Fast, OSS-only web vulnerability scanner with an enterprise-grade UX.
Paste a URL, prove you own it, and get a prioritized list of findings — CVE-enriched, KEV-flagged, with remediation — in minutes.
- Single-tenant; basic auth.
- Scanners: Naabu (port discovery), httpx (service fingerprint), Nuclei (vuln checks).
- Target verification: HTTP file upload at `/.well-known/cyberscan-<token>.txt`.
- Findings enriched with NVD + CISA KEV; composite risk score.
- Frontend: Next.js. Backend: FastAPI. Queue: Redis+Celery. DB: PostgreSQL. Storage: MinIO.
- Local dev: docker-compose with OWASP Juice Shop as a pre-wired test target.
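The ownership check behind the `/.well-known/cyberscan-<token>.txt` step, as an added illustration (this is not cyberscan's own code): the scanner issues a random token, derives the well-known URL from the target's scheme and host only, fetches it, and compares the published body against the token with a constant-time comparison. The function names, the 16-byte token length and the injectable `fetch` callable are assumptions made for the example; a fake in-memory fetcher stands in for the HTTP client.

```python
"""Domain-ownership proof via a well-known file (added example, not cyberscan's code).

Flow: issue_token() -> user publishes it at /.well-known/cyberscan-<token>.txt
-> verify_ownership() fetches that path and compares before any scan is queued.
"""
import hmac
import secrets
from typing import Callable, Optional
from urllib.parse import urlsplit

TOKEN_BYTES = 16  # 128-bit token; assumed size, not taken from the project


def issue_token() -> str:
    """Return a fresh hex token. Issued per target and never reused."""
    return secrets.token_hex(TOKEN_BYTES)


def verification_url(target: str, token: str) -> str:
    """Build the well-known URL the user must publish for `target`.

    Only scheme and host are taken from the submitted URL, so a path or
    query string in the target cannot move the proof file out of /.well-known/.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported target: {target!r}")
    return f"{parts.scheme}://{parts.netloc}/.well-known/cyberscan-{token}.txt"


# (status, body) returned by whatever HTTP client the caller injects.
Fetcher = Callable[[str], tuple[int, bytes]]


def verify_ownership(target: str, token: str, fetch: Fetcher) -> bool:
    """Fetch the proof file and compare its body with the issued token.

    A real fetcher should disable redirects and use a short timeout so the
    proof cannot be bounced to a host the user does not control. The body is
    compared with hmac.compare_digest to avoid a timing side channel; only
    surrounding whitespace/newlines are tolerated.
    """
    status, body = fetch(verification_url(target, token))
    if status != 200:
        return False
    try:
        published = body.decode("ascii").strip()
    except UnicodeDecodeError:
        return False
    return hmac.compare_digest(published, token)


def make_fake_fetcher(published: dict[str, bytes]) -> Fetcher:
    """Constructed stand-in for an HTTP client: serves the given URL->body map."""
    def fetch(url: str) -> tuple[int, bytes]:
        return (200, published[url]) if url in published else (404, b"")
    return fetch


if __name__ == "__main__":
    tok = issue_token()
    url = verification_url("https://example.test/app?x=1", tok)
    client = make_fake_fetcher({url: (tok + "\n").encode()})
    print(url, verify_ownership("https://example.test/app?x=1", tok, client))
```

The check is deliberately done against the host extracted from the target rather than the raw string the user typed, and the comparison is exact on the token; a partial match or a body that merely contains the token would let a shared host (a forum or pastebin under the same origin) pass as proof.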
- Multi-tenant: `tenants` table; `tenant_id` on assets / scans / findings / audit log; Postgres RLS scoped via the `app.tenant_id` GUC.
- RBAC: owner > admin > analyst > viewer; enforced via `require_role()` on write endpoints.
- More scanners: `sslyze` for TLS deep inspection, ZAP baseline (with a built-in fallback header check when ZAP isn't on PATH).
- EPSS ingestion + lookup feeds the composite risk score.
- Notifications: Email (SMTP) + Slack incoming webhook + MS Teams webhook with per-channel `min_severity` filter.
- Helm: per-pool worker deployments (`recon`, `vuln`, `tls`, `passive`, `feeds`).
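How the owner > admin > analyst > viewer hierarchy and the per-tenant scoping fit together on a write endpoint, as an added example (not the project's own `require_role()` implementation): roles are ranked, a requirement is met by any role at or above it, and a request whose `tenant_id` differs from the caller's is refused before the database is touched, so the Postgres RLS policy acts as a second line of defence rather than the only one. The `User` dataclass, the decorator shape and the `start_scan` endpoint are assumptions; the example uses plain functions so it runs without FastAPI.

```python
"""Role-hierarchy and tenant check for write endpoints (added example, not cyberscan's code)."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable

# Ordered as in the README: owner > admin > analyst > viewer.
ROLE_RANK = {"viewer": 0, "analyst": 1, "admin": 2, "owner": 3}


@dataclass(frozen=True)
class User:
    email: str
    role: str
    tenant_id: str


class Forbidden(Exception):
    """Raised when the caller's role or tenant does not allow the action."""


def has_role(user: User, minimum: str) -> bool:
    """True if user.role ranks at or above `minimum`. Unknown roles never pass."""
    if minimum not in ROLE_RANK:
        raise ValueError(f"unknown role requirement {minimum!r}")
    return ROLE_RANK.get(user.role, -1) >= ROLE_RANK[minimum]


def require_role(minimum: str) -> Callable:
    """Decorator: the wrapped endpoint runs only if the `user` kwarg holds
    `minimum` or a higher role, and, when the endpoint receives a `tenant_id`
    kwarg, only if it matches the caller's tenant (assumed calling convention)."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(*args, user: User, **kwargs):
            if not has_role(user, minimum):
                raise Forbidden(f"{user.email} ({user.role}) needs {minimum}")
            resource_tenant = kwargs.get("tenant_id")
            if resource_tenant is not None and resource_tenant != user.tenant_id:
                # Refuse cross-tenant writes here; RLS on tenant_id backs this up.
                raise Forbidden("cross-tenant access")
            return fn(*args, user=user, **kwargs)
        return wrapper
    return decorator


# Constructed write endpoint standing in for "start a scan".
@require_role("analyst")
def start_scan(asset_id: str, *, user: User, tenant_id: str) -> dict:
    return {"asset_id": asset_id, "tenant_id": tenant_id, "by": user.email}


def can_start_scan(user: User, tenant_id: str) -> bool:
    """Report whether start_scan would be allowed for this user and tenant."""
    try:
        start_scan("asset-1", user=user, tenant_id=tenant_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    analyst = User("ana@example.com", "analyst", "t1")
    viewer = User("vic@example.com", "viewer", "t1")
    print(can_start_scan(analyst, "t1"), can_start_scan(viewer, "t1"), can_start_scan(analyst, "t2"))
```

Ranking roles numerically keeps the check to one comparison and makes an unrecognised role fail closed; keeping the tenant comparison in the same place as the role check means an endpoint cannot be added with one guard and not the other.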
```sh
make up   # build images, start the stack + juice-shop
make seed # run migrations + ingest cached NVD/KEV fixtures
make e2e  # run the end-to-end test
open http://localhost:3000
```

Login: admin@example.com / admin (default seed account).
See docs/architecture.md. Top-level:

- `apps/frontend` — Next.js 15
- `apps/backend` — FastAPI
- `apps/worker` — Celery workers wrapping scanner CLIs
- `packages/risk-engine` — scoring + dedupe + diffing
- `packages/compliance-map` — CWE → OWASP/PCI/NIST/CIS lookup
- `charts/cyberscan` — Helm umbrella chart (stub at v0.1)
- `deploy/kind` — k8s-on-kind bootstrap
- `tests/{integration,e2e,fixtures}`
Phased delivery is documented in docs/architecture.md.
MIT — see LICENSE.