Reproducibility
How to reproduce these results
Every page on this site is generated from a deterministic harness. The same Docker invocation that we run weekly in CI will reproduce the numbers in Benchmarkand Security on any machine with Docker and roughly 4 GB of RAM.
§1.Install GitHacker itself
To use GitHacker against a remote target — separate from the benchmark harness — either run the Docker image or install from PyPI:
Docker
docker run \
-v $(pwd)/results:/tmp/githacker/results \
wangyihang/githacker \
--output-folder /tmp/githacker/results \
--url http://target/.git/pip
pip install GitHacker
githacker \
--url http://target/.git/ \
--output-folder resultAdd --brute to brute-force branch and tag names when directory listing is disabled on the target.
§2.Re-run the benchmark
The full performance suite (7 tools × 5 web-server scenarios) runs from this repo:
git clone https://github.com/WangYihang/GitHacker
cd GitHacker
pip install gitpython semver coloredlogs
python -m benchmark runOutput writes to docs/public/data/benchmark.json; rebuild this site to view. The test repository is generated from a fixed random seed (seed=0), so all numbers are deterministic. Full configuration: benchmark/.
§3.Re-run the security suite
The adversarial scenarios (15 tests × 7 tools, malicious server vs. pillager) ship as a sibling command:
python -m benchmark securityResults land in docs/public/data/security.json. The runner enforces a 90-second per-tool timeout and tears down each Docker container between cases.
§4.Pinned environment
- Docker 24+ (BuildKit enabled)
- Python 3.10+ for the runner
- ~4 GB RAM and one CPU core per concurrent tool slot
- Internet access for the initial tool-image builds (none required afterwards)
Tool versions and the harness commit are recorded in themetadata block of each JSON output, so any plot you see on this site can be traced back to an exact reproducible configuration.