84 security plugins · 30+ recon tools · OWASP 2025 · CVSS v4.0 · PDF/MD/JSON reports
One command to enumerate, scan, exploit, analyze, and generate compliance-ready pentest reports.
Built for red teamers, bug bounty hunters, and DevSecOps engineers.
Cinematic boot sequence · Auto-detects 30+ tools · Preloader with security intel tips
Split-screen live dashboard · Real-time severity tracking · Rotating security intelligence
Most pentest workflows involve 20+ separate tools, each with its own syntax, output format, and report style. You manually merge results, format reports, and lose hours to context-switching.
Cascavel replaces the entire workflow:
```
$ python3 cascavel.py -t target.com --pdf

  DISCOVER   →   PROBE   →   ATTACK    →   ANALYZE
  Subdomains     Ports       XSS,SQLi      JWT,CORS
  DNS,WHOIS      Banners     SSRF,RCE      CSP,CSRF
  Cloud enum     Headers     SSTI,XXE      OAuth,IDOR

  DETECT     →   REPORT (PDF/MD/JSON)
  Docker,K8s     CVSS v4.0 · OWASP · PTES · LGPD
  Redis,S3       Legal disclaimers · SHA-256 integrity
  CI/CD          Compliance mapping · Risk matrix
```
| Capability | Cascavel | Other Tools |
|---|---|---|
| Unified pipeline | 84 plugins + 30 tools in one command | Fragmented scripts |
| Live dashboard | Split-screen with real-time stats + intel | No live feedback |
| PDF reports | 12 legal disclaimers, CVSS v4.0, PTES | Manual formatting |
| Terminal UX | Cinematic preloader, fade animations | Plain stdout |
| Security hardening | ANSI sanitizer, plugin sandboxing | Trust all output |
| Zero-config | install.sh handles everything | Manual dependency hell |
| Requirement | Minimum | Why |
|---|---|---|
| Python | 3.12+ | LTS until 2028 · importlib.metadata, typed generics |
| requests | 2.32.4 | GHSA-9hjg: .netrc credential leak + TLS verify bypass |
| pyOpenSSL | 25.0.0 | GHSA-5pwr: buffer overflow + unhandled callback bypass |
| dnspython | 2.7.0 | GHSA-3rq5: TuDoor DNS resolution disruption |
| PyJWT | 2.12.0 | CVE-2022-29217: algorithm confusion attack |
| ReportLab | 3.6.13 | CVE-2023-33733: RCE via rl_safe_eval |
Note
The installer automatically enforces these minimum versions and runs pip-audit post-install. Manual installs should verify with `pip list | grep -iE 'requests|pyopenssl|dnspython|pyjwt|reportlab'`.
```bash
curl -fsSL https://raw.githubusercontent.com/glferreira-devsecops/Cascavel/main/install.sh | bash
```

One command. That's it. Works on macOS, Linux (Debian/Ubuntu/Kali/Parrot/Fedora/Arch/Alpine/SUSE), WSL2, and Docker. The installer auto-detects your OS, installs git + python3 if missing, clones the repo, creates a venv, installs all 84 plugins + 30 tools, and registers the cascavel global command. Zero manual steps.
Tip
No curl? Use `wget -qO- https://raw.githubusercontent.com/glferreira-devsecops/Cascavel/main/install.sh | bash`

Alternative methods (git clone, Docker, manual)
```bash
# Git clone
git clone https://github.com/glferreira-devsecops/Cascavel.git && cd Cascavel && bash install.sh

# Download tarball (no git needed)
curl -fsSL https://github.com/glferreira-devsecops/Cascavel/archive/main.tar.gz | tar xz && cd Cascavel-main && bash install.sh

# Docker (isolated)
docker run -it --rm python:3.12-slim bash -c "apt update && apt install -y git && git clone https://github.com/glferreira-devsecops/Cascavel.git /app && cd /app && bash install.sh"

# Manual
git clone https://github.com/glferreira-devsecops/Cascavel.git && cd Cascavel
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt && python3 cascavel.py -t target.com
```

The installer v2.3.0 includes 15 security hardenings: trap cleanup, mktemp -d TOCTOU isolation, anti-symlink lock, SHA-256 requirements.txt integrity, CVE version enforcement (6 packages), umask 077, PATH prefix sanitization (rejects . and relative paths), container detection (Docker/Podman/LXC), WSL2 kernel detection, Python ssl module verification, stale venv recovery, chmod 700/600 on sensitive paths, GOPATH/GOBIN export validation, locale UTF-8 enforcement, and absolute paths for critical binaries.
```
cascavel.py (2800+ lines)
├── ANSI Escape Sanitizer
│   └── Blocks CSI/OSC/DCS injection
├── Preloader Engine
│   └── 5-stage cinematic boot
├── Plugin Orchestrator
│   └── Dynamic load, SIGALRM timeout
├── Split-Screen Dashboard
│   └── Rich Live (scan + intel panel)
├── External Tools Pipeline
│   └── 30+ tools, shlex.quote()
├── Report Engine (PDF/MD/JSON)
└── Signal Handler (async-signal-safe)

report_generator.py (1400+ lines)
├── _NumberedCanvas (two-pass "Page X of Y")
├── Diagonal "CONFIDENCIAL" watermark
├── QR Code → rettecnologia.org
├── Widows/orphans paragraph control
├── Table splitOn + repeatRows=1
├── Risk Matrix (5×5 heat map)
├── 9 compliance frameworks
├── 20-term security glossary
├── Prioritized remediation summary
└── SHA-256 document integrity
```
| # | Protection | Implementation |
|---|---|---|
| 1 | Terminal height detection | _get_terminal_height() → POSIX fallback for headless/pipe |
| 2 | Logo fade term detection | Skips cursor manipulation on terminals < 20 rows |
| 3 | Cursor safety clamp | _clear_block: never moves cursor beyond boundaries |
| 4 | Preloader fallback | try/except wrapper for CI/pipe/dumb terminals |
| 5 | Typewriter interrupt | Guarantees newline before SIGINT propagation |
| 6 | Boot line stdout | Eliminates Rich/stdout buffer race condition |
| 7 | 256-color gradient | Cobra green_ramp palette (22→46) |
| 8 | Progress pacing | Variable speed with TimeElapsedColumn |
| 9 | Percentage clamping | _build_table caps at 100% |
| 10 | ANSI sanitizer | Strips CSI/OSC/DCS from plugin output, preserves SGR |
| 11 | Stat fallback | Accurate dashboard even when Rich Live crashes |
Enterprise-grade reports signed by RET Tecnologia, compliant with Brazilian and international frameworks:
| Section | Content |
|---|---|
| Cover | Logo, target, report ID (CSR-YYYYMMDD-HHMMSS), QR code → rettecnologia.org |
| Legal Disclaimers | 12 frameworks: NDA, LGPD, Marco Civil, Art. 154-A, PL 4752/2025, ISO 27001, PCI DSS v4.0, NIST SP 800-115, OWASP Testing Guide v5, CVSS v4.0, SOC 2, HIPAA |
| Executive Summary | Dynamic severity posture badge with traffic-light scoring |
| Risk Matrix | 5×5 heat map with CVSS v4.0 color-coded severity |
| Detailed Findings | OWASP 2025 mapping, evidence, remediation steps |
| Compliance Mapping | 9 international frameworks with gap analysis |
| Prioritized Remediation | Findings sorted by CVSS score with effort estimates |
| Glossary | 20 security terms with definitions |
| PTES Methodology | 5-phase pentest documentation |
| Revision History | Version tracking with author and date |
| Signature Page | SHA-256 document integrity hash |
Report features: "Página X de Y" two-pass numbering · diagonal CONFIDENCIAL watermark · widows/orphans paragraph control · intelligent table splitting with repeatRows=1 · clickable links to rettecnologia.org on every page.
```bash
cascavel -t target.com --pdf       # Generate PDF report
cascavel -t target.com -o json     # JSON output for CI/CD pipelines
cascavel -t target.com -o md       # Markdown for documentation
```

Zero false-positive tolerance. Standardized run() interface. Each plugin returns structured results with severity classification.
xss_scanner · sqli_scanner · ssti_scanner · rce_scanner · blind_rce · nosql_scanner · cve_2021_44228_scanner
ssrf_scanner · xxe_scanner · lfi_scanner · path_traversal
jwt_analyzer · oauth_scanner · csrf_detector · idor_scanner · session_fixation · password_policy
http_smuggling · http2_smuggle · websocket_scanner · grpc_scanner
cors_checker · csp_bypass · clickjacking_check · host_header_injection · web_cache_poison · rate_limit_check · waf_bypass
graphql_probe · graphql_injection · api_enum · api_versioning
mass_assignment · race_condition · prototype_pollution · deserialization_scan · open_redirect · crlf_scanner
docker_exposure · k8s_exposure · redis_unauth · mongodb_unauth · elastic_exposure · cicd_exposure · cloud_metadata · cloud_enum
subdomain_hunter · subdomain_takeou · dns_deep · dns_rebinding · network_mapper · email_harvester · email_spoof_check · shodan_recon · wayback_enum · whois_recon · traceroute_mapper
tech_fingerprint · js_analyzer · param_miner · info_disclosure · secrets_scraper · git_dumper · admin_finder
dir_bruteforce · nikto_scanner · katana_crawler · http_methods · wps_scanmini · nuclei_scanner · fast_webshell
s3_bucket · saml_scanner
ssl_check · waf_detec · profiler_bundpent · nmap_advanc · auto_exploit
ssh_brute · ftp_brute · smb_ad · smpt_enum · heartbleed_scanner · domain_transf
Full documentation: PLUGINS.md
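A complete plugin written against the run() contract that CONTRIBUTING.md specifies (target, ip, open_ports, banners, returning plugin/resultados/severidade), together with the contract check an orchestrator should run before trusting a plugin's result. This is an added example, not one of the 84 shipped plugins; the port-to-service table, the severities assigned, and the per-finding fields are illustrative assumptions.

```python
from typing import Any

# Severity labels from the plugin contract, ordered worst first.
SEVERITIES = ("CRITICO", "ALTO", "MEDIO", "BAIXO", "INFO")

# Assumed table: services that are a finding merely by being reachable.
_EXPOSED = {
    2375: ("Docker API (plaintext)", "CRITICO"),
    6379: ("Redis", "ALTO"),           # unauthenticated by default
    27017: ("MongoDB", "ALTO"),
    23: ("Telnet", "MEDIO"),
    21: ("FTP", "BAIXO"),
}


def run(target: str, ip: str, open_ports: list, banners: dict) -> dict:
    """Flag management/data-store services exposed on the scanned host."""
    findings = []
    for port in sorted(set(open_ports)):
        if port not in _EXPOSED:
            continue
        service, severity = _EXPOSED[port]
        # Banner keys may be int or str depending on the probe that filled them.
        banner = (banners.get(port) or banners.get(str(port)) or "").strip()
        findings.append({"port": port, "service": service, "severidade": severity,
                         "evidencia": banner[:80] or "port open, no banner"})
    if not findings:
        return {"plugin": "exposed_services", "resultados": "Limpo", "severidade": "INFO"}
    worst = min(findings, key=lambda f: SEVERITIES.index(f["severidade"]))["severidade"]
    return {"plugin": "exposed_services", "resultados": findings, "severidade": worst}


def validate_result(result: Any) -> dict:
    """Orchestrator-side check: reject results that break the run() contract."""
    if not isinstance(result, dict):
        raise TypeError("plugin must return a dict")
    missing = {"plugin", "resultados", "severidade"} - result.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    if result["severidade"] not in SEVERITIES:
        raise ValueError(f"unknown severity {result['severidade']!r}")
    if not isinstance(result["resultados"], (list, str)):
        raise TypeError("resultados must be a findings list or a summary string")
    return result
```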
```bash
python3 cascavel.py -t example.com            # Full scan (all plugins + tools)
python3 cascavel.py                           # Interactive mode
python3 cascavel.py -t example.com --pdf      # Generate PDF report
python3 cascavel.py -t example.com -o json    # JSON output (CI/CD integration)
python3 cascavel.py -t example.com -q         # Quiet mode (no animations)
python3 cascavel.py --plugins-only            # Skip external tools
python3 cascavel.py --list-plugins            # List all 84 plugins
python3 cascavel.py --check-tools             # Check installed tools
```

| Flag | Description |
|---|---|
| `-t TARGET` | Target domain or IP |
| `-q` | Suppress animations and preloader |
| `-o FORMAT` | Output format: md / json / pdf |
| `--pdf` | Shorthand for `-o pdf` |
| `--timeout N` | Per-tool timeout in seconds (default: 90) |
| `--plugins-only` | Run internal plugins only, skip external tools |
| `--check-tools` | Display status of 30+ external tools |
| `--list-plugins` | List all available plugins |
| `--no-preloader` | Skip cinematic boot animation |
| `--no-notify` | Disable desktop notifications |
| `-v` | Display version |
All optional: Cascavel auto-detects and skips missing tools gracefully.
| Category | Tools |
|---|---|
| Recon | subfinder · amass · dnsx · fierce · dnsrecon · whois |
| Web Probing | httpx · nikto · katana · feroxbuster · ffuf · gobuster |
| Port Scanning | nmap · naabu |
| Vulnerability | nuclei · sqlmap |
| OSINT | shodan · gau · waybackurls · asnmap · mapcidr |
| WAF Detection | wafw00f |
| Network | traceroute · dig · tshark |
| Crypto/TLS | sslscan |
| CMS | wpscan · whatweb |
| Brute Force | hydra · john |
Tip
install.sh detects your OS and installs all available tools automatically.
Cascavel is hardened against modern attack vectors targeting security tools themselves:
| Vector | Mitigation |
|---|---|
| Terminal injection (CSI/OSC/DCS) | _sanitize_output() strips dangerous ANSI escapes from all plugin output, preserving only SGR color codes |
| Plugin timeout | SIGALRM-based enforcement prevents plugins from hanging indefinitely |
| Signal handler deadlock | SIGINT handler uses os.write() (async-signal-safe) instead of print()/logging |
| Process zombie leak | os.killpg() kills entire process groups on timeout |
| Input injection | All external tool targets sanitized with shlex.quote() |
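A sanitizer of the kind the first row describes, as an added example rather than Cascavel's own _sanitize_output(): CSI, OSC and DCS sequences from untrusted plugin or tool output are dropped, plain SGR colour codes are kept, and a final pass removes any escape that removal happened to re-assemble. It assumes the output has already been decoded to str.

```python
import re

# One alternation so each ESC is classified exactly once, left to right.
_ESC_SEQ = re.compile(
    r"\x1b\[(?P<params>[0-?]*)[ -/]*(?P<final>[@-~])"   # CSI: ESC [ params intermediates final
    r"|\x1b[\]P][^\x07\x1b]*(?:\x07|\x1b\\)?"           # OSC / DCS: ESC ] or ESC P ... BEL or ESC \
    r"|\x1b[@-~]"                                        # other ESC x sequences (ESC c = full reset, ...)
)
_SGR_PARAMS = re.compile(r"[0-9;]*")   # only plain numeric SGR parameters survive

# Stray ESC that does not open an SGR, plus C0/C1 controls other than \t \n \r.
# This also defuses a CSI/OSC that only appeared after neighbouring bytes were
# removed (e.g. ESC, ESC c, "[2J" becomes ESC [2J after the middle ESC c goes).
_CONTROL = re.compile(
    r"\x1b(?!\[[0-9;]*m)|[\x00-\x08\x0b\x0c\x0e-\x1a\x1c-\x1f\x7f-\x9f]"
)


def _keep_sgr(m: re.Match) -> str:
    # Keep a CSI only when its final byte is 'm' (SGR) and the parameters are
    # digits and ';' (no private-mode '?' / '>' prefixes).
    if m.group("final") == "m" and _SGR_PARAMS.fullmatch(m.group("params") or ""):
        return m.group(0)
    return ""   # cursor moves, screen clears, title/hyperlink/clipboard OSC, DCS


def sanitize_output(text: str) -> str:
    """Neutralise terminal injection in text about to be rendered by the dashboard."""
    return _CONTROL.sub("", _ESC_SEQ.sub(_keep_sgr, text))
```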
| # | Vector | Mitigation |
|---|---|---|
| 1 | TOCTOU race | mktemp -d for unique temporary directories |
| 2 | Parallel execution | Lock file + anti-symlink check prevents concurrent installs |
| 3 | Supply chain | SHA-256 hash verification on requirements.txt |
| 4 | Known CVEs | Version enforcement for 6 packages (PyJWT, ReportLab, requests, pyOpenSSL, dnspython) |
| 5 | Permission escalation | umask 077, chmod 700/600 on sensitive files and directories |
| 6 | Cleanup failure | trap cleanup on EXIT/INT/TERM/HUP ensures temp removal |
| 7 | PATH injection | Strips . and relative paths from $PATH at startup |
| 8 | Binary hijacking | Uses absolute paths for mkdir, rm, cat, date, uname |
| 9 | Container detection | Detects Docker, Podman, LXC, cgroup-based containers |
| 10 | WSL2 detection | Identifies WSL kernel for network scan adjustments |
| 11 | Stale venv | Detects corrupted/moved Python binary and recreates venv |
| 12 | SSL module check | Verifies Python ssl module availability for pip HTTPS |
| 13 | Locale enforcement | Forces LC_ALL=en_US.UTF-8 to prevent encoding bugs |
| 14 | GOPATH validation | Exports and validates GOPATH/GOBIN for Go tool installs |
| 15 | Disk space check | Warns if < 500MB available before starting install |
```
Cascavel/
├── cascavel.py           # Core engine (2800+ lines)
├── report_generator.py   # PDF reports (ReportLab Platypus)
├── install.sh            # Universal installer (v2.3.0, 15 hardenings)
├── plugins/              # 84 security plugins
│   ├── xss_scanner.py    # Standardized run() interface
│   ├── jwt_analyzer.py
│   └── ...
├── docs/                 # Screenshots and assets
├── reports/              # Generated reports (auto-created)
├── exports/              # Exported data (auto-created)
├── wordlists/            # Fuzzing wordlists
├── nuclei-templates/     # Custom Nuclei templates
├── requirements.txt      # Python dependencies
├── PLUGINS.md            # Full plugin documentation
├── CONTRIBUTING.md       # Contribution guide
├── CHANGELOG.md          # Version history
├── SECURITY.md           # Vulnerability disclosure policy
└── LICENSE               # MIT
```
Cascavel ships with 6 GitHub Actions workflows enforcing security on every push and PR:
| Workflow | Jobs | Tools | Output |
|---|---|---|---|
| CI | Lint Β· Compile Β· Test Β· Security Β· Release Draft | Ruff 0.15.7 Β· py_compile Β· pytest Β· Bandit 1.9.4 | SARIF artifacts |
| Security CI | Syntax · Bandit SAST · Semgrep SAST · CVE Audit · Secrets | Bandit · Semgrep · pip-audit · Gitleaks | SARIF → Security Tab |
| CodeQL | Python semantic analysis | GitHub CodeQL | SARIF → Security Tab |
| Fuzzing | Atheris fuzzing (100K runs) | Google Atheris (libFuzzer) | Crash detection |
| Scorecard | OpenSSF supply-chain audit | OSSF Scorecard | Badge + SARIF |
| Dependabot | Automated dependency updates | GitHub Dependabot | PRs for pip + actions |
Tip
SARIF results from Bandit, Semgrep, CodeQL, and Scorecard appear directly in the Security tab; no extra dashboard needed.
Important
All GitHub Actions are pinned by SHA (not tag), and all workflows use least-privilege permissions: {} by default.
Cascavel handles Unix signals for robust operation in all environments:
| Signal | Behavior | Use Case |
|---|---|---|
| SIGINT (Ctrl+C) | Async-signal-safe shutdown via os.write() → exit 130 | Interactive terminal |
| SIGTERM | Same handler → exit 143 | Docker/K8s graceful shutdown |
| SIGPIPE | Restored to SIG_DFL | Clean pipe termination (`\| head`) |
| BrokenPipeError | Caught + os._exit(141) | Fallback for SIGPIPE edge cases |
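The handler pattern the table describes, as an added example and not cascavel.py's own code: only async-signal-safe calls inside the handler (os.write to fd 2, then os._exit), never print() or logging, which may hold the very lock the interrupted code was using; SIGPIPE restored to the default; BrokenPipeError caught as the fallback with exit status 141. Messages are illustrative.

```python
import os
import signal
import sys

_SHUTDOWN_MSG = {
    signal.SIGINT: b"\n[!] Interrupted by user, cleaning up\n",
    signal.SIGTERM: b"\n[!] Termination requested, cleaning up\n",
}


def exit_status(signum: int) -> int:
    """Shell convention for death by signal: 128 + signal number (130, 143, ...)."""
    return 128 + int(signum)


def _shutdown(signum, frame) -> None:
    # os.write() is async-signal-safe; print()/logging take locks and can deadlock
    # if the signal lands while Rich or the logger already holds them.
    os.write(2, _SHUTDOWN_MSG.get(signum, b"\n[!] Signal received\n"))
    os._exit(exit_status(signum))   # no atexit/flush: nothing left to deadlock on


def install_signal_handlers() -> dict:
    signal.signal(signal.SIGINT, _shutdown)
    signal.signal(signal.SIGTERM, _shutdown)
    # Python ignores SIGPIPE at startup and raises BrokenPipeError instead; the
    # default disposition makes `cascavel ... | head` end the process quietly.
    signal.signal(signal.SIGPIPE, signal.SIG_DFL)
    return {s: signal.getsignal(s) for s in (signal.SIGINT, signal.SIGTERM, signal.SIGPIPE)}


def emit(line: str) -> bool:
    """Write one dashboard/report line; returns True on success."""
    try:
        sys.stdout.write(line + "\n")
        sys.stdout.flush()
        return True
    except BrokenPipeError:
        # Reader went away before SIG_DFL could act (e.g. stdout still buffered).
        # Point stdout at /dev/null so the interpreter's final flush cannot raise
        # a second BrokenPipeError, then leave with 141 = 128 + SIGPIPE.
        os.dup2(os.open(os.devnull, os.O_WRONLY), sys.stdout.fileno())
        os._exit(exit_status(signal.SIGPIPE))


if __name__ == "__main__":
    install_signal_handlers()
    for i in range(3):
        emit(f"scan line {i}")
```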
See CONTRIBUTING.md for the full guide.
Plugin interface β drop a file in plugins/ and it's auto-discovered:
```python
def run(target: str, ip: str, open_ports: list, banners: dict) -> dict:
    """
    Args:
        target: Domain or IP being scanned
        ip: Resolved IPv4/IPv6 address
        open_ports: List of open port numbers (from naabu)
        banners: Dict mapping port -> banner string
    Returns:
        {
            "plugin": "my_plugin",
            "resultados": [...],     # Findings list or summary string
            "severidade": "ALTO",    # CRITICO | ALTO | MEDIO | BAIXO | INFO
        }
    """
    return {"plugin": "my_plugin", "resultados": "Limpo", "severidade": "INFO"}
```

| Resource | Description |
|---|---|
| CHANGELOG.md | Version history and release notes |
| SECURITY.md | Vulnerability disclosure policy (GPG key included) |
| PLUGINS.md | Full plugin documentation, techniques, and bypass research |
| CONTRIBUTING.md | Contribution guide with plugin interface spec |
| CODE_OF_CONDUCT.md | Contributor Covenant v2.1 |
| LICENSE | MIT License (SPDX: MIT) |
| OpenSSF Scorecard | Supply-chain security score |
| OpenSSF Best Practices | Gold badge compliance |
| RET Tecnologia | Company website |
MÉTODO CASCAVEL™
A product of RET Tecnologia: Software Engineering & Offensive Cybersecurity
Gabriel L. Ferreira · Founder & DevSecOps Lead
cascavel.pages.dev · rettecnologia.org
Making the web safer, one target at a time.