{"id":45412844,"url":"https://github.com/tbckr/trident","last_synced_at":"2026-04-04T19:03:56.053Z","repository":{"id":332744723,"uuid":"1119742316","full_name":"tbckr/trident","owner":"tbckr","description":"CLI tool for OSINT investigations","archived":false,"fork":false,"pushed_at":"2026-02-25T22:48:42.000Z","size":754,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-26T01:22:20.564Z","etag":null,"topics":["osint","osint-framework","threat-intelligence","threatintel"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tbckr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-19T19:12:01.000Z","updated_at":"2026-02-25T22:48:46.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/tbckr/trident","commit_stats":null,"previous_names":["tbckr/trident"],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/tbckr/trident","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tbckr%2Ftrident","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tbckr%2Ftrident/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tbckr%2Ftrident/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tbckr%2Ftrident/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tbckr","download_url":"https://codeload.github.com/tbckr/trident/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tbckr%2Ftrident/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29935107,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T13:00:17.143Z","status":"ssl_error","status_checked_at":"2026-02-28T12:59:13.669Z","response_time":90,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["osint","osint-framework","threat-intelligence","threatintel"],"created_at":"2026-02-22T00:14:00.333Z","updated_at":"2026-04-04T19:03:56.035Z","avatar_url":"https://github.com/tbckr.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# trident\n\n[![CI](https://github.com/tbckr/trident/actions/workflows/ci.yml/badge.svg)](https://github.com/tbckr/trident/actions/workflows/ci.yml)\n[![Latest Release](https://img.shields.io/github/v/release/tbckr/trident)](https://github.com/tbckr/trident/releases)\n[![Go Version](https://img.shields.io/github/go-mod/go-version/tbckr/trident)](https://github.com/tbckr/trident/blob/main/go.mod)\n[![Go Report Card](https://goreportcard.com/badge/github.com/tbckr/trident)](https://goreportcard.com/report/github.com/tbckr/trident)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/tbckr/trident/badge)](https://securityscorecards.dev/viewer/?uri=github.com/tbckr/trident)\n[![CodeQL](https://github.com/tbckr/trident/actions/workflows/codeql.yml/badge.svg)](https://github.com/tbckr/trident/actions/workflows/codeql.yml)\n\n**Fast, keyless OSINT in a single binary.** DNS lookups, Cymru ASN info, certificate transparency, threat intelligence, PGP key search, and CDN/provider detection — no API keys, no registration, no configuration required.\n\ntrident is a Go port and evolution of the Python [Harpoon](https://github.com/Te-k/harpoon) tool, built for analysts and security researchers who live in the terminal.\n\n```console\n$ trident dns example.com\n+------+------------------------------------------+\n| TYPE | VALUE                                    |\n+------+------------------------------------------+\n| NS   | a.iana-servers.net.                      |\n|      | b.iana-servers.net.                      |\n+------+------------------------------------------+\n| A    | 93.184.216.34                            |\n+------+------------------------------------------+\n| AAAA | 2606:2800:21f:cb07:6819:42b5:ba16:c9cb  |\n+------+------------------------------------------+\n| MX   | 0 .                                      |\n+------+------------------------------------------+\n| TXT  | \"v=spf1 -all\"                            |\n+------+------------------------------------------+\n```\n\n---\n\n## Contents\n\n- [Installation](#installation)\n- [Verify Release Artifacts](#verify-release-artifacts)\n- [Quickstart](#quickstart)\n- [Features](#features)\n- [Services](#services)\n- [Output Formats](#output-formats)\n- [Bulk Input](#bulk-input)\n- [PAP System](#pap-system)\n- [Configuration](#configuration)\n- [Global Flags](#global-flags)\n- [Commands Reference](#commands-reference)\n- [Development](#development)\n- [Responsible Use](#responsible-use)\n- [Contributing](#contributing)\n- [Security](#security)\n- [Code of Conduct](#code-of-conduct)\n\n---\n\n## Installation\n\n**The fastest way** — requires Go 1.26+:\n\n```bash\ngo install github.com/tbckr/trident/cmd/trident@latest\n```\n\n**Pre-built binaries** — download for Linux, macOS, or Windows (amd64/arm64) from the [releases page](https://github.com/tbckr/trident/releases). Linux packages (`.deb`, `.rpm`, `.apk`, `pkg.tar.zst`) are included.\n\n**Nix** — run without installing or add to your system profile:\n\n```bash\n# Run directly\nnix run github:tbckr/trident -- dns example.com\n\n# Install to profile\nnix profile install github:tbckr/trident\n```\n\n**Build from source:**\n\n```bash\ngit clone https://github.com/tbckr/trident\ncd trident\ngo build -o trident ./cmd/trident\n```\n\n---\n\n## Verify Release Artifacts\n\n\u003e **Note:** Starting with **v0.10.0**, releases use [GitHub Artifact Attestation](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) for provenance. Previous releases (v0.9.x) used `cosign attest-blob`; releases before v0.8.0 used `cosign sign-blob`.\n\nEvery release is attested via GitHub Artifact Attestation using [`actions/attest-build-provenance`](https://github.com/actions/attest-build-provenance). GitHub signs a provenance statement for every artifact listed in `checksums.txt`, proving it was built by the official release workflow. The attestation includes the artifact's SHA-256 digest, so a single `gh attestation verify` call proves both provenance and integrity.\n\n### Manual verification\n\n```bash\nARCHIVE=trident_Linux_x86_64.tar.gz\n\n# Download the archive from the releases page, then verify attestation\ngh attestation verify \"$ARCHIVE\" --repo tbckr/trident\n```\n\n### Script\n\n`scripts/verify-release.sh` automates the step above:\n\n```bash\n# Download the archive from the releases page first, then:\n./scripts/verify-release.sh trident_Linux_x86_64.tar.gz\n```\n\nThe script runs `gh attestation verify` and exits non-zero on failure. It requires the [GitHub CLI](https://cli.github.com/) (2.49+).\n\n### Checksum-only (without gh CLI)\n\nIf you do not have the GitHub CLI installed, you can still verify the archive hash against `checksums.txt` after downloading it from the releases page:\n\n```bash\n# Linux\nsha256sum --check --ignore-missing checksums.txt\n\n# macOS\nshasum -a 256 --check --ignore-missing checksums.txt\n```\n\nThis confirms the archive was not corrupted in transit, but does not verify it was produced by the official release workflow.\n\n---\n\n## Quickstart\n\n```bash\n# DNS records — forward lookup or reverse PTR\ntrident dns example.com\ntrident dns 8.8.8.8\n\n# ASN info — IP address or ASN number (IPv4 and IPv6)\ntrident cymru 8.8.8.8\ntrident cymru AS15169\n\n# Subdomains from certificate transparency logs\ntrident crtsh example.com\n\n# Threat intelligence — domain, IP, or file hash\ntrident threatminer example.com\ntrident threatminer d41d8cd98f00b204e9800998ecf8427e\n\n# PGP key search — by email, name, or fingerprint\ntrident pgp alice@example.com\ntrident pgp 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\n\n# Check whether Quad9 has blocked a domain as malicious\ntrident quad9 malicious.example.com\n\n# Aggregate DNS recon for an apex domain\ntrident apex example.com\n\n# Detect CDN, email, and DNS hosting providers via live DNS queries\ntrident detect example.com\n\n# Identify providers from known DNS record values (no network calls)\ntrident identify --cname abc.cloudfront.net --mx aspmx.l.google.com --txt \"v=spf1 include:_spf.google.com ~all\"\n```\n\n---\n\n## Features\n\n- **No API keys** — all current services are keyless; install and run immediately\n- **Bulk input** — pipe a target list via stdin or pass multiple arguments\n- **Three output formats** — `table` (tables), `json`, and `text` (one result per line for piping)\n- **PAP system** — Permissible Actions Protocol (RED/AMBER/GREEN/WHITE) prevents accidental active interaction\n- **Proxy support** — HTTP, HTTPS, and SOCKS5 proxies; honours `HTTP_PROXY`/`HTTPS_PROXY` env vars automatically\n- **Auto-defanging** — URLs and IPs are defanged at strict PAP levels\n- **Rate limiting** — per-service token-bucket rate limiter with jitter to avoid detectable request patterns\n- **Concurrent processing** — configurable worker pool for fast bulk lookups\n- **Cross-platform** — single binary for Linux, macOS, and Windows\n\n---\n\n## Services\n\n| Command | Description | PAP | Data Source |\n|---------|-------------|-----|-------------|\n| `dns` | A, AAAA, MX, NS, TXT records; reverse PTR | GREEN | Direct DNS resolver |\n| `detect` | Detect CDN, email, DNS hosting, and verification providers via live DNS queries (CNAME, MX, NS, TXT) | GREEN | Direct DNS resolver |\n| `cymru` | ASN info for IPs and ASN numbers (IPv4 + IPv6) | AMBER | Team Cymru DNS |\n| `crtsh` | Subdomain enumeration via certificate transparency | AMBER | [crt.sh](https://crt.sh) |\n| `threatminer` | Threat intel for domains, IPs, and file hashes | AMBER | [ThreatMiner](https://www.threatminer.org) |\n| `pgp` | PGP key search by email, name, or fingerprint | AMBER | [keys.openpgp.org](https://keys.openpgp.org) |\n| `quad9` | Detect whether Quad9 has flagged a domain as malicious | AMBER | [dns.quad9.net](https://www.quad9.net) |\n| `apex` | Aggregate DNS recon across many record types and subdomains; CDN/email/DNS/TXT detection and ASN lookup | AMBER | [dns.quad9.net](https://www.quad9.net), Team Cymru DNS |\n| `identify` | Identify CDN, email, DNS hosting, and verification providers from known DNS record values (CNAME, MX, NS, TXT) | RED | Local (no network) |\n\n---\n\n## Output Formats\n\n**Table (default)** — formatted ASCII tables for human reading:\n\n```bash\ntrident dns example.com\ntrident cymru AS15169 -o table\n```\n\n**JSON** — structured output for scripting and integration:\n\n```bash\ntrident dns example.com -o json\ntrident crtsh example.com -o json | jq '.subdomains | length'\n```\n\n**Text** — one result per line, ideal for piping:\n\n```bash\ntrident crtsh example.com -o text | sort -u \u003e subdomains.txt\ntrident dns example.com -o text | grep \"^A \"\n```\n\n---\n\n## Bulk Input\n\nAny command accepts multiple targets as arguments or from stdin (one per line):\n\n```bash\n# Multiple arguments\ntrident dns example.com google.com cloudflare.com\n\n# From a file via stdin\ncat targets.txt | trident crtsh\n\n# Combine with other tools\ncat /etc/hosts | awk '{print $1}' | trident cymru\n\n# Control concurrency for large lists\ncat ips.txt | trident cymru --concurrency=20\n```\n\n---\n\n## PAP System\n\ntrident implements the [Permissible Actions Protocol (PAP)](https://www.misp-project.org/taxonomies.html#_pap)\nto prevent accidental active interaction with targets:\n\n| Level | Meaning | Permitted Services |\n|-------|---------|-------------------|\n| `red` | Offline/local only — non-detectable | `identify` |\n| `amber` | Limited 3rd-party APIs — no direct target contact | `identify` + Cymru, crt.sh, ThreatMiner, PGP, Quad9, apex |\n| `green` | Direct target interaction permitted | all AMBER + DNS, `detect` |\n| `white` | Unrestricted **(default)** | all |\n\nSet `--pap-limit` to block services above that level:\n\n```bash\n# Only use 3rd-party APIs (no direct DNS queries to the target)\ntrident --pap-limit=amber crtsh example.com\n\n# This will error — AMBER exceeds RED limit\ntrident --pap-limit=red cymru 8.8.8.8\n```\n\nAt AMBER and below, URLs and IPs in output are automatically defanged (e.g. `hxxp://`) unless\n`--no-defang` is passed.\n\n---\n\n## Configuration\n\nThe config file is created automatically at first run:\n\n| Platform | Default Path |\n|----------|-------------|\n| Linux | `$XDG_CONFIG_HOME/trident/config.yaml` (typically `~/.config/trident/config.yaml`) |\n| macOS | `~/Library/Application Support/trident/config.yaml` |\n| Windows | `%AppData%\\trident\\config.yaml` |\n\nUse `trident config set` to modify values without opening the file, or `trident config edit` to\nedit directly. The config file supports all global flags plus the `alias` block and\n`detect_patterns` section:\n\n```yaml\noutput: json\npap_limit: amber\nconcurrency: 20\nproxy: socks5://127.0.0.1:9050\ndetect_patterns:\n  url: https://example.com/custom-patterns.yaml  # optional: override download URL\n  file: /path/to/patterns.yaml                   # optional: use this file instead of defaults\nalias:\n  asn: cymru\n```\n\n\u003e **Note:** The `alias` block is config-file only — it has no corresponding flag or environment\n\u003e variable. Use `trident alias set` / `trident alias delete` to manage aliases, or edit the\n\u003e file directly.\n\n\u003e **Note:** When `detect_patterns.file` is not set, trident resolves patterns using the\n\u003e following lookup order and uses the first file found:\n\u003e\n\u003e 1. `\u003cconfig-dir\u003e/detect.yaml` — user-maintained override\n\u003e 2. `\u003cconfig-dir\u003e/detect-downloaded.yaml` — downloaded via `trident download detect`\n\u003e 3. Built-in embedded patterns — always available as the final fallback\n\u003e\n\u003e Run `trident config path` to find `\u003cconfig-dir\u003e` on your system.\n\nEnvironment variables override config file values using the `TRIDENT_` prefix:\n\n| Variable | Corresponding Flag / Key |\n|----------|--------------------------|\n| `TRIDENT_OUTPUT` | `--output` |\n| `TRIDENT_PAP_LIMIT` | `--pap-limit` |\n| `TRIDENT_PROXY` | `--proxy` |\n| `TRIDENT_USER_AGENT` | `--user-agent` |\n| `TRIDENT_CONCURRENCY` | `--concurrency` |\n| `TRIDENT_VERBOSE` | `--verbose` |\n| `TRIDENT_DEFANG` | `--defang` |\n| `TRIDENT_NO_DEFANG` | `--no-defang` |\n| `TRIDENT_DETECT_PATTERNS_URL` | `detect_patterns.url` |\n| `TRIDENT_DETECT_PATTERNS_FILE` | `--patterns-file` / `detect_patterns.file` |\n\nWhen `--proxy` / `TRIDENT_PROXY` is not set, trident honours the standard `HTTP_PROXY`,\n`HTTPS_PROXY`, and `NO_PROXY` environment variables automatically.\n\n---\n\n## Global Flags\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--config` | platform config dir | Config file path |\n| `--verbose`, `-v` | `false` | Enable debug logging |\n| `--output`, `-o` | `table` | Output format: `table`, `json`, `text` |\n| `--concurrency`, `-c` | `10` | Worker pool size for bulk input |\n| `--proxy` | — | Proxy URL (`http://`, `https://`, `socks5://`) |\n| `--user-agent` | `trident/\u003cversion\u003e` | HTTP User-Agent header |\n| `--pap-limit` | `white` | PAP limit: `red`, `amber`, `green`, `white` |\n| `--defang` | `false` | Force output defanging |\n| `--no-defang` | `false` | Disable output defanging |\n| `--patterns-file` | — | Custom detect patterns file for `detect`, `apex`, and `identify` |\n\nUse `trident config show` to see the effective configuration.\n\n---\n\n## Commands Reference\n\n### `dns` — DNS Lookups\n\nResolves A, AAAA, MX, NS, and TXT records for a domain, or performs a reverse PTR lookup for an\nIP address. Makes direct queries to the configured DNS resolver (PAP: GREEN).\n\n```bash\ntrident dns example.com\ntrident dns 8.8.8.8\ntrident dns 2001:4860:4860::8888\n```\n\n### `cymru` — ASN Lookup\n\nLooks up ASN information for an IP address or ASN number via the Team Cymru DNS service. Supports\nboth IPv4 and IPv6 (PAP: AMBER).\n\n```bash\ntrident cymru 8.8.8.8\ntrident cymru AS15169\ntrident cymru 2001:4860:4860::8888\n```\n\n### `crtsh` — Certificate Transparency\n\nSearches [crt.sh](https://crt.sh) certificate transparency logs for subdomains of a domain\n(PAP: AMBER).\n\n```bash\ntrident crtsh example.com\n```\n\n### `threatminer` — Threat Intelligence\n\nQueries the [ThreatMiner](https://www.threatminer.org) API for contextual threat intelligence.\nAutomatically detects whether input is a domain, IP address, or file hash. Rate-limited to 1\nrequest/second with jitter to avoid triggering ThreatMiner's rate limits (PAP: AMBER).\n\n```bash\ntrident threatminer example.com\ntrident threatminer 198.51.100.1\ntrident threatminer d41d8cd98f00b204e9800998ecf8427e\n```\n\n### `pgp` — PGP Key Search\n\nSearches [keys.openpgp.org](https://keys.openpgp.org) for PGP keys by email address, name, or key\nfingerprint/ID using the HKP protocol (PAP: AMBER). Fingerprints and key IDs must be prefixed\nwith `0x`.\n\n```bash\ntrident pgp alice@example.com\ntrident pgp \"Alice Smith\"\ntrident pgp 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\n```\n\n### `quad9` — Quad9 Threat-Intelligence Check\n\nDetects whether [Quad9](https://www.quad9.net) has flagged a domain as malicious using threat\nintelligence from 19+ security partners (PAP: AMBER). Quad9 returns NXDOMAIN with an empty\nauthority section for known-malicious domains, providing a passive verdict without revealing\nthe query to the target domain.\n\n```bash\ntrident quad9 malicious.example.com\ntrident quad9 example.com malicious.example.com\ncat domains.txt | trident quad9\n```\n\n### `apex` — Aggregate DNS Recon\n\nPerforms parallel DNS reconnaissance for an apex domain via the [Quad9](https://www.quad9.net)\nDNS-over-HTTPS resolver (PAP: AMBER). Fans out queries across the apex domain and a large set\nof well-known derived hostnames — `www`, `autodiscover`, `mail`, `_dmarc`, `_domainkey`,\n`_mta-sts`, `_smtp._tls`, DKIM selectors (`google._domainkey`, `selector1/2._domainkey`),\nBIMI (`default._bimi`), and SRV prefixes for SIP and XMPP. Queried record types include A,\nAAAA, CAA, CNAME, DNSKEY, HTTPS, MX, NS, SOA, SSHFP, SRV, and TXT.\n\nAfter gathering records, `apex` runs all four provider detectors:\n- **CDN** — from CNAME targets (apex chain, www, and email-security subdomains)\n- **Email provider** — from MX records\n- **DNS hosting** — from NS records\n- **Email provider and verification tokens** — from TXT records across all queried hostnames\n\nFinally, it performs **ASN lookups** (via Team Cymru) for every unique IP found in A/AAAA records.\n\n```bash\ntrident apex example.com\ntrident apex example.com example.org\ncat domains.txt | trident apex\ntrident apex --output json example.com\n```\n\n### `detect` — Provider Detection\n\nDetects CDN, email, DNS hosting, and domain verification providers for one or more domains by\nquerying CNAME (apex and www), MX, NS, and TXT records and matching them against known provider\npatterns (PAP: GREEN). Unlike `identify`, this command makes live DNS queries to discover the\nrecords.\n\n```bash\ntrident detect example.com\ntrident detect example.com google.com\ncat domains.txt | trident detect\n\n# Use a custom patterns file for this invocation\ntrident detect --patterns-file /path/to/patterns.yaml example.com\n```\n\n### `identify` — Offline Provider Identification\n\nMatches CNAME, MX, NS, and TXT record values against known provider patterns to identify CDN,\nemail, DNS hosting, and domain verification providers. Unlike `detect`, no DNS queries are made\n— this operates entirely on record values you already have (PAP: RED).\n\n```bash\ntrident identify --cname abc.cloudfront.net\ntrident identify --domain example.com --ns ns1.cloudflare.com\ntrident identify --domain example.com --cname abc.cloudfront.net --mx aspmx.l.google.com --ns ns1.cloudflare.com\ntrident identify --txt \"v=spf1 include:_spf.google.com ~all\" --txt \"google-site-verification=abc123\"\n\n# Use a custom patterns file for this invocation\ntrident identify --patterns-file /path/to/patterns.yaml --cname abc.cloudfront.net\n```\n\n### `download detect` — Update Provider Patterns\n\nDownloads the latest provider detection patterns from a URL and saves them locally. The downloaded\nfile is stored as `detect-downloaded.yaml` in the config directory and is automatically picked up\nby `detect`, `apex`, and `identify` on the next run (PAP: AMBER). A user-maintained\n`detect.yaml` in the same directory takes priority over the downloaded file; the built-in embedded\npatterns serve as the final fallback when neither file exists. See the\n[Configuration](#configuration) section for the full lookup order.\n\n```bash\n# Download from the default URL (trident GitHub repository)\ntrident download detect\n\n# Download from a custom URL\ntrident download detect --url https://example.com/patterns.yaml\n\n# Save to a custom destination instead of the default config dir\ntrident download detect --dest /path/to/my-patterns.yaml\n\n# Configure a persistent custom URL\ntrident config set detect_patterns.url https://example.com/patterns.yaml\ntrident download detect\n```\n\n### `services` — List All Services\n\nLists every implemented service with its command group, minimum PAP level (MIN PAP), and maximum\nPAP level (MAX PAP).\n\nFor individual services the two PAP columns are always equal — the service either runs or is\nblocked by `--pap-limit`, with no partial behaviour.\n\nFor aggregate commands (such as `apex`), the two values may differ: MIN PAP is the lowest PAP\nlevel required to produce any useful output; MAX PAP is the highest level required by any\nsub-service. When `--pap-limit` falls between the two, the aggregate command runs but skips the\nsub-services whose level exceeds the limit, returning whatever it can gather at that PAP level.\n\n```bash\ntrident services\ntrident services -o json\ntrident services -o text\n```\n\n### `config` — Configuration Management\n\nRead and write config file values without opening the file by hand.\n\n| Subcommand | Description |\n|------------|-------------|\n| `config path` | Print the config file path |\n| `config show` | Display all effective config settings |\n| `config get \u003ckey\u003e` | Print the effective value of a single key |\n| `config set \u003ckey\u003e \u003cvalue\u003e` | Write a key–value pair to the config file |\n| `config edit` | Open the config file in `$EDITOR` |\n\n```bash\n# Print the path to the active config file\ntrident config path\n\n# Show all effective settings (merged defaults + env vars + file)\ntrident config show\ntrident config show -o json\n\n# Read a single setting\ntrident config get pap_limit\n\n# Persist a setting (hyphens and underscores both accepted)\ntrident config set output json\ntrident config set pap-limit amber\n\n# Open the config file in $EDITOR (falls back to vi)\ntrident config edit\n```\n\n**Limitations:**\n- `config show` and `config get` report *effective* values — the result of merging built-in\n  defaults, `TRIDENT_*` environment variables, and the config file. They do not show what is\n  literally written in the file.\n- `config set` writes to the file but takes effect on the **next invocation**; the current\n  process already loaded config at startup.\n- The `aliases` section is not managed by `config set` — use the `alias` subcommand instead.\n- Only known configuration keys are accepted (`output`, `pap_limit`, `proxy`, `user_agent`,\n  `concurrency`, `verbose`, `defang`, `no_defang`, `detect_patterns.url`, `detect_patterns.file`).\n\n### `alias` — Command Aliases\n\nDefine short names that expand to longer command strings. Aliases are stored in the config file\nand appear in `trident --help` under *Aliases:*.\n\n```bash\n# Create or update an alias\ntrident alias set asn cymru\n\n# Use the alias — extra arguments are appended after the expansion\ntrident asn 8.8.8.8\n\n# List all aliases\ntrident alias list\ntrident alias list -o json\n\n# Delete an alias\ntrident alias delete asn\n```\n\n**Limitations:**\n- Aliases are only expanded when they appear as the **first positional argument**. Running\n  `trident --verbose myalias` does **not** trigger expansion because `--verbose` precedes the\n  alias name.\n- Expansion splits the stored string on whitespace — argument values containing spaces cannot\n  be embedded in an alias expansion.\n- No shell features — environment variable substitution, pipes, globs, and quoting within\n  the expansion string are not interpreted.\n- Aliases do not expand recursively; an alias expansion cannot reference another alias.\n- Alias names cannot shadow built-in commands (`dns`, `cymru`, `crtsh`, `threatminer`, `pgp`, `quad9`, `detect`, `identify`, `apex`, `services`, `config`, `alias`, `download`, `version`, `completion`).\n- Alias names must not start with `-` or contain whitespace.\n- Changes take effect on the next invocation.\n\n---\n\n## Development\n\n### Requirements\n\n- Go 1.26+ (`go version`)\n- [golangci-lint](https://golangci-lint.run/) v2 (`golangci-lint version`)\n\n### Nix Dev Shell\n\nIf you use [Nix](https://nixos.org/), `nix develop` provides Go, golangci-lint, and goreleaser:\n\n```bash\nnix develop\n```\n\n### justfile\n\nA [justfile](https://github.com/casey/just) provides convenient targets for common tasks:\n\n```bash\n# Build \u0026 Test\njust build              # Build all packages\njust test               # Run all tests with coverage\njust test-pkg ./internal/services/dns/...  # Test a specific package\njust test-race          # Run all tests with race detector\njust fuzz ./internal/output/...            # Run fuzz tests for a package\njust coverage           # Check service coverage meets 80% threshold\n\n# Code Quality\njust fmt                # Format all Go files with gofmt\njust lint               # Run golangci-lint\njust tidy               # Tidy and verify modules\njust tidy-check         # Verify modules are tidy (fails if dirty)\njust vuln               # Run govulncheck\njust license-check      # Check dependency licenses against allowlist\n\n# CI\njust ci                 # Run all CI checks locally\n\n# Nix\njust flake-build        # Build the Nix package locally\njust flake-check        # Run Nix flake check\njust flake-update       # Update Nix flake inputs\n\n# Release\njust release            # Tag next version with svu and push\njust goreleaser-check   # Validate .goreleaser.yaml config\njust verify-release trident_Linux_x86_64.tar.gz  # Verify release artifact\n\n# Maintenance\njust upgrade-deps       # Upgrade direct dependencies and run tests\njust harden-repo        # Apply repository hardening settings\njust check-tool-versions  # Check pinned tool versions for updates\n```\n\n### Build \u0026 Test\n\n```bash\n# Build\ngo build ./...\n\n# Run all tests with coverage\ngo test ./... -coverprofile=coverage.out\ngo tool cover -func=coverage.out\n\n# Run tests for a specific service\ngo test ./internal/services/dns/... -v\n\n# Lint (strict)\ngolangci-lint run\n```\n\n### Project Structure\n\n```\ncmd/trident/        # Entry point — delegates to cli.Execute()\ncmd/docgen/         # Man pages + shell completions generator (cobra/doc)\ninternal/\n  cli/              # Cobra command tree, global flags, output wiring\n  config/           # Viper config loading and flag registration\n  httpclient/       # req.Client factory (proxy, UA rotation, debug tracing)\n  input/            # Line reader from io.Reader for stdin path\n  pap/              # PAP level constants and enforcement\n  doh/              # DNS-over-HTTPS client (Quad9 RFC 8484, shared by apex + quad9)\n  ratelimit/        # Token-bucket rate limiter with ±20% jitter\n  resolver/         # net.Resolver factory with SOCKS5 DNS-leak prevention\n  worker/           # Bounded goroutine pool for bulk input\n  services/         # One package per OSINT service\n    dns/            # DNS record lookups (net package, PAP: GREEN)\n    cymru/          # ASN lookups via Team Cymru DNS (PAP: AMBER)\n    crtsh/          # Certificate transparency via crt.sh (PAP: AMBER)\n    threatminer/    # Threat intel via ThreatMiner API (PAP: AMBER)\n    pgp/            # PGP key search via keys.openpgp.org (PAP: AMBER)\n    quad9/          # Quad9 threat-intelligence blocked check via DoH (PAP: AMBER)\n    detect/         # Active provider detection via DNS lookups (PAP: GREEN)\n    apex/           # Aggregate DNS recon via Quad9 DoH (PAP: AMBER)\n    identify/       # Offline provider detection from known record values (PAP: RED)\n  appdir/           # OS config-dir helpers: ConfigDir(), EnsureFile()\n  apperr/           # Shared error sentinels (leaf; no internal imports)\n  detect/           # Provider detection: CDN/Email/DNS/TXT (pure, no I/O); patterns.yaml embedded\n  output/           # Text (tablewriter), JSON, text formatters + defang\n  testutil/         # Shared test helpers (mock resolver, nop logger)\n  version/          # Build version info (ldflags + BuildInfo fallback)\n```\n\n---\n\n## Responsible Use\n\ntrident is designed for use in **authorised environments only** — internal security assessments,\nred team engagements you have permission to conduct, and OSINT research on infrastructure you\nown or have been explicitly authorised to investigate.\n\n**Malicious use is strictly prohibited.** Do not use trident to query systems or services\nwithout authorisation. Misuse may violate computer fraud laws and the terms of service of the\nqueried APIs.\n\nBy default trident identifies itself honestly with a `trident/\u003cversion\u003e` HTTP User-Agent so that\nserver operators can recognise and control its traffic.\n\n---\n\n## Contributing\n\nContributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, coding standards, and the pull request process.\n\n## Security\n\ntrident follows a defense-in-depth approach to supply chain security:\n\n- **Static analysis** — CodeQL SAST on every push/PR and weekly scans\n- **Vulnerability scanning** — govulncheck on every push/PR and daily scheduled scans\n- **OpenSSF Scorecard** — weekly independent assessment of security posture\n- **Release provenance** — GitHub Artifact Attestation (SLSA) for every release artifact\n- **SBOM** — CycloneDX software bill of materials included with every release\n- **VEX** — OpenVEX vulnerability assessment document included with every release (govulncheck reachability analysis)\n- **Hardened CI** — SHA-pinned GitHub Actions, least-privilege permissions, sandboxed steps\n- **Repository protection** — GitHub Rulesets for branch and tag integrity\n\nFor full details, see [docs/supply-chain-security.md](docs/supply-chain-security.md).\n\nTo report a vulnerability, see [SECURITY.md](SECURITY.md).\n\n## Code of Conduct\n\nThis project follows the Contributor Covenant v3.0. See [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).\n\n## License\n\n[GPL-3.0](LICENSE.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftbckr%2Ftrident","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftbckr%2Ftrident","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftbckr%2Ftrident/lists"}