Pentest — Clearwing Security Scanner
Authorized security testing using
clearwing.
Authorization Check
Before any scanning, confirm authorization with the user. Ask:
- Is this target owned by you or your organization?
- Do you have written authorization to test it?
- What is the scope (source code only, network, or both)?
If authorization is unclear, STOP and do not proceed.
Prerequisites
Check if clearwing is installed:
bash
command -v clearwing && clearwing --version
If not installed:
bash
uv tool install clearwing
clearwing setup # Interactive LLM provider configuration
Requires: Python 3.10+, uv, Rust toolchain (for native bridge).
Mode 1: Source Code Analysis
Hunt vulnerabilities in source code using the 11-stage pipeline:
bash
# Standard depth — recommended starting point
clearwing sourcehunt <path-to-repo> --depth standard
# Quick scan — faster, less thorough
clearwing sourcehunt <path-to-repo> --depth quick
# Deep scan — comprehensive, takes longer
clearwing sourcehunt <path-to-repo> --depth deep
The pipeline: preprocess → rank files → generate fuzzing harnesses → tiered hunt (6 specialists) → adversarial verification → patch oracle → variant loop → exploit triage → auto-patch → report.
Evidence levels (ascending confidence):
- — pattern match, needs investigation
- — confirmed by static analysis
- — fuzzer triggered a crash
- — mechanism understood
- — exploitability confirmed
- — fix verified
Mode 2: Network Scanning
Scan a live target for service vulnerabilities:
bash
# Single host
clearwing scan <target-ip-or-hostname>
# CIDR block (concurrent)
clearwing parallel <CIDR> --max-concurrent 5
Output
Results are stored in SQLite and exported as:
- SARIF — for GitHub Code Scanning integration
- Markdown — human-readable report
- JSON — machine-readable findings
Interactive Mode
For guided exploration:
bash
clearwing interactive
clearwing interactive --resume <session_id>
CI Integration
bash
clearwing ci --sarif-output results.sarif