DEV.co
Open-Source Security · edoardottt

cariddi

Cariddi is a Go-based web crawler and security scanner designed for reconnaissance and bug bounty work. It takes a list of domains, crawls URLs, and detects exposed endpoints, secrets, API keys, file extensions, and tokens through pattern matching and regex-based scanning.

Source: GitHub — github.com/edoardottt/cariddi
3.4k
GitHub stars
294
Forks
Go
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryedoardottt/cariddi
Owneredoardottt
Primary languageGo
LicenseGPL-3.0 — OSI-approved
Stars3.4k
Forks294
Open issues12
Latest releasev1.4.6 (2026-03-29)
Last updated2026-07-03
Sourcehttps://github.com/edoardottt/cariddi

What cariddi is

Go CLI tool that performs concurrent web crawling with configurable depth, proxy support (HTTP/SOCKS5), and modular scanning modes for secrets, endpoints, errors, and file metadata. Supports custom headers, user agents, output formats (JSON, HTML, TXT), and integrates with tools like Burp Suite via proxy configuration.

Quickstart

Get the cariddi source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/edoardottt/cariddi.gitcd cariddi# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Bug Bounty Reconnaissance

Quickly enumerate endpoints, API keys, and secrets across multiple target domains to identify initial attack surface and low-hanging vulnerabilities for bounty submissions.

Security Penetration Testing Scope

Automated crawling and secret detection to support scope definition and asset discovery phases in authorized penetration tests against client infrastructure.

Red Team Infrastructure Mapping

Parallel domain scanning with customizable crawl depth and ignore patterns to map organizational web footprint, extract endpoints, and detect exposed credentials or configuration artifacts.

Implementation considerations

  • Requires Go ≥1.24.0 for building from source; pre-built binaries available via Homebrew, Snap, Pacman, NixOS, and Go install for faster deployment.
  • Configure crawl concurrency (-c flag), timeout (-t), and delay (-d) to avoid overwhelming targets or triggering WAF/rate-limiting; start conservative (default c=20, t=10s) and tune incrementally.
  • Use custom secrets regex file (-sf flag) and endpoint lists (-ef flag) tailored to target environment; default patterns may miss organization-specific secrets or undocumented endpoints.
  • Proxy integration (BurpSuite via -proxy flag) requires OS-level certificate trust; follow documented steps to avoid TLS certificate validation failures when intercepting.
  • Store and handle output securely; tool outputs raw secrets and API keys in plain text (JSON, HTML, TXT). Implement access controls, encryption at rest, and minimal retention policies for result files.

When to avoid it — and what to weigh

  • Requires Production Scanning Without Explicit Authorization — GPL-3.0 license and offensive security nature demand legal authorization. Unauthorized scanning violates laws (CFAA, GDPR, etc.). Use only on owned/contracted infrastructure.
  • Need for Real-Time Compliance Auditing — Cariddi is reconnaissance/scanning-focused, not a compliance or vulnerability management platform. No built-in audit logging, remediation tracking, or compliance reporting framework.
  • Sensitive Data Handling in Output — Tool extracts and outputs raw secrets, API keys, and tokens. Lacks built-in encryption, masking, or secure storage for results. High risk if output files are not handled securely.
  • Organization-Wide Deployment Without Risk Management — GPL-3.0 copyleft license binds derivative works and deployment contexts. Enterprise legal review required before distributed internal deployment; not suitable for closed-source commercial products without open-source licensing strategy.

License & commercial use

GPL-3.0 (GNU General Public License v3.0). Copyleft license requiring source code disclosure and GPLv3 licensing of derivative works or integrated products. Commercial use permitted only if derivative code is also GPLv3 licensed and source is distributed.

GPL-3.0 permits commercial use of unmodified binaries without restriction. If you modify the source code or distribute cariddi as part of a commercial product/service, all derivative work and combined code must be licensed under GPLv3 and source code must be provided. Consult legal counsel before integrating into closed-source commercial offerings or SaaS platforms. Using the unmodified tool for internal security assessments or consulting services does not require licensing concessions.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool is designed for authorized reconnaissance and may generate network traffic that triggers alarms or violates terms of service if used on unauthorized targets. It extracts and stores raw secrets/API keys in output files, creating high-risk data handling burden. User responsibility to operate within legal/ethical bounds and secure result artifacts. No built-in encryption of sensitive output; TLS support for outbound requests is assumed standard for Go HTTP client. No cryptographic vulnerabilities known from provided data, but security posture for handling discovered secrets should be independently assessed.

Alternatives to consider

Burp Suite Community / Professional

Full-featured web proxy with integrated crawler, scanner, and secret detection; steeper learning curve and cost, but more polished for penetration testing workflows with built-in reporting and collaboration.

OWASP ZAP

Open-source, free web application scanner with crawling and active scanning. Less focused on secret/API key detection; broader vulnerability scanning scope suitable for compliance-driven assessments.

Hakrawler

Lightweight Go crawler for endpoint discovery and URL extraction, often used in recon pipelines. Simpler scope than cariddi but may require chaining with other tools for secrets/errors detection.

Software development agency

Build on cariddi with DEV.co software developers

Cariddi accelerates reconnaissance and asset discovery for pentesting and bug bounty work. Review licensing obligations (GPL-3.0), ensure authorization, and secure result handling before deployment. Let our team help integrate cariddi into your security workflow.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

cariddi FAQ

Can I use cariddi on domains I do not own or have permission to scan?
No. Unauthorized network scanning violates laws (CFAA in the US, Computer Misuse Act in the UK, GDPR in EU, etc.). Use only on owned infrastructure or with explicit written authorization from the owner. The tool is designed for authorized penetration testing and bug bounty work.
Does cariddi modify or exploit discovered vulnerabilities?
No. Cariddi is a reconnaissance and detection tool only. It crawls, extracts, and reports endpoints/secrets/errors but does not attempt exploitation, payload delivery, or system modification. It is passive/non-intrusive relative to active exploitation.
How do I prevent false positives in secret detection?
Use custom secrets regex file (-sf flag) tailored to actual secret patterns in your environment. Start with default patterns and refine based on false positives observed. Note that pattern-based detection has inherent limits; manual review of results is recommended.
Can cariddi be integrated into a CI/CD pipeline for automated security scanning?
Technically yes (stdin/stdout CLI, JSON output), but requires careful planning: strong authorization controls, secure handling of secret-containing output, integration with SIEM/ticketing for alerts, and compliance review of GPL-3.0 licensing implications. Not designed as a first-class CI/CD scanner; consider dedicated SAST/DAST tools for that workflow.

Software development & web development with DEV.co

From first prototype to production, DEV.co delivers software development services around tools like cariddi. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Need Authorized Security Reconnaissance?

Cariddi accelerates reconnaissance and asset discovery for pentesting and bug bounty work. Review licensing obligations (GPL-3.0), ensure authorization, and secure result handling before deployment. Let our team help integrate cariddi into your security workflow.