JoshuaMart/WebSec0

GitHub: JoshuaMart/WebSec0


![Image](https://github.com/user-attachments/assets/90d66777-7611-4bfc-994c-b4e5de1a469f)


# WebSec0

**WebSec0** is an open-source, self-hostable, **passive** web security configuration scanner. In a single ~15 MB binary, it inspects a host's TLS configuration and HTTP security headers, runs a handful of custom checks (`security.txt`, `robots.txt`, …), and produces **actionable reports with copy-paste remediation snippets**.

Built for **two audiences at parity**:

- Humans — clear reports prioritized by ROI (security ÷ effort)
- AI agents — every finding is self-sufficient (no external fetch needed), the catalog is exposed via `GET /api/v1/checks`, and a ready-to-use [`SKILL.md`](./skills/websec0/SKILL.md) is shipped

## Try it

**Hosted instance:** [www.websec0.com](https://www.websec0.com) — no signup, no key, public.

Or call the API directly:

```bash
curl -sS -X POST https://www.websec0.com/api/v1/scan \
  -H 'Content-Type: application/json' \
  -d '{"host":"github.com"}' | jq .
```

The full request/response contract, error envelope and grading model are documented in [`SKILL.md`](./skills/websec0/SKILL.md) — written for AI agents but human-readable.

## Self-host

Pull and run the published multi-arch image. Defaults work out of the box:

```bash
docker run --rm -p 8080:8080 ghcr.io/joshuamart/websec0:latest
```

Open . The distroless image weighs ~15 MB and runs as a non-root user.

To override the defaults (listen address, rate limits, SSRF policy, history retention), mount a config file:

```bash
docker run --rm -p 8080:8080 \
  -v "$(pwd)/websec0.yaml":/etc/websec0/websec0.yaml:ro \
  ghcr.io/joshuamart/websec0:latest \
  --config /etc/websec0/websec0.yaml
```

Use [`websec0.yaml.example`](./websec0.yaml.example) as a starting point — every field is annotated.

### Build the image yourself

The repo ships two Dockerfiles. `Dockerfile` builds Go inside Docker and is what `make docker` invokes; `Dockerfile.goreleaser` is the minimal copy-only runtime used by the release pipeline.

```bash
docker build -t websec0 .
docker run --rm -p 8080:8080 websec0
```

### From source

Requires Go 1.26+, Node 22+, pnpm 10+, and rsync.

```bash
make frontend-install
make build
./dist/websec0
```

`make build` declares the embedded Astro bundle as a Make prerequisite, so it rebuilds the frontend (and rsyncs it into `internal/frontend/dist/` where `//go:embed` picks it up) iff a file under `web/` has changed. Iterative Go-only builds incur no frontend overhead.

## How it works

```mermaid
flowchart LR
    User[Web UI · curl · agent] -->|POST /api/v1/scan| API[chi router + rate limit]
    API --> SSRF[safehttp gate<br/>IP pin · no private · no rebind]
    SSRF --> Orch[Scanner orchestrator]
    Orch --> TLS[TLS probe]
    Orch --> HDR[Headers probe]
    Orch --> Custom[Custom checks]
    TLS --> Score[Scoring]
    HDR --> Score
    Score --> Result["scan.Result<br/>(2 grades + findings)"]
    Custom --> Result
    Result --> User
```

Every outbound request goes through **`safehttp`**: each target is pinned to a single IP at DNS-resolution time, RFC 1918 / loopback / link-local addresses are always refused, and the connection is rate-limited per host. Probes then fan out in parallel — a typical scan completes in ~10 seconds.

## License

[MIT](./LICENSE) for the code. Reports generated by the public instance are published under [Creative Commons BY 4.0](https://creativecommons.org/licenses/by/4.0/).
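As an added illustration of the `safehttp` gate described under "How it works" (example code written for this page, not WebSec0's own `safehttp` package): the host is resolved once, any non-public answer refuses the whole host, and the HTTP client only ever dials the pinned IP, so a changed DNS answer (rebinding) or a redirect cannot steer a probe onto an internal address. `lookupFunc`, `isPublicIP`, `pinnedIP` and `newPinnedClient` are names chosen here, not project identifiers.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// lookupFunc matches net.Resolver.LookupIPAddr so tests can inject fixed DNS answers.
type lookupFunc func(ctx context.Context, host string) ([]net.IPAddr, error)

// isPublicIP refuses loopback, RFC 1918 / ULA, link-local, multicast and unspecified addresses.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// pinnedIP resolves host once; a host with any non-public answer is refused (the SSRF gate),
// otherwise the first address becomes the only one every later dial may use.
func pinnedIP(ctx context.Context, lookup lookupFunc, host string) (net.IP, error) {
	addrs, err := lookup(ctx, host)
	if err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("cannot resolve %s: %v", host, err)
	}
	for _, a := range addrs {
		if !isPublicIP(a.IP) {
			return nil, fmt.Errorf("refusing %s: resolves to non-public %s", host, a.IP)
		}
	}
	return addrs[0].IP, nil
}

// newPinnedClient dials the pinned IP whatever DNS says later (no rebind) and does not follow
// redirects, since a 302 to an internal host would otherwise bypass the gate.
func newPinnedClient(ip net.IP, timeout time.Duration) *http.Client {
	d := &net.Dialer{Timeout: timeout}
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		_, port, err := net.SplitHostPort(addr) // keep the port, swap the host for the pin
		if err != nil {
			return nil, err
		}
		return d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
	}
	stop := func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	return &http.Client{Transport: &http.Transport{DialContext: dial}, Timeout: timeout, CheckRedirect: stop}
}
```

Call `pinnedIP(ctx, net.DefaultResolver.LookupIPAddr, host)` once per target and hand the result to `newPinnedClient` for every probe; the per-host rate limiting the README mentions is left out here.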