Chaca — Web Security Scanner
A native desktop security scanner for vibe coders and developers
Fast, opinionated security audits of your web apps — no terminal required.
Chaca = Chalim Scanner — a desktop app built with Tauri 2, React 19, and Rust that scans web applications for security issues. Designed for developers who want actionable results without learning Burp Suite or OWASP ZAP.
| Category | Capabilities |
|---|---|
| Passive | Security headers, cookies, CORS, CSP, CSRF, clickjacking, JWT, rate limits, deserialization indicators |
| Active | XSS (canary + attribute/event injection), SQLi, SSTI, open redirect, path traversal, CORS reflection, CSRF verification |
| CMS | WordPress, Drupal, Joomla, Shopify, Magento fingerprinting + platform-specific checks |
| API | 57+ sensitive path probes (/swagger.json, /env, /graphql, /wp-json/wp/v2/users, …) |
| Disclosure | Stack traces, debug headers, file path leaks (Python, Java, PHP, .NET, Go, Ruby, Node.js) |
| Services | Supabase, Firebase, PocketBase, admin panels (phpMyAdmin, Adminer, wp-login, debug consoles) |
| Recon | IP, DNS, TLS, server fingerprinting, tech detection (frameworks, CDNs, WAFs, hosting), robots.txt / sitemap.xml / security.txt |
| Knowledge | 50+ vulnerability definitions with CWE, CVSS severity, remediation, references |
| Quality | Confidence scoring (Confirmed/Firm/Tentative), deduplication, category-capped security score (0–100) |
- Monospace-first minimal UI
- Real-time progress (crawl → passive → active)
- Dashboard with score, charts, stats, target intelligence panel
- Report viewer with CWE links and external references
- Filter by severity and confidence
- Export to JSON and CSV
- Settings page (network, crawling, passive, active, data detection, export) with persistent storage
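As an added illustration of the passive header checks, confidence levels and category-capped score listed above (example code written for this page, not Chaca's own `passive.rs`; the penalty weights, the per-category cap and the `audit_headers`/`score` names are assumptions, and the response headers are constructed inline):

```rust
use std::collections::HashMap;

/// Confidence scale for a finding, as in the README (Confirmed / Firm / Tentative).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Confidence { Confirmed, Firm, Tentative }

/// One passive finding with its scoring category and assumed penalty weight.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub title: String, pub category: &'static str, pub confidence: Confidence, pub penalty: u32 }

/// Case-insensitive header lookup over an already-captured response.
fn header<'a>(headers: &'a HashMap<String, String>, name: &str) -> Option<&'a str> {
    headers.iter().find(|(h, _)| h.eq_ignore_ascii_case(name)).map(|(_, v)| v.as_str())
}

/// Passive audit: inspects headers only, sends nothing. A CSP that allows
/// 'unsafe-inline' is reported as Tentative because a nonce may still gate it.
pub fn audit_headers(headers: &HashMap<String, String>) -> Vec<Finding> {
    let mut out = Vec::new();
    if header(headers, "strict-transport-security").is_none() {
        out.push(Finding { title: "Missing Strict-Transport-Security".into(), category: "headers", confidence: Confidence::Confirmed, penalty: 15 });
    }
    match header(headers, "content-security-policy") {
        None => out.push(Finding { title: "Missing Content-Security-Policy".into(), category: "headers", confidence: Confidence::Confirmed, penalty: 20 }),
        Some(csp) if csp.contains("'unsafe-inline'") => out.push(Finding { title: "CSP permits 'unsafe-inline'".into(), category: "headers", confidence: Confidence::Tentative, penalty: 10 }),
        Some(_) => {}
    }
    // Either X-Frame-Options or a CSP frame-ancestors directive counts as clickjacking protection.
    let csp_frames = header(headers, "content-security-policy").map_or(false, |c| c.contains("frame-ancestors"));
    if header(headers, "x-frame-options").is_none() && !csp_frames {
        out.push(Finding { title: "No clickjacking protection".into(), category: "clickjacking", confidence: Confidence::Firm, penalty: 10 });
    }
    out
}

/// Category-capped score (assumed semantics): each category may deduct at most
/// `cap` points, so one noisy category cannot drag the 0-100 score to zero alone.
pub fn score(findings: &[Finding], cap: u32) -> u32 {
    let mut per_cat: HashMap<&str, u32> = HashMap::new();
    for f in findings { *per_cat.entry(f.category).or_insert(0) += f.penalty; }
    let total: u32 = per_cat.values().map(|p| (*p).min(cap)).sum();
    100u32.saturating_sub(total)
}

fn main() {
    // Constructed sample response: only a CSP, no HSTS or X-Frame-Options.
    let mut h = HashMap::new();
    h.insert("Content-Security-Policy".to_string(), "default-src 'self'; frame-ancestors 'none'".to_string());
    let findings = audit_headers(&h);
    println!("{} finding(s), score {}", findings.len(), score(&findings, 25));
}
```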
| Layer | Technology |
|---|---|
| Shell | Tauri 2 |
| Frontend | React 19, TypeScript, Tailwind CSS v4 |
| State | Zustand, tauri-plugin-store |
| UI | Radix UI, Lucide icons, Recharts |
| Backend | Rust (reqwest, regex, tokio, serde, tracing, base64) |
- Node.js 18+
- Rust 1.77+
- Tauri prerequisites for your platform
```
npm install
npm run tauri dev
```

```
npm run tauri build
```

Output: `src-tauri/target/release/bundle/`
- Enter a target URL
- Choose Passive or Full scan
- Review dashboard — score, vulnerabilities, target intelligence
- Open findings for evidence, remediation, CWE references
- Export as JSON or CSV
Only scan targets you have explicit permission to test.
```
src/                      # React frontend
├── components/
│   ├── dashboard/        # Scan results, charts, target intelligence
│   ├── layout/           # App shell, sidebar, header
│   ├── settings/         # Settings page and controls
│   └── ui/               # Radix-based primitives
├── store/                # Zustand (scan state, settings)
└── utils/                # Export helpers

src-tauri/                # Rust backend
└── src/
    ├── scanner/
    │   ├── engine.rs     # Scan orchestrator
    │   ├── crawler.rs    # URL discovery
    │   ├── passive.rs    # Passive checks
    │   ├── active.rs     # Active tests
    │   ├── cms.rs        # CMS detection
    │   ├── recon.rs      # Target intelligence
    │   └── rules/        # api_exposure, data_exposure, info_disclosure,
    │                     # exposed_services, vuln_db
    └── lib.rs            # Tauri commands & data structures
```
Aris Setiawan
Open-source. Use responsibly.