# KeygraphHQ/shannon

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/keygraphhq-shannon).**

23,766 stars · 2,348 forks · TypeScript · agpl-3.0

## Links

- GitHub: https://github.com/KeygraphHQ/shannon
- Homepage: https://keygraph.io/
- awesome-repositories: https://awesome-repositories.com/repository/keygraphhq-shannon.md

## Topics

`penetration-testing` `pentesting` `security-audit` `security-automation` `security-tools`

## Description

Shannon is an integrated security platform designed for autonomous penetration testing, static and dynamic analysis, and automated vulnerability remediation within self-hosted, private infrastructure. It functions as a unified security suite that orchestrates the entire lifecycle of vulnerability management, from initial discovery and reachability prioritization to the generation and verification of code-level patches.

The platform distinguishes itself through its agentic approach to security, deploying autonomous agents that execute both black-box and white-box exploits against running applications to confirm vulnerabilities. It uses graph-based data flow analysis to trace execution paths from attacker-controlled inputs (sources) to sensitive operations (sinks), so that a finding represents a path an attacker can actually drive rather than a raw pattern match. As with any static data-flow analysis, that claim is only as strong as the graph's coverage of framework entry points, dynamic dispatch and sanitizers, which is why the runtime exploit step matters as confirmation. By operating in isolated or air-gapped environments, the system keeps source code and sensitive analysis data within the local perimeter, preserving data sovereignty and residency.
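To make the source-to-sink reachability idea concrete, here is a small worked example written for this page. It is not Shannon's code: the graph shape, the node ids, the file paths and line numbers are all constructed. It models each program point as a node, each value flow as an edge, searches from every source, stops expanding at sanitizers, and renders the surviving chain with file and line context the way a reviewer would want to read it.

```typescript
// Added example, not Shannon's implementation. Every identifier, path and
// line number below is constructed for illustration.

type NodeKind = "source" | "sink" | "sanitizer" | "plain";

interface FlowNode {
  id: string;
  kind: NodeKind;
  label: string;     // the expression at this program point
  location: string;  // file:line (constructed)
}

interface FlowGraph {
  nodes: Record<string, FlowNode>;
  succ: Record<string, string[]>;  // node id -> ids the value flows into next
}

interface ReachableFinding {
  source: string;
  sink: string;
  path: string[];  // node ids from source to sink, inclusive
}

function buildGraph(nodes: FlowNode[], edges: [string, string][]): FlowGraph {
  const g: FlowGraph = { nodes: {}, succ: {} };
  nodes.forEach(n => { g.nodes[n.id] = n; g.succ[n.id] = []; });
  edges.forEach(([from, to]) => {
    if (!g.nodes[from] || !g.nodes[to]) {
      throw new Error(`edge references unknown node: ${from} -> ${to}`);
    }
    g.succ[from].push(to);
  });
  return g;
}

// Breadth-first search from every source. A sanitizer node is visited but its
// successors are not expanded, so a value that passed through it cannot reach
// a sink along that path; the sink is still reported if a different,
// unsanitized path reaches it. BFS yields the shortest chain, which is the
// one worth showing to a reviewer.
function reachableSinks(g: FlowGraph): ReachableFinding[] {
  const findings: ReachableFinding[] = [];
  Object.keys(g.nodes).forEach(srcId => {
    if (g.nodes[srcId].kind !== "source") return;
    const parent: Record<string, string | null> = {};
    parent[srcId] = null;
    const queue: string[] = [srcId];
    while (queue.length > 0) {
      const cur = queue.shift()!;
      const node = g.nodes[cur];
      if (node.kind === "sink") {
        findings.push({ source: srcId, sink: cur, path: pathTo(parent, cur) });
      }
      if (node.kind === "sanitizer") continue;  // flow neutralised here
      g.succ[cur].forEach(next => {
        if (!(next in parent)) { parent[next] = cur; queue.push(next); }
      });
    }
  });
  return findings;
}

function pathTo(parent: Record<string, string | null>, end: string): string[] {
  const path: string[] = [];
  let cur: string | null = end;
  while (cur !== null) { path.unshift(cur); cur = parent[cur]; }
  return path;
}

// Render the chain with file:line context, one hop per line.
function formatChain(g: FlowGraph, f: ReachableFinding): string {
  return f.path.map((id, i) => {
    const n = g.nodes[id];
    const tag = i === 0 ? "SOURCE" : i === f.path.length - 1 ? "SINK  " : "  via ";
    return `${tag}  ${n.location}  ${n.label}`;
  }).join("\n");
}

// Constructed sample: a query parameter that reaches a raw SQL call, a config
// value that also reaches that call (not attacker-controlled, so no finding),
// and a body field that is HTML-escaped before being rendered.
const SAMPLE_GRAPH = buildGraph([
  { id: "s1", kind: "source",    label: "req.query.id",                                   location: "routes/user.ts:12" },
  { id: "n1", kind: "plain",     label: "const id = String(req.query.id)",                 location: "routes/user.ts:13" },
  { id: "k1", kind: "sink",      label: "db.raw(`SELECT * FROM users WHERE id = ${id}`)",  location: "models/user.ts:40" },
  { id: "c1", kind: "plain",     label: "config.dbName",                                  location: "models/user.ts:8" },
  { id: "s2", kind: "source",    label: "req.body.name",                                  location: "routes/profile.ts:20" },
  { id: "z1", kind: "sanitizer", label: "escapeHtml(req.body.name)",                      location: "routes/profile.ts:21" },
  { id: "k2", kind: "sink",      label: "res.send(html)",                                 location: "routes/profile.ts:30" },
], [["s1", "n1"], ["n1", "k1"], ["c1", "k1"], ["s2", "z1"], ["z1", "k2"]]);

reachableSinks(SAMPLE_GRAPH).forEach(f => console.log(formatChain(SAMPLE_GRAPH, f) + "\n"));
```

Run on the sample, only the `req.query.id` to `db.raw(...)` chain is reported; the `res.send(html)` sink is not, because the only path to it passes through `escapeHtml`. The weak point of this model is the one the prose above warns about: it is only as complete as the edges you give it, so a missing edge for a framework callback or a dynamically dispatched method silently turns a reachable sink into a non-finding, which is why a runtime exploit attempt is the right confirmation step.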

Beyond core testing, the platform provides comprehensive security observability and supply chain auditing. It correlates static code analysis with dynamic runtime exploitation to provide a unified view of risk, while automatically deduplicating findings to reduce alert noise. The system also supports the software supply chain by generating compliant manifests and inspecting container images without requiring a local container runtime.

The platform integrates directly into existing development workflows, delivering verified patches to source control and synchronizing remediation status with external project management tools. It includes robust support for compliance reporting, audit trails, and risk acceptance management to meet regulatory requirements.

## Tags

### Security & Cryptography

- [Penetration Testing Platforms](https://awesome-repositories.com/f/security-cryptography/penetration-testing-platforms.md) — Provides an integrated security suite for autonomous penetration testing, static analysis, and vulnerability remediation in private environments. ([source](https://keygraph.io/agentic-whitebox-pentester.html))
- [Security Orchestration](https://awesome-repositories.com/f/security-cryptography/security-orchestration.md) — Orchestrates security findings by consolidating scanners, deduplicating alerts, and correlating static analysis with dynamic runtime exploitation.
- [Self-Hosted Security Tools](https://awesome-repositories.com/f/security-cryptography/self-hosted-security-tools.md) — Provides a self-hosted security platform for air-gapped or private cloud environments to ensure data sovereignty.
- [Security Information Management](https://awesome-repositories.com/f/security-cryptography/security/operations-and-incident-response/security-information-management.md) — Consolidates and deduplicates security findings from multiple scanners into a single dashboard to track risk and compliance.
- [Reachability Prioritizers](https://awesome-repositories.com/f/security-cryptography/vulnerability-scanning/reachability-prioritizers.md) — Adjusts vulnerability severity scores based on execution path analysis to focus remediation on confirmed threats. ([source](https://keygraph.io/sca.html))
- [Credential Remediation Workflows](https://awesome-repositories.com/f/security-cryptography/credential-remediation-workflows.md) — Generates verified code patches and integrates them directly into development workflows to resolve security flaws.
- [Data Residency Controls](https://awesome-repositories.com/f/security-cryptography/data-residency-controls.md) — Restricts data processing and storage to specific geographic regions to ensure compliance with data residency requirements. ([source](https://keygraph.io/code-security-posture.html))
- [Dependency Vulnerability Scanners](https://awesome-repositories.com/f/security-cryptography/dependency-vulnerability-scanners.md) — Identifies security flaws in third-party dependencies and determines reachability from attacker-controlled inputs. ([source](https://keygraph.io/index.html))
- [Software Supply Chain Security](https://awesome-repositories.com/f/security-cryptography/software-supply-chain-security.md) — Identifies reachable vulnerabilities in third-party dependencies and container images to secure the software supply chain.
- [Inline Risk Analysis](https://awesome-repositories.com/f/security-cryptography/vulnerability-assessment-testing/security-testing-auditing/security-analysis-tools/inline-risk-analysis.md) — Correlates static code analysis with dynamic runtime exploitation to provide a unified view of reachable security risks. ([source](https://keygraph.io/keygraph-vs-semgrep.html))
- [Business Logic Security](https://awesome-repositories.com/f/security-cryptography/business-logic-security.md) — Analyzes application code to detect business logic deviations like broken access controls and improper state transitions. ([source](https://keygraph.io/business-logic-testing.html))
- [Infrastructure as Code Scanners](https://awesome-repositories.com/f/security-cryptography/infrastructure-as-code-scanners.md) — Analyzes infrastructure-as-code files to identify security risks like public exposure and IAM misconfigurations. ([source](https://keygraph.io/iac-scanning.html))
- [Private Data Processing Environments](https://awesome-repositories.com/f/security-cryptography/private-data-processing-environments.md) — Deploys security testing tools within isolated environments to keep sensitive source code and analysis data within the local perimeter.
- [Secret Detection](https://awesome-repositories.com/f/security-cryptography/secret-detection.md) — Scans code and commit history to identify and prioritize leaked credentials, API keys, and tokens. ([source](https://keygraph.io/index.html))
- [Identity Provider Integrations](https://awesome-repositories.com/f/security-cryptography/identity-provider-integrations.md) — Integrates with SAML and OIDC identity providers to automate user access management and provisioning. ([source](https://keygraph.io/enterprise.html))

### Artificial Intelligence & ML

- [Automated Code Remediation](https://awesome-repositories.com/f/artificial-intelligence-ml/ai-coding-assistants/automated-code-remediation.md) — Generates, validates, and delivers verified code patches directly into development workflows to resolve security flaws.
- [Autonomous Agents](https://awesome-repositories.com/f/artificial-intelligence-ml/autonomous-agents.md) — Deploys autonomous agents to execute black-box and white-box exploits for security vulnerability verification.
- [AI Model Management](https://awesome-repositories.com/f/artificial-intelligence-ml/agentic-systems-frameworks/model-integration-serving/ai-model-management.md) — Provides configuration management for self-hosted and cloud-based AI models to control data processing and usage. ([source](https://keygraph.io/enterprise.html))

### DevOps & Infrastructure

- [Air-Gapped Deployments](https://awesome-repositories.com/f/devops-infrastructure/infrastructure-deployment/infrastructure-deployment/air-gapped-deployments.md) — Operates entirely within private, air-gapped infrastructure to ensure data sovereignty and security.
- [Daemonless Container Engines](https://awesome-repositories.com/f/devops-infrastructure/daemonless-container-engines.md) — Inspects container image layers as raw archives without requiring a local container runtime daemon.

### Software Engineering & Architecture

- [Static Analysis Engines](https://awesome-repositories.com/f/software-engineering-architecture/static-analysis-engines.md) — Implements a security engine that traces data flows and executes exploits to confirm reachable vulnerabilities.
- [Automated Remediation Strategies](https://awesome-repositories.com/f/software-engineering-architecture/automated-remediation-strategies.md) — Generates and validates code patches by re-running exploit signals to ensure fixes resolve vulnerabilities before developer review.
- [Automated Fix Verifiers](https://awesome-repositories.com/f/software-engineering-architecture/reproducibility-verifiers/automated-fix-verifiers.md) — Generates and verifies code-level patches by re-running exploit signals to ensure fixes resolve vulnerabilities. ([source](https://keygraph.io/code-security-posture.html))
- [Security Finding Deduplicators](https://awesome-repositories.com/f/software-engineering-architecture/hash-tables/deduplication-algorithms/security-finding-deduplicators.md) — Merges redundant security findings from multiple scanners into single canonical records using content hashing and machine learning.
- [Supply Chain Security](https://awesome-repositories.com/f/software-engineering-architecture/supply-chain-security.md) — Produces compliant software manifests for scanned images to support supply chain transparency. ([source](https://keygraph.io/container-scanning.html))
- [Compliance Reporting](https://awesome-repositories.com/f/software-engineering-architecture/compliance-reporting.md) — Generates exportable compliance reports aligned with industry standards like CIS, NIST, and HIPAA. ([source](https://keygraph.io/iac-scanning.html))
- [Deduplication Algorithms](https://awesome-repositories.com/f/software-engineering-architecture/hash-tables/deduplication-algorithms.md) — Collapses redundant exploit findings into canonical records using content hashing and semantic analysis. ([source](https://keygraph.io/index.html))
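The description and the two deduplication tags above both refer to collapsing redundant findings from several scanners into one canonical record using content hashing. The following is an added example written for this page, not Shannon's code; scanner names, paths and snippets are constructed. It normalises the parts of a finding that identify the underlying issue, derives a content fingerprint, and merges duplicates while keeping the strongest severity and any runtime confirmation.

```typescript
// Added example, not Shannon's implementation. Scanner names, file paths and
// snippets are constructed for illustration.

type Severity = "low" | "medium" | "high" | "critical";
const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

interface RawFinding {
  scanner: string;    // tool that reported it
  category: string;   // normalised vulnerability class, e.g. "sqli"
  file: string;
  line: number;
  snippet: string;    // offending source line as the scanner saw it
  severity: Severity;
  verified: boolean;  // true when a runtime exploit confirmed it
}

interface CanonicalFinding {
  fingerprint: string;
  category: string;
  file: string;
  snippet: string;
  lines: number[];       // every line number a scanner attached
  severity: Severity;    // highest reported
  verified: boolean;     // true if any scanner confirmed it
  reportedBy: string[];  // distinct scanners
}

// Identity is (category, normalised path, whitespace-normalised snippet).
// Line numbers are deliberately excluded: they drift between commits and
// scanners disagree on them by a line or two, which would split one issue
// into several records.
function normalise(f: RawFinding) {
  return {
    category: f.category.toLowerCase(),
    file: f.file.replace(/\\/g, "/").replace(/^(\.\/)+/, ""),
    snippet: f.snippet.replace(/\s+/g, " ").trim(),
  };
}

function canonicalKey(f: RawFinding): string {
  const n = normalise(f);
  return [n.category, n.file, n.snippet].join("\u0000");
}

// 32-bit FNV-1a over the key's UTF-16 code units; enough to demonstrate a
// content-addressed fingerprint. Use SHA-256 from node:crypto when the
// fingerprint must be collision-resistant, e.g. when it is exposed as an
// external identifier.
function fnv1a32(s: string): string {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    // multiply by the FNV prime 16777619 using shifts, modulo 2^32
    h = (h + ((h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24))) >>> 0;
  }
  return ("00000000" + h.toString(16)).slice(-8);
}

function fingerprint(f: RawFinding): string {
  return fnv1a32(canonicalKey(f));
}

// Merge by canonical key (not by the short hash, so a hash collision can
// never silently merge two different issues); keep first-seen order.
function dedupe(raw: RawFinding[]): CanonicalFinding[] {
  const byKey: Record<string, CanonicalFinding> = {};
  const order: string[] = [];
  raw.forEach(f => {
    const key = canonicalKey(f);
    const existing = byKey[key];
    if (!existing) {
      const n = normalise(f);
      byKey[key] = {
        fingerprint: fnv1a32(key), category: n.category, file: n.file, snippet: n.snippet,
        lines: [f.line], severity: f.severity, verified: f.verified, reportedBy: [f.scanner],
      };
      order.push(key);
      return;
    }
    if (existing.lines.indexOf(f.line) < 0) existing.lines.push(f.line);
    if (SEVERITY_RANK[f.severity] > SEVERITY_RANK[existing.severity]) existing.severity = f.severity;
    existing.verified = existing.verified || f.verified;
    if (existing.reportedBy.indexOf(f.scanner) < 0) existing.reportedBy.push(f.scanner);
  });
  return order.map(key => byKey[key]);
}

// Constructed sample: two scanners report the same SQL injection with a
// different path prefix, whitespace and line number; a third finding is distinct.
const SAMPLE_FINDINGS: RawFinding[] = [
  { scanner: "sast-engine", category: "SQLi", file: "./src/models/user.ts", line: 40,
    snippet: "db.raw(`SELECT * FROM users WHERE id = ${id}`)", severity: "high", verified: false },
  { scanner: "dast-agent", category: "sqli", file: "src/models/user.ts", line: 41,
    snippet: "  db.raw(`SELECT  *  FROM users WHERE id = ${id}`)  ", severity: "critical", verified: true },
  { scanner: "sast-engine", category: "xss", file: "src/routes/profile.ts", line: 30,
    snippet: "res.send(html)", severity: "medium", verified: false },
];

dedupe(SAMPLE_FINDINGS).forEach(f =>
  console.log(`${f.fingerprint} ${f.severity} verified=${f.verified} ${f.file} [${f.reportedBy.join(",")}]`));
```

On the sample the three raw findings collapse to two canonical records; the SQL injection carries both scanners, both line numbers, the higher severity and the runtime confirmation. The choice of what goes into the key is the whole design: too little (file and category only) merges distinct bugs in one file, too much (exact line and raw text) lets every rescan reopen a closed issue.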

### Development Tools & Productivity

- [Control Flow Analysis](https://awesome-repositories.com/f/development-tools-productivity/code-quality-analysis/static-analysis-engines/static-analysis-tools/control-flow-analysis.md) — Traces execution paths from user inputs to sensitive sinks using graph-based data flow analysis to identify reachable vulnerabilities.
- [Issue Tracking Integrations](https://awesome-repositories.com/f/development-tools-productivity/issue-tracking-integrations.md) — Synchronizes security findings and remediation status bidirectionally with external project management and issue tracking tools. ([source](https://keygraph.io/reporting-and-analytics.html))
- [Platform Workflow Integrations](https://awesome-repositories.com/f/development-tools-productivity/platform-workflow-integrations.md) — Integrates directly into source control to deliver verified patches and synchronize remediation status with issue trackers. ([source](https://keygraph.io/code-remediation.html))

### Testing & Quality Assurance

- [Static Analysis](https://awesome-repositories.com/f/testing-quality-assurance/code-quality-review/static-analysis.md) — Performs static analysis using data-flow context to identify security flaws within application codebases. ([source](https://keygraph.io/index.html))

### System Administration & Monitoring

- [Execution Path Visualization](https://awesome-repositories.com/f/system-administration-monitoring/execution-path-visualization.md) — Renders complete execution chains from source to sink with line-by-line code context for vulnerability analysis. ([source](https://keygraph.io/agentic-sast.html))
- [Security Audit Logs](https://awesome-repositories.com/f/system-administration-monitoring/security-audit-logs.md) — Records system actions, scan results, and status changes into searchable logs for compliance and incident analysis. ([source](https://keygraph.io/enterprise.html))
- [Metric Dashboards](https://awesome-repositories.com/f/system-administration-monitoring/metric-dashboards.md) — Visualizes security posture through dashboards monitoring mean time to remediation and discovery velocity. ([source](https://keygraph.io/reporting-and-analytics.html))

### Networking & Communication

- [Security Workflow Synchronizers](https://awesome-repositories.com/f/networking-communication/distributed-systems-p2p/distributed-computing/data-synchronization-consistency/security-workflow-synchronizers.md) — Maintains consistent security status by automatically syncing findings and remediation progress between scanning tools and external issue trackers.

### Scientific & Mathematical Computing

- [Vulnerability Suppressions](https://awesome-repositories.com/f/scientific-mathematical-computing/risk-assessment-metrics/risk-assessment/vulnerability-suppressions.md) — Manages risk acceptance by allowing temporary suppression of vulnerabilities with automated expiration and re-opening. ([source](https://keygraph.io/reporting-and-analytics.html))
