Skip to content

Shannon Quick Start

There are two ways to run Shannon: the npx workflow (fastest, no clone) and a build from source using a local clone. Pick a tab below. Your choice is remembered across every page on this site.

  • Docker: required for the worker container.
  • Node.js 18+: required for the npx workflow.
  • pnpm: required for a build from source.
  • AI provider credentials: Anthropic is recommended. AWS Bedrock, Google Vertex AI, and compatible proxy setups are documented in AI Providers.
  1. Configure credentials with the interactive wizard:

    Terminal window
    npx @keygraph/shannon setup
  2. Run a pentest against a source-available target:

    Terminal window
    npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo

Shannon pulls the worker image from Docker Hub, starts the required local infrastructure, mounts the target repository read-only inside an ephemeral worker container, and writes results to a local workspace.

The -u flag is the target URL. The -r flag is the path to the target’s source repository (mounted read-only inside the worker).

Shannon runs autonomously through pre-reconnaissance, reconnaissance, per-class vulnerability analysis, exploitation, and reporting. A full run typically takes roughly 1 to 1.5 hours and may incur LLM API costs depending on model pricing and application complexity.

Stream logs or check status from another terminal:

Terminal window
npx @keygraph/shannon logs <workspace>
npx @keygraph/shannon status

For detailed, per-step monitoring, open the Temporal Web UI:

Terminal window
open http://localhost:8233

Results are saved to the workspaces directory: ~/.shannon/workspaces/ in npx mode, or ./workspaces/ in source-build mode. The final report is surfaced at the workspace root:

workspaces/{hostname}_{sessionId}/Security-Assessment-Report.md

Run internals (deliverables, logs, prompts, and session state) live under a hidden .shannon/ directory inside the workspace. Use the -o <path> flag to copy deliverables to a custom output directory after a run completes.

Terminal window
npx @keygraph/shannon stop # Stop the running scan and infrastructure.
npx @keygraph/shannon stop --clean # Stop and clean up (confirms first; add --yes to skip).
npx @keygraph/shannon uninstall # Remove Shannon's local infrastructure (confirms first; add --yes to skip).