VisorLog

Lifecycle-tracked findings ledger for AI infrastructure OSINT.

VisorLog is a single Go binary that holds findings from across the NuClide toolchain in one append-only SQLite store. Tools like aimap, VisorGoose, and ollama-recon write events into it. Each finding then moves through a defined lifecycle (open, disclosed, acknowledged, remediated, verified, archived) with every status change timestamped and appended as a note. Records are never mutated.

The schema is ECS-inspired and keyed to AI infrastructure recon: host, org, sector, country, tags, CVE IDs, source tool, lifecycle status. Output goes to VisorScuba for compliance scoring, to disclosure reports, and to the alert rules that flag stale criticals and new takeover findings.

Features

  • Single Go binary, embedded SQLite, no external services
  • Eight subcommands: ingest, status, query, update, add, alert, report, serve
  • Append-only event log. Status transitions are notes, not row rewrites. Full history preserved
  • Ingest adapters for VisorGoose state, ollama-recon state, and universal NDJSON
  • Multi-tag OR filter, date-range filter, table / JSON / CSV / Markdown output
  • Built-in alert rules: new-takeover, new-critical, stale-critical (>7d), stale-high (>14d)
  • Web dashboard at :8765 via visorlog serve
  • Feeds VisorScuba compliance scoring directly off the same database

Installation

go install -v github.com/nuclide-research/visorlog@latest

Or build from source:

git clone https://github.com/nuclide-research/visorlog
cd visorlog
go build -o visorlog .

Requires Go 1.21 or later.

Usage

# severity histogram + sector breakdown
visorlog --db nuclide.db status

# ingest findings from existing tools
visorlog --db nuclide.db ingest --from visorgoose-state.json --format visorgoose
visorlog --db nuclide.db ingest --from findings.ndjson

# query
visorlog --db nuclide.db query --severity critical --status open
visorlog --db nuclide.db query --tags SUB2API,SETUP-OPEN --format md

# update lifecycle
visorlog --db nuclide.db update 4 --status disclosed --note "emailed kominfo@jatengprov.go.id"

# alerts and reports
visorlog --db nuclide.db alert
visorlog --db nuclide.db report --out open-findings.md

# web dashboard
visorlog --db nuclide.db serve

Query flags

Flag                What it filters
--sector            sector (government, university, healthcare, commercial)
--severity          critical / high / medium / low / info
--status            lifecycle stage
--tag <X>           single tag substring (legacy)
--tags X,Y,Z        multi-tag OR (any-match)
--country           ISO 3166 alpha-2
--source            discovering tool
--tld               top-level domain match
--since YYYY-MM-DD  events at or after
--until YYYY-MM-DD  events at or before
--limit N           max results (default 100)
--format <fmt>      table, json, csv, md
--json              shortcut for --format json

Lifecycle

open -> disclosed -> acknowledged -> remediated -> verified -> archived

Every transition is timestamped and appended as a note on the original event. Nothing is overwritten. A finding's full disclosure history reads top to bottom.

Schema

ECS-inspired, keyed to AI infrastructure recon:

Field                    Description
event.category           discovery, disclosure, remediation, regression
event.severity           critical, high, medium, low, info
host.ip / host.hostname  target identity
org.name / org.country   organization
nuclide.sector           government, university, healthcare, commercial, isp
nuclide.tags             freeform (TAKEOVER, CVE-2025-63389, CLOUD, RAG, DISTILLED)
nuclide.source           discovering tool
lifecycle.status         current stage
vuln.ids                 CVE IDs

Alert rules

[new-takeover] TAKEOVER open: 103.107.245.11 (sijoli-11-245-107.jatengprov.go.id) [government]
[stale-critical] STALE critical: 16.64.116.67 open for >7 days, disclose?

Rules live in alert/rules.go. Add new rules by extending the slice.
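The append-only lifecycle described under Lifecycle and the alert rules listed above, as an added Go example that is not VisorLog's own code: the current stage is derived from the appended notes rather than stored on the event, and the rules run over whatever is still open. The forward-only transition check is this example's assumption (the README does not say whether stages may be skipped or reverted), and the Event and Note shapes are simplified stand-ins for the real schema.

```go
package main

import (
	"fmt"
	"slices"
	"time"
)

var stages = []string{"open", "disclosed", "acknowledged", "remediated", "verified", "archived"} // README order
type Event struct{ ID int; Severity string; Tags []string; Seen time.Time } // ingested finding (simplified)
type Note struct{ EventID int; Status, Text string; At time.Time }       // appended transition
type Ledger struct{ Events []Event; Notes []Note }                          // append-only: slices only grow

// Status derives the current stage from the latest note (default: open); no row is rewritten.
func (l *Ledger) Status(id int) string {
	cur := "open"
	for _, n := range l.Notes {
		if n.EventID == id {
			cur = n.Status
		}
	}
	return cur
}

// Update appends a timestamped note. Assumption (not stated in the README): only forward moves are valid.
func (l *Ledger) Update(id int, status, text string, at time.Time) error {
	if cur := l.Status(id); slices.Index(stages, status) <= slices.Index(stages, cur) { // unknown status -> -1
		return fmt.Errorf("event %d: %s -> %s rejected", id, cur, status)
	}
	l.Notes = append(l.Notes, Note{id, status, text, at})
	return nil
}

// Alerts applies the README's rules to still-open findings: new-takeover, stale-critical >7d, stale-high >14d.
func (l *Ledger) Alerts(now time.Time) []string {
	var out []string
	for _, e := range l.Events {
		if l.Status(e.ID) != "open" {
			continue
		}
		days := int(now.Sub(e.Seen).Hours() / 24)
		if slices.Contains(e.Tags, "TAKEOVER") {
			out = append(out, fmt.Sprintf("[new-takeover] event %d", e.ID))
		}
		if (e.Severity == "critical" && days > 7) || (e.Severity == "high" && days > 14) {
			out = append(out, fmt.Sprintf("[stale-%s] event %d open for %dd", e.Severity, e.ID, days))
		}
	}
	return out
}
```

Because Status walks the notes instead of reading a mutable column, the full disclosure history stays recoverable from the same slice the alert rules consume.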

Where it sits in the chain

VisorGoose  -+
aimap       -+--> visorlog ingest --> nuclide.db --> visorlog query / alert / report
ollama-recon-+                                 \
                                                +--> visorscuba assess --> 0-10 scores

Scope

VisorLog is a passive data store. It does not scan, probe, or authenticate to anything. It records what the upstream tools found. Only ingest data from systems you own or have explicit written authorization to assess.

Our other projects

  • aimap — AI/ML infrastructure fingerprint scanner, primary ingest source
  • VisorScuba — OPA compliance scoring over the VisorLog database
  • VisorCAS — content-addressed false-positive ledger, the inverse of VisorLog
  • VisorGraph — cert-pivot recon engine, feeds findings into the ledger
  • scanner — fast active-banner stage between passive discovery and deep enum

License

MIT. Part of the NuClide toolchain. Contact: nuclide-research.com
