{"id":47882287,"url":"https://github.com/madebyaris/chaca-scanner","last_synced_at":"2026-04-04T01:54:53.383Z","repository":{"id":343958436,"uuid":"1173663587","full_name":"madebyaris/chaca-scanner","owner":"madebyaris","description":"Native desktop web security scanner for developers. OWASP Top 10, API exposure, CMS detection, target intelligence. Built with Tauri 2 + React 19 + Rust.","archived":false,"fork":false,"pushed_at":"2026-03-23T02:07:38.000Z","size":5009,"stargazers_count":40,"open_issues_count":0,"forks_count":3,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-04T01:54:18.693Z","etag":null,"topics":["api-security","cms-detection","owasp","react","rust","security-scanner","tauri","vulnerability-scanner","web-security"],"latest_commit_sha":null,"homepage":"https://madebyaris.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/madebyaris.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-05T16:04:29.000Z","updated_at":"2026-03-30T09:19:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/madebyaris/chaca-scanner","commit_stats":null,"previous_names":["madebyaris/chaca-scanner"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/madebyaris/chaca-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madebyaris%2Fchaca-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madebyaris%2Fchaca-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madebyaris%2Fchaca-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madebyaris%2Fchaca-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/madebyaris","download_url":"https://codeload.github.com/madebyaris/chaca-scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madebyaris%2Fchaca-scanner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31384846,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T01:22:39.193Z","status":"ssl_error","status_checked_at":"2026-04-04T01:22:33.970Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-security","cms-detection","owasp","react","rust","security-scanner","tauri","vulnerability-scanner","web-security"],"created_at":"2026-04-04T01:54:52.804Z","updated_at":"2026-04-04T01:54:53.371Z","avatar_url":"https://github.com/madebyaris.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eChaca\u003c/strong\u003e — Web Security Scanner\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003cem\u003eA native desktop security scanner for vibe coders and developers\u003c/em\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/version-0.6.0-18181b?style=flat-square\" alt=\"version\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Tauri-2-18181b?style=flat-square\" alt=\"tauri\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/React-19-18181b?style=flat-square\" alt=\"react\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Rust-1.77+-18181b?style=flat-square\" alt=\"rust\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  Fast, opinionated security audits of your web apps — no terminal required.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  Support Chaca directly: \u003ca href=\"https://madebyaris.gumroad.com/l/chacha-security\"\u003ebuy Chaca Pro\u003c/a\u003e, support via \u003ca href=\"https://github.com/madebyaris\"\u003eGitHub\u003c/a\u003e, or send $100 founder support via PayPal to \u003ccode\u003earissetia.m@gmail.com\u003c/code\u003e and get your company logo listed here forever.\n\u003c/p\u003e\n\n---\n\n## Screenshots\n\n| New Scan | Dashboard | Full Report |\n|:--------:|:----------:|:-----------:|\n| [\u003cimg src=\"assets/home.png\" width=\"280\" alt=\"Chaca New Scan screen\" /\u003e](assets/home.png) | [\u003cimg src=\"assets/detail.png\" width=\"280\" alt=\"Chaca Dashboard\" /\u003e](assets/detail.png) | [\u003cimg src=\"assets/list-vuln.png\" width=\"280\" alt=\"Chaca vulnerability list\" /\u003e](assets/list-vuln.png) |\n| Configure target URL, scan mode (Passive/Active/Full), or scan a local folder | Security score, vulnerability trend, target intelligence | Filter by severity, CWE references, export to JSON/CSV/SARIF/PDF |\n\n---\n\n## What is Chaca?\n\n**Chaca** = **Cha**lim S**ca**nner — a desktop app built with **Tauri 2**, **React 19**, and **Rust** that scans web applications for security issues. Designed for developers who want actionable results without learning Burp Suite or OWASP ZAP.\n\n---\n\n## Features\n\n### Scanning Engine (Rust)\n\n| Category | Capabilities |\n|----------|--------------|\n| **Passive** | Security headers, cookies, CORS, CSP, CSRF, clickjacking, JWT, rate limits, deserialization indicators |\n| **Active** | XSS (canary + attribute/event injection), SQLi, SSTI, open redirect, path traversal, CORS reflection, CSRF verification |\n| **CMS** | WordPress, Drupal, Joomla, Shopify, Magento fingerprinting + platform-specific checks |\n| **API** | 57+ sensitive path probes (`/swagger.json`, `/env`, `/graphql`, `/wp-json/wp/v2/users`, …) |\n| **Disclosure** | Stack traces, debug headers, file path leaks (Python, Java, PHP, .NET, Go, Ruby, Node.js) |\n| **Services** | Supabase, Firebase, PocketBase, admin panels (phpMyAdmin, Adminer, wp-login, debug consoles) |\n| **Recon** | IP, DNS, TLS, server fingerprinting, tech detection (frameworks, CDNs, WAFs, hosting), `robots.txt` / `sitemap.xml` / `security.txt` |\n| **Knowledge** | 50+ vulnerability definitions with CWE, CVSS severity, remediation, references |\n| **Quality** | Confidence scoring (Confirmed/Firm/Tentative), deduplication, category-capped security score (0–100) |\n\n### Desktop App (React + Tailwind)\n\n- Monospace-first minimal UI\n- Real-time progress (crawl → passive → active)\n- Dashboard with score, charts, stats, target intelligence panel\n- Report viewer with CWE links and external references\n- Filter by severity and confidence\n- Export to JSON, CSV, SARIF, and PDF\n- Pro scan helpers: quick headers, login-first setup, branded PDF exports\n- Persistent scan history across app restarts\n- Scan presets (Quick passive, API audit, Full scan) + custom presets\n- Local folder scanning: secrets, config exposure, endpoint inventory (local-only)\n- Settings page (network, crawling, passive, active, data detection, export, presets) with persistent storage\n\n---\n\n## Tech Stack\n\n| Layer | Technology |\n|-------|------------|\n| Shell | Tauri 2 |\n| Frontend | React 19, TypeScript, Tailwind CSS v4 |\n| State | Zustand, tauri-plugin-store |\n| UI | Radix UI, Lucide icons, Recharts |\n| Backend | Rust (reqwest, regex, tokio, serde, tracing, base64) |\n\n---\n\n## Getting Started\n\n### Prerequisites\n\n- [Node.js](https://nodejs.org/) 18+\n- [Rust](https://rustup.rs/) 1.77+\n- [Tauri prerequisites](https://v2.tauri.app/start/prerequisites/) for your platform\n\n### Run\n\n```bash\nnpm install\nnpm run tauri dev\n```\n\n### Build\n\n```bash\nnpm run tauri build\n```\n\nOutput: `src-tauri/target/release/bundle/`\n\n### Release (GitHub)\n\nPre-built binaries for **Windows (x64)** and **Linux (x64 AppImage)** are published to [GitHub Releases](https://github.com/madebyaris/chaca-scanner/releases) on each version tag. macOS builds currently require local compilation because Chaca is not yet signed/notarized with an Apple Developer account.\n\n**To cut a release:**\n\n1. Bump version in `package.json` and `src-tauri/tauri.conf.json`\n2. Commit and push\n3. Create and push a version tag: `git tag v0.6.0 \u0026\u0026 git push origin v0.6.0`\n4. GitHub Actions builds all platforms and creates a draft release\n5. Edit the draft release, add release notes, and publish\n\n**Expected artifacts:**\n\n| Platform | Artifact | Notes |\n|----------|----------|-------|\n| macOS (Apple Silicon) | Build locally | For now, macOS developers should compile Chaca themselves with `npm run tauri build` |\n| Windows (x64) | `Chaca_0.6.0_x64-portable.exe` | Run directly; requires [WebView2](https://developer.microsoft.com/en-us/microsoft-edge/webview2/) on Windows 10 |\n| Windows (x64) | `Chaca_0.6.0_x64-setup.nsis.exe` | Installer (includes WebView2) |\n| Linux (x64) | `Chaca_0.6.0_amd64.AppImage` | Run directly |\n\n**Note:** Current releases are unsigned. Windows may show security warnings, and macOS public distribution is temporarily blocked until Chaca is signed/notarized. Ensure **Settings → Actions → General → Workflow permissions** is set to \"Read and write permissions\" so the release workflow can create releases.\n\n### macOS \"Damaged\" Warning\n\nIf macOS says `\"Chaca.app\" is damaged and can't be opened`, the app is usually being blocked by Gatekeeper because it is unsigned or was downloaded with a quarantine flag.\n\nIf you are a Mac developer, the most reliable option for now is to clone the repo and build locally:\n\n```bash\nnpm install\nnpm run tauri build\n```\n\nTry these steps:\n\n1. Open the `.dmg`\n2. Drag `Chaca.app` into `Applications`\n3. In Finder, right-click `Chaca.app` and choose `Open`\n4. If macOS still blocks it, go to `System Settings -\u003e Privacy \u0026 Security` and click `Open Anyway`\n\nIf that still does not work, remove the quarantine attribute manually:\n\n```bash\nxattr -dr com.apple.quarantine \"/Applications/Chaca.app\"\n```\n\nThen open the app again.\n\n---\n\n## Usage\n\n### URL Scan\n1. Enter a target URL\n2. Choose **Passive** or **Full** scan\n3. Review dashboard — score, vulnerabilities, target intelligence\n4. Open findings for evidence, remediation, CWE references\n5. Export as JSON, CSV, SARIF, or PDF\n\n### Local Folder Scan (v0.6)\n1. Click **SCAN FOLDER** and select a project directory\n2. Chaca scans for: secrets (AWS, GitHub, Stripe, etc.), exposed config files (`.env`, CI, K8s), and endpoint patterns (Express, Next.js, FastAPI)\n3. All scanning is local-only; no content leaves your machine\n4. Results appear in the same dashboard; export as usual\n\n\u003e **Only scan targets you have explicit permission to test.**\n\n---\n\n## Project Structure\n\n```\nsrc/                    # React frontend\n├── components/\n│   ├── dashboard/      # Scan results, charts, target intelligence\n│   ├── layout/         # App shell, sidebar, header\n│   ├── settings/       # Settings page and controls\n│   └── ui/             # Radix-based primitives\n├── store/              # Zustand (scan state, settings)\n└── utils/              # Export helpers\n\nsrc-tauri/              # Rust backend\n└── src/\n    ├── scanner/\n    │   ├── engine.rs       # Scan orchestrator\n    │   ├── crawler.rs      # URL discovery\n    │   ├── folder_scanner.rs # Local folder scan (secrets, config, endpoints)\n    │   ├── passive.rs      # Passive checks\n    │   ├── active.rs       # Active tests\n    │   ├── cms.rs          # CMS detection\n    │   ├── recon.rs        # Target intelligence\n    │   └── rules/          # api_exposure, data_exposure, info_disclosure,\n    │                       # exposed_services, vuln_db\n    └── lib.rs          # Tauri commands \u0026 data structures\n```\n\n---\n\n## Support\n\n**Chaca Pro** unlocks branded PDF export, unlimited history, scan profiles, quick auth headers, and login-first scanning. [Get a license](https://madebyaris.gumroad.com/l/chacha-security) to support indie development.\n\nIf you want to directly support the work at the founder level, you can also contribute **$100** via:\n\n- [GitHub Sponsors / GitHub profile](https://github.com/madebyaris)\n- PayPal: `arissetia.m@gmail.com`\n\nFounder-level supporters can have their company logo listed here as a permanent founding supporter of the repo.\n\nIf your subscription expires, you have 7 days to resubscribe before Pro features are disabled — no sudden interruptions.\n\n---\n\n## Author\n\n**Aris Setiawan**\n\n- [madebyaris.com](https://madebyaris.com)\n- [GitHub @madebyaris](https://github.com/madebyaris)\n- [X @arisberikut](https://x.com/arisberikut)\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003csub\u003eOpen-source. Use responsibly.\u003c/sub\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadebyaris%2Fchaca-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmadebyaris%2Fchaca-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadebyaris%2Fchaca-scanner/lists"}