# Poellie01/PentestCompanion

Repository record: owner Poellie01, language Python, 41 stars (7 in the last 30 days), 10 forks, 1 watcher, 1 open issue, license listed as "Other", default branch `main`, wiki enabled, not archived, not a fork. Description: "The ultimate pentesting companion. Keep all your pentesting artifacts in one place." Record updated 2026-06-12 04:01:30; last synced 2026-06-11 04:02:39.

Summary (translated from Chinese): PentestCompanion is a self-hosted workspace built for penetration testers to manage all pentest-related work in one place. Its core functions are tracking engagement progress, running security tools, auto-importing findings, and generating professional reports. Technically, it supports more than 90 security tools, detects which are available on the host, and streams live output; it also offers finding management such as CVSS scoring and CVE lookup. In addition it provides web scanning, multi-format report generation and client portals. It suits security teams or individuals who need full control over their data, especially during red-team exercises, bug bounty hunting, or preparation for security certification exams.

## README

<div align="center">

# ⬡ Pentest Companion

**A self-hosted pentest management workspace.**
Track engagements, run tools, auto-import findings, generate professional reports.

**https://ceretrix.net/tools/**

[![License: AGPL v3](https://img.shields.io/badge/License-AGPLv3-blue.svg)](LICENSE)
![Python 3.9+](https://img.shields.io/badge/python-3.9%2B-blue)
![Tests](https://img.shields.io/badge/tests-258%20passing-brightgreen)
![Version](https://img.shields.io/badge/version-0.2.0-orange)
![Docker](https://img.shields.io/badge/docker-ready-blue)

</div>

---

![Pentest Companion](static/banner_logo.png)

![Dashboard](docs/dashboard.png)

---

## What is this?

A self-hosted workspace for pentesters, red teamers, bug bounty hunters, and certification grinders (OSCP / OSEP / CRTP / PNPT / HTB). Run your tools from the UI, auto-import findings, track methodology phases, share results with clients, and generate a report when you're done — all from one place, on infrastructure you control.

No cloud. No SaaS. Your data stays on your server.

---

## Features

<table>
<tr><th align="left">Area</th><th align="left">What's in there</th></tr>
<tr><td><b>Engagements</b></td><td>
Targets · open ports · PTES checklist (7 phases) · attack path tracker · credentials vault · timeline · time tracking · loot · archive + restore · <code>.pcbundle</code> export/import
</td></tr>
<tr><td><b>Findings</b></td><td>
CVSS v3.1 · comments · evidence uploads · status workflow · CVE lookup · per-engagement import/export · 2400+ template library · bulk import from Nessus and Burp Suite XML · bulk operations (set severity / status / assignee · mark FP · delete)
</td></tr>
<tr><td><b>Tools Hub</b></td><td>
90+ tools across 10 categories · host-aware availability detection · install hints · live output streaming · auto-import findings · job persistence across reloads
</td></tr>
<tr><td><b>Web Scanner</b></td><td>
TLS · security headers · cookies · CORS · HTTP methods · exposed files · tech fingerprint · HTML hygiene · scan diffing · SSRF guard · deep-scan mode
</td></tr>
<tr><td><b>Reporting</b></td><td>
DOCX + PDF · branded cover page (logo, colour, footer) · executive summary · technical report · per-engagement redact and section toggles
</td></tr>
<tr><td><b>Client Portals</b></td><td>
Token-based read-only links · optional password protection · optional expiry · view count tracking · share findings without giving clients access to the app
</td></tr>
<tr><td><b>Exam Mode</b></td><td>
OSCP · OSEP · OSED · CRTP · PNPT · CPTS · Custom · live countdown in navbar · points tracker · screenshot slots · exam-style DOCX report
</td></tr>
<tr><td><b>Team & Auth</b></td><td>
Roles (viewer / operator / admin / owner) · invite links with email delivery · TOTP MFA · password reset via email · audit log · team branding settings
</td></tr>
<tr><td><b>Terminal Logging</b></td><td>
Personal API tokens · pipe any command output into an engagement session · ANSI viewer · <code>pclog</code> bash helper
</td></tr>
<tr><td><b>Workflow Playbooks</b></td><td>
Sequential multi-step scan pipelines · 5 built-in playbooks (External Recon, Web App, Network Discovery, AD/SMB Enum, TLS Audit) · live step-by-step status page · cancel support · custom playbooks via CRUD
</td></tr>
<tr><td><b>Scheduled Scans</b></td><td>
Per-target recurring scans · configurable tool + interval · background daemon scheduler (60 s tick) · results auto-imported into engagement
</td></tr>
<tr><td><b>Webhooks</b></td><td>
Slack · Discord · Teams · Generic JSON · fires on auto-import and manual findings · delivery log + test-fire button · SSRF-guarded URL validation
</td></tr>
<tr><td><b>REST API</b></td><td>
<code>GET /api/v1/engagements</code> · <code>GET /api/v1/engagements/&lt;id&gt;/findings</code> · paginated · severity + status filters · Bearer token auth
</td></tr>
<tr><td><b>Utilities</b></td><td>
Hash identifier · Base64 codec · command renderer · scratchpad with auto-parsing · Markdown notes with autosave · Obsidian vault import
</td></tr>
</table>

---

## Quick start (Docker — recommended)

```bash
git clone https://github.com/Poellie01/PentestCompanion.git
cd PentestCompanion
cp .env.example .env

# Generate a real SECRET_KEY (fills the empty SECRET_KEY= line in .env)
python3 -c "import secrets; print(secrets.token_hex(32))" \
    | xargs -I {} sed -i 's/^SECRET_KEY=$/SECRET_KEY={}/' .env

# Set ADMIN_PASSWORD (and SMTP/Resend if you want email)
$EDITOR .env

docker compose up -d
docker compose logs -f app
```

First run bootstraps an admin account and prints the credentials:

```
============================================================
  Bootstrapped admin account.
    username: admin
    password: changeme
  !!  CHANGE THIS PASSWORD or set ADMIN_PASSWORD in .env
============================================================
```

Hit `http://localhost:5000`, sign in, and change your password under **Account → Update Password**.

## Quick start (Python)

```bash
git clone https://github.com/Poellie01/PentestCompanion.git
cd PentestCompanion
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
python app.py
```

---

## Engagements

![Engagement](docs/engagement.png)

Full engagement management — targets, ports, credentials, attack steps, PTES checklist, timeline, and time tracking in one view. Export any engagement as a `.pcbundle` and restore it on any Pentest Companion instance.

---

## Findings

![Findings](docs/findings.png)

CVSS v3.1 scoring, evidence uploads, CVE lookup, remediation tracking, and a 40+ template library. Import findings from Nessus (`.nessus`) and Burp Suite (XML export) in one click.

---

## Tools Hub

![Tools Hub](docs/kali-tools.png)

The tools hub discovers what's installed on the host and gives you a point-and-click interface for 50+ common tools. Running Pentest Companion on Kali Linux gives you the full set out of the box.

**Categories:** Network · Web · AD/Windows · Impacket · Password Attacks · DNS · SSL/TLS · OSINT · Linux Enumeration · Custom

| Category | Tools |
|----------|-------|
| Network | nmap (quick / full / vuln), masscan, netcat |
| Web | nikto, gobuster (dir/dns/vhost), ffuf, whatweb, wafw00f, wpscan, sqlmap, feroxbuster, nuclei |
| AD / Windows | enum4linux-ng, smbmap, smbclient, netexec (SMB/LDAP/WinRM/RDP/MSSQL), ldapsearch, rpcclient, kerbrute |
| Impacket | secretsdump, GetNPUsers, GetUserSPNs, psexec, wmiexec, getTGT |
| Password | hydra, hashcat, john |
| DNS | dnsenum, dnsrecon, fierce, amass, subfinder |
| SSL/TLS | sslscan, testssl.sh |
| OSINT | theHarvester, searchsploit |
| Linux | linpeas, pspy |
| Custom | free-form shell command runner |

### Auto-scan on target creation

When you add a target to an engagement, expand **Auto-Scan** in the modal and tick the tools you want. Each selected tool runs in the background — findings land in the engagement automatically when the job completes.

---

## Web Scanner

![Web Scanner](docs/scanner.png)

Passive scanner — fires a small, fixed set of HTTP requests.

| Category | Checks |
|----------|--------|
| TLS | Cert expiry, self-signed, TLS 1.0/1.1, HTTP→HTTPS redirect |
| Security headers | HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| Cookies | Secure / HttpOnly / SameSite on every `Set-Cookie` |
| CORS | Wildcard, origin reflection, `null` origin |
| HTTP methods | TRACE / TRACK / PUT / DELETE / CONNECT |
| Exposed files | `.git/config`, `.env`, `.DS_Store`, `phpinfo.php`, `server-status`, and more |
| HTML hygiene | Mixed content, password autocomplete, forms missing CSRF tokens |
| Tech fingerprint | nginx, Apache, IIS, Cloudflare, PHP, WordPress, React, Vue, Angular, and more |

**Deep scan** adds directory enumeration and JS endpoint extraction. **Scan diffing** lets you compare two scans side-by-side. **Auto-promote** pushes scan findings into an engagement in one click.

---

## Terminal Logging

![Terminal Logging](docs/terminal_log.png)

Pipe any command output into an engagement session and replay it later with full ANSI colour.

**Step 1 — get a token:** Account → API Tokens → New Token

**Step 2 — add to your shell config:**

```bash
PCLOG_TOKEN="pcsk_your_token_here"
PCLOG_BASE="http://localhost:5000"

# Usage: <command> | pclog <engagement_id> [session name]
# Opens a terminal session, echoes each stdin line locally while appending it
# to the session, and closes the session when stdin ends.
pclog() {
    local eid=$1; shift
    local name="${*:-$(date +%H:%M:%S)}"
    local sid
    sid=$(curl -sf -X POST "$PCLOG_BASE/api/v1/terminal/start" \
        -H "Authorization: Bearer $PCLOG_TOKEN" \
        -H "Content-Type: application/json" \
        -d "{\"engagement_id\":$eid,\"name\":\"$name\"}" \
        | python3 -c "import sys,json; print(json.load(sys.stdin)['session_id'])")
    if [ -z "$sid" ]; then
        # Bad token, wrong base URL or unknown engagement: pass output through
        # unchanged so the pipeline still works, but report the failure.
        echo "pclog: could not start session (check PCLOG_TOKEN / PCLOG_BASE / engagement id)" >&2
        cat
        return 1
    fi
    while IFS= read -r line; do
        printf '%s\n' "$line"
        printf '%s\n' "$line" | curl -sf -X POST "$PCLOG_BASE/api/v1/terminal/append/$sid" \
            -H "Authorization: Bearer $PCLOG_TOKEN" \
            -H "Content-Type: application/octet-stream" --data-binary @- > /dev/null
    done
    curl -sf -X POST "$PCLOG_BASE/api/v1/terminal/close/$sid" \
        -H "Authorization: Bearer $PCLOG_TOKEN" > /dev/null
}
```

**Step 3 — use it:**

```bash
nmap -sV 10.10.10.1 | pclog 42 "nmap initial"
gobuster dir -u http://10.10.10.1 -w /usr/share/wordlists/dirb/common.txt | pclog 42 "gobuster web"
```

---

## Workflow Playbooks

Run a sequenced chain of tools against a target in one click. Each step waits for the previous one to finish before launching.

**Built-in playbooks:**

| Playbook | Steps |
|----------|-------|
| External Recon | nmap → theHarvester → amass → whatweb |
| Web App | nikto → gobuster → ffuf → sqlmap |
| Network Discovery | masscan → nmap (full) → enum4linux-ng |
| AD / SMB Enum | netexec SMB → smbmap → ldapsearch → kerbrute |
| TLS Audit | sslscan → testssl.sh |

Navigate to **Playbooks** in the nav bar, pick a playbook, select a target, and watch each step advance in real time. You can cancel mid-run and create custom playbooks through the same UI.

---

## Scheduled Scans

Set a tool to run against a target on a recurring schedule — every hour, every 6 hours, daily, or weekly. A background daemon claims and runs due jobs every 60 seconds; findings land in the engagement automatically.

```
Target page → Scheduled Scans → Add Schedule → pick tool + interval
```

---

## Webhooks

Get notified in Slack, Discord, or Teams whenever a finding is created — either by an auto-import job or manually.

**Supported formats:** Slack Block Kit · Discord embeds · Teams MessageCard · Generic JSON

```
Team Settings → Webhooks → New Webhook → paste URL → Test
```

Each delivery is logged with status code and response body. Webhook URLs are validated against the SSRF block-list before saving.

---

## Bulk Operations on Findings

Select one or more findings with the row checkboxes (or **Select All**), then use the sticky bulk action bar to:

- Set severity, status, or assignee across all selected findings in one click
- Mark selected findings as False Positive
- Delete selected findings

---

## REST API

Two read endpoints are available for external tooling and integrations. All requests require a `Bearer` token (create one under **Team Settings → API Tokens**).

| Endpoint | Description |
|----------|-------------|
| `GET /api/v1/engagements` | List all engagements for your team |
| `GET /api/v1/engagements/<id>/findings` | Paginated findings; filter by `severity` and `status` |

```bash
# Quote the URL: an unquoted & would background the command in the shell
curl -H "Authorization: Bearer pcsk_yourtoken" \
     "http://localhost:5000/api/v1/engagements/1/findings?severity=critical&page=1"
```

---

## .pcbundle — portable engagement format

Export any engagement as a `.pcbundle` file (a versioned ZIP containing all data and evidence files). Import it on any Pentest Companion instance — useful for sharing engagements between team members, archiving, or moving between instances.

```
Engagement → Export Bundle  →  client-engagement.pcbundle
                                        ↓
                          Dashboard → Import Bundle
                              (drag-and-drop, live preview)
```

Full format reference at `/bundle/help` when running the app.

---

## Client Portals

Share findings with clients without giving them access to the app. Each portal link is token-based, optionally password-protected, and optionally set to expire.

```
Engagement → #portal → New Portal Link → send link to client
```

Clients see: finding title, severity, description, remediation, CVSS score, and CVE ID. Nothing internal (credentials, attack steps, notes) is exposed.

---

## PTES Checklist

Each target gets a structured checklist organised around PTES pentest phases:

| Phase | Coverage |
|-------|----------|
| **Enumeration** | Port scan, service version, OS detection, DNS, SNMP, SMB shares, LDAP |
| **Initial Access** | Exploit known CVEs, password spray, phishing, default creds, SQLi, web shells |
| **Privilege Escalation** | SUID/GUID, sudo misconfig, kernel exploits, token impersonation, ACL abuse |
| **Lateral Movement** | Pass-the-hash, Pass-the-ticket, RDP, WMI, PSExec, SSH tunnelling |
| **Data Exfiltration** | Sensitive file locations, credential files, DB dump, AD secrets |
| **Persistence** | Cron jobs, startup items, registry run keys, golden ticket, new admin accounts |
| **Reporting** | Screenshot collection, timeline review, cleanup verification |

---

## Exam Mode

Supports: **OSCP · OSEP · OSED · CRTP · PNPT · CPTS · Custom**

- Live countdown baked into the navbar
- Per-machine tracking: type, points, flags, and screenshot slots
- Pass/fail badge updates in real time as flags come in
- Generate exam-style DOCX/PDF report when done

---

## Environment variables

| Variable | Default | Purpose |
|----------|---------|---------|
| `SECRET_KEY` | auto-generated | Session signing key — set explicitly in production |
| `ADMIN_PASSWORD` | `changeme` | Bootstrapped admin password (first run only) |
| `ADMIN_EMAIL` | `admin@example.com` | Bootstrapped admin email |
| `APP_BASE_URL` | — | Public URL of your instance — required for correct links in emails |
| `ALLOW_REGISTRATION` | `1` | Set to `0` for invite-only |
| `FORCE_HTTPS` | `0` | Adds `Secure` cookie flag + HSTS header — set to `1` in production |
| `MAX_UPLOAD_MB` | `25` | Evidence upload size cap |
| `DATABASE_PATH` | `pentest.db` | SQLite file path |
| `UPLOAD_FOLDER` | `static/uploads` | Evidence files and logos |
| `HOST_PORT` | `5000` | Host-side port for Docker Compose |
| `GUNICORN_WORKERS` | `4` | Gunicorn worker count |
| `ALLOW_INTERNAL_SCANS` | `0` | Allow scanning RFC1918 / loopback targets |

### Email (password reset + invitations)

Without email config, reset links are printed to the server log — fine for local use.

| Variable | Purpose |
|----------|---------|
| `RESEND_API_KEY` | Resend API key (recommended — sign up at resend.com) |
| `SMTP_HOST` | Generic SMTP server hostname |
| `SMTP_PORT` | SMTP port (default `587`) |
| `SMTP_USER` | SMTP username |
| `SMTP_PASS` | SMTP password |
| `SMTP_FROM` | From address |
| `SMTP_TLS` | Set to `0` to disable STARTTLS |

---

## Security model

| Control | Implementation |
|---------|----------------|
| Sessions | HttpOnly + SameSite=Lax cookies; `FORCE_HTTPS=1` adds `Secure` |
| Passwords | PBKDF2-SHA256 via `werkzeug.security` |
| MFA | TOTP (RFC 6238) via `pyotp` — per-user, optional |
| Password reset | Single-use time-limited tokens; username-enumeration-safe response |
| CSRF | Flask-WTF on every form; AJAX auto-includes token via meta tag |
| Cross-team isolation | Every `<int:id>` route goes through a `require_*` helper that 404s on cross-team access |
| Evidence path traversal | Paths looked up in DB and served only when engagement belongs to your team |
| Scanner SSRF | Blocks loopback, link-local, cloud metadata (169.254.169.254), and RFC1918 by default |
| API tokens | `pcsk_` prefix, SHA-256 hashed at rest, per-token revocable |
| Audit log | Security-relevant events logged to DB (login, role changes, member removal, portal creation) |

---

## Project layout

```
app.py                    # Flask application — core routes, models, init_db
config.py                 # All env config + shared constants
database.py               # DB layer: get_db(), init_db(), migrations, CVE sync
helpers.py                # Auth guards, row fetchers, audit(), token_required
scheduler.py              # Consolidated kali + web-scanner scheduler daemon
scanner.py                # Web security scanner (pure stdlib)
reporting.py              # Report helpers: MITRE map, risk score, diff, roadmap
commands.py               # Renderable pentest command templates
requirements.txt
Dockerfile
docker-compose.yml
.env.example

blueprints/               # Route blueprints (refactor in progress)
  auth.py                 # 20 auth routes
  team.py                 # 32 team + webhook + API-token routes
  reports.py              # 23 report + bundle + client-portal routes
  scanner.py              # Web scanner + terminal + playbooks + scheduled scans
  engagements.py          # Engagements, targets, findings, sub-resources

tools/                    # Kali tool integration package
  manifest.py             # 90+ tool definitions
  profiles.py             # ScanProfile dataclass + build/parse logic
  generic_runner.py       # subprocess + SSE streaming + auto-import
  generic_parser.py       # Universal finding extractor (regex + JSON)
  base.py                 # ToolJobRunner ABC + job persistence
  playbook_engine.py      # Sequential multi-step playbook executor
  webhooks.py             # Slack / Discord / Teams / JSON notifier
  trigger_engine.py       # Finding triggers + FP triage
  auto_orchestrator.py    # Auto-scan orchestration
  auto_discover.py        # Host/service auto-discovery

templates/                # Jinja2 templates
static/
  style.css               # Single stylesheet
  app.js

tests/                    # 258 tests
  conftest.py             # App fixtures, auth helpers
  test_auth.py            # Login, registration, SSRF guard
  test_routes.py          # Route smoke tests
  test_leakage.py         # Cross-team isolation on every <int:id> endpoint
  test_team.py            # Role enforcement, invite flow, member management
  test_security.py        # Security controls
  test_reporting.py       # Reporting helpers
  test_webhooks.py        # Webhook delivery + formatting
  test_playbook_engine.py # Playbook executor
  test_trigger_engine.py  # Finding triggers
  test_generic_parser.py  # Universal parser (97% coverage)
  test_auto_orchestrator.py # Auto-orchestration (73% coverage)
```

---

## Testing

```bash
pip install pytest
pytest                        # all tests
pytest tests/test_leakage.py  # cross-team isolation
pytest -v                     # verbose
```

---

## License

Licensed under the [GNU Affero General Public License v3.0](LICENSE).

For commercial licensing (white-label, proprietary redistribution, or enterprise use) contact: **info@ceretrix.net**

---

<div align="center">

Made for pentesters, by a pentester. Have fun.

</div>