PatchHound is a self-hosted vulnerability operations platform. It pulls security findings into one system, tracks remediation work, keeps an audit trail, and supports optional Microsoft Sentinel forwarding.
- Vulnerability and asset ingestion
- Multi-tenant remediation workflows
- Risk scoring across assets, software, and tenants
- Audit logging and background processing
- ASP.NET Core backend with a React frontend
Screenshots: Executive dashboard, Remediation workbench, Remediation workflow.
- Backend: .NET, ASP.NET Core, EF Core, SignalR
- Frontend: React, TanStack Start, Vite
- Database: PostgreSQL
- Secrets: OpenBao
```bash
cp .env.example .env
docker compose up -d --build
```
Set the required values in .env before starting the stack. At minimum, local development needs:
- POSTGRES_PASSWORD
- SESSION_SECRET
- AZURE_AD_CLIENT_ID
- AZURE_AD_AUDIENCE
- ENTRA_CLIENT_SECRET
After startup:
- Frontend: http://localhost:3000
- API: http://localhost:8080
Backend:
```bash
dotnet build PatchHound.slnx
dotnet test PatchHound.slnx -v minimal
dotnet run --project src/PatchHound.Api
dotnet run --project src/PatchHound.Worker
```
Frontend:
```bash
cd frontend
npm install
npm run lint
npm run typecheck
npm test
npm run dev
```
- Docs index
- Getting started
- Local development
- Create the Entra ID application
- Create an ingestion source
- Adding an ingestion source
- Risk score calculation
- Testing conventions
- Ingestion flow
- Remediation flow
- OpenBao deployment notes
To set up the Sentinel integration, first deploy the PatchHound data connector. Opening the link below will guide you through that deployment in Connector Studio.
PatchHound expects a KV v2 mount named patchhound and an application token with access to the full application data path:
```hcl
path "patchhound/*" {
  capabilities = ["create", "update", "read", "delete"]
}
```
Set the resulting token in .env as OPENBAO_TOKEN.
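A preflight check for the `.env` values named above, as an added example that is not part of PatchHound's own code: it reports required variables that are missing, empty or still template placeholders, and flags a `.env` that group or others can access. Treating `OPENBAO_TOKEN` as required alongside the five minimum variables, the placeholder patterns, and the `check_env` and `env_value` names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of PatchHound. Variable names come from the README;
# the placeholder patterns and the 600 mode expectation are assumptions.
REQUIRED_VARS="POSTGRES_PASSWORD SESSION_SECRET AZURE_AD_CLIENT_ID
AZURE_AD_AUDIENCE ENTRA_CLIENT_SECRET OPENBAO_TOKEN"

# Print the value assigned to variable $2 in env file $1 (last assignment wins).
# Skips commented lines, accepts an "export " prefix, strips surrounding quotes.
env_value() {
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$2[[:space:]]*=[[:space:]]*(.*)$/\2/p" "$1" |
    tail -n 1 |
    sed -E -e 's/[[:space:]]+$//' -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\1/"
}

# Print one line per problem; succeed only when the file is safe to start with.
check_env() {
  file=$1
  problems=0
  [ -r "$file" ] || { echo "$file: cannot read"; return 2; }
  for name in $REQUIRED_VARS; do
    value=$(env_value "$file" "$name")
    case "$value" in
      "")
        echo "$name: missing or empty"; problems=$((problems + 1)) ;;
      changeme*|CHANGEME*|your-*|example*|*"<"*">"*)
        echo "$name: looks like a template placeholder"; problems=$((problems + 1)) ;;
    esac
  done
  # The file holds secrets: flag any group or world permission bits.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    *00) ;;
    *) echo "$file: mode $mode, expected 600"; problems=$((problems + 1)) ;;
  esac
  [ "$problems" -eq 0 ]
}

# Usage: check_env .env && docker compose up -d --build
```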
See CONTRIBUTING.md.
See SECURITY.md.
Licensed under MIT.


