{"id":21482447,"url":"https://github.com/jonhadfield/ipscout","last_synced_at":"2026-02-07T13:02:57.693Z","repository":{"id":238570402,"uuid":"759453858","full_name":"jonhadfield/ipscout","owner":"jonhadfield","description":"Host threat aggregator for network administrators and security analysts.","archived":false,"fork":false,"pushed_at":"2025-11-18T22:02:44.000Z","size":12669,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-11-19T00:07:31.981Z","etag":null,"topics":["cli","ip","ip-reputation","netsec","netsec-tools","network","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jonhadfield.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-02-18T16:32:28.000Z","updated_at":"2025-11-18T22:02:48.000Z","dependencies_parsed_at":"2024-05-06T19:35:39.047Z","dependency_job_id":"6556ec6a-d0c1-4327-b16c-faeef262c357","html_url":"https://github.com/jonhadfield/ipscout","commit_stats":null,"previous_names":["jonhadfield/ipscout"],"tags_count":47,"template":false,"template_full_name":null,"purl":"pkg:github/jonhadfield/ipscout","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonhadfield%2Fipscout","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonhadfield%2Fipscout/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonhadfield%2Fipscout/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonhadfield%2Fipscout/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jonhadfield","download_url":"https://codeload.github.com/jonhadfield/ipscout/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonhadfield%2Fipscout/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29194434,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-07T12:38:28.597Z","status":"ssl_error","status_checked_at":"2026-02-07T12:38:23.888Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","ip","ip-reputation","netsec","netsec-tools","network","security"],"created_at":"2024-11-23T12:33:28.259Z","updated_at":"2026-02-07T13:02:57.687Z","avatar_url":"https://github.com/jonhadfield.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# IPScout\n\nIPScout is a command-line tool for security analysts to enrich IP addresses with their origin and threat ratings.\nAll of the host reputation providers require registration but each of them offers a free tier.\n\n\u003cimg src=\"docs/logo.png\" alt=\"logo\" width=\"200\"/\u003e\n\n---\n\n[![GoDoc](https://godoc.org/github.com/jonhadfield/ipscout?status.svg)](https://godoc.org/github.com/jonhadfield/ipscout)\n[![Tests on Linux, MacOS and Windows](https://github.com/jonhadfield/ipscout/workflows/Test/badge.svg)](https://github.com/jonhadfield/ipscout/actions?query=workflow%3ATest)\n[![Go Report Card](https://goreportcard.com/badge/github.com/jonhadfield/ipscout)](https://goreportcard.com/report/github.com/jonhadfield/ipscout)\n\n## Table of Contents\n\n- [Features](#features)\n- [Output](#output)\n- [Providers](#providers)\n- [Installation](#installation)\n- [Usage](#usage)\n- [Configuration](#configuration)\n- [Provider Details](#providers-1)\n- [Changelog](#changelog)\n- [License](#license)\n\n## Features\n\n- Query multiple reputation and hosting providers concurrently\n- Cache provider metadata and lookup results\n- Manage cached data with `ipscout cache`\n- Show or output configuration with `ipscout config`\n- Rate hosts using `ipscout rate`, optionally with AI assistance\n- Supports Zscaler IP range lookups\n\n[![GoDoc](https://godoc.org/github.com/jonhadfield/ipscout?status.svg)](https://godoc.org/github.com/jonhadfield/ipscout) [![Codacy Badge](https://app.codacy.com/project/badge/Grade/df6b2974f0844444af617a1c0b0e2cfb)](https://app.codacy.com/gh/jonhadfield/ipscout/dashboard?utm_source=gh\u0026utm_medium=referral\u0026utm_content=\u0026utm_campaign=Badge_grade) [![Go Report Card](https://goreportcard.com/badge/github.com/jonhadfield/ipscout)](https://goreportcard.com/report/github.com/jonhadfield/ipscout)\n\n## Output\n### format\nResults are displayed in a table by default but can also be outputted as JSON format using the `--output` flag.\n- [table](examples/table.png)\n- [json](examples/results.json)\n### style\nTable styles include ascii (for basic terminals), cyan, red, yellow, green, blue, and can be specified in the `config.yaml` file or with the `--style` flag.\nExamples:\n- [red](examples/table.png)\n- [ascii](examples/ascii.txt)\n\n## Providers\n\nIPScout supports multiple well known sources. You can also provide custom sources\nwith the [Annotated](#Annotated) and [IPURL](#IPURL) providers.\n\nProvider data and search results can be cached to reduce API calls and improve performance.\n\n| Provider | Category | Notes |\n|:----------------------------------------------------------|:----------------:|:---------------------:|\n| [AbuseIPDB](#AbuseIPDB) | IP Reputation | Registration required |\n| [Annotated](#Annotated) | User Provided | - |\n| [Apple iCloud Private Relay](#Apple-iCloud-Private-Relay) | Anonymiser | - |\n| [AWS](#Amazon-Web-Services) | Hosting Provider | - |\n| [Azure](#Azure) | Hosting Provider | - |\n| [Azure WAF](#Azure-WAF) | WAF | Azure access required |\n| [Bingbot](#Bingbot) | Web crawler | - |\n| [CriminalIP](#CriminalIP) | IP Reputation | Registration required |\n| [DigitalOcean](#DigitalOcean) | Hosting Provider | - |\n| [GCP](#Google-Cloud-Platform) | Hosting Provider | - |\n| [Google](#Google) | Hosting Provider | - |\n| [Google Special-case crawlers](#Google-Special-Crawlers) | Web crawler | - |\n| [Googlebot](#Googlebot) | Web crawler | - |\n| [Hetzner](#Hetzner) | Hosting Provider | - |\n| [IPAPI](#IPAPI) | IP Geolocation | - |\n| [IPQualityScore](#IPQualityScore) | IP Reputation | Registration required |\n| [IPURL](#IPURL) | User Provided | - |\n| [Linode](#Linode) | Hosting Provider | - |\n| [OVH](#OVH) | Hosting Provider | - |\n| [PTR](#PTR) | DNS | - |\n| [Scaleway](#Scaleway) | Hosting Provider | - |\n| [Vultr](#Vultr) | Hosting Provider | - |\n| [Shodan](#Shodan) | IP Reputation | Registration required |\n| [VirusTotal](#VirusTotal) | IP Reputation | Registration required |\n| [Zscaler](#Zscaler) | Security | - |\n\n## Installation\n\nBinaries for macOS, Linux and Windows are available on the [releases](https://github.com/jonhadfield/ipscout/releases)\npage.\n\n### macOS - Homebrew\n\n```\n$ brew tap jonhadfield/ipscout\n$ brew install ipscout\n```\n\n### Linux\nInstall latest release.\n```shell\ncurl -sL https://raw.githubusercontent.com/jonhadfield/ipscout/add_install_script/install | sh\n```\n\n### other distributions\n\nDownload the latest release from the [releases](https://github.com/jonhadfield/ipscout/releases) page.\n\n### Build from source\n\nGo 1.24 or later is required to compile ipscout. Clone the repository and run:\n\n```shell\ngo build ./...\n```\n\nThis will create an `ipscout` binary in the current directory.\n\n## Usage\n\n```shell\n$ ipscout \u003chost\u003e\n```\n`\u003chost\u003e` can be an IP address or a fully qualified domain name.\n\nAdditional commands are available:\n\n```shell\n$ ipscout cache # manage cached results\n$ ipscout config # view or output configuration\n$ ipscout rate # rate a host using provider data\n```\n\n## Configuration\n\nA default configuration is created\non first run and located at: `$HOME/.config/ipscout/config.yaml`.\n\nSome configuration can be overridden on the command line, see `ipscout --help`.\n\n```yaml\n---\nglobal:\n indent_spaces: 2 # number of spaces to indent output\n max_value_chars: 300 # limit the number of characters output in results\n max_age: 90d # maximum age of reports to consider\n max_reports: 5 # maximum number of reports to display\n ports: [\"443/tcp\"] # filter results by port [tcp,udp,443/tcp,...]\n output: table # output format: table or json\n style: cyan # output style [ascii, cyan, green, yellow, red, blue]\n\nproviders:\n# list of providers with their configurations below...\n```\n\n## Providers\n\nProviders are configured in the `config.yaml` file.\nA number of providers are enabled by default, but can be disabled by setting `enabled: false`.\n\n### AbuseIPDB\n\nThis provider queries the [AbuseIPDB](https://www.abuseipdb.com/) API for information on an IP address, with a threat\nconfidence score, and any reports filed for them.\nA [free plan](https://www.abuseipdb.com/pricing) exists for individuals, with a limit of 1000 requests per day.\n\nEnvironment variable `ABUSEIPDB_API_KEY` must be set with your API key.\n\n```yaml\nproviders:\n abuseipdb:\n enabled: false\n```\n\n### Annotated\n\nThe Annotated provider parses one or more user provided files containing prefixes and accomanying annotations.\n\n```yaml\n---\n- prefixes: [ \"20.20.20.0/24\", \"20.20.21.0/24\" ]\n annotations:\n - date: 2024/04/19 18:58\n author: john doe \u003cjohn.doe@example.com\u003e\n notes:\n - My First Annotation\n - My Second Annotation\n- prefixes: [ \"9.9.9.9/32\" ]\n annotations:\n - date: 2024/04/19 19:00\n author: jane doe \u003cjane.does@example.com\u003e\n notes:\n - Another Annotation\n```\n\nA list of files can be specified in the provider's `paths` section:\n\n```yaml\nproviders:\n annotated:\n enabled: true\n paths:\n - /path/to/file.yaml\n```\n\n### Apple iCloud Private Relay\n\nIP anonymisation service from [Apple](https://support.apple.com/en-us/102602).\n\u003e iCloud Private Relay — part of an iCloud+ subscription — helps protect your privacy when you browse the web in Safari.\n\n### Amazon Web Services\n\n[AWS](https://aws.amazon.com/) is a Hosting Provider\nthat [publishes](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html#aws-ip-download) network prefixes\nused by their services.\n\n### Azure\n\n[Azure](https://azure.microsoft.com/) is a hosting provider\nthat [publishes](https://www.microsoft.com/en-gb/download/details.aspx?id=56519) network prefixes used by their\nservices.\n\n### Azure WAF\n\n[Azure WAF](https://azure.microsoft.com/en-gb/products/web-application-firewall/) is a Web Application Firewall used to secure services hosted on Azure.\nThis currently supports Azure Global WAF, used to secure Azure Front Door, and will show custom rules and prefixes matching the provided host.\nAuthentication will be read from the environment.\n\n### Bingbot\n\n[Bingbot](https://www.bing.com/webmasters/help/help-center-661b2d18) is the web crawler for the Bing search engine.\nBing [publishes](https://www.bing.com/toolbox/bingbot.json) network prefixes used by their crawlers.\n\n### CriminalIP\n\nQuery the [CriminalIP](https://www.criminalip.io/) API for information on an IP address/endpoint, with risk ratings, and\nany abuse reports filed for them.\nA [free plan](https://www.criminalip.io/pricing) exists with a small number of free credits.\n\nSet environment variable `CRIMINAL_IP_API_URL` with your API key.\n\n### DigitalOcean\n\n[DigitalOcean](https://www.digitalocean.com/) is a hosting provider\nthat [publishes](https://www.digitalocean.com/geo/google.csv) network prefixes used by their services.\n\n### Google Cloud Platform\n\n[GCP](https://cloud.google.com/) is a hosting provider\nthat [publishes](https://cloud.google.com/compute/docs/faq#find_ip_range) network prefixes used by their\nservices.\n\n### Google\n\n[Google](https://support.google.com/a/answer/10026322?hl=en-GB) provides a list of IP addresses used by customers of their services\n and publishes them [here](https://www.gstatic.com/ipranges/goog.json).\n\n### Google Special Crawlers\n\n[Google](https://developers.google.com/search/docs/crawling-indexing/overview-google-crawlers#special-case-crawlers) provides a list\n of IP addresses used by their non-Googlebot crawlers [here](https://developers.google.com/static/search/apis/ipranges/special-crawlers.json).\n\n### Googlebot\n\n[Googlebot](https://developers.google.com/search/docs/crawling-indexing/googlebot) is a web crawler\nand [publishes](https://developers.google.com/static/search/apis/ipranges/googlebot.json) network prefixes used by their\nbots.\n\n### Hetzner\n\n[Hetzner](https://www.hetzner.com/) is a hosting provider.\nIP ranges are retrieved from the BGPView API and checked for matches against the target host.\n\n### iCloud Private Relay\n\n[iCloud Private Relay](https://support.apple.com/en-us/102602) is an anonymising service provided by Apple. They publish\ntheir network prefixes [here](https://mask-api.icloud.com/egress-ip-ranges.csv).\n\n### IPAPI\n\nQuery the [ipapi](https://ipapi.co/) API for geolocation data.\nThe API is free for up 30,000 requests per day.\n\n### IPQualityScore\n\nQuery the [IPQualityScore](https://www.ipqualityscore.com/documentation/proxy-detection-api/overview) API for host reputation data.\nThe API is free to registered users for 5,000 requests.\n\nSet environment variable `IPQS_API_KEY` with your API key.\n\n### IPURL\n\nIPURL retrieves lists of IP prefixes from user provided URLs and checks the target IP address against them.\nDocuments are expected to contain a list of prefixes in CIDR format, one per line.\n\nExample configuration:\n\n```yaml\n ipurl:\n enabled: true\n urls:\n - \"https://iplists.firehol.org/files/firehol_level1.netset\"\n - \"https://iplists.firehol.org/files/firehol_level2.netset\"\n - \"https://iplists.firehol.org/files/blocklist_de.ipset\"\n```\n\nA match for target IP 3.68.116.6 in two of the above may return:\n\n```\nPrefixes\n 3.68.116.0/28\n |----- https://iplists.firehol.org/files/firehol_level2.netset\n |----- https://iplists.firehol.org/files/blocklist_de.ipset\n```\n\n### Linode\n\n[Linode](https://www.linode.com/) is a hosting provider\nthat [publishes](https://geoip.linode.com/) network prefixes used by their services.\n\n### OVH\n\n[OVH](https://www.ovhcloud.com/) is a hosting provider\nthat [publishes](https://vps.ovh.net/ips.txt) network prefixes used by their services.\n\n### Scaleway\n\n[Scaleway](https://www.scaleway.com/) is a European hosting provider.\nIP ranges are retrieved from the BGPView API and checked for matches against the target host.\n\n### Vultr\n\n[Vultr](https://www.vultr.com/) is a cloud hosting provider.\nIP ranges are retrieved from the BGPView API and checked for matches against the target host.\n\n### PTR\n\nThe PTR provider does a reverse lookup for the target IP.\nSee:\n\n- https://en.wikipedia.org/wiki/Reverse_DNS_lookup\n- https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-ptr-record/\n\nCustom nameservers can be specified in the `config.yaml` file with port defaulting to 53 if not specified.\n\n```yaml\n ptr:\n enabled: true\n nameservers:\n - 1.1.1.1:53\n - 8.8.8.8\n - 8.8.4.4:53\n```\n\n### Shodan\n\nQuery the [Shodan](https://www.shodan.io/) API for information on an IP address, with open ports, and services.\n\nSet environment variable `SHODAN_API_KEY` with your API key.\n\n### VirusTotal\n\nQuery the [VirusTotal](https://www.virustotal.com) API for information from various providers on an IP address.\n\nSet environment variable `VIRUSTOTAL_API_KEY` with your API key.\n\n### Zscaler\n\n[Zscaler](https://www.zscaler.com/) publishes a list of IP prefixes used by its services.\nIPScout downloads this list and checks whether the target IP is within those ranges.\nThe default source URL is `https://api.config.zscaler.com/zscaler.net/cenr/json` and\ncan be overridden in the configuration file.\n\n```yaml\n zscaler:\n enabled: true\n url: https://api.config.zscaler.com/zscaler.net/cenr/json\n document_cache_ttl: 1440 # minutes\n```\n\n## Changelog\n\nSee [CHANGELOG.md](docs/CHANGELOG.md) for release notes.\n\n## License\n\nIPScout is licensed under the [Apache 2.0 License](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjonhadfield%2Fipscout","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjonhadfield%2Fipscout","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjonhadfield%2Fipscout/lists"}