Scaffolded from one-multi-repos:
automated submodule setup + GitHub Actions for keep-up-to-date modules.
This is my personal companion repo I take with me on new machines where I need to perform security testing. As long as I pull this, I know it will have all other repos updated.
I called it "companion" as with it it brings hackers' most underrated friends: wordlists, payloads, dictionaries and so on.
Being public this is limited to public repositories only. If you like me need to have all your secret and private weapones as well, you can just apply this concept like I have.
Say you have custom dictionaries, payloads, exploits all sitting on private repositories, just repackage it all together in a "final companion" so it will have:
- all your private "companions"
- the "public" companion (for me, HackPanion)
Changelog
| Commit | Description | Files | Changes | Net |
|---|---|---|---|---|
797747f |
ci: run checkout on node24 in hackPanion | 1 | +4/−1 | 3 |
f6a7462 |
chore: update submodule pointers | 1 | +1/−1 | 0 |
11e4505 |
Auto-commit submodule changes in hackPanion | 6 | +6/−6 | 0 |
93c5039 |
chore: update submodule pointers | 7 | +7/−7 | 0 |
962a59a |
chore: update submodule pointers | 7 | +7/−7 | 0 |
8a30b9e |
chore: update submodule pointers | 6 | +6/−6 | 0 |
2e9dc54 |
chore: update submodule pointers | 7 | +7/−7 | 0 |
db2c53e |
chore: update submodule pointers | 7 | +7/−7 | 0 |
0eba49b |
chore: update submodule pointers | 6 | +6/−6 | 0 |
0447576 |
chore: update submodule pointers | 7 | +7/−7 | 0 |
c05e3aa |
chore: update submodule pointers | 6 | +6/−6 | 0 |
d8dd1d0 |
chore: update submodule pointers | 6 | +6/−6 | 0 |
c0eaa6d |
chore: update submodule pointers | 5 | +5/−5 | 0 |
b18637d |
Auto-commit submodule changes in hackPanion | 6 | +6/−6 | 0 |
1853d3e |
Auto-commit submodule changes in hackPanion | 6 | +6/−6 | 0 |
Auto-generated — last 15 commits.
git clone --recursive --depth 1 git@github.com:gosirys/hackPanion.git
cd hackPanion
git config core.hooksPath .config/hooks # enable automatic sparse checkout
.config/scripts/apply-sparse-checkout.sh # apply sparse checkout to selective-sync reposgit pull --recurse-submodules --depth=1Sparse checkout is automatically restored after pull/merge via git hooks.
Some submodules only sync specific files/directories instead of the full repo (see .config/sparse-checkout-config). This is handled automatically by git hooks after clone/pull. To manually re-apply:
.config/scripts/apply-sparse-checkout.shTo add a new selective-sync repo, edit .config/submodules.txt and run .config/scripts/init-submodules.sh.
Auto-updated daily by GitHub Actions. Sorted by last updated (most recent first).
| Repository | Path | Last Updated |
|---|---|---|
| trickest/wordlists | wordlists |
2026-05-31 |
| trickest/resolvers | resolvers |
2026-05-31 |
| projectdiscovery/nuclei-templates | nuclei-templates |
2026-05-31 |
| projectdiscovery/cdncheck | fingerprint/cdncheck |
2026-05-31 |
| arkadiyt/bounty-targets-data | bounty-targets-data |
2026-05-31 |
| 0x727/FingerprintHub | fingerprint/FingerprintHub |
2026-05-31 |
| danielmiessler/SecLists | SecLists |
2026-05-30 |
| chainreactors/fingers | fingerprint/fingers |
2026-05-30 |
| random-robbie/bruteforce-lists | bruteforce-lists |
2026-04-30 |
| swisskyrepo/PayloadsAllTheThings | PayloadsAllTheThings |
2026-04-22 |
| ayoubfathi/leaky-paths | leaky-paths |
2026-04-03 |
| many-passwords/many-passwords | many-passwords |
2024-09-06 |
| TheKingOfDuck/fuzzDicts | fuzzDicts |
2023-11-13 |
| EdgeSecurityTeam/EHole | fingerprint/EHole |
2023-06-14 |
All repos below use selective sync to only keep data files (no images, docs, scripts, etc). See .config/sparse-checkout-config for exact patterns.
| Repository | Synced | Description |
|---|---|---|
| swisskyrepo/PayloadsAllTheThings | txt, xml, xsl, php, html, py, json, yml, zip |
Payloads and bypasses for web application security testing. |
| danielmiessler/SecLists | txt, csv |
Comprehensive collection of wordlists for security assessments. |
| random-robbie/bruteforce-lists | full | Wordlists and data files tailored for brute-forcing various targets. |
| TheKingOfDuck/fuzzDicts | full | Ready-to-use dictionaries designed specifically for web application fuzzing. |
| ayoubfathi/leaky-paths | full | Known sensitive or misconfigured paths and endpoints for rapid content discovery. |
| many-passwords/many-passwords | csv |
Default and common credential lists for IoT devices, admin panels, and embedded systems. |
| trickest/resolvers | txt |
An exhaustive, validated list of reliable public DNS resolvers. |
| trickest/wordlists | txt |
A curated collection of real-world wordlists for reconnaissance and brute-forcing. |
| Repository | Synced | Description |
|---|---|---|
| chainreactors/fingers | resources/*.json.gz, *.yaml |
Pre-compiled fingerprint data (ehole, fingerprinthub, goby, wappalyzer, nmap, etc.) |
| 0x727/FingerprintHub | web_fingerprint_v3.json |
Web technology fingerprint definitions. |
| EdgeSecurityTeam/EHole | finger.json |
Fingerprint rules for identifying web frameworks and CMS. |
| projectdiscovery/cdncheck | sources_data.json |
CDN, WAF, and cloud provider IP ranges. |
| Repository | Synced | Description |
|---|---|---|
| projectdiscovery/nuclei-templates | yaml, json |
Community-curated vulnerability templates for the Nuclei scanner. |
| Repository | Synced | Description |
|---|---|---|
| arkadiyt/bounty-targets-data | data/*.json |
Per-platform bug bounty scope data with in/out-of-scope targets, asset types, wildcards, and reward info. Auto-updated every 30 min. |