GIOR Pentest Framework — Open Source

Full-chain pentest automation for OpenCode.

From recon to report — 15 phases of automated exploitation with AI-powered intelligence. No API keys. No external services.

15 Phases · 250+ Playbooks · 109 Tools · 18 Intel DBs

gitest — zsh
$ oc /gitest https://target.com
[GITEST] Loading 18 intelligence databases...
[GITEST] 251 skill playbooks available
[PHASE 01A] Recon: scanning target.com
→ Port 80 open (HTTP — envoy)
→ Port 443 open (HTTPS)
→ WAF: Not detected
→ .env file exposed!
[PHASE 02A] SQLi scan on 3 endpoints
→ Parameter 'artist' might not be injectable
→ Testing XSS vectors...
✅ Report generated — 6 findings (2 CRITICAL, 2 HIGH, 1 MED, 1 LOW)

Features

Built for real exploitation

Not another scanner. gitest executes payloads, chains attacks, and simulates what a real competitor would do.

01 Full-Chain Exploitation

15 phases from recon to persistence — real exploitation with payloads, not just scanning.

02 250+ Attack Playbooks

Web, API, mobile, AD, cloud, CTF, forensics — categorized and ready to execute.

03 AI-Native Intelligence

18 JSON intel files for attack chaining, CVE correlation, pattern matching, and WAF bypass.

04 Multi-Vector Approach

OSINT, source code analysis, supply chain, API abuse, business logic, and cloud attacks.

05 Competitor Simulation

Report generation with CVSS scoring, simulating what a real competitor would do.

06 Zero External Dependencies

Runs on OpenCode's built-in model. No API keys, no external services needed.

Pipeline

15 phases. End to end.

From environment setup to final report — every phase is automated with real exploitation, not just scanning.

01 Env Setup (Phase 00)

Intel loading & tool verification

02 Recon (Phase 01A)

Subdomain, port, service enumeration

03 Source Code (Phase 01B)

Git dump, backup files, JS secrets

04 OSINT (Phase 01C)

People, email, GitHub recon

05 Web Vuln (Phase 02A)

SQLi, XSS, directory fuzzing

06 Supply Chain (Phase 02B)

CDN, dependency confusion

07 Spider (Phase 02C)

Full site crawling

08 API Abuse (Phase 03)

JWT, GraphQL, IDOR, rate limit

09 Auth Attacks (Phase 04)

Brute, spray, default creds

10 Business Logic (Phase 05)

Race conditions, workflow flaws

11 Cloud (Phase 06)

Subdomain takeover, S3 buckets

12 Data Exfil (Phase 07)

PII, financial data, credentials

13 Persistence (Phase 08)

Admin creation, webshell

14 Provider (Phase 09)

SSO, OAuth, webhook security

15 Report (Phase 10)

CVSS scoring, competitor simulation

Intelligence

AI-native intelligence stack

18 JSON databases powering attack chaining, pattern matching, WAF bypass, and CVE correlation.

attack_chains.json
cve_correlations.json
patterns.json
waf_signatures.json
waff_bypass.json
port_correlations.json
tech_correlations.json
endpoint_patterns.json
escalation_patterns.json
file_extensions.json
fuzzer_data.json
vuln_ontology.json
unified_patterns.json
ab_signals.json
verification_patterns.json
skills.json
tools.json
tools_meta.json

Quick Start

Install in 2 commands

Clone, install, and run. No API keys, no config.

# Clone the framework
$ git clone https://github.com/GiorMalik/gitest.git
# Install & verify tools
$ cd gitest && bash setup.sh
# Full-chain exploitation
$ oc /gitest https://target.com

Open Source · GPL-3.0

Start your first full-chain pentest

Clone the repo, run the command, and watch gitest execute 15 phases of automated exploitation.