{"id":16361876,"url":"https://github.com/enet4/heel-gun","last_synced_at":"2026-03-04T23:02:45.798Z","repository":{"id":34979234,"uuid":"175308624","full_name":"Enet4/heel-gun","owner":"Enet4","description":"Test HTTP servers for robustness to arbitrary requests","archived":false,"fork":false,"pushed_at":"2023-06-13T22:18:12.000Z","size":80,"stargazers_count":17,"open_issues_count":3,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-07-03T18:58:18.854Z","etag":null,"topics":["cli-app","http","rust","testing-tools"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Enet4.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-12T22:56:26.000Z","updated_at":"2022-06-06T20:31:55.000Z","dependencies_parsed_at":"2024-10-28T09:12:04.303Z","dependency_job_id":"eef59909-824a-4291-a3d2-71fd8ddc9fd1","html_url":"https://github.com/Enet4/heel-gun","commit_stats":{"total_commits":27,"total_committers":2,"mean_commits":13.5,"dds":0.03703703703703709,"last_synced_commit":"434f68fcde524e8d14eda93641c3b337d5535bb6"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/Enet4/heel-gun","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Enet4%2Fheel-gun","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Enet4%2Fheel-gun/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Enet4%2Fheel-gun/releases","manifests_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/Enet4%2Fheel-gun/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Enet4","download_url":"https://codeload.github.com/Enet4/heel-gun/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Enet4%2Fheel-gun/sbom","scorecard":{"id":45864,"data":{"date":"2025-08-11","repo":{"name":"github.com/Enet4/heel-gun","commit":"434f68fcde524e8d14eda93641c3b337d5535bb6"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.5,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rust.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/Enet4/heel-gun/rust.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/rust.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/Enet4/heel-gun/rust.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/rust.yml:27: update your workflow using 
https://app.stepsecurity.io/secureworkflow/Enet4/heel-gun/rust.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rust.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/Enet4/heel-gun/rust.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/rust.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/Enet4/heel-gun/rust.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/rust.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/Enet4/heel-gun/rust.yml/master?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   4 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Code-Review","score":0,"reason":"Found 0/27 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively 
maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/rust.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE-APACHE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE-APACHE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"18 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: RUSTSEC-2021-0139","Warn: Project is vulnerable to: RUSTSEC-2021-0145 / GHSA-g98v-hv3f-hcfr","Warn: Project is vulnerable to: RUSTSEC-2024-0375","Warn: Project is vulnerable to: RUSTSEC-2022-0041 / GHSA-qc84-gqf4-9926","Warn: Project is vulnerable to: RUSTSEC-2019-0036 / RUSTSEC-2020-0036 / GHSA-jq66-xh47-j9f3 / GHSA-r98r-j25q-rmpr","Warn: Project is vulnerable to: RUSTSEC-2023-0034 / GHSA-f8vr-r385-rh5r","Warn: Project is vulnerable to: RUSTSEC-2024-0003 / GHSA-8r5v-vm4m-4g25","Warn: Project is vulnerable to: RUSTSEC-2024-0332 / 
GHSA-q6cp-qfwq-4gcv","Warn: Project is vulnerable to: RUSTSEC-2021-0079 / GHSA-5h46-h7hh-c6x9","Warn: Project is vulnerable to: RUSTSEC-2021-0078 / GHSA-f3pg-qwvg-p99c","Warn: Project is vulnerable to: RUSTSEC-2022-0022 / GHSA-f67m-9j94-qv9j","Warn: Project is vulnerable to: RUSTSEC-2020-0070 / GHSA-5wg8-7c9q-794v / GHSA-gmv4-vmx3-x9f3 / GHSA-hj9h-wrgg-hgmx / GHSA-ppj3-7jw3-8vc4 / GHSA-vh4p-6j7g-f4j9","Warn: Project is vulnerable to: RUSTSEC-2023-0045 / GHSA-wfg4-322g-9vqv","Warn: Project is vulnerable to: RUSTSEC-2020-0016","Warn: Project is vulnerable to: RUSTSEC-2024-0370","Warn: Project is vulnerable to: RUSTSEC-2020-0071 / GHSA-wcg3-cvx6-7396","Warn: Project is vulnerable to: RUSTSEC-2021-0124 / GHSA-fg7r-2g4j-5cgr","Warn: Project is vulnerable to: RUSTSEC-2024-0320"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-14T22:44:37.926Z","repository_id":34979234,"created_at":"2025-08-14T22:44:37.926Z","updated_at":"2025-08-14T22:44:37.926Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30098100,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T22:49:54.894Z","status":"ssl_error","status_checked_at":"2026-03-04T22:49:48.883Z","response_time":59,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli-app","http","rust","testing-tools"],"created_at":"2024-10-11T02:15:04.818Z","updated_at":"2026-03-04T23:02:45.767Z","avatar_url":"https://github.com/Enet4.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Heel Gun\n[![Latest Version](https://img.shields.io/crates/v/heel-gun.svg)](https://crates.io/crates/heel-gun) [![Build Status](https://travis-ci.org/Enet4/heel-gun.svg?branch=master)](https://travis-ci.org/Enet4/heel-gun) [![dependency status](https://deps.rs/repo/github/Enet4/heel-gun/status.svg)](https://deps.rs/repo/github/Enet4/heel-gun) ![Minimum Rust Version Stable](https://img.shields.io/badge/rustc-stable-green.svg)\n\nTest your HTTP server for robustness to arbitrary inputs. `heel-gun` is a tool\nwhich performs several HTTP requests to identify cases where the server\nmisbehaves. 
Requests are built randomly based on a set of configurable rules.\n\n## Using\n\nThis CLI tool expects two main arguments: the base URL to the HTTP server, and\na configuration file defining the HTTP endpoints to test and how these\narguments are generated.\n\n```none\nUSAGE:\n    heel-gun [OPTIONS] \u003curl\u003e \u003cconfig\u003e [outdir]\n\nFLAGS:\n    -h, --help       Prints help information\n    -V, --version    Prints version information\n\nOPTIONS:\n    -N \u003cn\u003e        number of iterations to test for each target [default: 100]\n\nARGS:\n    \u003curl\u003e       the base URL to test\n    \u003cconfig\u003e    path to configuration file\n    \u003coutdir\u003e    path to the output directory containing the logs [default: output]\n```\n\nExample:\n\n```\nheel-gun http://testmachine.myspot.net:8080 resources/example.yaml -N 4\n```\n\nThis will test the server with a random assortment of requests, such as these:\n\n```none\nGET http://testmachine.myspot.net:8080/cool-endpoint/lBtY2g18?id=0\u0026more=891134\nGET http://testmachine.myspot.net:8080/cool-endpoint/ie9EMV9G?id=-1\u0026more=238164\nGET http://testmachine.myspot.net:8080/cool-endpoint/dJ7iV7cs?id=null\u0026more=415128\nGET http://testmachine.myspot.net:8080/cool-endpoint/HCvpC90k?id=null\u0026more=902781\nPOST http://testmachine.myspot.net:8080/user/UBwqFvFnXh?admin=undefined\nPOST http://testmachine.myspot.net:8080/user/LkspwEu0g4?admin=null\nPOST http://testmachine.myspot.net:8080/user/pkgagTBnem?admin\nPOST http://testmachine.myspot.net:8080/user/rRdlgzll2D?admin=false\n```\n\nAnd record problematic responses in a CSV file:\n\n```csv\nmethod,uri,reason,file\nGET,http://testmachine.myspot.net:8080/cool-endpoint/lBtY2g18?id=0\u0026more=891134,501 Not Implemented\nGET,http://testmachine.myspot.net:8080/cool-endpoint/ie9EMV9G?id=-1\u0026more=238164,501 Not Implemented\nGET,http://testmachine.myspot.net:8080/cool-endpoint/dJ7iV7cs?id=null\u0026more=415128,501 Not 
Implemented\nGET,http://testmachine.myspot.net:8080/cool-endpoint/HCvpC90k?id=null\u0026more=902781,501 Not Implemented\nPOST,http://testmachine.myspot.net:8080/user/UBwqFvFnXh?admin=undefined,501 Not Implemented\nPOST,http://testmachine.myspot.net:8080/user/LkspwEu0g4?admin=null,501 Not Implemented\nPOST,http://testmachine.myspot.net:8080/user/pkgagTBnem?admin,501 Not Implemented\nPOST,http://testmachine.myspot.net:8080/user/rRdlgzll2D?admin=false,501 Not Implemented\n```\n\nMoreover, the HTTP bodies of server error responses are saved as independent\nfiles in an output directory:\n\n```none\noutput/\n├── GET\n│   └── cool-endpoint\n│       ├── lBtY2g18?id=0\u0026more=891134\n│       ├── ie9EMV9G?id=-1\u0026more=238164\n│       ├── dJ7iV7cs?id=null\u0026more=415128\n│       └──  HCvpC90k?id=null\u0026more=902781\n└── POST\n    └── user\n        ├── UBwqFvFnXh?admin=undefined\n        ├── LkspwEu0g4?admin=null\n        ├── pkgagTBnem?admin\n        └── rRdlgzll2D?admin=false\n```\n\nFor the time being, problematic responses are either HTTP responses with a\n`5xx` status code, or requests which result in a broken or timed out\nconnection.\n\n`\u003cconfig\u003e` is a file describing a set of rules for producing URI paths and\nother parameters such as query string arguments. The schema is available as a\nTypeScript type definition file ([heel-gun.d.ts](./heel-gun.d.ts)). See also\nthe [resources](resources) directory for examples. 
Support for\n[Play framework \"routes\"](https://www.playframework.com/documentation/2.7.x/ScalaRouting#The-routes-file-syntax)\ndefinitions is available as an experimental feature.\n\nYou can also set the `RUST_LOG` environment variable to one of \"error\",\n\"warn\", \"info\", \"debug\" or \"trace\" for additional logging output (as defined by\n[`log`](https://crates.io/crates/log)):\n\n```\nRUST_LOG=info heel-gun http://testmachine.myspot.net:8080 resources/example.yaml\n```\n\n## License and Warning Note\n\nLicensed under either of\n\n* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or \u003chttp://www.apache.org/licenses/LICENSE-2.0\u003e)\n* MIT license ([LICENSE-MIT](LICENSE-MIT) or \u003chttp://opensource.org/licenses/MIT\u003e)\n\nat your option.\n\nUnless you explicitly state otherwise, any contribution intentionally submitted\nfor inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any\nadditional terms or conditions.\n\nAlthough its main goal is testing for server robustness, this tool can also\nlead to dangerous mistakes (such as running it in\nproduction), poorly intended actions (DoS attacks), and other sorts of misuse.\nPlease be responsible when using `heel-gun`. As defined by the aforementioned\nlicense, all authors and contributors to `heel-gun` cannot be held liable for\nany damage which may occur from the use of this software.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenet4%2Fheel-gun","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fenet4%2Fheel-gun","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fenet4%2Fheel-gun/lists"}