v1.3.1 - Security Hardening

Scheduled backlog searching for Sonarr

Sonarr's RSS feeds handle new releases, but your backlog just sits there. Splintarr searches it for you, a few items at a time, on a schedule, without getting you banned from indexers.

Splintarr Dashboard showing search queues, analytics, completion progress, and indexer health

This is vibe-coded software

Every line of this project was generated by Claude Code. I'm a security engineer, not a software developer. I built this to scratch an itch with my own homelab and to learn what AI-assisted development can actually produce.

That said, I took security seriously throughout. The security model is defense-in-depth: encrypted database, encrypted credentials, Argon2id password hashing, SSRF protection, CSP nonces, rate limiting on every endpoint. The codebase has been through seven rounds of security review including SAST, manual code audit, and active penetration testing. Four security advisories were published and resolved. The full architecture and known limitations are documented.

Is this Huntarr all over again? No. The Huntarr incident wasn't just about specific bugs; it was about a development process with no code review, no security testing, and no way to catch problems before shipping. Splintarr has a security policy with private disclosure via GitHub Security Advisories, a dedicated security test suite, CodeQL scanning with zero open alerts, and documented accepted risks instead of ignored ones. When four vulnerabilities were found in v1.3.0, they were filed as advisories, fixed, and published within the same day. The full comparison maps all 21 Huntarr findings to Splintarr's approach.

It's still a homelab toy. Use it on your local network, not the open internet.

SQLCipher AES-256 · Argon2id + Pepper · Fernet Encryption · CSP Nonces · SSRF Protection · Rate Limiting · 7 Security Reviews · 4 Advisories Resolved

How it works


Prioritization

Each run scores items by recency, past attempts, and time since last search. Content that never downloads gets searched less often. Content that just aired gets searched first.
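The scoring described above, as an added illustration in Python. It is not Splintarr's own code: the three terms (a recency half-life, a staleness ramp over a cooldown window, and a 1/(1+attempts) penalty), the weights, the BacklogItem fields and the sample titles are all assumptions chosen so that just-aired content outranks everything and repeatedly failing items drift to the back.

```python
"""Backlog prioritisation: an added illustration, not Splintarr's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class BacklogItem:                     # hypothetical shape, not Splintarr's model
    title: str
    aired: datetime                    # when the episode aired (UTC)
    attempts: int                      # searches that returned nothing usable
    last_searched: Optional[datetime]  # None if never searched


def priority(item: BacklogItem, now: datetime, *,
             recency_halflife_days: float = 7.0,
             cooldown_hours: float = 24.0) -> float:
    """Higher is searched sooner. Three terms, each in [0, 1]:
    recency   halves every `recency_halflife_days` after the air date, so
              fresh content dominates the ranking;
    staleness ramps from 0 (searched just now) to 1 over `cooldown_hours`;
    attempts  1/(1+n) scales staleness down, so items that never
              download are retried less and less often."""
    age_days = max((now - item.aired).total_seconds() / 86400.0, 0.0)
    recency = 0.5 ** (age_days / recency_halflife_days)
    if item.last_searched is None:
        staleness = 1.0
    else:
        since_hours = (now - item.last_searched).total_seconds() / 3600.0
        staleness = min(max(since_hours / cooldown_hours, 0.0), 1.0)
    attempt_factor = 1.0 / (1 + max(item.attempts, 0))
    return recency + staleness * attempt_factor


def select_batch(items, now: datetime, batch_size: int):
    """Titles of the `batch_size` highest-priority items, best first."""
    ranked = sorted(items, key=lambda it: priority(it, now), reverse=True)
    return [it.title for it in ranked[:batch_size]]


# Constructed sample backlog (hypothetical titles and timestamps).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    BacklogItem("Just aired", NOW - timedelta(hours=1), 0, None),
    BacklogItem("Old, never searched", NOW - timedelta(days=365), 0, None),
    BacklogItem("Stubborn", NOW - timedelta(days=30), 5, NOW - timedelta(hours=12)),
    BacklogItem("Recently retried", NOW - timedelta(days=2), 1, NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for item in SAMPLE:
        print(f"{priority(item, NOW):6.3f}  {item.title}")
    print("batch:", select_batch(SAMPLE, NOW, 2))
```

Because recency is additive rather than multiplied in, an old item that has never been tried still scores a full point and is not starved; only the combination of many failed attempts and a recent search pushes an item to the bottom.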


Scheduling

Every N hours, daily at a set time, or on specific days. Random jitter keeps queues from all firing at once. Batch sizes shrink when indexer budgets run low.
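The three schedule modes, the jitter, and the budget-aware batch shrink, as an added Python illustration rather than Splintarr's scheduler. The function names, the rule that jitter is only ever added after a daily slot (so a 02:00 run never fires at 01:55), and the 50 % reserve threshold below which the batch scales down are assumptions made for the example.

```python
"""Schedule computation and budget-aware batch sizing: added illustration, not Splintarr's code."""
import random
from datetime import datetime, time, timedelta, timezone


def next_interval_run(last_run: datetime, every_hours: float, jitter_minutes: float, rng):
    """'Every N hours', nudged by up to +/- jitter_minutes so queues created
    together do not keep firing at the same instant."""
    offset = rng.uniform(-jitter_minutes, jitter_minutes)
    return last_run + timedelta(hours=every_hours, minutes=offset)


def next_daily_run(now: datetime, at: time, jitter_minutes: float, rng, weekdays=None):
    """'Daily at a set time', or only on `weekdays` (0 = Monday). Jitter is added
    after the slot, so a run is never earlier than the configured time."""
    candidate = datetime.combine(now.date(), at, tzinfo=now.tzinfo)
    if candidate <= now:
        candidate += timedelta(days=1)
    while weekdays is not None and candidate.weekday() not in weekdays:
        candidate += timedelta(days=1)
    return candidate + timedelta(minutes=rng.uniform(0, jitter_minutes))


def effective_batch(configured: int, remaining: int, limit: int, *,
                    reserve: float = 0.5, floor: int = 1) -> int:
    """Shrink the batch once less than `reserve` of the indexer's daily API
    budget is left, proportionally to what remains; never exceed the remaining
    budget, and never go below `floor` unless the budget is exhausted."""
    if remaining <= 0 or limit <= 0:
        return 0
    ratio = remaining / limit
    size = configured if ratio >= reserve else int(configured * ratio / reserve)
    return min(max(size, floor), remaining)


# Constructed demo inputs: a Monday evening and a 02:00 slot on Mon/Wed/Fri.
DEMO_NOW = datetime(2024, 1, 15, 23, 30, tzinfo=timezone.utc)
DEMO_AT = time(2, 0)
DEMO_DAYS = {0, 2, 4}

if __name__ == "__main__":
    rng = random.Random()
    print("interval:", next_interval_run(DEMO_NOW, 6, 15, rng))
    print("weekly:  ", next_daily_run(DEMO_NOW, DEMO_AT, 30, rng, weekdays=DEMO_DAYS))
    for remaining in (900, 300, 100, 3, 0):
        print(f"budget {remaining:4d}/1000 -> batch {effective_batch(50, remaining, 1000)}")
```

Pass a seeded `random.Random` when you need reproducible schedules in tests; the jitter bounds, not the exact minute, are the contract.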


Prowlarr Integration

Connects to Prowlarr to see which indexers you have and how much API budget is left. Shows usage as progress bars on the dashboard. Groups missing episodes into season pack searches when it makes sense.
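The "when it makes sense" decision for season packs, as an added Python illustration that is not Splintarr's code. The Prowlarr API itself is not touched here; the example only shows the grouping step. The three conditions (the season has finished airing, at least three episodes are missing, and they make up at least half the season), the `season_info` dictionary shape and the sample series are assumptions.

```python
"""Grouping missing episodes into season-pack searches: added illustration, not Splintarr's code."""
from collections import defaultdict


def plan_searches(missing, season_info, *, pack_ratio=0.5, min_missing=3):
    """missing:      iterable of (series, season, episode) tuples.
    season_info:  {(series, season): (episode_count, finished_airing)}  (assumed shape)

    A season pack is requested only when the season has finished airing (a pack
    for a season still in progress usually does not exist yet), at least
    `min_missing` episodes are missing, and they are >= `pack_ratio` of the
    season. Otherwise each episode is searched individually. One tuple in the
    returned plan equals one indexer query."""
    by_season = defaultdict(set)
    for series, season, episode in missing:
        by_season[(series, season)].add(episode)
    plan = []
    for (series, season), episodes in sorted(by_season.items()):
        total, finished = season_info[(series, season)]
        if finished and len(episodes) >= min_missing and len(episodes) >= pack_ratio * total:
            plan.append(("season", series, season, None))
        else:
            plan.extend(("episode", series, season, ep) for ep in sorted(episodes))
    return plan


def searches_saved(missing, plan) -> int:
    """How many API calls the grouping saves against one query per episode."""
    return len(set(missing)) - len(plan)


# Constructed sample: hypothetical series, not real data.
MISSING = (
    [("Alpha", 1, e) for e in (1, 2, 3, 5, 6, 7, 8, 10)]   # 8 of 10 missing, finished
    + [("Alpha", 2, 4)]                                     # a single gap
    + [("Beta", 3, e) for e in (1, 2, 3)]                   # season still airing
)
SEASON_INFO = {("Alpha", 1): (10, True), ("Alpha", 2): (10, True), ("Beta", 3): (12, False)}

if __name__ == "__main__":
    plan = plan_searches(MISSING, SEASON_INFO)
    for entry in plan:
        print(entry)
    print("queries saved:", searches_saved(MISSING, plan))
```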

Live Dashboard

Watch searches run in real time. See which series are closest to complete. Check the last 7 days of search activity and grab rates. Updates over WebSocket, no refreshing.


Security Focus

Encryption at rest, encrypted credentials, hashed passwords, SSRF protection, CSP nonces, rate limiting. Seven review cycles. Details in the security guide.
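Of the controls listed, SSRF protection is the one whose shape depends most on the deployment: the Sonarr and Prowlarr URLs the admin pastes in are user-controlled, and on a homelab they legitimately point at RFC 1918 addresses. The validator below is an added Python illustration, not Splintarr's implementation; which ranges it blocks (link-local including the cloud metadata address, multicast, reserved, and by default loopback) and the injectable `resolve` callback are assumptions made for the example.

```python
"""Upstream URL validation against SSRF: added illustration, not Splintarr's code."""
import ipaddress
import socket
from typing import List
from urllib.parse import urlsplit

# Ranges a Sonarr/Prowlarr URL should never resolve to. RFC 1918 space is
# deliberately absent: on a homelab the upstream services live there.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "169.254.0.0/16",   # link-local, includes cloud metadata 169.254.169.254
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
    "::/128",           # unspecified
    "fe80::/10",        # IPv6 link-local
    "ff00::/8",         # IPv6 multicast
)]
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def _system_resolve(host: str) -> List[str]:
    """Default resolver: every address the OS returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def ip_is_blocked(ip_text: str, *, allow_loopback: bool) -> bool:
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:169.254.169.254 must be judged as IPv4
    nets = BLOCKED if allow_loopback else BLOCKED + LOOPBACK
    return any(ip in net for net in nets)


def validate_upstream_url(url: str, *, resolve=_system_resolve,
                          allow_loopback: bool = False) -> List[str]:
    """Returns the addresses the URL resolves to, or raises ValueError.
    Connect to one of the returned addresses (keeping the original Host
    header) instead of re-resolving; re-resolving reopens the DNS-rebinding
    window between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        parts.port   # raises ValueError when the port is non-numeric or out of range
    except ValueError:
        raise ValueError("invalid port") from None
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: nothing to resolve
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:   # every address must pass, not just the first one
        if ip_is_blocked(addr, allow_loopback=allow_loopback):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return addrs


def is_safe_upstream(url: str, **kwargs) -> bool:
    try:
        validate_upstream_url(url, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    lan = lambda host: ["192.168.1.10"]   # constructed resolver for the demo
    print(validate_upstream_url("http://sonarr.lan:8989/", resolve=lan))
    print(is_safe_upstream("http://169.254.169.254/latest/meta-data/"))
```

Whether loopback should be allowed is a deployment decision: inside the container, 127.0.0.1 is the container itself, so blocking it by default costs nothing and stops the app from being pointed at its own management port.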


Single Docker Container

One container. No Redis, no Postgres, no separate workers. The database is a single encrypted file in a mounted volume. Runs as a non-root user with a read-only filesystem.

What it looks like

Queue Creation: create a search queue with strategy selection and scheduling
Schedule Modes: weekly scheduling with day selection and jitter
Settings: settings page with notifications and integrations
Login: login page with password reset hint

Three steps

Step 01

Clone & Setup

git clone https://github.com/menottim/splintarr.git
cd splintarr
./scripts/setup.sh --auto-start

Step 02

Open the Wizard

open http://localhost:7337

Create an admin account, paste your Sonarr URL and API key, done.

Step 03

Create a Queue

Strategy: Missing
Schedule: Daily at 02:00
Batch: 50 items

Pick a preset or set your own schedule. It runs in the background from there.

Full Getting Started Guide