Skip to main content

Riciplay Security Platform — Autonomous AI-driven bug-bounty CLI

Project description

riciplay-cli

Riciplay Security Platform — Command-line Interface

An autonomous AI-driven bug bounty hunting agent for web applications and codebases. Runs local investigations with an LLM-in-a-loop leader that orchestrates specialists, probes endpoints, verifies findings, and chains vulnerabilities.

Features

  • Autonomous DAST (Dynamic Application Security Testing) — Web app vulnerability scanning with automatic attack-surface enumeration, multi-class injection probing (XSS / SQLi / IDOR / open-redirect / SSRF), and interception-driven recon through miniproxy + headless browser.

  • Autonomous SAST (Static Application Security Testing) — Code audit with semgrep, code search, and AI-guided data-flow tracing. Finds injection sinks, hardcoded secrets, weak crypto, and path traversal.

  • Manual-analysis mode — Human-pentester-style workflow: observe through browser, take notebook notes, register accounts, test cross-account, reason and iterate.

  • Specialist orchestration — Parallel execution of domain specialists (Recon, Web, API, Auth, Cloud, Business Logic) with shared findings, cross-specialist corroboration, and compound attack chaining.

  • Coverage gates — Deterministic finish-time enforcement ensures every discovered endpoint×parameter×attack-class combination is attempted before the investigation concludes.

  • Two-identity IDOR testing — Automatic account registration/login and cross-account replay for authorization bypass detection.

  • Phase-separated investigation — DISCOVER (breadth-first surface mapping and probing) followed by REPORT (impact verification, chaining, and quality gating).

Installation

pip install riciplay-cli

Requires Python 3.10+, mitmdump (for proxy capture), and optionally Chromium (via Playwright) for browser-based discoveries.

Quick Start

# Authenticate against the Riciplay backend
riciplay auth set-key <your-api-key>

# Run a DAST investigation against a target
riciplay scan investigate https://example.com --budget 12

# Run a SAST code audit
riciplay scan investigate ./my-project --mode sast --budget 8

# Manual-analysis mode
riciplay scan investigate https://example.com --mode manual --budget 15

Configuration

  • riciplay auth status — Check authentication and tier
  • riciplay auth whoami — Show current account info
  • riciplay review <path> — Code review with markdown output
  • riciplay --help — Full command reference

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

riciplay_cli-1.7.30.tar.gz (334.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

riciplay_cli-1.7.30-py3-none-any.whl (375.3 kB view details)

Uploaded Python 3

File details

Details for the file riciplay_cli-1.7.30.tar.gz.

File metadata

  • Download URL: riciplay_cli-1.7.30.tar.gz
  • Upload date:
  • Size: 334.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for riciplay_cli-1.7.30.tar.gz
Algorithm Hash digest
SHA256 405793dd54e01d80f0296d44027f89b04dde1b734e43a3950b9d3f511cc2db2c
MD5 cfefb6ef8d75e76bae4df0eca2755c64
BLAKE2b-256 2002672bcce4d4de8edc82d086da32d6d2a3ef1c16d88fee2f3823d0b3799a25

See more details on using hashes here.

File details

Details for the file riciplay_cli-1.7.30-py3-none-any.whl.

File metadata

  • Download URL: riciplay_cli-1.7.30-py3-none-any.whl
  • Upload date:
  • Size: 375.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for riciplay_cli-1.7.30-py3-none-any.whl
Algorithm Hash digest
SHA256 dd2b9f4c065de7341b360f63c26c67da6d748e7b94a5bf46110df2e7550f0f0c
MD5 ce1c2756bc47210779b234d055626f19
BLAKE2b-256 7a75e491e63c67209a523dd90cb441db9cc7aba911cc64d7e44fb5c26c2894aa

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page