force deletion command in .github/workflows/release.yml
Permissions: Passed
- Permissions — No dangerous permissions requested
Offensive web security scanner — OWASP Top 10 · MCP server · CLI · Go
frameseven
A CLI-first offensive web security scanner for authorized security testing.
frameseven maps a target's attack surface and runs active checks for common web
vulnerabilities and misconfigurations, then produces structured reports. It also
ships an MCP server so AI agents can drive the same Framework v1 tooling.
[!WARNING]
Only scan systems that you own or have explicit permission to test. Framework
v1 performs active requests and may send methods or payloads that affect a
target application.
Features
- Attack-surface mapping — recon, crawling, port and banner discovery, and subdomain enumeration before any active probing.
- Active vulnerability checks — XSS, SQL injection, LFI, SSRF, SSTI, XXE, command injection, open redirect, access control, and rate-limit testing.
- Misconfiguration and content audits — security headers, exposed content, and external resource review.
- Structured reporting — generates reports under a configurable output directory, with optional PDF rendering.
- Authenticated scans — -auth-browser opens a browser to log in before the scan so authenticated surface is covered.
- MCP server — exposes versioned Framework v1 tools to AI agents over stdio or Streamable HTTP.
- Standard-library focused — a small, explicit Go codebase that is easy to read and extend.
Requirements
- Go 1.26.4 or later in the Go 1.26 release line
- Python 3 with fpdf2 for PDF report generation
- Git
- Network access to the authorized target
- Linux, macOS, or another environment supported by Go
Quick Start
git clone https://github.com/sayseven7/frameseven.git
cd frameseven
# Optional: enable PDF report generation
python3 -m venv .venv
.venv/bin/python -m pip install "fpdf2>=2.8"
# Verify the build
go test ./...
# Run a scan against an authorized target
go run cmd/cli/v1/main.go -url https://target.example
Run without -url in a terminal to open the interactive setup wizard:
go run cmd/cli/v1/main.go
Build an installable binary:
go build -o bin/frameseven/cli/v1 cmd/cli/v1/main.go
./bin/frameseven/cli/v1 -url https://target.example
Usage
frameseven -url https://target.example [flags]
| Flag | Default | Description |
|---|---|---|
| -url | required | Absolute HTTP or HTTPS target URL |
| -tools | default | Comma-separated Framework v1 tools to run, default, or all |
| -timeout | 10s | Timeout applied to each HTTP request |
| -tool-timeout | 30s | Maximum runtime for each scanner tool |
| -concurrency | 1 | Scanner tools to run in parallel after recon |
| -rate | 50 | Requests sent by the rate-limit tool |
| -ua | random agent | User-Agent header sent by the scanner |
| -out, -o | reports | Directory for generated reports and the scan log |
| -interactive, -i | disabled | Configure the scan with an interactive wizard |
| -yes, -y | disabled | Skip the wizard's final confirmation |
| -auth-browser | disabled | Open a browser to log in before the scan |
| -quiet, -q | disabled | Hide banner and progress messages |
| -verbose, -v | disabled | Show HTTP request and response debug logs |
| -list-tools | disabled | List all Framework v1 scanner tools |
| -version | disabled | Print the installed build version |
See CLI v1 for the complete flag reference and environment
variables.
Scanner tools
recon, crawler, ports, bannergrab, subdomain, external, content, misconfig, access, auth, xss, sqli, lfi, ssrf, ssti, xxe, cmdi, redirect, ratelimit.
List them at any time:
frameseven -list-tools
Reports
PDF reports are rendered by the Go wrapper through Python. The wrapper uses FRAMESEVEN_PYTHON when set, otherwise it looks for .venv/bin/python, then
falls back to python3. If Python or fpdf2 is missing, PDF generation returns
a clear error instead of silently producing a broken report.
See Report Format v1 for the output contract.
MCP Server
frameseven includes an MCP server at cmd/mcp that exposes versioned Framework
v1 tools to AI agents.
# stdio transport
go run ./cmd/mcp -transport stdio
# Streamable HTTP transport
go run ./cmd/mcp -transport http -addr 127.0.0.1:8080
[!CAUTION]
Scanner tools send active security probes. Do not expose the HTTP MCP endpoint
openly to the internet; place it behind an access-controlled network, reverse
proxy, tunnel, or firewall rule.
See MCP Server and MCP configuration for
client setup.
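One way to follow the caution above is to keep the MCP server on loopback (the 127.0.0.1:8080 address shown earlier) and publish only a small authenticating reverse proxy. The sketch below is an added example, not code from the frameseven project; newGate, the MCP_GATE_TOKEN variable, the :8443 listen address, and the gate.crt/gate.key paths are all assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// newGate (hypothetical name) forwards a request to upstream only when it
// carries "Authorization: Bearer <token>"; everything else gets a 401.
func newGate(upstream *url.URL, token string) (http.Handler, error) {
	if len(token) < 32 {
		return nil, errors.New("gate token must be at least 32 characters")
	}
	want := sha256.Sum256([]byte(token))
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		presented, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
		got := sha256.Sum256([]byte(presented))
		// Hash both sides so the comparison is fixed-length and constant-time.
		if !ok || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			w.Header().Set("WWW-Authenticate", `Bearer realm="mcp"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Authorization") // do not pass the gate credential upstream
		proxy.ServeHTTP(w, r)
	}), nil
}

func main() {
	upstream, err := url.Parse("http://127.0.0.1:8080") // loopback -addr shown on the page
	if err != nil {
		log.Fatal(err)
	}
	gate, err := newGate(upstream, os.Getenv("MCP_GATE_TOKEN")) // hypothetical variable
	if err != nil {
		log.Fatal(err)
	}
	// Listen address and certificate paths are placeholders (assumptions).
	log.Fatal(http.ListenAndServeTLS(":8443", "gate.crt", "gate.key", gate))
}
```

The gate refuses to start with a short or empty token, so an unset environment variable cannot leave the scanner tools reachable without authentication.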
Documentation
- Documentation overview
- Installation v1
- Getting started v1
- CLI v1
- Report format v1
- MCP server
- Go reference
Contributing
Contributions are welcome. Please read CONTRIBUTING.md and the
Code of Conduct before opening a pull request. Project
conventions and agent rules live in AGENTS.md.
License
Released under the MIT License.