cariddi
Cariddi is a Go-based web crawler and security scanner designed for reconnaissance and bug bounty work. It takes a list of domains, crawls URLs, and detects exposed endpoints, secrets, API keys, file extensions, and tokens through pattern matching and regex-based scanning.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | edoardottt/cariddi |
| Owner | edoardottt |
| Primary language | Go |
| License | GPL-3.0 — OSI-approved |
| Stars | 3.4k |
| Forks | 294 |
| Open issues | 12 |
| Latest release | v1.4.6 (2026-03-29) |
| Last updated | 2026-07-03 |
| Source | https://github.com/edoardottt/cariddi |
What cariddi is
Go CLI tool that performs concurrent web crawling with configurable depth, proxy support (HTTP/SOCKS5), and modular scanning modes for secrets, endpoints, errors, and file metadata. Supports custom headers, user agents, output formats (JSON, HTML, TXT), and integrates with tools like Burp Suite via proxy configuration.
Get the cariddi source
Clone the repository and explore it locally.
git clone https://github.com/edoardottt/cariddi.gitcd cariddi# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Go ≥1.24.0 for building from source; pre-built binaries available via Homebrew, Snap, Pacman, NixOS, and Go install for faster deployment.
- Configure crawl concurrency (-c flag), timeout (-t), and delay (-d) to avoid overwhelming targets or triggering WAF/rate-limiting; start conservative (default c=20, t=10s) and tune incrementally.
- Use custom secrets regex file (-sf flag) and endpoint lists (-ef flag) tailored to target environment; default patterns may miss organization-specific secrets or undocumented endpoints.
- Proxy integration (BurpSuite via -proxy flag) requires OS-level certificate trust; follow documented steps to avoid TLS certificate validation failures when intercepting.
- Store and handle output securely; tool outputs raw secrets and API keys in plain text (JSON, HTML, TXT). Implement access controls, encryption at rest, and minimal retention policies for result files.
When to avoid it — and what to weigh
- Requires Production Scanning Without Explicit Authorization — GPL-3.0 license and offensive security nature demand legal authorization. Unauthorized scanning violates laws (CFAA, GDPR, etc.). Use only on owned/contracted infrastructure.
- Need for Real-Time Compliance Auditing — Cariddi is reconnaissance/scanning-focused, not a compliance or vulnerability management platform. No built-in audit logging, remediation tracking, or compliance reporting framework.
- Sensitive Data Handling in Output — Tool extracts and outputs raw secrets, API keys, and tokens. Lacks built-in encryption, masking, or secure storage for results. High risk if output files are not handled securely.
- Organization-Wide Deployment Without Risk Management — GPL-3.0 copyleft license binds derivative works and deployment contexts. Enterprise legal review required before distributed internal deployment; not suitable for closed-source commercial products without open-source licensing strategy.
License & commercial use
GPL-3.0 (GNU General Public License v3.0). Copyleft license requiring source code disclosure and GPLv3 licensing of derivative works or integrated products. Commercial use permitted only if derivative code is also GPLv3 licensed and source is distributed.
GPL-3.0 permits commercial use of unmodified binaries without restriction. If you modify the source code or distribute cariddi as part of a commercial product/service, all derivative work and combined code must be licensed under GPLv3 and source code must be provided. Consult legal counsel before integrating into closed-source commercial offerings or SaaS platforms. Using the unmodified tool for internal security assessments or consulting services does not require licensing concessions.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool is designed for authorized reconnaissance and may generate network traffic that triggers alarms or violates terms of service if used on unauthorized targets. It extracts and stores raw secrets/API keys in output files, creating high-risk data handling burden. User responsibility to operate within legal/ethical bounds and secure result artifacts. No built-in encryption of sensitive output; TLS support for outbound requests is assumed standard for Go HTTP client. No cryptographic vulnerabilities known from provided data, but security posture for handling discovered secrets should be independently assessed.
Alternatives to consider
Burp Suite Community / Professional
Full-featured web proxy with integrated crawler, scanner, and secret detection; steeper learning curve and cost, but more polished for penetration testing workflows with built-in reporting and collaboration.
OWASP ZAP
Open-source, free web application scanner with crawling and active scanning. Less focused on secret/API key detection; broader vulnerability scanning scope suitable for compliance-driven assessments.
Hakrawler
Lightweight Go crawler for endpoint discovery and URL extraction, often used in recon pipelines. Simpler scope than cariddi but may require chaining with other tools for secrets/errors detection.
Build on cariddi with DEV.co software developers
Cariddi accelerates reconnaissance and asset discovery for pentesting and bug bounty work. Review licensing obligations (GPL-3.0), ensure authorization, and secure result handling before deployment. Let our team help integrate cariddi into your security workflow.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
cariddi FAQ
Can I use cariddi on domains I do not own or have permission to scan?
Does cariddi modify or exploit discovered vulnerabilities?
How do I prevent false positives in secret detection?
Can cariddi be integrated into a CI/CD pipeline for automated security scanning?
Software development & web development with DEV.co
From first prototype to production, DEV.co delivers software development services around tools like cariddi. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Need Authorized Security Reconnaissance?
Cariddi accelerates reconnaissance and asset discovery for pentesting and bug bounty work. Review licensing obligations (GPL-3.0), ensure authorization, and secure result handling before deployment. Let our team help integrate cariddi into your security workflow.