Heavy scanning is part of every bug bounty hunter's workflow—whether it's subdomain enumeration, live host filtering, or full automation pipelines. But let's face it:
- 💻 Running massive scans on your personal machine eats up CPU, RAM, and bandwidth
- 🌐 In Bangladesh (and many other regions), network lag and instability make it worse
- ⚡ Keeping your machine powered for hours means you often end up paying more for electricity than you earn from the bounty itself
Of course, you could rent a VPS or RDP. But:
- 💰 Even a moderate VPS costs money
- 💳 Payments often require international cards or services that aren't always available
So, what's the fix? You can't just stop hunting.
That's why GOAT exists—your game-changer.
GOAT lets you offload heavy scans to GitHub Actions instead of burning your system resources.
With GitHub Actions, you get up to 6 hours of runtime per workflow, and GOAT makes it simple to chain your favorite recon tools into fully automated pipelines.
| Tool | Purpose | Status |
|---|---|---|
| 🔍 subfinder | Subdomain enumeration | ✅ Ready |
| 🌐 httpx | HTTP probing | ✅ Ready |
| 🎯 nuclei | Vulnerability scanning | ✅ Ready |
| 📱 notify | Telegram notifications | ✅ Ready |
Everything is customizable—you decide what to run, how to run it, and GOAT delivers results straight to your Telegram.
- Fork this repository (drop a ⭐ if you like this poor hacker's project)
- Create a Telegram bot and grab:
API Key- Your personal
Chat ID
- In your forked repo, go to:
Add the following secrets:
Settings → Secrets → Actions → New repository secretTELEGRAM_API_KEY TELEGRAM_CHAT_ID
- From GitHub
Settings → Developer settings, generate a Personal Access Token (repo scope)- Classic or fine-grained tokens both work
- Clone the repo to your machine and set the token:
Or edit it inside the goat file directly.
export GITHUB_TOKEN=xxxxxxxx
- For global usage, move the binary to:
/usr/local/bin # or $HOME/.local/bin
goat -f wildcards.txt -c 'subfinder -nW -all -t100'goat -f targets.txt -c 'httpx | nuclei -t ~/nuclei-templates/http/ -es info -c 10000 -bs 500'📱 Results will be sent to your Telegram automatically.
| Feature | Description |
|---|---|
| 🏗️ Resource Offloading | Move scans from your system to GitHub's infrastructure |
| ⚡ Cost Effective | Save electricity costs and prevent system overload |
| ⏰ Extended Runtime | Run any chain of tools for up to 6 hours per workflow |
| 🔄 Parallel Processing | Split files or launch multiple scans in parallel |
| 📱 Instant Notifications | Telegram notifications with results for easy access |
Warning
- Running too many heavy scans may trigger GitHub to disable or delete your repo
- For long-term stability, use a private repository
- Public repos can also work, but at your own risk
We welcome contributions! Feel free to:
- 🐛 Report bugs
- 💡 Suggest new features
- 🔧 Submit pull requests
- 📚 Improve documentation
This project is licensed under the MIT License - see the LICENSE file for details.
Made with ❤️ by bug bounty hunters, for bug bounty hunters
If this tool helped you land a bounty, consider buying me a coffee ☕