Point it at your app, it tries to break it. A dynamic security scanner for localhost servers and Android APKs.
Project description
fya is an open-source, dynamic security scanner. Give it a running server
(localhost or a URL) or an Android .apk, and it detects what the target is,
fingerprints it, tunes its own scan parameters to fit, and runs a battery of
security checks mapped to the OWASP Top 10 and OWASP MASVS. It ships its own
fast, pure-Python checks and, when they are installed, orchestrates the
best-in-class tools (Nuclei, Nikto, sqlmap, nmap, testssl, MobSF, jadx,
apkleaks) instead of reinventing them.
Authorized testing only. Only scan systems you own or are explicitly authorized in writing to test. Scanning targets that are not local requires the
--i-am-authorizedflag. Unauthorized scanning may be illegal. You are responsible for how you use this tool.
Highlights
- One tool, two targets. Scan a running web server or an Android
.apkwith the same command. - Adaptive. Detects the stack, tunes payloads and request pacing, and runs only the checks that apply.
- 25 checks, OWASP-mapped. Web, API, TLS, and APK static analysis, each tagged to OWASP Top 10 / MASVS and CWE.
- Orchestrates, does not reinvent. Uses Nuclei, Nikto, sqlmap, nmap, and testssl when present; falls back to built-in checks when not.
- Safe by default. Non-destructive, no flooding, localhost allowed, remote requires explicit authorization.
- CI-ready reports. Console, JSON, SARIF, Markdown, and self-contained HTML, with
--fail-onexit codes.
Demo
fya breaking the bundled vulnerable app in one run: reflected XSS,
error-based SQLi, CORS reflecting an arbitrary origin with credentials, an
open redirect, and an exposed .env.
Static analysis of an Android APK, finding a hardcoded AWS key and cleartext endpoints:
Regenerate these locally with python examples/demo.py. A full HTML report is
saved to docs/sample-report.html.
Install
pip install -e ".[dev]" # from a clone, with test tooling
pip install fya # once published
pip install "fya[apk]" # add Android APK static analysis
Python 3.9+. Core dependencies are just requests and rich; everything
heavier is an optional extra or an external tool detected at runtime.
Quickstart
# scan a local dev server (no authorization flag needed for localhost)
fya scan http://127.0.0.1:5000
# read-only, then progressively heavier
fya scan http://127.0.0.1:5000 --profile passive
fya scan http://127.0.0.1:5000 --profile safe # default
fya scan http://127.0.0.1:5000 --profile aggressive
# analyze an Android app
fya scan ./app-release.apk
# write a shareable report; format is inferred from the extension
fya scan http://127.0.0.1:5000 -o report.html
fya scan http://127.0.0.1:5000 -o findings.sarif # for CI code scanning
fya scan http://127.0.0.1:5000 -o report.json
# fail a CI job if anything high or worse is found
fya scan http://127.0.0.1:5000 --fail-on high
# a non-local target requires explicit authorization
fya scan https://staging.example.com --i-am-authorized
# see which external tools fya can hand off to
fya tools
Try it against the bundled vulnerable app
python examples/vulnerable_app.py # starts on http://127.0.0.1:5001
fya scan http://127.0.0.1:5001 -o report.html
Profiles
| Profile | What it does |
|---|---|
passive |
Read-only. Headers, TLS, cookies, disclosure, fingerprinting. |
safe |
Non-destructive active probes. Reflection, error signatures, CORS. |
aggressive |
Heavier probing and external-tool handoff. Still non-destructive. |
fya never floods a target or runs denial-of-service payloads. Request pacing
adapts automatically: it slows down on errors, timeouts, and slow responses.
How it adapts per target
- Detect whether the target is a web server or an
.apk. - Fingerprint the tech stack (server, framework, cookies, whether it is a JSON API) from the first responses.
- Select only the checks that apply to that target kind and profile.
- Tune payloads, pacing, and concurrency to what the target tolerates.
- Normalize every finding to OWASP / CWE and de-duplicate.
- Report to console, JSON, SARIF, Markdown, or a self-contained HTML page.
Architecture
fya/
models.py finding, target, profile, scan-result data models
detect.py target-kind detection (web vs apk)
fingerprint.py web tech fingerprinting used to tune checks
http.py adaptive, self-throttling HTTP client
registry.py the Check base class and auto-discovery
engine.py orchestrator: fingerprint, plan, run in parallel, collect
authorization.py the scope and consent gate
tools.py detection and safe subprocess handoff to external tools
report.py console / json / sarif / markdown / html reporters
checks/ one file per area, auto-registered on import
Adding a check is one file dropped in fya/checks/:
from ..models import Finding, Severity, TargetKind
from ..registry import Check, register
@register
class MyCheck(Check):
name = "web.my_check"
target_kinds = (TargetKind.WEB,)
def run(self, ctx):
r = ctx.http.get(ctx.target.base_url())
if r is not None and "X-My-Header" not in r.headers:
yield Finding(check=self.name, title="...", severity=Severity.LOW,
description="...", target=ctx.target.label())
It is discovered automatically. No central registration list to edit.
External tools (optional)
If these are on your PATH, fya will use them and fold their results into a
single normalized report; if not, it silently falls back to built-in checks.
nuclei, nikto, sqlmap, nmap, testssl.sh, sslyze, jadx, apkleaks.
Contributing
Issues and PRs welcome. Run pytest and ruff check . before submitting. New
checks should be small, mapped to OWASP/CWE, and non-destructive by default.
License
MIT. See LICENSE.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fya-0.1.0.tar.gz.
File metadata
- Download URL: fya-0.1.0.tar.gz
- Upload date:
- Size: 55.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4813ac1ad855456bdf89d7c4c1bf914f4cfe73500be4a76a3b0b3405dcf3eee8
|
|
| MD5 |
4e691e92a331637c2cf5a32e53c04fad
|
|
| BLAKE2b-256 |
dd98033ee4969e2c7423b168299ddc9ed18352f797d5239bacfe112e946dc171
|
Provenance
The following attestation bundles were made for fya-0.1.0.tar.gz:
Publisher:
publish.yml on ayam04/fya
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
fya-0.1.0.tar.gz -
Subject digest:
4813ac1ad855456bdf89d7c4c1bf914f4cfe73500be4a76a3b0b3405dcf3eee8 - Sigstore transparency entry: 2032051880
- Sigstore integration time:
-
Permalink:
ayam04/fya@1521d928df558d83a94599d9e66db952c916e484 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/ayam04
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@1521d928df558d83a94599d9e66db952c916e484 -
Trigger Event:
release
-
Statement type:
File details
Details for the file fya-0.1.0-py3-none-any.whl.
File metadata
- Download URL: fya-0.1.0-py3-none-any.whl
- Upload date:
- Size: 41.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ea21f36a2b0538b4ebdee584cbe43d858849fad9ba2965c73529e079ed3945e8
|
|
| MD5 |
23b7d8cee290999518d40bb8bbe10acc
|
|
| BLAKE2b-256 |
e593d792e931a4b325722576d7ba898e3f505a7ecf3e635c9e495d7ad3ebf162
|
Provenance
The following attestation bundles were made for fya-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on ayam04/fya
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
fya-0.1.0-py3-none-any.whl -
Subject digest:
ea21f36a2b0538b4ebdee584cbe43d858849fad9ba2965c73529e079ed3945e8 - Sigstore transparency entry: 2032052172
- Sigstore integration time:
-
Permalink:
ayam04/fya@1521d928df558d83a94599d9e66db952c916e484 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/ayam04
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@1521d928df558d83a94599d9e66db952c916e484 -
Trigger Event:
release
-
Statement type: