{"id":16351026,"url":"https://github.com/netcentric/pickaxe-security-scanner","last_synced_at":"2025-07-14T00:06:07.713Z","repository":{"id":42373113,"uuid":"330970035","full_name":"Netcentric/pickaxe-security-scanner","owner":"Netcentric","description":"Pickaxe is a fast and customizable security scan library which simplifies security testing for web applications like Adobe Experience Manager or API services.  It can be plugged into a maven build to execute build-in checks or custom user provided security checks. Custom security checks can be defined via YAML files or a groovy based DSL.","archived":false,"fork":false,"pushed_at":"2023-12-05T22:08:25.000Z","size":407,"stargazers_count":14,"open_issues_count":9,"forks_count":3,"subscribers_count":9,"default_branch":"develop","last_synced_at":"2025-07-05T11:46:39.288Z","etag":null,"topics":["adobe-experience-manager","aem","aem-automation","aem-tools","dispatcher","groovy","maven-plugin","penetration-testing-tools","security-audit","security-automation","security-scanner","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Groovy","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"epl-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Netcentric.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-19T12:19:11.000Z","updated_at":"2024-12-09T19:55:01.000Z","dependencies_parsed_at":"2024-10-28T09:11:21.368Z","dependency_job_id":"7516ef7f-4a57-49d4-8e6b-519c5156b6af","html_url":"https://github.com/Netcentric/pickaxe-security-scanner","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/Netcentric/pickaxe-security-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netcentric%2Fpickaxe-security-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netcentric%2Fpickaxe-security-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netcentric%2Fpickaxe-security-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netcentric%2Fpickaxe-security-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Netcentric","download_url":"https://codeload.github.com/Netcentric/pickaxe-security-scanner/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netcentric%2Fpickaxe-security-scanner/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265224102,"owners_count":23730340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adobe-experience-manager","aem","aem-automation","aem-tools","dispatcher","groovy","maven-plugin","penetration-testing-tools","security-audit","security-automation","security-scanner","security-tools"],"created_at":"2024-10-11T01:08:13.981Z","updated_at":"2025-07-14T00:06:07.673Z","avatar_url":"https://github.com/Netcentric.png","language":"Groovy","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Maven Central](https://maven-badges.herokuapp.com/maven-central/biz.netcentric.security/pickaxe/badge.svg)](https://maven-badges.herokuapp.com/maven-central/biz.netcentric.security/pickaxe)\n[![License](https://img.shields.io/badge/License-EPL%201.0-red.svg)](https://opensource.org/licenses/EPL-1.0)\n[![Build Status](https://github.com/netcentric/pickaxe-security-scanner/actions/workflows/ci.yml/badge.svg?branch=develop)](https://github.com/netcentric/pickaxe-security-scanner/actions/workflows/ci.yml)\n\n![pickaxe-logo2-kl](https://user-images.githubusercontent.com/3109217/134664102-fad8ef35-68da-4466-aa22-8558638c2109.png)\n# Pickaxe - AEM and Dispatcher Security Scanner\n\nSecuring an AEM installation requires to continuously check the overall stack. Any failure in one of the involved layers may likely affect a totally different technical layer or even the whole platform.\n\nThe purpose if this project is to simplify continuous automated security testing of Adobe Experience Manager and especially the AEM Dispatcher.\nIf further enables projects to customize the actual test behaviou to specific project requirements and to easily add additional project specific checks.\n\n## Highly customizable for your project needs\n\nPickaxe is scriptable web application test framework with a customizable http scan engine and a large predefined set of security checks for Adobe Experience Manager (AEM) projects.\n\nIt can be easily customized and extended either through a groovy based DSL or using YAML based scan and check configurations.\n\nThe scanner can be integrated \n* into a Maven project, \n* started from Docker container \n* or simply called via its commandline interface.\n\nPickaxe is fully customizable without having to touch or change the project's core and \nis designed to be integrated into build and CICD ecosystems. \n\nBut Pickaxe is not necessarily limited to AEM only and could be used to scan other web applications and API services.\n\n## Features \n\nWhat is in for my project if I decide to use Pickaxe?\n\n- More than 35 built-in Dispatcher and AEM Security Checks\n- Easy remote or local execution\n    - Commandline Interface\n    - Maven build integration as a Maven plugin\n    - Easy Jenkins integration\n- Fully configurable and customizable scans and checks for any project need\n    - Groovy Configuration DSL\n    - YAML Configuration\n- Authentication support\n- Fast and scalable through async and parallel scan execution\n- Multiple report handlers and formats (html, json, console or just-break-the-build)\n\n# Attack Vectors\n\nPlease check [Pickaxe Scans Module Readme](/pickaxe-scans/README.md) for a list of all supported attack vectors.\n\n# Installation\n\nIf you want to build and run it locally, just run a simple maven build from the root of the project and trigger the commandline version.\n\n    mvn clean install\n    \n    java -jar pickaxe-scans/target/pickaxe-security-scanner.jar --url http://\u003cyour target\u003e/path-to-a-page --output /Users/\u003cyouruser\u003e/scans\n    \nAlternatively pull the docker image and run it from via docker:\n\n    docker pull ghcr.io/netcentric/pickaxe-security-scanner:latest\n    docker run --rm -it -v /Users/\u003cyour-home\u003e/temp/output:/app/output ghcr.io/netcentric/pickaxe-security-scanner:latest --url http://host.docker.internal/content/we-retail/us/en.html\n    \n\nPlease check our specific documentation for details on how to run the scanner.\n\n* [Maven Build Integration](/documentation/run-with-maven.md)\n* [Run from Commandline](/documentation/run-with-cli.md)\n* [Run via Docker](/documentation/run-with-docker.md)\n\n\n# Scan Configuration\n\nBefore starting to deep dive into advanced topics, \nit is crucial to understand the domain specific terminology and meaning of certain buzzwords.\n\n| Term    | Description |\n|---------|-------------|\n| scan| The term _scan_ refers to a scan configuration which configures the target and the parameters to use when scanning the target. |\n| check   | The term check refers to a single configuration which tells the scanner how to attack a certain vulnerability. | \n| reporter  |   A reporter is a report handlers or writer which is used to process the scan results and acts according to it's implementation. It can either print output or terminate further processing when issues are detected.|  \n| config dsl  |  Configuration language to influence the runtime behaviour of the scan angine usig an external configuration. |    \n\n### Advanced Configurations\n\n* [Custom Scan Configurations](/documentation/custom-scan.md)\n* [Custom Security Checks](/documentation/custom-checks.md)\n* [Reporting Configurations](/documentation/reporting.md)\n\n## Configuration Languages: Groovy vs. YAML\n\nPickaxe uses either a Groovy Configuration DSL or a YAML config to allow customization or configuration of the scan process or to define custom checks.\nThe Groovy DSL refers to the scan engines domain specific configuration language, which is used to define most buildin scans or checks.\nThe YAML config is a way simpler format which allows quick customizations without needing to now any internals.\n\n* The scan engine interprets and understands it and acts accordingly.\n* It can be loaded via filesystem and dynamically extend the capabilities of the scanner.\n* If you want to keep it simpler, then just go for the YAML based configs, but be aware the groovy DSL is more powerful.\n\n# Questions\n\nIf you have any questions which are still answered after reading the documentation feel free to raise them in the discussion forum.\n\n# Contributions\n\nContributions are highly welcome in the form of [issue reports](https://github.com/Netcentric/pickaxe-security-scanner/issues), [pull request](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork) or providing help in our [discussion forum](https://github.com/Netcentric/pickaxe-security-scanner/discussions).\n\n## Pickaxe Development and Backlog\n\nIf you want to contribute or develop on top of pickaxe please have a look into the following documentation chapters.\n\n* [Runtime Requirements](/documentation/runtime-requirements.md)\n* [Pickaxe Architecture](/documentation/architecture.md)\n* [Pickaxe Development](/documentation/development.md)\n* [Product Features and Backlog](/documentation/backlog.md)\n\n# License\nPickaxe is licensed under the [Eclipse Public License - v 1.0](LICENSE.txt).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetcentric%2Fpickaxe-security-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetcentric%2Fpickaxe-security-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetcentric%2Fpickaxe-security-scanner/lists"}