ENScan_GO
ENScan_GO is a Go-based OSINT tool for aggregating company information from multiple Chinese business data sources (AiqiCha, Tianyancha, Kuaiza, Finbird). It collects ICP registrations, apps, WeChat accounts, and corporate relationships in a single pass, designed for security research and penetration testing workflows.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | wgpsec/ENScan_GO |
| Owner | wgpsec |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 4.5k |
| Forks | 431 |
| Open issues | 26 |
| Latest release | v2.0.5 (2026-03-28) |
| Last updated | 2026-03-30 |
| Source | https://github.com/wgpsec/ENScan_GO |
What ENScan_GO is
Written in Go, the tool queries multiple third-party APIs via cookie-based authentication to aggregate and filter corporate entity data. It supports batch processing, hierarchical company relationship traversal, regex filtering, MCP server mode, and REST API exposure for tool integration.
Get the ENScan_GO source
Clone the repository and explore it locally.
git clone https://github.com/wgpsec/ENScan_GO.gitcd ENScan_GO# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Go 1.22.1+ required; prebuilt binaries available on GitHub releases but must verify checksum and origin.
- Initial setup requires extracting and configuring HTTP-only cookies from multiple Chinese business lookup sites (manual, browser-dependent).
- Tool maintains local cache (`enscan.gob`) between runs; must manually delete to refresh data for the same entity.
- Implements request delay mechanism (`-delay` flag) to mitigate rate limiting; default behavior may trigger account 'abnormality' warnings from data providers.
- MCP server mode (localhost:8080) enables integration with Claude/Cherry Studio but should never be exposed to untrusted networks.
When to avoid it — and what to weigh
- No Chinese business data access requirement — Tool is purpose-built for Chinese domestic companies (ICP, Baidu-indexed data, Chinese app stores). Ineffective outside that context.
- Adversarial authentication or anti-automation defenses required — Tool relies on third-party API cookies and may trigger rate limiting or account suspension. Documentation notes accounts may become 'abnormal' from usage.
- Minimal API token/credential management — Requires manual cookie extraction and configuration for each data source (AiqiCha, Tianyancha, etc.). Significant operational overhead in credential rotation.
- Real-time or SLA-bound integrations — Data sources are external and subject to availability. No guaranteed uptime, SLA, or support model documented.
License & commercial use
Apache License 2.0 (SPDX: Apache-2.0). Permissive OSI-approved license allowing commercial use, modification, and distribution under same terms; reproduction of license and copyright notice required.
Apache-2.0 is OSI-approved and permits commercial use. However, use is subject to terms of service of underlying data sources (AiqiCha, Tianyancha, etc.), which are proprietary APIs not controlled by this project. Legal review of TOS is essential before production deployment. Any account suspension or data access denial is beyond the project's control.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool aggregates data from external APIs using user-supplied cookies; credentials stored in plaintext config file on disk. Account compromise risk if config leaked. Project disclaimer states tool is for 'learning/security purposes only' and warns users may face 'account abnormality' from provider rate limiting. MCP server mode (localhost:8080) must be isolated from untrusted networks. No audit logs, no request signing, no integrity verification of responses. Supply chain risk: depends on Go standard library and third-party data sources.
Alternatives to consider
Shodan / Censys
Global OSINT platforms for IP/domain/certificate intelligence; not Chinese-focused but broader scope and higher data freshness.
TheHarvester / Maltego
Open-source and commercial OSINT frameworks with plugin architecture; more flexible but require manual Chinese API integration.
In-house web scraper / Bright Data
Custom scraping solution or commercial proxy service for direct API queries; higher cost but avoids cookie management and provider TOS risk.
Build on ENScan_GO with DEV.co software developers
Review the GitHub repository, test with a small batch of company names, and confirm compatibility with your data source accounts. Verify TOS compliance before production use.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
ENScan_GO FAQ
What data sources does ENScan_GO query?
Will using this tool get my account suspended?
Can I run this in production as a microservice?
Is this tool legal to use?
Custom software development services
Adopting ENScan_GO is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate mcp servers software in production.
Evaluate ENScan_GO for Your Red Team or OSINT Workflow
Review the GitHub repository, test with a small batch of company names, and confirm compatibility with your data source accounts. Verify TOS compliance before production use.