This is your work, valued
Too slow for formal verification, got almost enough neurons for static analysis.
Hacking-with-Go. Golang for Security Professionals
★ 1.8kHugo-Octopress. Port of the classic Octopress theme to Hugo
★ 169Hugo-Shortcodes. Parsia's Hugo Shortcodes
★ 110Go-Security. My Go security projects
★ 49eslinter. Manual JavaScript Linting is a Bug
★ 48Parsia-Clone. Clone me and get your own authentic Parsia-Clone today.
★ 45golnk. Golang package for parsing Windows shell link binary (lnk or Windows shortcut) files.
★ 38Parsia-Code. Contains random code and some of my older projects
★ 28evil-electron. Backdoored Electron app.asar
★ 17parsiya.net. Source for my personal website
★ 13extract-sni. Extracts SNIs from a pcap and generates output usable in `etc/hosts` file and Burp config for proxying non-proxy-aware thick clients using HTTPs.
★ 12SSH-Scanner. Simple SSH vulnerability scanner based on SSH Harvester
★ 12bug-diaries. A extension for Burp's free edition that mimics the pro edition's custom scan issues.
★ 9personal-semgrep-server. Personal Semgrep Server for learning Rust.
★ 9looking-glass. A Burp extension to store all traffic in a sqlite database for logging or discovering insights.
★ 9Presentations. Presentation videos and slides.
★ 6semgrep-hotspots. Repository for my Semgrep hot spot rules
★ 5EvilSwing. Pseudo-backdoored Jar File
★ 5borrowedtime. Borrowed Time is a project and note management tool.
★ 5fearless-concurrency. Fight the Borrow Checker. Don't succumb to its tyranny.
★ 4code-wsl-rce. Proof of Concept for CVE-2021-43891
★ 3burp-sample-extension-java. Sample Burp Extension in Java
★ 3burputils. A work-in-progress collection of utilities for creating Burp extensions in Python.
★ 3tlsdump. Learning Golang by creating a TLS terminating proxy
★ 3malwareadventure. Small python game written in PAWS
★ 2go-helpers. My Go utility code.
★ 2parsiya.fa. Source for my Farsi blog.
★ 2knee-deep-tree-sitter. Code for "Knee Deep in tree-sitter" blog posts.
★ 2net-remoting. C#
★ 2message-analyzer-docs-pr. Microsoft Message Analyzer documentation and binaries
★ 1belkin_F9K1116. Belkin F9K1116 Firmware Repository & Reversing
★ 1Octopress-Blog. Source for my old Octopress website
★ 1Hugo-Octopress-Test. Demo website of vanilla Hugo-Octopress
★ 1codeql-zero-to-hero. CodeQL zero to hero blog post series challenges
★ 1yaml-wrangling-with-rust. YAML Wrangling with Rust
★ 1begbounty.com. Source for begbounty.com
★ 1parsiya.io. parsiya.io modified layout
★ 1semgrep-rs. Rust library crate to interact with Semgrep.
★ 1gonepm. Golang package to detect backdoored packages in alternate npm registries.
★ 1sublime-config. Instruction and config files for my Sublime Text setup - deprecated - use the URL instead
★ 1get-progamming-with-node-js. Code for "Get Programming with Node.js" book
★ 1EvE-3D-Printing.
★ 475spec-kit. 💫 Toolkit to help you get started with Spec-Driven Development
★ 120kvisa-vulnerability-agentic-harness. Visa Vulnerability Agentic Harness
★ 679liteparse. A fast, helpful, and open-source document parser
★ 11kredai. AI-driven vulnerability discovery and live validation
★ 331graphify. AI coding assistant skill (Claude Code, Codex, OpenCode, Cursor, Gemini CLI, and more). Turn any folder of code, SQL schemas, R scripts, shell scripts, docs, papers, images, or videos into a queryable knowledge graph. App code + database schema + infrastructure in one graph.
★ 82kironcurtain. A secure* runtime for autonomous AI agents. Policy from plain-English constitutions. (*https://ironcurtain.dev)
★ 553copilot-second-opinion. OpenCode skill + MCP server that runs an automated GitHub Copilot PR review loop: request review, wait, triage, push fixes, reply, resolve, repeat.
★ 1mythos-bench. Jagged Frontier: LLM vulnerability detection benchmark harnesses (API + Claude Code agentic)
★ 16skills. Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows
★ 6.1ktrailmark. Build and query a graph database representation of source code
★ 437proofofthought. Proof of thought : LLM-based reasoning using Z3 theorem proving with multiple backend support (SMT2 and JSON DSL)
★ 374secure-sw-dev-fundamentals. Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)
★ 203flawfinder. a static analysis tool for finding vulnerabilities in C/C++ source code
★ 574BinCodeQL. Python
★ 37OpenAnt. OpenAnt from Knostic is the leading open source LLM-based vulnerability discovery product, helping defenders proactively find verified security flaws while minimizing both false positives and false negatives. Stage 1 detects. Stage 2 attacks. What survives is real.
★ 672go-sitter-forest. Where a Gopher meets lots of 🌳 Sitters
★ 56ACER. ACER is an AST-based Callgraph Generator Development Framework
★ 41Vulnhalla. Python
★ 197stack-graphs. Rust implementation of stack graphs
★ 875montoya-kotlin-utilities. Kotlin
★ 2go-tree-sitter. Go bindings for tree-sitter
★ 275aider. aider is AI pair programming in your terminal
★ 47kcode-graph-rag. The ultimate RAG for your monorepo. Query, understand, and edit multi-language codebases with the power of AI and knowledge graphs
★ 2.3khound. Language-agnostic AI auditor that autonomously builds and refines adaptive knowledge graphs for deep, iterative code reasoning.
★ 785gateway. A blazing fast AI Gateway with integrated guardrails. Route to 1,600+ LLMs, 50+ AI Guardrails with 1 fast & friendly API.
★ 12kbuttercup. Buttercup finds and patches software vulnerabilities
★ 1.6kfraim. A flexible framework for security teams to build and deploy AI-powered workflows that complement their existing security operations.
★ 158osv-scalibr. OSV-SCALIBR: A library for Software Composition Analysis
★ 622repeat-strike. Java
★ 39Pishi. Pishi is a code coverage tool like kcov for macOS.
★ 76PPspliT. A PowerPoint add-in that splits slides according to slideshow-time animation effects
★ 430golem. Golem automates C/C++ vulnerability discovery with SemGrep+LLVM+LLM
★ 101Burp-Montoya-Utilities. A collection of utilities for building extensions using Burp's Montoya API
★ 52LoggerPlusPlus. Advanced Burp Suite Logging Extension
★ 709LAST. Use AI to Scan Your Code from the Command Line for security and code smells. Bring your own keys. Supports OpenAI and Gemini
★ 186playwright-mcp. Playwright MCP server
★ 35kBFScan. Tool for finding URLs, paths, secrets and generating raw HTTP requests and OpenApi specifications from config files and annotations used in JAR / WAR / APK applications.
★ 256verizon_burp_extensions_ai. Verizon Burp Extensions: AI Suite
★ 144dusseldorf. Dusseldorf is an out-of-band security tool to help in security research.
★ 74DeepSeek-V3. Python
★ 104kRFID-Tag-Guide. Instructions on how to read out the bambulab nfc tags
★ 1.7kUNO-R4-WiFi-freedom. UNO R4 WiFi set free!
★ 38WuppieFuzz. A coverage-guided REST API fuzzer developed on top of LibAFL
★ 213PowerGlove. A project to convert your Powerglove into a USB Joystick
★ 13bbrf-client. The Bug Bounty Reconnaissance Framework (BBRF) can help you coordinate your reconnaissance workflows across multiple devices
★ 647jwt-reauth. Java
★ 106CodeGeeX. CodeGeeX: An Open Multilingual Code Generation Model (KDD 2023)
★ 8.8kwhisper.cpp. Port of OpenAI's Whisper model in C/C++
★ 52kfoundry-toolkit.
★ 2kllm.c. LLM training in simple, raw C/CUDA
★ 31kz3. The Z3 Theorem Prover
★ 12ktree-sitter-graph. Construct graphs from parsed source code
★ 338snapshot. WinDbg extension written in Rust to dump the CPU / memory state of a running VM
★ 138Crassus. C#
★ 631rust-code-analysis. Library to analyze and collect metrics on source code
★ 422type-sitter. generate typed wrappers for tree-sitter grammars from node-types.json and queries
★ 46chumsky. [Chumsky has moved to Codeberg!] Write expressive, high-performance parsers with ease.
★ 4.5krust-sitter. Use Tree Sitter to parse your own languages in Rust
★ 718twinny. The most no-nonsense, locally or API-hosted AI code completion plugin for Visual Studio Code - like GitHub Copilot but 100% free.
★ 3.6kdatadog-static-analyzer. Datadog Static Analyzer
★ 135tavor. A generic fuzzing and delta-debugging framework
★ 246numbat. Library to manipulate and create Sourcetrail databases
★ 24fuzzomatic. Automatically fuzz Rust projects from scratch
★ 59clap. A full featured, fast Command Line Argument Parser for Rust
★ 17kmagika. Fast and accurate AI powered file content types detection
★ 17klocalllm. Python
★ 1.5ksymbolic-execution-tutorial. Tutorial on Symbolic Execution. Hands-on session is based on the angr framework.
★ 134codeql-zero-to-hero. CodeQL zero to hero blog post series challenges
★ 174oss-fuzz-gen. LLM powered fuzzing via OSS-Fuzz.
★ 1.4kpyt. A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
★ 2.2kLLMs-from-scratch. Implement a ChatGPT-like LLM in PyTorch from scratch, step by step
★ 99kProton. Compatibility tool for Steam Play based on Wine and additional components
★ 32kfrown. frown (frida-own) – an instrumentation challenge
★ 25testo. Test framework for OCaml
★ 39weggli-patterns. A collection of my weggli patterns to facilitate vulnerability research.
★ 158llm-course. Course to get into Large Language Models (LLMs) with roadmaps and Colab notebooks.
★ 81kfrinet. Frida-based tracer for easier reverse-engineering on Android, iOS, Linux, Windows and most related architectures.
★ 614ollama. Get up and running with Kimi-K2.6, GLM-5.1, MiniMax, DeepSeek, gpt-oss, Qwen, Gemma and other models.
★ 176kllama-cookbook. Welcome to the Llama Cookbook! This is your go to guide for Building with Llama: Getting started with Inference, Fine-Tuning, RAG. We also show you how to solve end to end problems using Llama model family and using them on various provider services
★ 18ktextgen. Open-source desktop app for local LLMs. Text, vision, tool-calling, OpenAI/Anthropic-compatible API. 100% private.
★ 47kcrawlee. Crawlee—A web scraping and browser automation library for Node.js to build reliable crawlers. In JavaScript and TypeScript. Extract data for AI, LLMs, RAG, or GPTs. Download HTML, PDF, JPG, PNG, and other files from websites. Works with Puppeteer, Playwright, Cheerio, JSDOM, and raw HTTP. Both headful and headless mode. With proxy rotation.
★ 25kllamafile. Distribute and run LLMs with a single file.
★ 25kgenerative-ai-for-beginners. 21 Lessons, Get Started Building with Generative AI
★ 113klegba. The fastest and more comprehensive multiprotocol credentials bruteforcer / password sprayer and enumerator. 🥷
★ 1.9kopenapi-changes. The world's most powerful OpenAPI breaking changes detector. Discover what changed between two OpenAPI specs, or a single spec over time. Supports OpenAPI 3.2, 3.1 and 3.0
★ 353saleae-importer. A library for reading and writing Saleae Logic 2 binary capture data
★ 9rust_tips_and_tricks. Rust For Windows Cheatsheet
★ 121centipede. C++
★ 79starhook. Manage & Analyze repositories at scale
★ 102openapi-devtools. Browser extension that generates API specs for any app or website
★ 4.3kStartup-CTO-Handbook. The Startup CTO's Handbook, a book covering leadership, management and technical topics for leaders of software engineering teams
★ 14kwzg-icarus-balance-overhaul.
★ 28attacking-llms. Repo of common LLM attacks
★ 3logrus. Structured, pluggable logging for Go.
★ 26kPIPE. Prompt Injection Primer for Engineers
★ 602humanify. Deobfuscate Javascript code using ChatGPT
★ 3.2klo. 💥 A Lodash-style Go library based on Go 1.18+ Generics (map, filter, contains, find...)
★ 21knoir. Hunt every Endpoint in your code, expose Shadow APIs, map the Attack Surface.
★ 1.3kllama-gpt. A self-hosted, offline, ChatGPT-like chatbot. Powered by Llama 2. 100% private, with no data leaving your device. New: Code Llama support!
★ 11kTypeChat. TypeChat is a library that makes it easy to build natural language interfaces using types.
★ 8.7kx8. Hidden parameters discovery suite
★ 2.1kBChecks. BChecks collection for Burp Suite Professional and Burp Suite DAST
★ 787private-gpt. Complete API layer for private AI applications on local models: RAG, skills, tools, MCP, text-to-sql, and more. Works with any OpenAI-compatible inference server.
★ 57kast-grep. ⚡A CLI tool for code structural search, lint and rewriting. Written in Rust
★ 15kbearer. Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
★ 2.7kFlipperNested. Recover Mifare Classic keys on Flipper Zero
★ 379flipperzero-mayhem. Perfect companion for your Flipper Zero. ESP32 with WiFi, BT/BLE, micro-SD, camera+PSRAM, flashlight and extras: NRF24/CC1101, 3V/5V sensors
★ 715ghastoolkit. GitHub Advanced Security Python Toolkit
★ 14thoughtloom. ThoughtLoom is a powerful tool designed to foster creativity and enhance productivity through the use of LLMs directly from the command line. It facilitates rapid development and integration of LLM-based tools into various workflows, empowering individuals and teams to experiment, collaborate, and ultimately streamline their daily tasks.
★ 25supercharger. Supercharge Open-Source AI Models
★ 348turbopilot. Turbopilot is an open source large-language-model based code completion engine that runs locally on CPU
★ 3.8kdolly. Databricks’ Dolly, a large language model trained on the Databricks Machine Learning Platform
★ 11kAutoGPT. AutoGPT is the vision of accessible AI for everyone, to use and to build on. Our mission is to provide the tools, so that you can focus on what matters.
★ 185ksecuritree.nvim. SecuriTree - Security Research Tool
★ 30dxsonnet. Just another Jsonnet library: a collection of generic jsonnet functions
★ 5NSwag. The Swagger/OpenAPI toolchain for .NET, ASP.NET Core and TypeScript.
★ 7.3kllama.cpp. LLM inference in C/C++
★ 120kopenplayground. An LLM playground you can run on your laptop
★ 6.4kfuzzing. Tutorials, examples, discussions, research proposals, and other resources related to fuzzing
★ 3.8kgpt4all. GPT4All: Run Local LLMs on Any Device. Open-source and available for commercial use.
★ 77kopcua_network_fuzzer. Python
★ 116langchain. The agent engineering platform.
★ 142ksecure-code-game. Learn to code securely while having fun through our popular open source in-editor experience, designed for developers, students, and anyone curious about security. Get started for free in under 2 minutes, playing right from your browser.
★ 2.8kbindgen-tutorial-bzip2-sys. A tutorial/example crate for generating C/C++ bindings on-the-fly with libbindgen
★ 79typst. A markup-based typesetting system that is powerful and easy to learn.
★ 55kdiscourse. A platform for community discussion. Free, open, simple.
★ 47kllama. Inference code for Llama models
★ 60kdalai. The simplest way to run LLaMA on your local machine
★ 13kAPI-Security. OWASP API Security Project
★ 2.3krust-course.
★ 118rails-rest-api. A simple RoR 6 REST API demo with JWT authentication.
★ 32box-openapi. OpenAPI 3.0 Specification for the Box APIs
★ 101dynamic-analysis. ⚙️ A curated list of dynamic analysis tools and linters for all programming languages, binaries, and more.
★ 1.1kakto. Proactive, Open source API security → API discovery, API Security Posture, Testing in CI/CD, Test Library with 1000+ Tests, Add custom tests, Sensitive data exposure
★ 1.5klibopenapi. libopenapi is a fully featured, high performance OpenAPI 3.2, 3.1, 3.0, Overlays and Arazzo parser, library, validator and toolkit for go applications.
★ 857pocs. Proof of Concepts (PE, PDF...)
★ 1.6krestish. Restish is a CLI for interacting with REST-ish HTTP APIs with some nice features built-in
★ 1.3kgo-backend-clean-architecture. A Go (Golang) Backend Clean Architecture project with Gin, MongoDB, JWT Authentication Middleware, Test, and Docker.
★ 6.1khackvertor. Java
★ 248grepmarx. A source code static analysis platform for AppSec enthusiasts.
★ 277Burp-Suite-Certified-Practitioner-Exam-Study. Burp Suite Certified Practitioner Exam Study
★ 1.4kpanwriter. Markdown editor with pandoc integration and paginated preview.
★ 1.3kcapital. A built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. Use c{api}tal to learn, train and exploit API Security vulnerabilities within your own API Security CTF.
★ 332nickdesaulniers.github.com. My personal blog
★ 15RpcInvestigator. Exploring RPC interfaces on Windows
★ 364nevod. Nevod is a language and technology for pattern-based text search.
★ 222antlr4. ANTLR (ANother Tool for Language Recognition) is a powerful parser generator for reading, processing, executing, or translating structured text or binary files.
★ 19kgrammars-v4. Grammars written for ANTLR v4; expectation that the grammars are free of actions.
★ 11kexploitation-course. Offensive Software Exploitation Course
★ 2.5kdev-random. short experiments
★ 4comprehensive-rust. This is the Rust course used by the Android team at Google. It provides you the material to quickly teach Rust.
★ 33kguarddog. :snake: :mag: GuardDog is a CLI tool to Identify malicious PyPI and npm packages
★ 1.2kawesome-fuzzing. A curated list of awesome Fuzzing(or Fuzz Testing) for software security
★ 979agollo. 🚀Go client for ctrip/apollo (https://github.com/apolloconfig/apollo)
★ 778security-study-plan. Complete Practical Study Plan to become a successful cybersecurity engineer based on roles like Pentest, AppSec, Cloud Security, DevSecOps and so on...
★ 5ksilverbullet. An open source personal productivity platform built on Markdown, turbo charged with the scripting power of Lua
★ 5.6kjaeles. The Swiss Army knife for automated Web Application Testing
★ 2.4kSandboxSecurityTools. Security testing tools for Windows sandboxing technologies
★ 189fq. jq for binary formats - tool, language and decoders for working with binary and text formats
★ 11kgo-restful. package for building REST-style Web Services using Go
★ 5.1kpublic-apis. A collective list of free APIs
★ 449kdefi-threat. a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations on decentralized finance
★ 501go-tree-sitter. Golang bindings for tree-sitter https://github.com/tree-sitter/tree-sitter
★ 559go-tools. Staticcheck - The advanced Go linter
★ 6.8kgokart. A static analysis tool for securing Go code
★ 2.2kFridaScripts. JavaScript
★ 615cherrybomb. Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
★ 1.2kmegalinter. 🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
★ 2.5kkin-openapi. OpenAPI 3.0 and 3.1 (and Swagger v2) implementation for Go (parsing, converting, validation, and more)
★ 3.3ksemgrep-interfaces. Store the ATD/openapi/protobuf/... interfaces between semgrep components
★ 20LaPreprint. 📝 A nicely formatted LaTeX preprint template
★ 584atd. Static types for JSON APIs
★ 353weggli-examples. Examples of weggli queries
★ 7API-Security-Checklist. Checklist of the most important security countermeasures when designing, testing, and releasing your API
★ 23ksemgrep-rules. Custom rules for semgrep.dev
★ 5codevigilant_semgrep_rules. We use semgrep rules to hunt for bugs in source code. This repository will keep list of rules we have in public
★ 8semgrep-hotspots. Repository for my Semgrep hot spot rules
★ 5my-semgrep-rules. my-semgrep-rules
★ 10semgrep-rules. Custom semgrep rules registry
★ 14sarif-rs. A group of Rust projects for interacting with the SARIF format
★ 133openapi-diff. Utility for comparing two OpenAPI specifications.
★ 1.1kexpress-openapi-validator. 🦋 Auto-validates api requests, responses, and securities using ExpressJS and an OpenAPI 3.1.x or 3.0.x specification
★ 1koasdiff. OpenAPI Diff and Breaking Changes
★ 1.3klaravel-openapi. Generate OpenAPI specification for Laravel Applications
★ 462response2schema. A quick and easy tool for generating OpenAPI schemas.
★ 91chrome-har. Create HAR files from Chrome Debugging Protocol data
★ 166openapi-to-postman. Plugin for converting OpenAPI 3.0 specs to the Postman Collection (v2) format
★ 1.1kcats. CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
★ 1.4kavantation. Build OpenAPI3.0 specification from HAR.
★ 91har2openapi. Generate openapi spec api documentation from captured har files
★ 162har2requests. Generate Python Requests code from your browser activity 🤖
★ 122mitmproxy2swagger. Automagically reverse-engineer REST APIs via capturing traffic
★ 9.5ksemgrep-rules. A collection of my Semgrep rules
★ 54fuzzable. Framework for Automating Fuzzable Target Discovery with Static Analysis.
★ 550typify. compiler from JSON Schema into idiomatic Rust types
★ 873jsonnet. Jsonnet - The data templating language
★ 7.5ksemgrep-server-rules. Go
★ 18feroxbuster. A fast, simple, recursive content discovery tool written in Rust.
★ 7.9karcherysec. ASOC, ASPM, DevSecOps, Vulnerability Management Using ArcherySec.
★ 2.5k