GoSec-ADK is an open-source, model-agnostic security tool built using the Google Agent Development Kit (ADK) pattern. It features a powerful Dual-Mode Architecture designed for both internal compliance auditing and external Bug Bounty hunting. By giving an AI agent "hands" (standard security tools) and "eyes" (a unified knowledge graph), it can autonomously perform tasks, analyze results, and chain vulnerabilities.
- Dual-Mode Profiles: Run in
compliancemode for internal hardening oroffensivemode for zero-day bug bounty hunting. - Model Agnostic: Supports Google Gemini, OpenAI GPT-4o, and Local Uncensored Models (via OpenAI compatible APIs like Ollama/Nvidia NIM).
- ReAct Pattern: The agent reasons about the user's request, selects the appropriate tool, executes it, and analyzes the output.
- Centralized Memory: All findings (subdomains, endpoints, vulnerabilities, compliance failures) are ingested into an in-memory graph database.
- Contextual Analysis: Links root domains to subdomains, web endpoints, and specific vulnerabilities.
- Attack Path Detection: Automatically identifies and traces paths an attacker could take from an external endpoint to a confirmed vulnerability.
Compliance Profile (--profile compliance)
- Nmap: Network reconnaissance and port scanning.
- Lynis: In-depth system hardening checks.
- Gitleaks: Hardcoded secret scanning.
Offensive Profile (--profile offensive)
- Subfinder: Subdomain enumeration.
- Httpx: Active service probing and technology detection.
- Katana: Deep SPA crawling and JavaScript analysis.
- Nuclei: Template-based vulnerability scanning.
- FFUF: Parameter and directory fuzzing.
- PoC Generator: Automated HackerOne markdown report generation.
- Policy as Code: Compliance standards defined in simple YAML profiles (HIPAA, PCI-DSS, GDPR, NIST, CIS).
- Go 1.21 or higher
- Git
For Compliance Mode (Nmap, Lynis, Gitleaks):
macOS: brew install nmap lynis gitleaks
Linux: sudo apt-get install nmap lynis git & download Gitleaks.
For Offensive Bug Bounty Mode (ProjectDiscovery + FFUF): Run these Go install commands to compile the required offensive tools:
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/katana/cmd/katana@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install github.com/ffuf/ffuf/v2@latestNote: Ensure your Go bin directory is in your PATH (export PATH=$PATH:$(go env GOPATH)/bin).
# Clone the repository
git clone https://github.com/AbdulKhaliq293/GoSec.git
cd gosec-adk
# Install Go dependencies
go mod download
# Build the binary
go build -o gosec-adk cmd/main.goYou need an API key for at least one LLM provider (Gemini is the default).
-
Interactive Setup:
./gosec-adk config setup
Follow the prompts to enter your API keys.
-
Manual Configuration: Set environment variables:
export GOOGLE_API_KEY="your_gemini_key" # Optional export OPENAI_API_KEY="your_openai_key" export ANTHROPIC_API_KEY="your_anthropic_key"
Run directly with Go:
go run main.go interactive# For internal compliance audits
./gosec-adk interactive --profile compliance
# For external bug bounty hunting and recon
./gosec-adk interactive --profile offensiveBesides the interactive agent, you can use the CLI for configuration:
-
Setup Wizard (Configure LLM Providers like Gemini, OpenAI, Nvidia NIM):
go run main.go config setup
Tip: To use local models (Ollama) or Nvidia NIM, export
OPENAI_BASE_URLbefore running setup.
Compliance Profile Examples:
-
"Run a fast Nmap scan on localhost."
-
"Check if this system meets HIPAA requirements."
-
"How do I fix the SSH root login issue?"
Offensive Bug Bounty Profile Examples:
-
"Run subfinder on target.com and verify live endpoints with httpx."
-
"Crawl the discovered web endpoints deeply with katana."
-
"Perform an authorized parameter verification on https://target.com/api?id=FUZZ using FFUF."
-
"Scan the discovered endpoints with Nuclei and generate a HackerOne PoC report if vulnerabilities are found."
Contributions are welcome!
- Add new Compliance Profiles in
profiles/. - Add new Remediation Templates in
remediation_templates/. - Implement new Tool Wrappers in
pkg/wrappers/.
MIT