farhoodlabs/trebuchet
8
0
Fork 0
Code Issues Pull Requests 5 Actions Packages Projects Releases Wiki Activity

feat: backport config-driven run scoping and report filtering

Browse Source 
Cherry-pick of upstream Shannon PR #326. Adds vuln_classes subset
selection, exploit toggle, code_path avoid enforcement via SDK deny
rules, deterministic findings rendering when exploit is disabled,
report filtering (min_severity, min_confidence, guidance), and
rules_of_engagement config field.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Chris Farhood
2026-05-20 00:45:35 +00:00
committed by Hugh Commit [agent]
parent 70af2b12db
commit 85bcb27860
30 changed files with 1116 additions and 170 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/worker/prompts/exploit-ssrf.txt
+2
View File
@@ -92,6 +92,8 @@ After exhaustive bypass attempts, determine:
{{LOGIN_INSTRUCTIONS}}
</login_instructions>
@include(shared/_rules-of-engagement.txt)
<starting_context>
- Your **actionable exploitation queue** is located at `.shannon/deliverables/ssrf_exploitation_queue.json`. This is your to-do list, containing the precise targets identified by the analysis phase. You MUST process every vulnerability in this queue.