{"id":13542079,"url":"https://github.com/nikitastupin/clairvoyance","last_synced_at":"2025-05-15T03:08:03.100Z","repository":{"id":37772252,"uuid":"306655657","full_name":"nikitastupin/clairvoyance","owner":"nikitastupin","description":"Obtain GraphQL API schema even if the introspection is disabled","archived":false,"fork":false,"pushed_at":"2024-09-28T10:30:15.000Z","size":405,"stargazers_count":1178,"open_issues_count":40,"forks_count":110,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-05-12T02:42:42.293Z","etag":null,"topics":["bug-bounty","graphql","penetration-testing","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nikitastupin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-23T14:07:46.000Z","updated_at":"2025-05-12T02:19:47.000Z","dependencies_parsed_at":"2024-12-19T00:02:27.659Z","dependency_job_id":"ce44db7c-2fed-412c-ad68-4ec93a931677","html_url":"https://github.com/nikitastupin/clairvoyance","commit_stats":{"total_commits":115,"total_committers":12,"mean_commits":9.583333333333334,"dds":"0.29565217391304344","last_synced_commit":"227f4c5428c18f14021a414bbaa3b203f242131b"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nikitastupin%2Fclairvoyance","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nikitastupin%2Fclairvoyance/tags","releases_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nikitastupin%2Fclairvoyance/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nikitastupin%2Fclairvoyance/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nikitastupin","download_url":"https://codeload.github.com/nikitastupin/clairvoyance/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254264769,"owners_count":22041794,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","graphql","penetration-testing","security"],"created_at":"2024-08-01T10:01:01.101Z","updated_at":"2025-05-15T03:07:58.091Z","avatar_url":"https://github.com/nikitastupin.png","language":"Python","funding_links":[],"categories":["Tools","Exploitation","Weapons","Python","Web Tools","Offensive Security"],"sub_categories":["GraphQL Injection","Tools","GraphQL","Discovery"],"readme":"# Clairvoyance\n\nObtain GraphQL API schema even if the introspection is disabled.\n\n[![PyPI](https://img.shields.io/pypi/v/clairvoyance)](https://pypi.org/project/clairvoyance/)\n[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/clairvoyance)](https://pypi.org/project/clairvoyance/)\n[![PyPI - Downloads](https://img.shields.io/pypi/dm/clairvoyance)](https://pypi.org/project/clairvoyance/)\n[![GitHub](https://img.shields.io/github/license/nikitastupin/clairvoyance)](https://github.com/nikitastupin/clairvoyance/blob/main/LICENSE)\n\n## Introduction\n\nSome GraphQL APIs have disabled introspection. 
For example, [Apollo Server disables introspection automatically if the `NODE_ENV` environment variable is set to `production`](https://www.apollographql.com/docs/tutorial/schema/#explore-your-schema).\n\nClairvoyance helps obtain the GraphQL API schema even if introspection is disabled. It produces the schema in JSON format suitable for other tools like [GraphQL Voyager](https://github.com/APIs-guru/graphql-voyager), [InQL](https://github.com/doyensec/inql) or [graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum).\n\n## Getting Started\n\n### pip\n\n```bash\npip install clairvoyance\nclairvoyance https://rickandmortyapi.com/graphql -o schema.json\n# should take about 2 minutes\n```\n\n### docker\n\n```bash\ndocker run --rm nikitastupin/clairvoyance --help\n```\n\n## Advanced Usage\n\n### Which wordlist should I use?\n\nThere are at least three approaches:\n\n- Use one of the [wordlists](https://github.com/Escape-Technologies/graphql-wordlist) collected by Escape Technologies.\n- Use general English words (e.g. [google-10000-english](https://github.com/first20hours/google-10000-english)).\n- Create a target-specific wordlist by extracting all valid GraphQL names from application HTTP traffic, from mobile application static files, etc. The regex for a GraphQL name is [`[_A-Za-z][_0-9A-Za-z]*`](http://spec.graphql.org/June2018/#sec-Names).\n\n### Environment variables\n\n```bash\nLOG_FMT='%(asctime)s \\t%(levelname)s\\t| %(message)s' # A string format for logging.\nLOG_DATEFMT='%Y-%m-%d %H:%M:%S' # A string format for logging date.\nLOG_LEVEL='INFO' # A string level for logging.\n```\n\n## Support\n\nIn case of questions or issues with Clairvoyance, please refer to the [wiki](https://github.com/nikitastupin/clairvoyance/wiki) or [issues](https://github.com/nikitastupin/clairvoyance/issues). If this doesn't solve your problem, feel free to open a [new issue](https://github.com/nikitastupin/clairvoyance/issues/new).\n\n## Contributing\n\nPull requests are welcome! 
For major changes, please open an issue first to discuss what you would like to change. For more information about tests, internal project structure and so on refer to our [contributing guide](.github/CONTRIBUTING.md).\n\n## Documentation\n\nYou may find more details on how the tool works in the second half of the [GraphQL APIs from bug hunter's perspective by Nikita Stupin](https://youtu.be/nPB8o0cSnvM) talk.\n\n## Contributors\n\nThanks to the contributors for their work.\n\n- [nikitastupin](https://github.com/nikitastupin)\n- [Escape](https://escape.tech) team\n  - [iCarossio](https://github.com/iCarossio)\n  - [Swan](https://github.com/c3b5aw)\n  - [QuentinN42](https://github.com/QuentinN42)\n  - [Nohehf](https://github.com/Nohehf)\n- [i-tsaturov](https://github.com/i-tsaturov)\n- [EONRaider](https://github.com/EONRaider)\n- [noraj](https://github.com/noraj)\n- [belane](https://github.com/belane)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnikitastupin%2Fclairvoyance","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnikitastupin%2Fclairvoyance","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnikitastupin%2Fclairvoyance/lists"}