Zen-AI-Pentest
🛡️ **Professional AI-Powered Penetration Testing Framework**
Python 3.11+
License: MIT
**Guest Control**: Execute tools inside isolated VMs
🌐 Live Demo
**Frontend**: https://zen-ai-pentest.pages.dev - React Dashboard
**API**: https://zen-ai-pentest.workers.dev - Cloudflare Workers API
**Login**: admin / admin (for demo purposes)
🚀 Modern API & Backend
**FastAPI**: High-performance REST API
**PostgreSQL**: Persistent data storage
**WebSocket**: Real-time scan updates
**JWT Auth**: Role-based access control (RBAC)
**Background Tasks**: Async scan execution
📊 Reporting & Notifications
**PDF Reports**: Professional findings reports
**HTML Dashboard**: Interactive web interface
**Slack/Email**: Instant notifications
**JSON/XML**: Integration with other tools
🐳 Easy Deployment
**Docker Compose**: One-command full stack deployment
**CI/CD**: GitHub Actions pipeline
**Production Ready**: Optimized for enterprise use
---
🎯 Real Data Execution - No Mocks!
Zen-AI-Pentest executes **real security tools** - no simulations, no mocks, only actual tool execution:
✅ **Nmap** - Real port scanning with XML output parsing
✅ **Nuclei** - Real vulnerability detection with JSON output
✅ **SQLMap** - Real SQL injection testing with safety controls
✅ **FFuF** - Blazing fast web fuzzer
✅ **WhatWeb** - Technology detection (900+ plugins)
✅ **WAFW00F** - WAF detection (50+ signatures)
✅ **Subfinder** - Subdomain enumeration
✅ **HTTPX** - Fast HTTP prober
✅ **Nikto** - Web vulnerability scanner
✅ **Multi-Agent** - Researcher & Analyst agents cooperate
✅ **Docker Sandbox** - Isolated tool execution for safety
📖 **Enhanced Tools:** README_ENHANCED_TOOLS.md
All tools run with **safety controls**:
Private IP blocking (protects internal networks)
Timeout management (prevents hanging)
Resource limits (CPU/memory constraints)
Read-only filesystems (Docker sandbox)
📖 **Details:** IMPLEMENTATION_SUMMARY.md
---
🚀 Quick Start
---
📚 Table of Contents
Overview
Features
For AI Agents
Quick Start
Installation
Usage
Architecture
API Reference
Project Structure
Configuration
Secret Management
Testing
Docker Deployment
Safety First
Documentation
Contributing
Community & Support
License
---
🎯 Overview
**Zen-AI-Pentest** is an autonomous, AI-powered penetration testing framework that combines cutting-edge language models with professional security tools. Built for security professionals, bug bounty hunters, and enterprise security teams.
Key Highlights
🤖 **AI-Powered**: Leverages state-of-the-art LLMs for intelligent decision making
🔒 **Security-First**: Multiple safety controls and validation layers
🚀 **Production-Ready**: Enterprise-grade with CI/CD, monitoring, and support
📊 **Comprehensive**: 72+ integrated security tools
🔧 **Extensible**: Plugin system for custom tools and integrations
☁️ **Cloud-Native**: Deploy on AWS, Azure, or GCP
📱 **Quick Access**: Scan QR codes for instant mobile access
<p align="center">
<a href="docs/qr_codes/index.html">
<img src="docs/qr_codes/qr_grid_preview.png" alt="QR Codes" width="600">
</a>
<br>
<sub>☝️ Click to view all QR codes or scan with your phone!</sub>
</p>
---
✨ Features
🤖 Autonomous AI Agent
**ReAct Pattern**: Reason → Act → Observe → Reflect
**State Machine**: IDLE → PLANNING → EXECUTING → OBSERVING → REFLECTING → COMPLETED
**Memory System**: Short-term, long-term, and context window management
**Tool Orchestration**: Automatic selection and execution of 72+ pentesting tools
**Self-Correction**: Retry logic and adaptive planning
**Human-in-the-Loop**: Optional pause for critical decisions
🎯 Risk Engine
**False Positive Reduction**: Multi-factor validation with Bayesian filtering
**Business Impact**: Financial, compliance, and reputation risk calculation
**CVSS/EPSS Scoring**: Industry-standard vulnerability assessment
**Priority Ranking**: Automated finding prioritization
**LLM Voting**: Multi-model consensus for accuracy
🔒 Exploit Validation
**Sandboxed Execution**: Docker-based isolated testing
**Safety Controls**: 4-level safety system (Read-Only to Full)
**Evidence Collection**: Screenshots, HTTP captures, PCAP
**Chain of Custody**: Complete audit trail
**Remediation**: Automatic fix recommendations
📊 Benchmarking
**Competitor Comparison**: vs PentestGPT, AutoPentest, Manual
**Test Scenarios**: HTB machines, OWASP WebGoat, DVWA
**Metrics**: Time-to-find, coverage, false positive rate
**Visual Reports**: Charts and statistical analysis
**CI Integration**: Automated regression testing
🔗 CI/CD Integration
**GitHub Actions**: Native action support
**GitLab CI**: Pipeline integration
**Jenkins**: Plugin and pipeline support
**Output Formats**: JSON, JUnit XML, SARIF
**Notifications**: Slack, JIRA, Email alerts
**Exit Codes**: Pipeline-friendly status codes
🧠 AI Persona System
**11 Specialized Personas**: Recon, Exploit, Report, Audit, Social, Network, Mobile, Red Team, ICS, Cloud, Crypto
**CLI Tool**: Interactive and one-shot modes (k-recon, k-exploit, etc.)
**REST API**: Flask-based API with WebSocket support
**Web UI**: Modern browser interface with screenshot analysis
**Context Preservation**: Multi-turn conversations with memory
**Screenshot Analysis**: Upload and analyze images with AI personas
🛡️ Security Guardrails
**IP Validation** - Blocks private networks (10.x, 192.168.x, 172.16-31.x)
**Domain Filtering** - Prevents localhost/internal domain scanning
**Risk Levels** - 4 levels (SAFE → AGGRESSIVE) with tool restrictions
**Rate Limiting** - Prevents accidental DoS
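A sketch of the target check described under "safety controls" and "Security Guardrails", as an added example that is not Zen-AI-Pentest's own code: `check_target`, `ip_block_reason`, `system_resolver` and the `INTERNAL_SUFFIXES` list are hypothetical names and assumptions. It goes beyond the three listed ranges to cover loopback, link-local, IPv4-mapped IPv6 and public-looking hostnames that resolve to internal addresses.

```python
import ipaddress
import socket

# Assumed suffix list for "internal" names; the README does not enumerate them.
INTERNAL_SUFFIXES = (".localhost", ".local", ".internal", ".lan", ".corp", ".home.arpa")


def system_resolver(host):
    """Resolve a name to all of its A/AAAA addresses using the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def ip_block_reason(text):
    """Return why an IP literal is out of bounds, or None if it is public."""
    ip = ipaddress.ip_address(text.split("%")[0])  # drop an IPv6 zone id
    # ::ffff:10.0.0.1 is 10.0.0.1 in IPv6 clothing; judge the embedded address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for flag in ("is_loopback", "is_link_local", "is_private", "is_multicast",
                 "is_reserved", "is_unspecified"):
        if getattr(ip, flag):
            return f"{ip} {flag[3:].replace('_', '-')}"
    return None if ip.is_global else f"{ip} not globally routable"


def check_target(target, resolver=system_resolver):
    """Return (allowed, reason) for a hostname or IP literal scan target."""
    host = target.strip().rstrip(".").lower()
    try:
        reason = ip_block_reason(host)
        return (reason is None, reason or "public address")
    except ValueError:
        pass  # not an IP literal, so treat it as a hostname
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return (False, f"{host} is a local/internal name")
    try:
        addresses = resolver(host)
    except OSError as exc:
        return (False, f"{host} did not resolve: {exc}")
    if not addresses:
        return (False, f"{host} resolved to no addresses")
    # Fail closed: one private record among several is enough to refuse.
    for addr in addresses:
        reason = ip_block_reason(addr)
        if reason:
            return (False, f"{host} resolves to {reason}")
    return (True, f"{host} resolves only to public addresses")
```

A name can resolve differently between this check and the moment a tool connects, so the vetted address, not the hostname, is what should be handed to the scanner.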
🤖 Multi-Agent System
**Workflow Orchestrator** - Manages complex pentest workflows
**Task Distribution** - Assigns tasks to available agents
**Real-time Updates** - WebSocket communication
**Result Aggregation** - Collects and analyzes findings
🔒 VPN Integration (Opt…