Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more
3.4k
Stars
295
Forks
12
Open issues
11
Contributors
AI Analysis
Cariddi is a Go-based web crawler and security scanner designed for reconnaissance during bug bounty hunts and penetration testing. It crawls URLs from input domains and scans for exposed endpoints, secrets, API keys, tokens, and other sensitive data. This tool is specifically built for security professionals and red teamers performing offensive reconnaissance—not suitable for general-purpose web crawling or for those without security expertise.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Web crawler and secret scanner for security researchers; narrow but focused scope in bug bounty and reconnaissance workflows
Cariddi is a Go-based web crawler and endpoint scanner designed for security researchers to hunt for exposed secrets, API keys, file extensions, and misconfigured endpoints across domain lists. Built by edoardottt, it targets bug bounty hunters and penetration testers who need lightweight, command-line-driven reconnaissance. The tool occupies a specific niche: post-subdomain discovery, pre-exploitation scanning. Adoption appears concentrated within the infosec community rather than mainstream DevOps or infrastructure roles.
Cariddi was created in April 2021 as part of edoardottt's broader security toolkit ecosystem (alongside scilla, a DNS tool). It emerged during the rise of bug bounty platforms and increased automation demand in reconnaissance workflows. The project reflects a trend toward modular, specialized Go-based security scanners over monolithic frameworks.
The project accumulated 3,449 stars over roughly 5 years, averaging ~690 stars annually in its early phase, but growth has plateaued significantly (only 1 star in the last 7 days as of 2026-07-10). However, the most recent commit is from 2026-07-04, indicating active maintenance despite low recent star velocity. The project appears to have reached a stable, niche maturity rather than experiencing abandonment.
Adoption not verified. README does not cite known deployments, organizations, or use cases. No mention of integration into commercial tools or widespread adoption in bug bounty platforms. Project is available via multiple package managers (Homebrew, Snap, Pacman, NixOS) suggesting some downstream adoption, but scale is unclear. GitHub metadata alone does not confirm production usage.
Likely a single-purpose crawler with modular scanning modes (secrets, endpoints, errors, file extensions, custom patterns). Based on README, it supports configurable concurrency, custom headers, proxy routing, and multiple output formats (JSON, HTML, TXT). Architecture appears designed for CLI-first, pipeline-compatible usage rather than library integration.
Not documented in README. No mention of testing strategy, CI/CD test runs, or coverage metrics provided.
Active: last push on 2026-07-04 (6 days before analysis date). Go report card badge visible, CI workflows present. However, issue and PR activity not visible from metadata; low recent star growth may indicate attention from author is maintenance-mode rather than feature-development. Appears well-maintained but not rapidly evolving.
ADOPT IF: you are a penetration tester or bug bounty researcher needing lightweight, scriptable web crawling with pattern-based secret/endpoint detection, and you want something that integrates into CLI pipelines. AVOID IF: you need a comprehensive security platform, GUI-driven workflow, or widespread vendor support and documentation. MONITOR IF: you are building internal reconnaissance automation and want to evaluate whether cariddi's feature stability and maintenance level justify integration, or if emerging alternatives offer better extensibility.
Independent dimensions
Mainstream potential
3/10
Technical importance
6/10
Adoption evidence
2/10
- Adoption not verified: no public evidence of production use at scale; community feedback loop may be thin.
- Limited documentation: README covers usage flags but lacks troubleshooting, tuning guidance, or real-world examples beyond basic invocation.
- Narrow feature set: focused specifically on crawling + secrets/endpoints; does not attempt API testing, vulnerability scanning, or exploitation automation, limiting utility for teams seeking consolidation.
- Single maintainer (edoardottt): project continuity depends on one individual; no visible core team or organizational backing reduces resilience.
- Pattern-based detection: secret/endpoint hunting relies on regex and keyword matching; may produce false positives or miss obfuscated or novel patterns without manual rule updates.
Cariddi will likely remain a stable, niche tool for security researchers who prefer modular, command-line-driven reconnaissance. Growth is unlikely to accelerate absent ecosystem integration (e.g., native support in bug bounty platforms) or feature expansion. Most probable outcome: slow, steady maintenance with occasional feature additions and dependencies updates.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Website
- https://edoardottt.com/
- Language
- Go
- License
- GPL-3.0
- Last updated
- 7d ago
- Created
- 63mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Top contributors
Recent releases
Similar repos
edoardottt/awesome-hacker-search-engines
A curated collection of search engines and tools for security professionals...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
3.4k | +1 | Go | 7/10 | 7d ago |
|
|
1.2k | — | Go | 7/10 | 7d ago |
|
|
10.9k | — | Shell | 7/10 | 4d ago |
|
|
1.5k | — | Go | 7/10 | 2w ago |
|
|
14k | — | Go | 8/10 | 2d ago |
Subfinder (13,984 stars) focuses on subdomain enumeration; cariddi handles post-discovery crawling and secret scanning. Different stages of the same workflow; complementary rather than competing.
Sister project by same author; scilla is DNS/reconnaissance focused. Cariddi adds web crawling and content scanning; both serve different phases of reconnaissance.
ScopeSentry (1,526 stars) also covers scope and endpoint discovery. Comparable adoption; differences in feature sets not determinable from metadata alone.
ProjectDiscovery's nuclei is a more general-purpose vulnerability scanner; cariddi is narrower (focused on crawling and pattern matching). Nuclei likely has broader adoption and feature richness.
Unlike commercial or heavier tools, cariddi is CLI-first and integrable into automation pipelines; trades UI richness for scriptability.
