Home
Softono
chaca-scanner

chaca-scanner

Open source Rust
Website GitHub
42
Stars
2
Forks
0
Issues
0
Watchers
2 months
Last Commit
Video Conferencing Vulnerability Scanning

About chaca-scanner

Native desktop web security scanner for developers. OWASP Top 10, API exposure, CMS detection, target intelligence. Built with Tauri 2 + React 19 + Rust.

Platforms

Web Self-hosted

Languages

Rust

Links

Website Source Code
m
Published by
madebyaris
Visit View Profile

README.md

View on GitHub

Chaca — Web Security Scanner

A native desktop security scanner for vibe coders and developers

version tauri react rust

Fast, opinionated security audits of your web apps — no terminal required.

Support Chaca directly: buy Chaca Pro, support via GitHub, or send $100 founder support via PayPal to [email protected] and get your company logo listed here forever.

Screenshots

New Scan Dashboard Full Report
Chaca New Scan screen Chaca Dashboard Chaca vulnerability list
Configure target URL, scan mode (Passive/Active/Full), or scan a local folder Security score, vulnerability trend, target intelligence Filter by severity, CWE references, export to JSON/CSV/SARIF/PDF

What is Chaca?

Chaca = Chalim Scanner — a desktop app built with Tauri 2, React 19, and Rust that scans web applications for security issues. Designed for developers who want actionable results without learning Burp Suite or OWASP ZAP.

Features

Scanning Engine (Rust)

Category Capabilities
Passive Security headers, cookies, CORS, CSP, CSRF, clickjacking, JWT, rate limits, deserialization indicators
Active XSS (canary + attribute/event injection), SQLi, SSTI, open redirect, path traversal, CORS reflection, CSRF verification
CMS WordPress, Drupal, Joomla, Shopify, Magento fingerprinting + platform-specific checks
API 57+ sensitive path probes (/swagger.json, /env, /graphql, /wp-json/wp/v2/users, …)
Disclosure Stack traces, debug headers, file path leaks (Python, Java, PHP, .NET, Go, Ruby, Node.js)
Services Supabase, Firebase, PocketBase, admin panels (phpMyAdmin, Adminer, wp-login, debug consoles)
Recon IP, DNS, TLS, server fingerprinting, tech detection (frameworks, CDNs, WAFs, hosting), robots.txt / sitemap.xml / security.txt
Knowledge 50+ vulnerability definitions with CWE, CVSS severity, remediation, references
Quality Confidence scoring (Confirmed/Firm/Tentative), deduplication, category-capped security score (0–100)

Desktop App (React + Tailwind)

  • Monospace-first minimal UI
  • Real-time progress (crawl → passive → active)
  • Dashboard with score, charts, stats, target intelligence panel
  • Report viewer with CWE links and external references
  • Filter by severity and confidence
  • Export to JSON, CSV, SARIF, and PDF
  • Pro scan helpers: quick headers, login-first setup, branded PDF exports
  • Persistent scan history across app restarts
  • Scan presets (Quick passive, API audit, Full scan) + custom presets
  • Local folder scanning: secrets, config exposure, endpoint inventory (local-only)
  • Settings page (network, crawling, passive, active, data detection, export, presets) with persistent storage

Tech Stack

Layer Technology
Shell Tauri 2
Frontend React 19, TypeScript, Tailwind CSS v4
State Zustand, tauri-plugin-store
UI Radix UI, Lucide icons, Recharts
Backend Rust (reqwest, regex, tokio, serde, tracing, base64)

Getting Started

Prerequisites

Run

npm install
npm run tauri dev

Build

npm run tauri build

Output: src-tauri/target/release/bundle/

Release (GitHub)

Pre-built binaries for Windows (x64) and Linux (x64 AppImage) are published to GitHub Releases on each version tag. macOS builds currently require local compilation because Chaca is not yet signed/notarized with an Apple Developer account.

To cut a release:

  1. Bump version in package.json and src-tauri/tauri.conf.json
  2. Commit and push
  3. Create and push a version tag: git tag v0.6.0 && git push origin v0.6.0
  4. GitHub Actions builds all platforms and creates a draft release
  5. Edit the draft release, add release notes, and publish

Expected artifacts:

Platform Artifact Notes
macOS (Apple Silicon) Build locally For now, macOS developers should compile Chaca themselves with npm run tauri build
Windows (x64) Chaca_0.6.0_x64-portable.exe Run directly; requires WebView2 on Windows 10
Windows (x64) Chaca_0.6.0_x64-setup.nsis.exe Installer (includes WebView2)
Linux (x64) Chaca_0.6.0_amd64.AppImage Run directly

Note: Current releases are unsigned. Windows may show security warnings, and macOS public distribution is temporarily blocked until Chaca is signed/notarized. Ensure Settings → Actions → General → Workflow permissions is set to "Read and write permissions" so the release workflow can create releases.

macOS "Damaged" Warning

If macOS says "Chaca.app" is damaged and can't be opened, the app is usually being blocked by Gatekeeper because it is unsigned or was downloaded with a quarantine flag.

If you are a Mac developer, the most reliable option for now is to clone the repo and build locally:

npm install
npm run tauri build

Try these steps:

  1. Open the .dmg
  2. Drag Chaca.app into Applications
  3. In Finder, right-click Chaca.app and choose Open
  4. If macOS still blocks it, go to System Settings -> Privacy & Security and click Open Anyway

If that still does not work, remove the quarantine attribute manually:

xattr -dr com.apple.quarantine "/Applications/Chaca.app"

Then open the app again.

Usage

URL Scan

  1. Enter a target URL
  2. Choose Passive or Full scan
  3. Review dashboard — score, vulnerabilities, target intelligence
  4. Open findings for evidence, remediation, CWE references
  5. Export as JSON, CSV, SARIF, or PDF

Local Folder Scan (v0.6)

  1. Click SCAN FOLDER and select a project directory
  2. Chaca scans for: secrets (AWS, GitHub, Stripe, etc.), exposed config files (.env, CI, K8s), and endpoint patterns (Express, Next.js, FastAPI)
  3. All scanning is local-only; no content leaves your machine
  4. Results appear in the same dashboard; export as usual

Only scan targets you have explicit permission to test.

Project Structure

src/                    # React frontend
├── components/
│   ├── dashboard/      # Scan results, charts, target intelligence
│   ├── layout/         # App shell, sidebar, header
│   ├── settings/       # Settings page and controls
│   └── ui/             # Radix-based primitives
├── store/              # Zustand (scan state, settings)
└── utils/              # Export helpers

src-tauri/              # Rust backend
└── src/
    ├── scanner/
    │   ├── engine.rs       # Scan orchestrator
    │   ├── crawler.rs      # URL discovery
    │   ├── folder_scanner.rs # Local folder scan (secrets, config, endpoints)
    │   ├── passive.rs      # Passive checks
    │   ├── active.rs       # Active tests
    │   ├── cms.rs          # CMS detection
    │   ├── recon.rs        # Target intelligence
    │   └── rules/          # api_exposure, data_exposure, info_disclosure,
    │                       # exposed_services, vuln_db
    └── lib.rs          # Tauri commands & data structures

Support

Chaca Pro unlocks branded PDF export, unlimited history, scan profiles, quick auth headers, and login-first scanning. Get a license to support indie development.

If you want to directly support the work at the founder level, you can also contribute $100 via:

Founder-level supporters can have their company logo listed here as a permanent founding supporter of the repo.

If your subscription expires, you have 7 days to resubscribe before Pro features are disabled — no sudden interruptions.

Author

Aris Setiawan

Open-source. Use responsibly.