reaper
Reaper is a man-in-the-middle HTTPS proxy tool designed for application security testing. It intercepts and logs web traffic to a local database, offering a CLI for searching and inspecting captured requests and responses, with built-in support for AI agent integration.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | ghostsecurity/reaper |
| Owner | ghostsecurity |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 873 |
| Forks | 92 |
| Open issues | 0 |
| Latest release | v3.0.0 (2026-02-13) |
| Last updated | 2026-03-24 |
| Source | https://github.com/ghostsecurity/reaper |
What reaper is
Go-based MITM proxy that captures in-scope HTTPS traffic, persists requests/responses to a local database, and provides CLI tooling for traffic inspection and search. Integrates with AI agents via the Ghost Security Skills framework for automated security testing workflows.
Get the reaper source
Clone the repository and explore it locally.
git clone https://github.com/ghostsecurity/reaper.gitcd reaper# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires HTTPS certificate installation on test clients to intercept encrypted traffic; plan for client configuration and trust store setup.
- Stores all captured traffic in a local database; define retention policies and disk space requirements based on expected traffic volume and test duration.
- CLI-driven interface expects user or agent familiarity with command-line tools; no built-in graphical UI mentioned in provided data.
- Scoping of traffic (in-scope filtering) must be configured explicitly to avoid capturing unintended network activity.
- Integration with AI agents requires Ghost Security Skills framework setup; verify compatibility with your intended agentic security tools.
When to avoid it — and what to weigh
- Production Traffic Inspection Without Isolation — Reaper is a MITM proxy; deploying it in live production environments without network segmentation introduces risk of traffic exposure and potential performance impact on critical services.
- High-Volume, Real-Time Traffic Analysis — If you require analytics-grade processing of millions of requests per hour with sub-millisecond latency, Reaper's local database approach may become a bottleneck; consider dedicated traffic analytics platforms.
- No Native Cloud or Distributed Deployment — Reaper is designed for Linux and macOS with local database storage; if you need horizontal scaling, multi-region deployment, or cloud-native architecture, this tool is not architected for that.
- Cross-Platform Windows Support Required — Official support is limited to Linux and macOS. If your testing environment is primarily Windows-based, you will need Docker or alternative tooling.
License & commercial use
Licensed under Apache License 2.0, a permissive open-source license that allows commercial use, modification, and distribution with attribution and liability disclaimers.
Apache 2.0 is permissive for commercial use. No license restrictions on using Reaper in commercial security testing services. However, verify that any bundling or redistribution of Reaper complies with Apache 2.0 attribution requirements, and confirm whether commercial support or indemnification is available from Ghost Security (not stated in provided data).
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Reaper is a MITM proxy that decrypts and logs HTTPS traffic. Key considerations: (1) Trust and integrity of Reaper binary and source code; (2) confidentiality of captured secrets (credentials, tokens, keys) in local database; (3) physical/filesystem access controls to local database; (4) certificate pinning in target applications may prevent interception; (5) no claims about secure key management or encryption of stored traffic provided—assume plaintext unless verified. Use only in isolated test environments with non-production credentials.
Alternatives to consider
OWASP ZAP (Zed Attack Proxy)
Mature, widely-adopted open-source proxy with GUI, automated scanning, and extensive community support. More heavyweight but established baseline for web app security testing.
Burp Suite Community / Professional
Industry-standard commercial proxy for security testing with GUI, advanced features (intruder, repeater, scanner), and vendor support. Steeper learning curve and cost for professional edition.
mitmproxy
Lightweight, open-source Python-based MITM proxy with CLI and programmatic API. Simpler than Reaper for basic traffic inspection; less integrated with AI agent workflows.
Build on reaper with DEV.co software developers
Reaper integrates with AI agents for autonomous vulnerability discovery. Evaluate how it fits your testing workflow, security posture, and team tooling. Review certificate management and database isolation requirements before deployment.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
reaper FAQ
Can Reaper decrypt HTTPS traffic?
Where is captured traffic stored?
Is there a graphical user interface?
How do I integrate Reaper with an AI agent?
Custom software development services
From first prototype to production, DEV.co delivers software development services around tools like reaper. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Ready to Automate Security Testing?
Reaper integrates with AI agents for autonomous vulnerability discovery. Evaluate how it fits your testing workflow, security posture, and team tooling. Review certificate management and database isolation requirements before deployment.