{"id":30061743,"url":"https://github.com/gemini-15/deadend-cli","last_synced_at":"2025-08-08T02:51:07.244Z","repository":{"id":305963586,"uuid":"1024537085","full_name":"gemini-15/deadend-cli","owner":"gemini-15","description":"Agentic AI tool for offensive security and pentesting ","archived":false,"fork":false,"pushed_at":"2025-08-02T07:24:21.000Z","size":620,"stargazers_count":12,"open_issues_count":2,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-02T09:51:58.859Z","etag":null,"topics":["agentic-ai","ai","cybersecurity","cybersecurity-tools","pentesting","secure-coding"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gemini-15.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-22T21:27:14.000Z","updated_at":"2025-07-29T17:22:49.000Z","dependencies_parsed_at":"2025-07-22T23:40:02.022Z","dependency_job_id":null,"html_url":"https://github.com/gemini-15/deadend-cli","commit_stats":null,"previous_names":["gemini-15/deadend-cli"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/gemini-15/deadend-cli","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemini-15%2Fdeadend-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemini-15%2Fdeadend-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemini-15%2Fdeadend-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemini-15%2Fdeadend-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gemini-15","download_url":"https://codeload.github.com/gemini-15/deadend-cli/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gemini-15%2Fdeadend-cli/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269356436,"owners_count":24403506,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-08T02:00:09.200Z","response_time":72,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agentic-ai","ai","cybersecurity","cybersecurity-tools","pentesting","secure-coding"],"created_at":"2025-08-08T02:51:05.991Z","updated_at":"2025-08-08T02:51:07.227Z","avatar_url":"https://github.com/gemini-15.png","language":"Python","readme":"# Deadend CLI \n\n\u003e [!WARNING]  \n\u003e This project is still ongoing, any feedback (good or bad) would be awesome ! \n\u003e A lot of things might change, the code needs some optimization on the code chunking \n\u003e a better explanation of what is happening and so on ! But It's coming ! \n\n## Table of Contents\n\n- [What in the world is this ?](#what-in-the-world-is-this-)\n- [A quick demo](#a-quick-demo)\n- [Is this another workflow that runs tools and calls it a day?](#is-this-another-workflow-that-runs-tools-and-calls-it-a-day)\n- [Installation](#installation)\n  - [Clone the repo](#clone-the-repo)\n  - [gvisor sandbox](#gvisor-sandbox)\n  - [ZAP proxy](#zap-proxy)\n  - [Postgres Vector DB](#postgres-vector-db)\n  - [Install with pip](#install-with-pip)\n  - [Build from source](#build-from-source)\n- [Usage](#usage)\n  - [Environment variables](#environment-variables)\n  - [Run example](#run-examples-owasp-juice-shop)\n- [Enjoy](#enjoy)\n- [Disclaimer](#️-disclaimer)\n\n## What in the world is this ? \nDeadend CLI is a prototype AI Agent for security researchers, pentesters and developers. \n\nInspired by Google Zero's project Naptime, this project aims to build a prototype of an agentic AI tool that helps gain time and give a better understanding on analysis.\n\n## A quick demo \nFollow the link --\u003e [https://youtu.be/rDFj5kDgqKM](https://youtu.be/rDFj5kDgqKM)\n\n\n## Is this another workflow that runs tools and calls it a day? \nIn current state of the project, honestly, it is. Even though, it is built using a codebase indexer system, there is still work to do to make more efficient and useful on a daily basis for well-seasoned professionals. \n\nThe project aims to build an AI-assisted vulnerability analysis system by combining code indexing and retrieval for effective security analysis. \n\nIn other words, the goal is to simplify security analysis :\n- by applying taint analysis. \n- by finding sinks and sources. \n- by connecting to specific tools to test a predicate or a complex logic that is not automatable.\n\nThis first prototype targets web application and APIs. The goal is not to replace static and dynamic analysis tools such as SASTs or DASTs, but to add a different method of analysis to find non-automatable vulnerabilities such as : \n- [ ] broken access controls \n- [ ] IDORs \n- [ ] Business logic vulnerabilities \n- [ ] and so on..\n\n\n## Installation \n\n### clone the repo\n\n```bash\ngit clone https://github.com/gemini-15/deadend-cli.git\ncd deadend-cli\n```\n\n### gvisor sandbox \nThe shell tool is ran in a gvisor sandbox (for obvious security concerns). \nAfter install docker, run the following commands : \n\n```bash\nsudo apt update \u0026\u0026 apt install jq \nsudo gvisor_install/install_gvisor.sh\n```\n\nWhat the script does, is that it installs gvisor binaries and sets up docker's `daemon.json` file to be ran with gvisor's `runsc` instead of `runc`.  \n\n### ZAP proxy \nWe use ZAP proxy's internal API for some functionalities (ex. the crawler). Also, all the requests sent from the Agent goes to the ZAP proxy for ulterior manual analysis. \n\nZAP proxy can be installed with `snap` on Ubuntu : \n```bash\nsudo snap install zaproxy\n``` \n\nOtherwise, you can download the packages and installer from the [ZAP website](https://www.zaproxy.org/download/).\n\n\u003e Why not use BURP you may ask? ZAP has the open-source component that is really interesting, and actually does have the same features Burp (even Pro) has. Also, we can add the Burp MCP server which will be interesting too if really needed.\n\nTo use the ZAP proxy API, we need to extract it from ZAP. \nTo do so open ZAP proxy (UI) and go to *Tools-\u003eOptions-\u003eAPI* and you will find an auto generated zap api key to use. \n\n### Postgres Vector DB \nTo index the code source of a webpage, pgvector is used as a database to save the embeddings and relevant code sections. \nA script is available to run an container for pgvector with default credentials :\n```bash\n# creates a container for pgvector with the following DB_URL=\"postgresql://postgres:postgres@localhost:54320/codeindexerdb\"\n./pgvector/setup_pgvector.sh\n```\n\n### Install with pipx\nWe can use pipx to install directly : [https://github.com/pypa/pipx.git](https://github.com/pypa/pipx.git)\n\nThe `deadend-cli` is available on pypi:\n```bash\npipx install deadend-cli --include-deps \n```\n\n### Build from source \nThe project can be ran or rebuilt using `uv` :\n```bash\nuv sync \nuv build # to build \n```\n\n\n## Usage \n### Environment variables\nSet the following environment variables:\n```bash\nexport DB_URL=\"postgresql://postgres:postgres@localhost:54320/codeindexerdb\" # when running locally \nexport OPENAI_API_KEY=sk-proj-\u003cyour-api-key\u003e\nexport OPENAI_MODEL=\"o4-mini-2025-04-16\"\nexport EMBEDDING_MODEL=\"text-embedding-3-small\"\nexport ZAP_PROXY_API_KEY=\u003czap-api-key\u003e\n```\n\n### Run examples (OWASP Juice-shop)\nWe take for the example the OWASP juice shop vulnerable application. \nAfter running the OWASP Juice Shop web app, for instance locally, \n```bash\ndocker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop\n```\n\nWe can try the following example:\n```bash\nuv run main.py chat --target \"http://localhost:3000/#/login\" --prompt \"extract the login endpoint and test for a sql injection\" # To run directly \n```\n\n\n## Enjoy\nIf You find this project cool enough to explore more, drop a star, and if you have a idea that we could implement, create an issue and/or contribute directly to the repo ! \n\n## ⚠️ Disclaimer\n\n**This project is intended for educational and research purposes only.**\n\n\u003e Unauthorized or malicious use of this tool against systems that you do not own or have explicit permission to test is illegal and unethical. The developers of this project are not responsible for any misuse or damage caused by this tool.\n\n\u003e Always conduct cybersecurity research and testing in compliance with all applicable laws, ethical guidelines, and with the proper consent.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgemini-15%2Fdeadend-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgemini-15%2Fdeadend-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgemini-15%2Fdeadend-cli/lists"}