Chaca — Web Security Scanner
A native desktop security scanner for vibe coders and developers
Fast, opinionated security audits of your web apps — no terminal required.
Support Chaca directly: buy Chaca Pro, support via GitHub, or send $100 founder support via PayPal to arissetia.m@gmail.com and get your company logo listed here forever.
Chaca = Chalim Scanner — a desktop app built with Tauri 2, React 19, and Rust that scans web applications for security issues. Designed for developers who want actionable results without learning Burp Suite or OWASP ZAP.
| Category | Capabilities |
|---|---|
| Passive | Security headers, cookies, CORS, CSP, CSRF, clickjacking, JWT, rate limits, deserialization indicators |
| Active | XSS (canary + attribute/event injection), SQLi, SSTI, open redirect, path traversal, CORS reflection, CSRF verification |
| CMS | WordPress, Drupal, Joomla, Shopify, Magento fingerprinting + platform-specific checks |
| API | 57+ sensitive path probes (/swagger.json, /env, /graphql, /wp-json/wp/v2/users, …) |
| Disclosure | Stack traces, debug headers, file path leaks (Python, Java, PHP, .NET, Go, Ruby, Node.js) |
| Services | Supabase, Firebase, PocketBase, admin panels (phpMyAdmin, Adminer, wp-login, debug consoles) |
| Recon | IP, DNS, TLS, server fingerprinting, tech detection (frameworks, CDNs, WAFs, hosting), robots.txt / sitemap.xml / security.txt |
| Knowledge | 50+ vulnerability definitions with CWE, CVSS severity, remediation, references |
| Quality | Confidence scoring (Confirmed/Firm/Tentative), deduplication, category-capped security score (0–100) |
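As an added illustration of what the Passive row covers, here is a standard-library Rust check over the captured headers of a single response (example code written for this README, not Chaca's own `passive.rs`). The header names and cookie attributes it looks for are the standard ones; the `Finding` struct, the severity labels and the constructed sample headers are this example's own assumptions.

```rust
// Added example, not Chaca's own passive.rs: a passive header/cookie check
// over headers already captured from one response (no network needed).
// The Finding struct and severity labels are this example's assumptions.

#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub title: String,
    pub severity: &'static str, // "high" | "medium" | "low"
}

/// Case-insensitive lookup of a header value in (name, value) pairs.
fn header<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(n, _)| n.eq_ignore_ascii_case(name)).map(|(_, v)| *v)
}

/// Runs the passive checks over one response. `is_https` says whether the
/// response came over TLS (HSTS and the Secure cookie flag only apply there).
pub fn passive_header_checks(headers: &[(&str, &str)], is_https: bool) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut add = |title: &str, severity: &'static str| {
        findings.push(Finding { title: title.to_string(), severity });
    };

    // Missing or weak hardening headers.
    if is_https && header(headers, "strict-transport-security").is_none() {
        add("Missing Strict-Transport-Security header", "medium");
    }
    let csp = header(headers, "content-security-policy");
    match csp {
        None => add("Missing Content-Security-Policy header", "medium"),
        Some(p) if p.contains("'unsafe-inline'") => add("CSP allows 'unsafe-inline'", "low"),
        Some(_) => {}
    }
    if header(headers, "x-frame-options").is_none()
        && !csp.map_or(false, |p| p.contains("frame-ancestors"))
    {
        add("Clickjacking: no X-Frame-Options and no CSP frame-ancestors", "medium");
    }
    if header(headers, "x-content-type-options").map_or(true, |v| !v.eq_ignore_ascii_case("nosniff")) {
        add("Missing X-Content-Type-Options: nosniff", "low");
    }

    // CORS: a wildcard origin is only dangerous together with credentials.
    if header(headers, "access-control-allow-origin") == Some("*")
        && header(headers, "access-control-allow-credentials")
            .map_or(false, |v| v.eq_ignore_ascii_case("true"))
    {
        add("CORS: wildcard origin with credentials", "high");
    }

    // Cookie flags: one finding per Set-Cookie header per missing attribute.
    for (name, value) in headers {
        if !name.eq_ignore_ascii_case("set-cookie") {
            continue;
        }
        let cookie = value.split('=').next().unwrap_or("").trim();
        let attrs: Vec<String> = value.split(';').skip(1).map(|a| a.trim().to_ascii_lowercase()).collect();
        if !attrs.iter().any(|a| a == "httponly") {
            add(&format!("Cookie {} missing HttpOnly", cookie), "low");
        }
        if is_https && !attrs.iter().any(|a| a == "secure") {
            add(&format!("Cookie {} missing Secure", cookie), "medium");
        }
        if !attrs.iter().any(|a| a.starts_with("samesite=")) {
            add(&format!("Cookie {} missing SameSite", cookie), "low");
        }
    }
    findings
}

/// Constructed sample response headers (not captured from any real site).
pub fn sample_headers() -> Vec<(&'static str, &'static str)> {
    vec![
        ("Content-Type", "text/html"),
        ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
        ("Access-Control-Allow-Origin", "*"),
        ("Access-Control-Allow-Credentials", "true"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ]
}

fn main() {
    for f in passive_header_checks(&sample_headers(), true) {
        println!("[{}] {}", f.severity, f.title);
    }
}
```

The sample response produces seven findings; a response with HSTS, a CSP that sets `frame-ancestors`, `nosniff`, no credentialed wildcard CORS and fully flagged cookies produces none.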
- Monospace-first minimal UI
- Real-time progress (crawl → passive → active)
- Dashboard with score, charts, stats, target intelligence panel
- Report viewer with CWE links and external references
- Filter by severity and confidence
- Export to JSON, CSV, SARIF, and PDF
- Pro scan helpers: quick headers, login-first setup, branded PDF exports
- Persistent scan history across app restarts
- Scan presets (Quick passive, API audit, Full scan) + custom presets
- Local folder scanning: secrets, config exposure, endpoint inventory (local-only)
- Settings page (network, crawling, passive, active, data detection, export, presets) with persistent storage
| Layer | Technology |
|---|---|
| Shell | Tauri 2 |
| Frontend | React 19, TypeScript, Tailwind CSS v4 |
| State | Zustand, tauri-plugin-store |
| UI | Radix UI, Lucide icons, Recharts |
| Backend | Rust (reqwest, regex, tokio, serde, tracing, base64) |
- Node.js 18+
- Rust 1.77+
- Tauri prerequisites for your platform
```sh
npm install
npm run tauri dev
```

```sh
npm run tauri build
```

Output: src-tauri/target/release/bundle/
Pre-built binaries for Windows (x64) and Linux (x64 AppImage) are published to GitHub Releases on each version tag. macOS builds currently require local compilation because Chaca is not yet signed/notarized with an Apple Developer account.
To cut a release:
- Bump version in `package.json` and `src-tauri/tauri.conf.json`
- Commit and push
- Create and push a version tag: `git tag v0.6.0 && git push origin v0.6.0`
- GitHub Actions builds all platforms and creates a draft release
- Edit the draft release, add release notes, and publish
Expected artifacts:
| Platform | Artifact | Notes |
|---|---|---|
| macOS (Apple Silicon) | Build locally | For now, macOS developers should compile Chaca themselves with `npm run tauri build` |
| Windows (x64) | Chaca_0.6.0_x64-portable.exe | Run directly; requires WebView2 on Windows 10 |
| Windows (x64) | Chaca_0.6.0_x64-setup.nsis.exe | Installer (includes WebView2) |
| Linux (x64) | Chaca_0.6.0_amd64.AppImage | Run directly |
Note: Current releases are unsigned. Windows may show security warnings, and macOS public distribution is temporarily blocked until Chaca is signed/notarized. Ensure Settings → Actions → General → Workflow permissions is set to "Read and write permissions" so the release workflow can create releases.
If macOS says "Chaca.app" is damaged and can't be opened, the app is usually being blocked by Gatekeeper because it is unsigned or was downloaded with a quarantine flag.
If you are a Mac developer, the most reliable option for now is to clone the repo and build locally:

```sh
npm install
npm run tauri build
```

Try these steps:
- Open the `.dmg`
- Drag `Chaca.app` into `Applications`
- In Finder, right-click `Chaca.app` and choose `Open`
- If macOS still blocks it, go to `System Settings -> Privacy & Security` and click `Open Anyway`

If that still does not work, remove the quarantine attribute manually:

```sh
xattr -dr com.apple.quarantine "/Applications/Chaca.app"
```

Then open the app again.
- Enter a target URL
- Choose Passive or Full scan
- Review dashboard — score, vulnerabilities, target intelligence
- Open findings for evidence, remediation, CWE references
- Export as JSON, CSV, SARIF, or PDF
- Click SCAN FOLDER and select a project directory
- Chaca scans for: secrets (AWS, GitHub, Stripe, etc.), exposed config files (`.env`, CI, K8s), and endpoint patterns (Express, Next.js, FastAPI)
- All scanning is local-only; no content leaves your machine
- Results appear in the same dashboard; export as usual
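To show what a local folder scan of this kind does, here is a standard-library Rust walk over a project directory that covers the three items above: secret tokens, an un-ignored `.env` file, and Express-style route declarations (example code written for this README, not Chaca's own `folder_scanner.rs`). The token shapes follow the published formats (AWS access key IDs are `AKIA` plus 16 uppercase alphanumerics, GitHub classic tokens `ghp_` plus 36 alphanumerics); the `Hit` struct, the kind labels, the skipped directories and the deliberately simplified `.gitignore` handling (exact lines only, no globs) are this example's own assumptions. Matched secrets are redacted before they reach the report.

```rust
// Added example, not Chaca's own folder_scanner.rs: a local-only walk that
// reports redacted secret hits, un-ignored .env files and route declarations.
// Hit struct, kind labels and the exact-line .gitignore check are assumptions.
use std::fs;
use std::path::{Path, PathBuf};

#[derive(Debug, Clone, PartialEq)]
pub struct Hit {
    pub file: PathBuf,
    pub line: usize, // 1-based; 0 for file-level findings
    pub kind: &'static str,
    pub detail: String,
}

/// Finds `prefix` followed by exactly `len` characters accepted by `ok`.
/// Returns prefix + first 4 body chars, so the secret itself is never copied.
fn find_token(text: &str, prefix: &str, len: usize, ok: fn(char) -> bool) -> Option<String> {
    let mut start = 0;
    while let Some(pos) = text[start..].find(prefix) {
        let body_start = start + pos + prefix.len();
        let body: String = text[body_start..].chars().take_while(|c| ok(*c)).collect();
        if body.chars().count() == len {
            return Some(format!("{}{}...", prefix, body.chars().take(4).collect::<String>()));
        }
        start = body_start;
    }
    None
}

/// Secret checks applied to every text line.
pub fn scan_line(line: &str) -> Option<(&'static str, String)> {
    if let Some(m) = find_token(line, "AKIA", 16, |c| c.is_ascii_uppercase() || c.is_ascii_digit()) {
        return Some(("aws-access-key-id", m));
    }
    if let Some(m) = find_token(line, "ghp_", 36, |c| c.is_ascii_alphanumeric()) {
        return Some(("github-token", m));
    }
    // Generic KEY=value with a secret-looking name, as found in .env files.
    if let Some((key, value)) = line.split_once('=') {
        let k = key.trim().to_ascii_uppercase();
        let v = value.trim().trim_matches(|c| c == '"' || c == '\'');
        let secret_name = ["SECRET", "PASSWORD", "TOKEN", "API_KEY", "PRIVATE_KEY"]
            .iter().any(|s| k.contains(*s));
        if secret_name && !v.is_empty() && !v.starts_with("${") {
            return Some(("env-secret", k)); // report the key name, never the value
        }
    }
    None
}

/// Express-style route declarations such as `app.get("/users"` or `router.post('/login'`.
pub fn extract_routes(line: &str) -> Vec<String> {
    let mut out = Vec::new();
    for method in ["get", "post", "put", "delete", "patch"].iter() {
        let needle = format!(".{}(", method);
        if let Some(pos) = line.find(&needle) {
            let rest = &line[pos + needle.len()..];
            if let Some(q @ ('"' | '\'' | '`')) = rest.chars().next() {
                if let Some(end) = rest[1..].find(q) {
                    out.push(format!("{} {}", method.to_ascii_uppercase(), &rest[1..1 + end]));
                }
            }
        }
    }
    out
}

/// Walks `root` and collects secrets, un-ignored .env files and route hits.
/// Dependency, build and VCS directories are never entered.
pub fn scan_folder(root: &Path) -> Vec<Hit> {
    let mut hits = Vec::new();
    let gitignore = fs::read_to_string(root.join(".gitignore")).unwrap_or_default();
    let ignored = |n: &str| gitignore.lines().any(|l| l.trim() == n || l.trim() == ".env*");
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        let Ok(entries) = fs::read_dir(&dir) else { continue };
        for entry in entries.flatten() {
            let path = entry.path();
            let name = entry.file_name().to_string_lossy().into_owned();
            if path.is_dir() {
                if !matches!(name.as_str(), "node_modules" | ".git" | "target" | "dist" | "build") {
                    stack.push(path);
                }
                continue;
            }
            if name.starts_with(".env") && !ignored(&name) {
                hits.push(Hit { file: path.clone(), line: 0, kind: "config-exposure",
                                detail: format!("{} is not covered by .gitignore", name) });
            }
            let Ok(text) = fs::read_to_string(&path) else { continue }; // skips binary files
            for (i, line) in text.lines().enumerate() {
                if let Some((kind, detail)) = scan_line(line) {
                    hits.push(Hit { file: path.clone(), line: i + 1, kind, detail });
                }
                for route in extract_routes(line) {
                    hits.push(Hit { file: path.clone(), line: i + 1, kind: "endpoint", detail: route });
                }
            }
        }
    }
    hits
}

fn main() {
    for h in scan_folder(Path::new(".")) {
        println!("{} {}:{} {}", h.kind, h.file.display(), h.line, h.detail);
    }
}
```

Run from a project root it prints one line per hit; nothing is read from or sent to the network. The AWS sample key used when exercising it below is the documented placeholder `AKIAIOSFODNN7EXAMPLE`, and the GitHub token is a constructed string of the right shape, not a real credential.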
Only scan targets you have explicit permission to test.
```text
src/                         # React frontend
├── components/
│   ├── dashboard/           # Scan results, charts, target intelligence
│   ├── layout/              # App shell, sidebar, header
│   ├── settings/            # Settings page and controls
│   └── ui/                  # Radix-based primitives
├── store/                   # Zustand (scan state, settings)
└── utils/                   # Export helpers
src-tauri/                   # Rust backend
└── src/
    ├── scanner/
    │   ├── engine.rs        # Scan orchestrator
    │   ├── crawler.rs       # URL discovery
    │   ├── folder_scanner.rs # Local folder scan (secrets, config, endpoints)
    │   ├── passive.rs       # Passive checks
    │   ├── active.rs        # Active tests
    │   ├── cms.rs           # CMS detection
    │   ├── recon.rs         # Target intelligence
    │   └── rules/           # api_exposure, data_exposure, info_disclosure,
    │                        # exposed_services, vuln_db
    └── lib.rs               # Tauri commands & data structures
```
Chaca Pro unlocks branded PDF export, unlimited history, scan profiles, quick auth headers, and login-first scanning. Get a license to support indie development.
If you want to directly support the work at the founder level, you can also contribute $100 via:
- GitHub Sponsors / GitHub profile
- PayPal:
arissetia.m@gmail.com
Founder-level supporters can have their company logo listed here as a permanent founding supporter of the repo.
If your subscription expires, you have 7 days to resubscribe before Pro features are disabled — no sudden interruptions.
Aris Setiawan
Open-source. Use responsibly.