EliotSec (aka “Eliot”) is a full‑stack application for orchestrating safe, repeatable penetration tests. It provides a Next.js frontend for initiating scans and viewing results, a Go (Fiber v3) backend that controls ephemeral Kali containers via Docker, and a curated Kali image with common offensive security tools. The AI penetration testing agent runs inside Kali via Codex CLI using your Claude Pro plan — no API keys are required by the backend.
+--------------------+
| Next.js UI |
| (apps/web, Bun) |
+----------+---------+
|
HTTPS | JSON API
v
+--------+--------+
| Go API |
| Fiber v3, JWT |
| Rate limits |
| Security hdrs |
+----+-------+----+
| |
Docker | | Optional
(socket)| | Codex Agent
| (Codex CLI)
v v
+--------+-------+----------------------+
| Orchestrator: ephemeral Kali |
| - Pull/build image (mailshieldai/ |
| kali-pt:latest) |
| - Run tools (nmap, nikto, …) |
| - Collect artifacts |
+--------------------------------------+
+--------------------------+
| Storage (in‑memory now) |
| Results + progress |
+--------------------------+
- Frontend: Next.js App Router (apps/web) with WorkOS AuthKit auth.
- Backend: Go 1.22 + Fiber v3 with JWT auth (WorkOS), security headers, rate limiting, and input validation.
- Orchestrator: Uses Docker Engine to run ephemeral Kali containers preloaded with tools (nmap, nikto, etc.).
- AI Agent: Codex CLI running inside Kali drives reconnaissance and analysis autonomously (Full‑Access mode). No API keys are required by the backend.
- macOS/Linux with Docker Engine or Docker Desktop.
- Go 1.22+ (for local backend dev) and Bun or Node.js 20+ (for frontend dev).
- Optional: WorkOS keys for authentication. No OpenAI keys needed.
- Clone and prepare environment files
- Copy
.env.examplefiles to.envand fill in values as needed:- Project root:
.env(optional DevOps/AI keys) - Backend:
backend/.env - Frontend:
frontend/.envorfrontend/apps/web/.env
- Project root:
- Install dependencies
make setup
- Run development servers
make dev
- Frontend: http://localhost:3000 (or 3001 in dev, see scripts)
- Backend: http://localhost:8080
- Run tests
make test
The root docker-compose.yml orchestrates the full stack:
frontend: Next.js built image, served withnext start.backend: Go API running on port 8080. The Docker socket is mounted so the backend can create ephemeral Kali containers.kali: A long‑lived Kali service primarily to ensure the Kali image is built and for manual interactive use. The backend creates additional ephemeral containers from the same image for each scan.
Build and run:
docker compose build
docker compose up -d
# Frontend: http://localhost:3000
# Backend: http://localhost:8080
Backend (backend/.env):
-
PORT– API port (default 8080) -
AUTH_DISABLED– set totruefor local dev without JWT validation -
WORKOS_CLIENT_ID,WORKOS_JWKS_URL,WORKOS_ISSUER,WORKOS_AUDIENCE– JWT validation -
KALI_IMAGE– Docker image to use for scans (defaultmailshieldai/kali-pt:latest) -
CORS_ALLOW_ORIGINS– allowed origins for the UI
Frontend (frontend/.env or apps/web/.env):
NEXT_PUBLIC_API_URL– base URL of the backend API (e.g.,http://localhost:8080)- WorkOS keys:
WORKOS_CLIENT_ID,WORKOS_API_KEY,WORKOS_COOKIE_PASSWORD,NEXT_PUBLIC_WORKOS_REDIRECT_URI.
- Start the API, then point the UI to it via
NEXT_PUBLIC_API_URL. - Create a scan from the UI; the API validates input, queues a job, provisions an ephemeral Kali container, runs tools, collects results, and exposes them via
GET /api/scan/:id/results. - Iterate on parsing/analysis or UI display as needed. For deeper work, add tools to the Kali image under
backend/docker/kali/.
- Strict HTTP headers: HSTS (when behind HTTPS),
X-Content-Type-Options,X-Frame-Options,Referrer-Policy,Permissions-Policy. - CORS locked down via
CORS_ALLOW_ORIGINS. - Rate limiting applied globally with per‑minute thresholds.
- JWT auth via WorkOS by default; can be disabled in local dev with
AUTH_DISABLED=true. - Input validation:
target(domain/URL/IP) strictly validated server‑side.- Path params (e.g.,
id) validated for allowed characters.
- Docker hardening:
- Ephemeral containers (autoremove) with minimal capabilities inside the Kali image.
- When containerizing the backend, Docker socket is required; restrict access to trusted hosts only.
Base URL: http://localhost:8080
-
GET /api/health→{ status: "ok", time: string } -
POST /api/scan- Body:
{ "target": string, "depth": number } - 202 Accepted:
{ id, target, status, queuedAt, pollUrls: { status, results } }
- Body:
-
GET /api/scan/:id/status→ scan status and progress -
GET /api/scan/:id/results→ final results including tool artifacts and optional AIsummary
Integration tests live in backend/test/integration_test.go and cover the end‑to‑end flow using mocked Docker operations. JWT auth validation is covered in backend/test/auth_workos_test.go. Run them with:
make test
make setup– install backend and frontend dependenciesmake build– build backend binary and frontend Next.js appmake dev– run both dev servers (frontend + backend)make test– run backend testsmake docker– build Docker images via root docker‑composemake clean– remove build artifacts and caches
- The backend stores state in memory; for production you should replace the store with a persistent datastore.
- The Kali image is maintained under
backend/docker/kali. Add/upgrade tools there and rebuild. - For cloud deployments, run the backend on a secure host with access to a Docker Engine (or use dedicated runners) and put the API behind TLS.
This repo includes a Prometheus + Grafana stack with dashboards and alerts. See docs/monitoring.md for setup.