A local-first web application for automating authorized security scans on networks and hosts with intelligent result analysis.
```
┌──────────────────────────────────────────────────────────────────────┐
│                           ScanPanel System                           │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│   ┌──────────────┐        ┌──────────────┐        ┌──────────────┐   │
│   │   Next.js    │───────▶│   FastAPI    │───────▶│    Worker    │   │
│   │   Frontend   │  HTTP  │     API      │        │   Service    │   │
│   │  (Port 3000) │        │  (Port 8000) │        │              │   │
│   └──────────────┘        └───────┬──────┘        └───────┬──────┘   │
│          │                        │                       │          │
│          │                ┌───────▼──────┐        ┌───────▼──────┐   │
│          │                │  PostgreSQL  │        │    Redis     │   │
│          │                │   Database   │        │   (Cache)    │   │
│          │                └──────────────┘        └──────────────┘   │
│          │                                                           │
│          │                ┌──────────────┐                           │
│          └───────────────▶│  WebSocket   │                           │
│                           │(Live Updates)│                           │
│                           └──────────────┘                           │
│                                                                      │
│   External Services:                                                 │
│   ┌──────────────┐   ┌──────────────┐   ┌──────────────┐             │
│   │     Nmap     │   │    Nuclei    │   │    Nikto     │             │
│   │  (Scanner)   │   │  (Scanner)   │   │  (Scanner)   │             │
│   └──────────────┘   └──────────────┘   └──────────────┘             │
│                                                                      │
│   ┌──────────────┐   ┌──────────────┐                                │
│   │  Local LLM   │   │   Telegram   │                                │
│   │(gpt-oss 20b) │   │   Bot API    │                                │
│   └──────────────┘   └──────────────┘                                │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
```
- /apps/web - Next.js frontend (App Router, TypeScript, Tailwind, shadcn/ui)
- /apps/api - FastAPI backend (REST API, SQLAlchemy, Pydantic)
- /apps/worker - Job runner for scheduled scans (APScheduler)
- /packages/shared - Shared types, constants, and utilities
- /infra - Docker Compose configuration and environment templates
- Multiple scanning tools: Nmap, Nuclei, Nikto (extensible adapter pattern)
- Store raw outputs and parsed findings with deduplication
- Cyclical scans with scheduling (cron or interval-based)
- Telegram hooks for alerts and summaries
- Simple "Add target/device" flow with safety validations
- Automatic result analysis using local LLM (gpt-oss 20b)
- PostgreSQL database with optimized indexes
- REST API + WebSocket for live scan progress
- Safety guardrails to prevent misuse
TL;DR:
```
make dev      # Start everything
make migrate  # Setup database
make seed     # Load demo data
# Open http://localhost:3000
```
1. Start all services:
```
make dev
```
Or:
```
cd infra && docker-compose up -d
```
2. Initialize database:
```
make migrate
make seed
```
3. Open in browser:
- Frontend: http://localhost:3000
- API Docs: http://localhost:8000/docs
4. Optional - Generate demo scan:
```
make demo
```
That's it! See QUICK_START.md for more details.
For basic usage, default configs work. To customize:
```
cp infra/.env.example infra/.env
# Edit infra/.env if needed (LLM endpoint, Telegram, etc.)
```
Default ports:
- Frontend: 3000
- API: 8000
- PostgreSQL: 5432
- Redis: 6379
The dashboard provides an overview of your security posture:
- Stat cards: Total targets, scans in last 24h, open findings by severity
- Recent scans: Latest scan activity with status and duration
- New findings: Critical and high severity findings that need attention
Manage your scanning targets:
- Add target: Click "Add Target" → Enter name, IP/hostname/URL, select type
- Public IP warning: System detects public IPs and requires confirmation
- Target detail: View scan timeline and open findings for each target
- Run scan: Click "Run Scan" button on any target
Configure scan settings:
- Create profile: Select tools (nmap/nuclei/nikto), configure arguments
- Schedule: Set up recurring scans (cron or interval)
- Auto-analyze: Enable automatic LLM analysis after scan completes
- Telegram thresholds: Configure notification triggers
Monitor scan execution:
- Scan list: Filter by target, status, date range
- Live progress: Real-time updates via WebSocket
- Scan detail: View tasks, artifacts, LLM summary, findings
- Artifacts: Download raw scanner outputs
Review and triage security findings:
- Global view: Filter by severity, status, tool, CVE/CWE
- Bulk triage: Update status for multiple findings
- Finding detail: View evidence, instances over time, LLM analysis
- Status workflow: open → triaged → accepted_risk / false_positive / fixed
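The deduplication and status workflow described above, as an added example (this is illustrative code written for this page, not ScanPanel's own implementation). It assumes a finding's identity is the tuple (tool, target, rule id, location) with volatile evidence text excluded, and it adds one assumed rule that the README does not state: a finding marked fixed that a later scan observes again is reopened.

```python
"""Finding deduplication and triage workflow (added example, not ScanPanel's code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Status workflow from the README: open -> triaged -> accepted_risk / false_positive / fixed.
# The "fixed" -> "open" edge is an assumption made for this example (regression handling).
TRANSITIONS: dict[str, set[str]] = {
    "open": {"triaged"},
    "triaged": {"accepted_risk", "false_positive", "fixed"},
    "accepted_risk": set(),
    "false_positive": set(),
    "fixed": {"open"},
}


@dataclass
class Finding:
    tool: str           # nmap / nuclei / nikto
    target: str         # validated target the scan ran against
    rule_id: str        # e.g. a nuclei template id, or a port/service key for nmap
    location: str       # port, path or URL where the issue was observed
    severity: str       # critical / high / medium / low / info
    evidence: str = ""  # raw excerpt; differs between scans, so it is not part of the identity
    status: str = "open"
    seen_count: int = 1
    scan_ids: list[str] = field(default_factory=list)

    @property
    def fingerprint(self) -> str:
        """Stable identity of the issue; case and whitespace differences do not split findings."""
        parts = (self.tool, self.target, self.rule_id, self.location)
        key = "|".join(p.strip().lower() for p in parts)
        return hashlib.sha256(key.encode()).hexdigest()[:16]


def transition(finding: Finding, new_status: str) -> Finding:
    """Move a finding along the workflow, rejecting edges that are not allowed."""
    allowed = TRANSITIONS.get(finding.status)
    if allowed is None:
        raise ValueError(f"unknown status {finding.status!r}")
    if new_status not in allowed:
        raise ValueError(f"transition {finding.status} -> {new_status} is not allowed")
    finding.status = new_status
    return finding


class FindingStore:
    """In-memory stand-in for the findings table, keyed by fingerprint."""

    def __init__(self) -> None:
        self._by_fp: dict[str, Finding] = {}

    def ingest(self, parsed: Finding, scan_id: str) -> Finding:
        existing = self._by_fp.get(parsed.fingerprint)
        if existing is None:
            parsed.scan_ids.append(scan_id)
            self._by_fp[parsed.fingerprint] = parsed
            return parsed
        # Same issue seen again: record the instance, keep the triage state,
        # and refresh the evidence so the detail view shows the latest excerpt.
        existing.seen_count += 1
        existing.scan_ids.append(scan_id)
        existing.evidence = parsed.evidence or existing.evidence
        if existing.status == "fixed":
            transition(existing, "open")  # regression: assumed rule, see above
        return existing

    def open_by_severity(self) -> dict[str, int]:
        """Counts behind the dashboard's 'open findings by severity' stat card."""
        counts: dict[str, int] = {}
        for f in self._by_fp.values():
            if f.status == "open":
                counts[f.severity] = counts.get(f.severity, 0) + 1
        return counts

    def __len__(self) -> int:
        return len(self._by_fp)


def demo() -> FindingStore:
    """Constructed sample: two scans report the same nuclei finding plus one nmap finding."""
    store = FindingStore()
    store.ingest(Finding("nuclei", "192.0.2.10", "http-missing-security-headers",
                         "http://192.0.2.10/", "low", "X-Frame-Options absent"), "scan-1")
    store.ingest(Finding("nmap", "192.0.2.10", "tcp/22/ssh", "22/tcp", "info",
                         "OpenSSH 8.9"), "scan-1")
    # Second run: same nuclei issue, tool name capitalised differently, evidence text differs.
    store.ingest(Finding("Nuclei", "192.0.2.10", "http-missing-security-headers",
                         "http://192.0.2.10/", "low", "X-Frame-Options absent (rescan)"), "scan-2")
    return store
```

Keeping evidence out of the fingerprint is what makes the "instances over time" view possible: the same finding accumulates scan ids instead of appearing as a fresh open item after every run, and bulk triage decisions survive rescans.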
```
make help     # Show all available commands
make dev      # Start all services
make test     # Run all tests
make lint     # Run linters
make format   # Format code
make clean    # Clean build artifacts
```
API backend:
```
make dev-api
# Or manually:
cd apps/api
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
uvicorn app.main:app --reload --port 8000
```
Web frontend:
```
make dev-web
# Or manually:
cd apps/web
npm install
npm run dev
```
Worker:
```
make dev-worker
# Or manually:
cd apps/worker
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python -m app.main
```
Database migrations:
```
make migrate                  # Run migrations
make migrate-create NAME=xyz  # Create new migration
```
Tests:
```
make test         # Run all tests
make test-api     # Run API tests only
make test-worker  # Run worker tests only
```
- Adding a New Scanner - Guide to add scanning tools
- LLM Setup Guide - Connect local LLM endpoint
- Safety Implementation - Security guardrails
- Frontend Implementation - UI details
- Worker Implementation - Worker architecture
The application expects a local LLM endpoint compatible with OpenAI's API format. See LLM Setup Guide for details.
```
LLM_BASE_URL=http://localhost:8001
LLM_API_KEY=
LLM_MODEL=gpt-oss-20b
LLM_MAX_REQUESTS_PER_MINUTE=10
```
To enable Telegram notifications:
```
TELEGRAM_BOT_TOKEN=your_bot_token
TELEGRAM_CHAT_ID=your_chat_id
```
See Telegram Implementation for details.
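How the LLM settings above can be consumed by a worker, as an added example that is not ScanPanel's own code: it reads the four LLM_* variables, enforces LLM_MAX_REQUESTS_PER_MINUTE with a sliding-window limiter, and posts findings to an OpenAI-style chat completions request. The request path /v1/chat/completions, the temperature, the prompt text and the finding dictionary keys are assumptions of this example; the clock, sleep and send functions are injectable so the code can be exercised without a model running.

```python
"""Rate-limited client for an OpenAI-compatible local LLM (added example, not ScanPanel's code)."""
from __future__ import annotations

import json
import time
import urllib.request
from collections import deque
from dataclasses import dataclass
from typing import Callable

# Prompt text is an assumption of this example.
SYSTEM_PROMPT = (
    "You are assisting an authorized internal security review. Summarise the findings "
    "below for a defender: group them by severity and suggest remediation. Plain text only."
)


@dataclass(frozen=True)
class LLMSettings:
    base_url: str
    api_key: str
    model: str
    max_requests_per_minute: int

    @classmethod
    def from_env(cls, env: dict[str, str]) -> "LLMSettings":
        """Read the LLM_* variables from the .env excerpt; defaults mirror that excerpt."""
        rpm = int(env.get("LLM_MAX_REQUESTS_PER_MINUTE", "10"))
        if rpm < 1:
            raise ValueError("LLM_MAX_REQUESTS_PER_MINUTE must be >= 1")
        return cls(
            base_url=env.get("LLM_BASE_URL", "http://localhost:8001").rstrip("/"),
            api_key=env.get("LLM_API_KEY", ""),  # empty is fine for a local server
            model=env.get("LLM_MODEL", "gpt-oss-20b"),
            max_requests_per_minute=rpm,
        )


class SlidingWindowLimiter:
    """At most `limit` calls in any `window_s` seconds; clock and sleep are injectable."""

    def __init__(self, limit: int, window_s: float = 60.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.limit, self.window_s, self.clock, self.sleep = limit, window_s, clock, sleep
        self._stamps: deque[float] = deque()

    def wait_time(self) -> float:
        """Drop stamps older than the window; return seconds until a slot frees up."""
        now = self.clock()
        while self._stamps and now - self._stamps[0] >= self.window_s:
            self._stamps.popleft()
        if len(self._stamps) < self.limit:
            return 0.0
        return self.window_s - (now - self._stamps[0])

    def acquire(self) -> float:
        """Block until a slot is free and record the call; returns how long it waited."""
        wait = self.wait_time()
        if wait > 0:
            self.sleep(wait)
            self.wait_time()  # re-prune: the oldest stamp has expired now
        self._stamps.append(self.clock())
        return wait


def build_chat_request(settings: LLMSettings, user_content: str) -> urllib.request.Request:
    # The path is an assumption: it is what OpenAI-compatible servers commonly expose.
    url = f"{settings.base_url}/v1/chat/completions"
    body = {"model": settings.model, "temperature": 0.2,
            "messages": [{"role": "system", "content": SYSTEM_PROMPT},
                         {"role": "user", "content": user_content}]}
    headers = {"Content-Type": "application/json"}
    if settings.api_key:  # only send Authorization when a key is configured
        headers["Authorization"] = f"Bearer {settings.api_key}"
    return urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")


def _http_send(req: urllib.request.Request) -> dict:
    with urllib.request.urlopen(req, timeout=120) as resp:  # real call; tests inject a stub
        return json.loads(resp.read())


def analyze_findings(settings: LLMSettings, limiter: SlidingWindowLimiter,
                     findings: list[dict], send: Callable = _http_send) -> str:
    """Format parsed findings, wait for a rate-limit slot, post them, return the model's text."""
    lines = [f"- [{f['severity']}] {f['tool']} {f['rule_id']} at {f['location']}" for f in findings]
    limiter.acquire()
    resp = send(build_chat_request(settings, "\n".join(lines)))
    return resp["choices"][0]["message"]["content"].strip()
```

The limiter lives in the worker process, so "Auto-analyze" on several profiles finishing at once cannot flood a single local GPU; the injectable `send` is also the seam where a test fixture or a redaction pass would sit before anything leaves the worker.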
```
ScanningPanel/
├── apps/
│   ├── web/                 # Next.js frontend
│   │   ├── src/
│   │   │   ├── app/         # App Router pages
│   │   │   ├── components/
│   │   │   └── lib/
│   │   └── package.json
│   ├── api/                 # FastAPI backend
│   │   ├── app/
│   │   │   ├── api/v1/      # API endpoints
│   │   │   ├── db/          # Database models
│   │   │   └── schemas/     # Pydantic schemas
│   │   ├── alembic/         # Database migrations
│   │   └── scripts/         # Utility scripts
│   └── worker/              # Job scheduler and scanner workers
│       ├── app/
│       │   ├── scanners/    # Scanner adapters
│       │   ├── workers/     # Scan execution
│       │   ├── parsers/     # Finding parsers
│       │   └── llm/         # LLM integration
│       └── tests/
├── packages/
│   └── shared/              # Shared types and utilities
├── infra/                   # Docker Compose and infrastructure
├── scripts/                 # Development scripts
├── docs/                    # Documentation
└── Makefile                 # Development commands
```
ScanPanel includes comprehensive safety guardrails:
- Input validation: IP, CIDR, hostname validation with public IP warnings
- Command safety: Strict argument allowlists, no shell injection
- Secret redaction: Automatic redaction of secrets in logs
- UI disclaimers: One-time modal and public IP confirmation
- Auth structure: Ready for future authentication
See Safety Implementation for details.
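The first three guardrails (input validation with a public-IP flag, argument allowlisting with no shell, secret redaction in logs), as an added example. This is illustrative code written for this page, not ScanPanel's implementation: the nmap allowlist, the local-hostname suffixes and the secret regexes are constructed for the example, and the public/private decision for hostnames is a stated simplification since a name cannot be classified without resolving it.

```python
"""Target validation, argv allowlisting and log redaction (added example, not ScanPanel's code)."""
from __future__ import annotations

import ipaddress
import re
import subprocess
from dataclasses import dataclass

# RFC 1123 host labels: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"{_LABEL}(\.{_LABEL})*\.?")


@dataclass(frozen=True)
class Target:
    kind: str        # "ip", "cidr" or "hostname"
    value: str       # normalised form that is safe to pass to a scanner as one argv element
    is_public: bool  # True -> the UI must show the public-IP confirmation before scanning


def validate_target(raw: str) -> Target:
    """Accept an IP, a CIDR range or a hostname; reject anything else before it reaches a command."""
    raw = raw.strip()
    if not raw or len(raw) > 253:
        raise ValueError("target is empty or too long")
    try:
        net = ipaddress.ip_network(raw, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if net.num_addresses == 1:
            return Target("ip", str(net.network_address), net.is_global)
        return Target("cidr", str(net), net.is_global)
    if re.fullmatch(r"[0-9.]+", raw):
        raise ValueError(f"malformed IP address: {raw!r}")  # e.g. 10.0.0.999 is not a hostname
    if HOSTNAME_RE.fullmatch(raw):
        # Simplification for this example: only localhost and a few local suffixes count as private.
        name = raw.rstrip(".").lower()
        local = name == "localhost" or name.endswith((".local", ".lan", ".internal", ".home.arpa"))
        return Target("hostname", name, not local)
    raise ValueError(f"not a valid IP, CIDR or hostname: {raw!r}")


# Allowlist of nmap options a profile may set (constructed for this example). A value regex of
# None means the flag takes no value. Options that write files or load scripts are absent on purpose.
NMAP_ALLOWED: dict[str, re.Pattern | None] = {
    "-sV": None,
    "-Pn": None,
    "-p": re.compile(r"[0-9]{1,5}(-[0-9]{1,5})?(,[0-9]{1,5}(-[0-9]{1,5})?)*"),
    "--top-ports": re.compile(r"[0-9]{1,5}"),
    "--max-rate": re.compile(r"[0-9]{1,6}"),
}


def build_nmap_argv(target: Target, profile_args: dict[str, str | None]) -> list[str]:
    """Build an argument vector for subprocess; never a command string for a shell."""
    argv = ["nmap"]
    for flag, value in profile_args.items():
        if flag not in NMAP_ALLOWED:
            raise ValueError(f"option not allowlisted: {flag!r}")
        spec = NMAP_ALLOWED[flag]
        if spec is None:
            if value is not None:
                raise ValueError(f"{flag} takes no value")
            argv.append(flag)
        elif value is None or not spec.fullmatch(value):
            raise ValueError(f"invalid value for {flag}: {value!r}")
        else:
            argv.extend([flag, value])
    argv.append(target.value)  # validated: cannot start with '-' or contain shell metacharacters
    return argv


def run_nmap(target: Target, profile_args: dict[str, str | None], timeout: int = 600):
    """shell=False with an argv list: no shell ever parses the profile arguments or the target."""
    return subprocess.run(build_nmap_argv(target, profile_args), shell=False,
                          capture_output=True, text=True, timeout=timeout)


# Secret shapes stripped from log lines (patterns constructed for this example).
_KEYED = re.compile(r"(?i)((?:api[_-]?key|token|password|secret)\s*[=:]\s*)(\S+)")
_BEARER = re.compile(r"(?i)(authorization:\s*bearer\s+)(\S+)")
_BOT_TOKEN = re.compile(r"\b[0-9]{6,12}:[A-Za-z0-9_-]{30,}\b")  # assumed Telegram bot-token shape


def redact(text: str) -> str:
    """Replace secret values with [REDACTED] while keeping the key names for debugging."""
    text = _KEYED.sub(lambda m: m.group(1) + "[REDACTED]", text)
    text = _BEARER.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return _BOT_TOKEN.sub("[REDACTED]", text)
```

Two properties matter here: the allowlist is a dictionary of known options with a value grammar, so anything not listed (or any value that does not fit the grammar) is rejected rather than passed through, and the target string only ever reaches the scanner after it has been normalised by `ipaddress` or matched against the hostname grammar, so it cannot smuggle extra options or shell syntax into the command.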
Generate demo scans without running real tools:
```
make demo
```
This creates:
- Demo targets and scan profiles
- Sample scan with fixtures
- Example findings for UI testing
- Database indexes: Optimized for common query patterns
- Eager loading: Prevents N+1 queries
- Pagination: All list endpoints support pagination
- Caching: Redis for future caching layer
- Add a new scanner: See Adding a New Scanner
- Run tests: make test
- Format code: make format
- Check linting: make lint
MIT