detection-only · scope-aware

bounthunt  &  gqlhunter

Two focused security CLIs for bug bounty and API recon. Built to detect and report, never to exploit.

The tools

bounthunt
Scope-Aware Bug Bounty Orchestrator
Orchestrates subfinder, dnsx, httpx, naabu, nuclei and katana behind a YAML scope guard. SQLite history, checkpoint/resume, diff monitoring and Markdown/HTML reports.
Scope Guard Diff Monitoring Checkpoint/Resume SQLite Docker
v1.1.0
release
8
stages
7
tools
91
tests
gqlhunter
GraphQL Recon & Analysis CLI
Discovers GraphQL endpoints, runs introspection, classifies fields by risk, detects IDOR candidates by argument names, and diffs schema between runs. SARIF export and a local dashboard.
Introspection Auth Analysis Schema Diff IDOR Detection SARIF
v0.2.0
release
10
commands
18
paths
195
tests

Why these tools

Both tools share a single philosophy: detection only, never exploitation. They send recon and analysis requests, classify observations, and report. They do not send payloads, attempts, or exploit chains.

Every network action is gated by a YAML scope file — allow / deny for bounthunt, targets with ! deny patterns for gqlhunter. Anything out of scope is refused before a single request leaves the host.

Results land in SQLite, render to Markdown/HTML, and export to JSON or SARIF 2.1.0 — so findings drop straight into your existing triage workflow instead of a proprietary silo.

Two tools, two domains: bounthunt for infra/host recon and continuous monitoring, gqlhunter for GraphQL schema and authorization analysis. No overlap, no monolith.

Screenshots

bounthunt terminal
bounthunt — pipeline output
gqlhunter report
gqlhunter — HTML report

Quick install

bounthunt  — requires Go recon tools on PATH
# from source (Python >= 3.11)
git clone https://github.com/bess1lie/bounthunt.git
cd bounthunt && pip install .

# or docker (bundles subfinder/dnsx/httpx/naabu/nuclei/katana)
docker build -t bountyhunt .
docker run --rm -v $(pwd)/scope.yaml:/data/scope.yaml:ro bountyhunt --help
gqlhunter  — pure Python, no external binaries
# from source (Python >= 3.11)
git clone https://github.com/bess1lie/gqlhunter.git
cd gqlhunter && pip install .

# or docker
docker build -t gqlhunter .
docker run --rm -v $(pwd):/app gqlhunter --help