Skip to content

xalgord/xalgorix

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

497 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Xalgorix — AI Autonomous Penetration Testing Platform

Go License Platform Hosted GitHub stars GitHub forks GitHub release

Ask DeepWiki

xalgord/xalgorix | Trendshift

Xalgorix — Open-source AI pentester that proves vulnerabilities

Most scanners detect. Xalgorix proves. An autonomous LLM agent works a full pentest methodology, then an independent verifier re-exploits every finding before it's reported — so you get proof, not a pile of maybes to triage. Self-hosted, private, and bring-your-own-LLM. Built in Go + TypeScript.

Quick Start · Why Xalgorix · Features · Use Cases · Hosted Cloud · Docs


Quick Start

Install (one line):

curl -sSL https://www.xalgorix.com/install | bash

This downloads the prebuilt binary for your platform (Linux amd64/arm64) from the latest release. Then point it at your LLM provider in ~/.xalgorix.env:

XALGORIX_LLM=minimax/MiniMax-M3
XALGORIX_API_KEY=your_provider_api_key

Launch the dashboard and open http://127.0.0.1:9137:

xalgorix --web

Or run with Docker — batteries included, no toolchain needed:

docker run --rm -p 9137:9137 \
  -v xalgorix-data:/data \
  xalgord/xalgorix:latest

Open http://localhost:9137. You don't need an LLM key to start — the dashboard launches without one; set the model + API key under Settings → LLM (it persists to the /data volume). If you don't pass XALGORIX_USERNAME/XALGORIX_PASSWORD, a random admin password is generated and printed to the container logs on first run.

Easiest — Docker Compose (maps the port + a persistent volume for you):

curl -sSLO https://raw.githubusercontent.com/xalgord/xalgorix/main/docker-compose.yml
docker compose up -d
docker compose logs -f   # shows the generated admin password on first start

The image ships an extensive offensive-security toolset preinstalled (nmap, nuclei, httpx, subfinder, katana, ffuf, gobuster, sqlmap, masscan, dalfox, feroxbuster, and more) and keeps every package manager (apt, go, cargo, pipx, npm) available so the agent can still auto-install anything missing at runtime. It runs as root inside the container by design — treat the container as a disposable, network-isolated scanning sandbox and never expose the dashboard without auth. (amd64 image; the installer above covers arm64.)

Or build from source (needs Go 1.25+ and Node.js):

git clone https://github.com/xalgord/xalgorix.git
cd xalgorix
make build
sudo install -m 755 build/xalgorix /usr/local/bin/xalgorix

Tip

Prefer zero setup? A fully managed version runs at www.xalgorix.com — click-to-scan, no install or API keys required.

Review pull requests automatically — free GitHub App

Want a security review on every pull request with zero setup? Install the Xalgorix GitHub App. It reads each PR's diff and comments a security review — injection, broken auth/IDOR, SSRF, secrets, unsafe patterns — right on the pull request. Updates in place on new commits, and you can comment @xalgorix review to re-run on demand. No workflow file, no API key, no account — and it's free.

For merge gating and full exploit-verified pentests in CI, use the hosted scanner or the GitHub Action.

Important

Use Xalgorix only on systems you own or have explicit permission to test.

Tip

Prefer not to self-host? A fully managed version is available at www.xalgorix.com — click-to-scan, no install or API keys required.

Contents

Overview

Xalgorix is a self-hosted AI penetration testing platform for authorized security testing, vulnerability assessment, and bug bounty workflows. It combines an LLM-driven autonomous agent, browser automation, terminal tooling, a comprehensive 22-phase testing methodology, live WebSocket telemetry, finding management with CVSS scoring, branded PDF report generation, and integrations for AgentMail, Discord, and Telegram.

Unlike cloud-only DAST scanners, Xalgorix runs entirely on your machine. You bring your own LLM provider (OpenAI, Anthropic, DeepSeek, Gemini, Groq, Ollama, MiniMax) and control the model, reasoning effort, rate limits, and proxy configuration. No scan data, API keys, or target information leaves your infrastructure.

The default experience is the Web UI. From one local dashboard you can start scans, monitor active runs, inspect findings, configure model/provider settings, manage environment variables, generate branded PDF reports, and delete or resume historical scans.

Why Xalgorix

Most scanners detect. Xalgorix proves. An autonomous agent works through a 22-phase methodology, then an independent verifier re-tests every candidate finding before it is reported — so you get exploit-verified results with evidence, not a wall of "maybes" to triage.

  • 🧠 An AI agent, not a template engine — reasons about auth flows, business logic, IDOR/BOLA, and chained exploits that signature scanners miss.
  • Exploit-verified findings — a separate verifier independently reproduces each finding; inconclusive ones are flagged for review, never dressed up as confirmed.
  • 🔒 Self-hosted and private — runs on your machine with your own LLM key; no target data, keys, or findings leave your infrastructure.
  • 🧩 Bring your own LLM — OpenAI, Anthropic, DeepSeek, Gemini, Groq, Ollama, or MiniMax — or any OpenAI-compatible gateway like LiteLLM (GitHub Copilot, Codex, OpenRouter, Azure). You control model, reasoning effort, and cost.
  • 📄 Audit-ready reports — branded PDFs with CVSS scores, proof-of-concept, and remediation.

How it compares

Xalgorix Template scanners (e.g. Nuclei) Crawling scanners (e.g. OWASP ZAP) Commercial DAST
Approach Autonomous AI agent Signatures / templates Spider + active rules Signatures + heuristics
Business logic / IDOR / auth-bypass coverage Limited Limited Partial
Exploit-verified (proves impact) ✅ independent verifier Partial
False-positive load Low (proven) Template-dependent High Medium
Self-hosted / data stays local Usually cloud
Bring-your-own LLM
Branded PDF reports Basic
Cost Open source + your LLM Free Free $$$

Directional comparison — Nuclei and ZAP are excellent at what they do. Xalgorix adds the reasoning-heavy discovery and exploit-verification layer on top.

If Xalgorix saves you a triage cycle, please ⭐ star the repo — it genuinely helps others find it.

Use Cases

Use Case How Xalgorix helps
Penetration testing Run a full 22-phase methodology against authorized targets. The AI agent handles reconnaissance, vulnerability discovery, injection testing, SSRF, IDOR, auth bypass, race conditions, and more — then verifies findings before reporting.
Bug bounty hunting Point Xalgorix at an in-scope target and let the agent enumerate the attack surface, test for common vulnerability classes, and surface verified findings with CVSS scores and proof-of-concept evidence.
Red team operations Use wildcard and multi-target scan modes to map an organization's external attack surface. Browser-assisted DAST handles auth flows, forms, and runtime behavior that static scanners miss.
Security research The novel-vulnerability-discovery phase pushes the agent beyond known template matching. Bring your own LLM (OpenAI, Anthropic, DeepSeek, Gemini, Ollama, MiniMax) to control reasoning depth and cost.
Continuous security testing Run as a system service with xalgorix --start. Scan on a schedule, stream findings to Discord or Telegram, and generate branded PDF reports for stakeholders.
DAST automation Browser-driven testing for web applications — auth flows, forms, JavaScript-rendered content, and runtime behavior. Integrates with Caido for proxy traffic inspection.

Screenshots

Overview dashboard Scan detail Findings
Xalgorix overview dashboard Xalgorix scan detail Xalgorix findings

Features

Area Capabilities
Dashboard Local Web UI on 127.0.0.1:9137 by default, scan management, live status, bulk scan actions, and historical scan recovery.
Scanning Single target, DAST, wildcard, and multi-target flows with selectable methodology phases.
Live telemetry Tool calls, agent messages, findings, errors, HTTP activity, and LLM activity over WebSockets.
Findings Scan detail pages, severity filters, CVSS details, finding index, and verified finding workflows.
Reporting Branded PDF reports with target/company name, uploaded logo, report list, open/download/delete actions.
Integrations AgentMail test inboxes, verification emails, OTP flows, email triage events, Discord and Telegram notifications.
Configuration Dashboard settings for LLM, AgentMail, Discord, Telegram, proxy, runtime, browser, auth, rate limits, and resources.
Runtime safety Resource-aware instance limits and loopback-only binding unless external access is explicitly configured with auth.

Installation

The fastest paths need no toolchain at all.

One-line install (prebuilt binary)

curl -sSL https://www.xalgorix.com/install | bash

Downloads the latest release binary for your platform (Linux amd64/arm64) and installs it to /usr/local/bin (or ~/.local/bin without sudo). Override with XALGORIX_INSTALL_DIR or pin a version with XALGORIX_VERSION=vX.Y.Z.

Docker

docker run --rm -p 9137:9137 \
  -e XALGORIX_LLM=minimax/MiniMax-M3 \
  -e XALGORIX_API_KEY=your_provider_api_key \
  -v xalgorix-data:/data \
  ghcr.io/xalgord/xalgorix:latest

The image is batteries-included: an extensive offensive-security toolset is preinstalled (nmap, nuclei, httpx, subfinder, dnsx, naabu, katana, ffuf, gobuster, dalfox, feroxbuster, sqlmap, masscan, nikto, whatweb, hydra, and more), plus Chromium for browser-assisted DAST. It also keeps the full package-manager set (apt, go, cargo, pipx, npm) available, so the agent auto-installs anything missing at runtime. Scan data persists to the /data volume, and the server binds 0.0.0.0 inside the container — set XALGORIX_USERNAME/XALGORIX_PASSWORD before exposing it beyond localhost.

The container runs as root by design (the engine only enables runtime auto-install for uid 0, and apt/go/cargo installs need system write access). Treat it as a disposable, network-isolated scanning sandbox. It's published for amd64; use the one-line installer for arm64 hosts.

On first run, if you don't set dashboard auth the container generates a random admin password and prints it to the logs (the image binds 0.0.0.0, which the engine won't do without auth). Set XALGORIX_USERNAME + XALGORIX_PASSWORD (or XALGORIX_PASSWORD_HASH) to use your own. The binary never self-updates inside the container (XALGORIX_NO_AUTO_UPDATE=1) — pull a new image tag to upgrade.

Requirements (build from source)

Requirement Notes
Linux Primary supported platform.
Go 1.25 or newer.
Node.js + npm Required when building the bundled React Web UI from source.
Security tools Installed on demand only when auto-install is enabled.

Check your Go version:

go version

Build From Source

git clone https://github.com/xalgord/xalgorix.git
cd xalgorix
make build
sudo install -m 755 build/xalgorix /usr/local/bin/xalgorix

make build builds the React Web UI into internal/web/static, then builds the Go binary.

Install With Go

GOPROXY=direct GOSUMDB=off go install github.com/xalgord/xalgorix/v4/cmd/xalgorix@latest

Configuration

Xalgorix loads configuration in this order. Later sources override earlier ones.

Order Source
1 /etc/xalgorix.env
2 /home/<sudo-user>/.xalgorix.env when launched through sudo
3 ~/.xalgorix.env
4 Environment variables already present in the process

Create the local environment file:

nano ~/.xalgorix.env

Minimal Config

XALGORIX_LLM=minimax/MiniMax-M3
XALGORIX_API_KEY=your_provider_api_key

Provider Examples

OpenAI:

XALGORIX_LLM=openai/gpt-5.4
XALGORIX_API_KEY=sk-...

Custom OpenAI-compatible provider:

XALGORIX_LLM=custom/security-model
XALGORIX_API_BASE=https://your-provider.example/v1
XALGORIX_API_KEY=your_provider_api_key

LiteLLM / OpenAI-compatible gateways (GitHub Copilot, Claude Opus, Codex, OpenRouter, Azure, local models)

Because XALGORIX_API_BASE accepts any OpenAI-compatible /v1/chat/completions endpoint, Xalgorix works with a LiteLLM proxy out of the box — no Xalgorix-side changes needed. LiteLLM handles the upstream provider auth (Copilot device login, Azure keys, OpenRouter, Ollama, etc.); Xalgorix just talks OpenAI to the gateway.

Run LiteLLM (example config.yaml):

model_list:
  - model_name: claude-opus-4-8
    litellm_params:
      model: github_copilot/claude-opus-4.8   # or openrouter/…, azure/…, ollama/…
general_settings:
  master_key: sk-local-litellm-key

Point Xalgorix at it — use the custom/ prefix so the model name is sent verbatim and the OpenAI chat-completions protocol is used:

XALGORIX_LLM=custom/claude-opus-4-8            # the LiteLLM model_name
XALGORIX_API_BASE=http://localhost:4000/v1     # your LiteLLM proxy
XALGORIX_API_KEY=sk-local-litellm-key          # LiteLLM master_key / virtual key

The same pattern covers GitHub Copilot Business/CLI, Claude Opus, Codex-style models, OpenRouter, Azure OpenAI, and local Ollama models — anything LiteLLM can route. Keep the custom/ (or openai/) prefix and a non-Anthropic/Gemini XALGORIX_API_BASE so Xalgorix uses the standard OpenAI request shape that LiteLLM expects.

Optional Integrations

GEMINI_API_KEY=AIza...
AGENTMAIL_POD=am_us_pod_47
AGENTMAIL_API_KEY=ak_...
XALGORIX_DISCORD_WEBHOOK=https://discord.com/api/webhooks/...
XALGORIX_DISCORD_MIN_SEVERITY=high

Dashboard Authentication

XALGORIX_USERNAME=admin
XALGORIX_PASSWORD=change-this-password

Tip

Prefer XALGORIX_PASSWORD_HASH for production deployments.

Upgrading from previous versions

This release ships a stability and workspace-isolation pass with one breaking change and a few new knobs worth knowing about.

Breaking change: default workspace moved to ~/.xalgorix/data/

Scan output, notes, schedules, and other generated artefacts now live under ~/.xalgorix/data/ instead of $CWD (the directory the binary was launched from).

To retain the previous behavior, point XALGORIX_DATA_DIR at your current working directory:

export XALGORIX_DATA_DIR=$(pwd)

A [MIGRATION] warning is emitted at startup when legacy markers (notes.json, _schedules/, vulnerabilities.json, or YYYY-MM-DD/scan-* directories) are detected in $CWD and XALGORIX_DATA_DIR is unset. Xalgorix never reads, copies, or deletes those legacy files automatically; the warning is informational and only fires once per process.

New environment variable

Variable Default Description
XALGORIX_LLM_MAX_INFLIGHT 4 × EffectiveMaxInstances Caps simultaneous outbound LLM calls across all running scans. Minimum 1. Cancelled waiters do not consume a slot.

New health endpoint counters

GET /api/status now exposes:

Field Meaning
panics_recovered Goroutine, HTTP handler, and tool panics that were recovered without crashing.
path_rejections Filesystem writes refused by Path_Policy (outside data_dir / ~/.xalgorix/ / /tmp).
watchdog_kills Subprocesses terminated by the per-tool hard-timeout watchdog.
admission_refusals Scan admission requests denied due to the concurrency ceiling.
llm_inflight_cap Effective XALGORIX_LLM_MAX_INFLIGHT value for this process.
data_dir Resolved Data_Dir in use.
allow_list Filesystem roots accepted by Path_Policy.

Running

Web UI

xalgorix --web

Open:

http://127.0.0.1:9137

Use a different port:

xalgorix --web --port 8080

External Access

Bind to another interface only after enabling dashboard authentication:

XALGORIX_USERNAME=admin XALGORIX_PASSWORD=change-this xalgorix --web --bind 0.0.0.0

Warning

The server refuses external binding without dashboard authentication.

CLI Scan

xalgorix --target https://example.com

With custom instructions:

xalgorix --target https://app.example.com --instruction "Focus on SQL injection, IDOR, and auth bypass. Avoid destructive tests."

Service Mode

Install and start as a system service:

sudo xalgorix --start

Manage the service:

sudo xalgorix --restart
sudo xalgorix --stop
sudo xalgorix --uninstall

View logs:

journalctl -u xalgorix -f

Remote Service Access

Expose the service to remote browsers only after enabling dashboard auth:

sudo tee -a /root/.xalgorix.env >/dev/null <<'EOF'
XALGORIX_BIND=0.0.0.0
XALGORIX_USERNAME=admin
XALGORIX_PASSWORD=change-this
EOF

sudo xalgorix --restart

Then open http://<server-ip>:9137.

If the process is listening but the page still does not load remotely, allow TCP port 9137 in the server firewall or cloud security group.

Web UI Workflow

  1. Open the dashboard at http://127.0.0.1:9137.
  2. Go to Settings and confirm the LLM provider, API key, rate limits, and optional integrations.
  3. Create a scan from New Scan.
  4. Choose a scan mode.
  5. Select methodology phases when you want a focused run.
  6. Set severity filters when only certain severities should be reported live. The filter affects the real-time dashboard feed and notifications only; the PDF report and /api/findings always include every vulnerability the agent discovered.
  7. Add company name and upload a logo for branded reports.
  8. Monitor progress from Overview, Scan Detail, or Live Feed.
  9. Open finding details, download reports, or manage historical scans from Scans and Reports.

Scan Modes

Mode Best for
Single target Testing one known URL or host.
Wildcard / multi Enumerating related targets and scanning the discovered attack surface.
DAST Browser-assisted testing for web apps, auth flows, forms, and runtime behavior.

Scan Your Code (no target needed)

Point Xalgorix at a codebase — a Git URL, a local path, or an uploaded zip — and it scans the source directly. No deployed URL, no infrastructure to stand up.

# Source review (SAST): audit the code, no running target required
xalgorix --source ./my-app --code-scan review

# Provision + DAST: build & run the app locally, then pentest the running instance
xalgorix --source https://github.com/org/app.git --code-scan provision
Code-scan mode What it does Verification level
review Reads the source, traces user input from entry point → dangerous sink, and reports reachable vulnerabilities. No live target. Source-verified — proven reachable in code (clearly labeled as not runtime-exploited).
provision Inspects the repo, builds and runs the app on a loopback port, then runs whitebox-guided DAST against the running instance. Falls back to review if the app can't be built. Exploit-verified — reproduced against the running app.
  • --source accepts a Git URL (shallow-cloned), a local directory, or a path to an uploaded/extracted archive. In the Web UI / hosted app you can also upload a .zip of your codebase (POST /api/upload-source).
  • You can still combine a repo and a live target for classic whitebox augmentation — that path is unchanged. Code-scan modes are for when the codebase is the whole subject.

Provision mode runs your app's build/start commands in the agent's sandbox and only pentests the single loopback port it stood the app up on — the dashboard and everything else on the machine stay out of scope.

Methodology

Xalgorix organizes autonomous testing into 22 phases.

Phase Focus
1 Reconnaissance
2 Manual vulnerability discovery
3 Directory and file discovery
4 CORS and cookie analysis
5 Authentication and session testing
6 Injection testing
7 SSRF testing
8 IDOR and broken access control
9 API and GraphQL testing
10 File upload testing
11 Deserialization and RCE
12 Race conditions and business logic
13 Subdomain takeover
14 Open redirect testing
15 Email security testing
16 Cloud and infrastructure
17 WebSocket testing
18 CMS-specific testing
19 Broken link hijacking and content spoofing
20 Exploit verification
21 Novel vulnerability discovery
22 Final report

Phase selection in the Web UI lets you run every phase or only the subset needed for a specific engagement.

Reports

Reports are generated as PDF files and can include:

Section Included content
Summary Executive summary, target metadata, scan metadata, and severity overview.
Findings Verified findings, CVSS details, technical analysis, and exploitation proof.
Evidence Proof of concept commands, scripts, payload notes, and supporting observations.
Remediation Fix guidance and prioritized next steps.
Branding Company/target name and uploaded logo.

Reports are available from the scan detail page and the Reports page. Report rows support opening, downloading, and deletion.

Settings

Most operational settings can be changed from the Web UI under Settings.

Area Examples
Engagement Dashboard request rate limits
LLM Model, API key, API base, reasoning effort, retries, max iterations
AgentMail Pod and API key
Notifications Discord webhook and minimum severity, Telegram bot token, chat ID, and minimum severity
Proxy Proxy URL, proxy file, rotation, TLS verification
Runtime Workspace, browser path, auto-install controls
Security Dashboard username, password, password hash, bind address
Resources CPU/RAM/disk thresholds and scan concurrency budget

Some settings require a restart because they affect process startup or server binding. The UI marks those fields.

Environment Variables

Core

Variable Default Description
XALGORIX_LLM none Provider-native model ID used for LLM requests.
XALGORIX_LLM_PROVIDER none Provider selected by the dashboard, stored separately from the model ID.
XALGORIX_API_KEY none Required LLM provider API key.
XALGORIX_API_BASE provider default Custom OpenAI-compatible API base URL.
XALGORIX_REASONING_EFFORT high Reasoning effort: low, medium, high, or xhigh.
XALGORIX_LLM_MAX_RETRIES 5 Retry count for transient LLM failures.
XALGORIX_MEMORY_COMPRESSOR_TIMEOUT 30 Timeout in seconds for context compression.
XALGORIX_MAX_ITERATIONS 0 Agent iteration cap. 0 means unlimited.
GEMINI_API_KEY none Optional Gemini key for web-search enrichment.

Web and Security

Variable Default Description
XALGORIX_BIND 127.0.0.1 Web server listen address.
XALGORIX_USERNAME none Dashboard username.
XALGORIX_PASSWORD none Dashboard password.
XALGORIX_PASSWORD_HASH none Preferred bcrypt password hash.
XALGORIX_WORKSPACE current directory Workspace root for scan execution.

Integrations

Variable Default Description
AGENTMAIL_POD none AgentMail pod identifier.
AGENTMAIL_API_KEY none AgentMail API key.
XALGORIX_DISCORD_WEBHOOK none Global Discord webhook.
XALGORIX_DISCORD_MIN_SEVERITY none Minimum severity sent to Discord.
XALGORIX_TELEGRAM_BOT_TOKEN none Telegram bot token from @BotFather.
XALGORIX_TELEGRAM_CHAT_ID none Telegram chat/channel ID (numeric or @username).
XALGORIX_TELEGRAM_MIN_SEVERITY none Minimum severity sent to Telegram.
CAIDO_PORT 0 Caido proxy port. 0 means auto-detect.
CAIDO_API_TOKEN none Caido API token.

Rate Limits, Proxy, and Runtime

Variable Default Description
XALGORIX_RATE_LIMIT_REQUESTS 60 Dashboard requests per window.
XALGORIX_RATE_LIMIT_WINDOW 60 Dashboard rate-limit window in seconds.
XALGORIX_RATE_RPS 10 Sustained outbound request rate.
XALGORIX_RATE_BURST 20 Outbound burst size.
XALGORIX_USE_PROXY false Enable proxy routing.
XALGORIX_PROXY_URL none Single proxy URL. Overrides proxy file.
XALGORIX_PROXY_FILE none File containing one proxy per line.
XALGORIX_PROXY_ROTATION roundrobin Proxy rotation strategy: roundrobin or random.
XALGORIX_TLS_SKIP_VERIFY false Skip TLS verification for testing traffic.
XALGORIX_DISABLE_BROWSER false Disable browser automation.
XALGORIX_BROWSER_PATH auto Custom Chrome/Chromium executable path.
XALGORIX_ALLOW_AUTO_INSTALL root only Permit automatic package installation.
XALGORIX_AUTO_INSTALL_SUDO false Permit sudo-prefixed auto-installs.

Provider Prefixes

When XALGORIX_API_BASE is empty, Xalgorix infers provider defaults from the model prefix.

Prefix Default API base
openai/ https://api.openai.com/v1
anthropic/ https://api.anthropic.com
deepseek/ https://api.deepseek.com/v1
groq/ https://api.groq.com/openai/v1
google/ https://generativelanguage.googleapis.com/v1
gemini/ https://generativelanguage.googleapis.com/v1
ollama/ http://localhost:11434/v1
minimax/ https://api.minimax.io/v1

Model names are not hard-coded to this list. The Settings page accepts typed model IDs so newer provider models can be used without waiting for a UI dropdown update.

CLI Reference

Flag Alias Description
--web -w Start the Web UI.
--port <port> -p Web UI port. Default: 9137.
--bind <addr> none Bind address. Default: 127.0.0.1.
--target <target> -t Target URL, host, IP, or path. Repeatable.
--instruction <text> -i Custom scan instructions.
--model <model> -m Override XALGORIX_LLM for this run.
--update -up Update to the latest release.
--version -v Print version.
--start none Install and start the system service.
--stop none Stop the system service.
--restart none Restart the system service.
--uninstall none Remove the system service.
--help -h Show help.

API Summary

Method Endpoint Purpose
POST /api/scan Start or save a scan.
POST /api/stop Stop all running scans.
GET /api/status Current global status.
GET /api/scans List scans.
GET /api/scans/:id Get scan detail.
DELETE /api/scans/:id Delete a scan and its report data.
GET /api/findings List all findings (deduplicated across scans).
GET /api/findings/summary Severity tally across all scans.
GET /api/report/:id Download a PDF report.
GET /api/instances List live and historical instances.
GET /api/instances/:id/events Get buffered event history.
POST /api/instances/:id/stop Stop a specific instance.
POST /api/instances/:id/start Start a saved or completed scan as a new run.
POST /api/instances/:id/restart Restart with the same configuration.
POST /api/instances/:id/pause Pause a running scan.
POST /api/instances/:id/resume Resume a paused scan.
POST /api/upload-logo Upload a report logo.
POST /api/upload-targets Upload a target list.
GET /api/settings/environment List editable environment settings.
POST /api/settings/environment Save environment settings.
GET /api/settings/llm Get LLM settings.
POST /api/settings/llm Save LLM settings.
GET /api/settings/agentmail Get AgentMail settings.
POST /api/settings/agentmail Save AgentMail settings.
GET /ws WebSocket live event stream.

Data Storage

Web-mode scan data is stored under:

~/xalgorix-data/
|-- _saved/
|-- logos/
|-- queue_state.json
`-- <target>/
    `-- <date>/
        `-- <scan-id>/
            |-- scan.json
            `-- report.pdf

The server keeps historical scan records on disk so the UI can recover after refresh or restart.

Development

Task Command
Install Web UI dependencies make webui-install
Build everything make build
Run tests go test ./...
Run Web UI from source go run ./cmd/xalgorix --web
Run frontend dev server make webui-dev

Safety Notes

  • Use Xalgorix only against authorized targets.
  • Do not run active testing against third-party systems without permission.
  • Review scan instructions before launching.
  • Configure rate limits and proxy settings to match engagement rules.
  • Exposing the dashboard externally requires authentication.
  • Auto-install is disabled by default for non-root users and should be enabled only when you trust the environment.

License

Xalgorix is released under the MIT License. See LICENSE.

Links

Resource Link
Hosted (Cloud) www.xalgorix.com
Documentation docs.xalgorix.com
Issues github.com/xalgord/xalgorix/issues
Support buymeacoffee.com/xalgord