[Image: FoxNode ASPM Architecture]

FoxNode ASPM

Open-source Application Security Posture Management Platform

Live Demo · Quick Start · Features · Screenshots · Scanners · Architecture · API Docs · Contributing


What is FoxNode ASPM?

FoxNode ASPM is a modern, developer-friendly platform for managing application security vulnerabilities across your entire software portfolio. It aggregates findings from 16+ security scanners, deduplicates them intelligently, and provides actionable dashboards to track your security posture.

Built from the ground up with React 18, TailwindCSS with dark/light theme toggle, FastAPI async backend, and first-class integrations with Jira and Slack.


📸 Screenshots

Security Dashboard

Real-time overview of your application security posture with severity distribution, scanner breakdown, and risk trends.

[Screenshot: Security Dashboard - Dark Mode]

Dark & Light Theme

Toggle between dark and light modes with a single click. Theme preference is persisted across sessions.

[Screenshot: Security Dashboard - Light Mode]

Scan Import - 16+ Scanner Support

Upload results from Trivy, Semgrep, Snyk, ZAP, Nuclei, Gitleaks, Bandit, Checkov, SonarQube, and more. Supports JSON, CSV, XML, JSONL, and SARIF formats.

[Screenshot: Scan Import]

AI Finding Triage

Intelligent prioritization engine with false positive detection, auto-grouping, and contextual scoring to surface what matters most.

[Screenshot: AI Finding Triage]

Security Scorecard

Letter-grade (A–F) security posture scoring per product with org-wide overview, 30-day trend charts, and a product leaderboard.

[Screenshot: Security Scorecard]

Compliance Mapping

Map findings to OWASP Top 10, PCI-DSS, SOC 2, CIS Benchmarks, and ISO 27001 with detailed gap analysis and control-level pass/fail status.

[Screenshot: Compliance Mapping]

SLA Tracker & Risk Heatmap

Monitor remediation timelines, track breach rates, and visualize risk concentration across products and severities.

[Screenshot: SLA Tracker]

Integrations - Jira & Slack

Create Jira issues directly from findings with auto-mapped severity. Get Slack alerts for new findings and scan completions.

[Screenshot: Integrations]

Security Metrics & KPIs

Track MTTR, vulnerability aging, burndown charts, scan velocity, and executive-ready security KPI dashboards.

[Screenshot: Security Metrics]

Attack Path Analysis

Visualize exploitable attack chains across your product portfolio with risk-scored paths and blast radius mapping.

[Screenshot: Attack Path Analysis]

AI Security Agent

Autonomous AI agent that analyzes products, identifies multi-step attack chains, and generates deep security reports.

[Screenshot: AI Security Agent]

SBOM & Supply Chain Security

Full software bill of materials with component inventory, license analysis, and supply chain risk scoring.

[Screenshot: SBOM]

AI Remediation Copilot

Get AI-powered fix recommendations with vulnerable vs. fixed code examples, effort estimates, and prioritized remediation plans.

[Screenshot: AI Copilot]

LLM/AI Security Scanner

Detect vulnerabilities in AI/ML code including prompt injection, data poisoning, and model supply chain risks mapped to OWASP LLM Top 10.

[Screenshot: LLM Scanner]

Settings & User Management

RBAC with Admin, Manager, Analyst, and Viewer roles. Configure Jira, Slack, and platform settings.

[Screenshot: Settings]

More Screenshots

[Screenshot: Login]

[Screenshot: Products]

[Screenshot: Findings]

[Screenshot: Finding Detail]

[Screenshot: Engagements]


✨ Features

Core Platform

| Feature | Description |
|---|---|
| 🎨 Dark & Light Theme | React 18 + TailwindCSS, toggleable dark/light theme with localStorage persistence |
| 🔍 16 Scanner Parsers | Semgrep, Trivy, Snyk, ZAP, Nuclei, Gitleaks, Bandit, Checkov, SonarQube, Prowler, tfsec, TruffleHog, Dependency-Check, SARIF, and more |
| 🧬 Smart Deduplication | Hash-based dedup prevents duplicate findings across scans |
| 📊 Real-time Dashboard | Severity distribution, scanner breakdown, risk trends, top vulnerable products |
| 📦 Product Management | Organize findings by products, engagements, and test campaigns |
| 🔗 Jira Integration | Create issues from findings with auto-mapped severity, label tagging, and bidirectional status sync |
| 🔔 Slack Notifications | Alerts for new findings and scan completions with configurable severity thresholds |
| 🛡️ RBAC | Admin, Manager, Analyst, and Viewer roles with granular permissions |
| 🐳 Docker-Ready | One-command deployment with Docker Compose |
| ⚡ REST API | Full API for CI/CD pipeline integration |
| 🔄 GitHub Actions CI/CD | Built-in pipelines for lint, test, build, security scan, and Docker publish |

Advanced Security Intelligence

| Feature | Description |
|---|---|
| 🧠 AI Finding Triage | Intelligent prioritization with false positive detection, auto-grouping, and contextual scoring |
| 🏆 Security Scorecard | Letter-grade (A–F) posture scores per product with trend tracking and leaderboard |
| 📋 Compliance Mapping | Map findings to OWASP Top 10, PCI-DSS, SOC 2, CIS Benchmarks, and ISO 27001 with gap analysis |
| ⏱️ SLA Tracker & Risk Heatmap | Monitor remediation timelines, breach rates, and risk concentration visualization |
| 📈 Security Metrics & KPIs | MTTR, vulnerability aging, burndown charts, scan velocity, and executive dashboards |
| 🕸️ Attack Path Analysis | Visualize exploitable attack chains with risk scoring and blast radius mapping |
| 🤖 AI Security Agent | Autonomous agent for deep product analysis, attack chain discovery, and report generation |
| 📦 SBOM & Supply Chain | Software bill of materials with component inventory, license tracking, and supply chain risk scoring |
| 🔧 AI Remediation Copilot | AI-powered fix recommendations with code examples, effort estimates, and prioritized plans |
| 🔬 LLM/AI Security Scanner | Detect AI/ML vulnerabilities including prompt injection and data poisoning, mapped to OWASP LLM Top 10 |

🚀 Quick Start

Using Docker Compose (Recommended)

```bash
git clone https://github.com/valinorintelligence/foxnode-aspm.git
cd foxnode-aspm
cp .env.example .env
docker compose up -d
```

Edit `.env` before bringing the stack up: the copied template ships with `SECRET_KEY=change-me-in-production` and default database credentials (see Environment Variables below).

The app will be available at:

| Service | URL |
|---|---|
| Frontend | http://localhost |
| API Docs (Swagger) | http://localhost:8000/docs |
| API Docs (ReDoc) | http://localhost:8000/redoc |
| Health Check | http://localhost:8000/api/health |

Local Development

Backend:

```bash
cd backend
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
uvicorn app.main:app --reload
```

Frontend:

```bash
cd frontend
npm install
npm run dev
```

Prerequisites:

  • Python 3.12+
  • Node.js 20+
  • PostgreSQL 16+
  • Redis 7+

πŸ” Supported Scanners

FoxNode ASPM includes 16 built-in parsers covering every category of security scanning:

Category Tools Parser Key
SAST Semgrep, SonarQube, Bandit semgrep, sonarqube, bandit
DAST OWASP ZAP, Nuclei zap, nuclei
SCA Trivy, Snyk, OWASP Dependency-Check trivy, snyk, dependency_check
Cloud Security Prowler prowler
IaC Checkov, tfsec checkov, tfsec
Secrets Gitleaks, TruffleHog gitleaks, trufflehog
Universal SARIF format (GitHub CodeQL, etc.) sarif
Generic Any tool via JSON/CSV generic

πŸ“ Architecture

FoxNode ASPM Data Flow

foxnode-aspm/
β”œβ”€β”€ backend/                  # FastAPI + SQLAlchemy async
β”‚   β”œβ”€β”€ app/
β”‚   β”‚   β”œβ”€β”€ api/              # REST endpoints (auth, products, findings, scans, triage, scorecard, compliance, sla, metrics, attack-paths, agent, sbom, copilot, llm-scanner, jira, notifications, users)
β”‚   β”‚   β”œβ”€β”€ core/             # Config, DB, security, RBAC
β”‚   β”‚   β”œβ”€β”€ models/           # SQLAlchemy models (User, Product, Finding, Integration, ScanImport)
β”‚   β”‚   β”œβ”€β”€ parsers/          # 16 scanner result parsers + registry
β”‚   β”‚   β”œβ”€β”€ schemas/          # Pydantic request/response schemas
β”‚   β”‚   └── services/         # Jira, Notifications, AI Triage, Scorecard, Compliance, SLA, Metrics, Attack Paths, Security Agent, SBOM, Copilot, LLM Scanner services
β”‚   └── requirements.txt
β”œβ”€β”€ frontend/                 # React 18 + TypeScript + Vite + TailwindCSS
β”‚   β”œβ”€β”€ src/
β”‚   β”‚   β”œβ”€β”€ components/       # Layout (Sidebar, Header), SeverityBadge
β”‚   β”‚   β”œβ”€β”€ pages/            # 19 pages: Dashboard, Products, Findings, Engagements, Integrations, ScanImport, Settings, AI Triage, Scorecard, Compliance, SLA Tracker, Metrics, Attack Paths, Security Agent, SBOM, Copilot, LLM Scanner, API Security
β”‚   β”‚   β”œβ”€β”€ services/         # Axios API client
β”‚   β”‚   └── store/            # Zustand auth + theme state management
β”‚   └── package.json
β”œβ”€β”€ docker/                   # Dockerfiles + nginx config
β”œβ”€β”€ .github/workflows/        # CI/CD pipeline + release workflow
β”œβ”€β”€ docker-compose.yml        # Full stack deployment
└── .env.example              # Configuration template

Tech Stack

| Layer | Technology |
|---|---|
| Frontend | React 18, TypeScript, Vite, TailwindCSS, Recharts, Zustand, React Query |
| Backend | FastAPI, SQLAlchemy (async), Pydantic v2, Celery |
| Database | PostgreSQL 16 |
| Cache | Redis 7 |
| Auth | JWT (python-jose), bcrypt, RBAC |
| Deployment | Docker Compose, nginx, GitHub Actions |

📑 API Documentation

Once running, visit the interactive API docs: Swagger UI at http://localhost:8000/docs and ReDoc at http://localhost:8000/redoc.

Key Endpoints

| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/auth/register | Create account |
| POST | /api/v1/auth/login | Get JWT access token |
| GET | /api/v1/dashboard/stats | Dashboard metrics & charts |
| GET/POST | /api/v1/products | Manage products |
| GET/POST | /api/v1/findings | Manage findings |
| GET | /api/v1/findings/:id | Finding detail with full context |
| POST | /api/v1/scans/import | Import scan results (multipart) |
| GET | /api/v1/scans/parsers | List supported parsers |
| POST | /api/v1/jira/create-issue/:findingId | Create Jira issue from finding |
| POST | /api/v1/notifications/test-slack | Test Slack webhook |
| GET/PATCH | /api/v1/users | User management (Admin) |
| POST | /api/v1/triage/analyze/:findingId | AI triage analysis for a finding |
| POST | /api/v1/triage/bulk-analyze | Bulk AI triage for a product |
| GET | /api/v1/triage/summary/:productId | Triage summary with priorities |
| GET | /api/v1/scorecard/overview | Org-wide security scorecard |
| GET | /api/v1/scorecard/trends | Score trend data (30 days) |
| GET | /api/v1/compliance/overview | All frameworks compliance overview |
| GET | /api/v1/compliance/report/:frameworkId | Detailed compliance report |
| GET | /api/v1/compliance/gaps/:frameworkId | Gap analysis for framework |
| GET | /api/v1/sla/status | SLA status summary |
| GET | /api/v1/sla/heatmap | Risk heatmap (products x severity) |
| GET | /api/v1/sla/breaches | SLA breached findings |
| GET | /api/v1/metrics/kpi | Security KPI metrics |
| GET | /api/v1/metrics/mttr | Mean time to remediate |
| GET | /api/v1/metrics/burndown | Vulnerability burndown chart |
| GET | /api/v1/metrics/executive-summary | Executive security summary |
| GET | /api/v1/attack-paths/overview | Org-wide attack path analysis |
| GET | /api/v1/attack-paths/graph/:productId | Attack path graph for a product |
| POST | /api/v1/agent/analyze/:productId | AI agent deep product analysis |
| POST | /api/v1/agent/chat | Chat with AI security agent |
| GET | /api/v1/sbom/overview | Org-wide SBOM overview |
| GET | /api/v1/sbom/product/:productId | SBOM for a product |
| POST | /api/v1/copilot/remediate/:findingId | AI remediation for a finding |
| POST | /api/v1/copilot/bulk-remediate | Bulk AI remediation |
| POST | /api/v1/llm-scanner/scan | Scan code for AI/ML vulnerabilities |
| GET | /api/v1/llm-scanner/overview | LLM scanner overview |

🔌 CI/CD Integration

Import scan results directly from your pipeline:

```bash
# Import Trivy scan results
curl -X POST http://localhost:8000/api/v1/scans/import \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "file=@trivy-results.json" \
  -F "scanner=Trivy" \
  -F "product_id=1"

# Import Semgrep results
curl -X POST http://localhost:8000/api/v1/scans/import \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "file=@semgrep.json" \
  -F "scanner=Semgrep" \
  -F "product_id=1"
```

GitHub Actions Example

```yaml
- name: Import scan results to Foxnode
  run: |
    curl -X POST ${{ secrets.FOXNODE_URL }}/api/v1/scans/import \
      -H "Authorization: Bearer ${{ secrets.FOXNODE_TOKEN }}" \
      -F "file=@trivy-results.json" \
      -F "scanner=Trivy" \
      -F "product_id=1"
```
βš™οΈ Environment Variables

Variable Description Default
DATABASE_URL PostgreSQL connection string postgresql+asyncpg://foxnode:foxnode@localhost:5432/foxnode_aspm
REDIS_URL Redis connection string redis://localhost:6379/0
SECRET_KEY JWT signing key change-me-in-production
CORS_ORIGINS Allowed CORS origins ["http://localhost"]
JIRA_URL Jira instance URL β€”
JIRA_USERNAME Jira account email β€”
JIRA_API_TOKEN Jira API token β€”
SLACK_WEBHOOK_URL Slack incoming webhook URL β€”
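Because `SECRET_KEY` signs every JWT the API issues and the database URL embeds credentials, the defaults in this table are only safe on a developer laptop. The following is an added example (not part of the FoxNode code base) of a startup check over exactly these variables; the function names, the 32-character minimum and the `https` requirement for integration URLs are this example's own choices.

```python
import json
import secrets

DEFAULT_SECRET_KEY = "change-me-in-production"  # default shipped in .env.example
DEFAULT_DB_CREDS = "foxnode:foxnode@"           # user:password from the default DATABASE_URL

def check_settings(env: dict[str, str]) -> list[str]:
    """Return the problems found in a set of environment variables; empty means acceptable."""
    problems = []
    secret = env.get("SECRET_KEY", DEFAULT_SECRET_KEY)
    if secret == DEFAULT_SECRET_KEY:
        problems.append("SECRET_KEY is the shipped default, so issued JWTs cannot be trusted")
    elif len(secret) < 32:
        problems.append("SECRET_KEY is shorter than 32 characters")
    try:
        origins = json.loads(env.get("CORS_ORIGINS", '["http://localhost"]'))
        if not isinstance(origins, list):
            raise ValueError("not a list")
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        problems.append("CORS_ORIGINS must be a JSON list of origins")
        origins = []
    if "*" in origins or any(not str(o).startswith(("http://", "https://")) for o in origins):
        problems.append("CORS_ORIGINS contains a wildcard or a malformed origin")
    if DEFAULT_DB_CREDS in env.get("DATABASE_URL", ""):
        problems.append("DATABASE_URL still uses the default database credentials")
    for name in ("JIRA_URL", "SLACK_WEBHOOK_URL"):
        value = env.get(name, "")
        if value and not value.startswith("https://"):
            problems.append(f"{name} should use https")
    return problems

def new_secret_key() -> str:
    # 48 random bytes, URL-safe encoded (64 characters): suitable for an HMAC JWT signing key
    return secrets.token_urlsafe(48)

def validate_or_exit(env: dict[str, str]) -> None:
    # Meant for the backend's startup path: refuse to serve with an unsafe configuration
    problems = check_settings(env)
    if problems:
        raise SystemExit("refusing to start:\n  " + "\n  ".join(problems))
```

Wire `validate_or_exit(dict(os.environ))` into the application startup so a forgotten `.env` edit fails loudly instead of running with a public signing key.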

🤝 Contributing

We welcome contributions! Please:

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Make your changes
  4. Run tests (cd backend && pytest)
  5. Submit a pull request

See our Contributing Guide for more details.


📄 License

MIT License - see LICENSE for details.


⭐ Star History

If you find FoxNode ASPM useful, please consider giving it a star! It helps others discover the project.


Built with ❀️ by the Valinor Intelligence team

About

Foxnode ASPM - Open-source Application Security Posture Management platform. Beautiful dark UI, 16+ security tool parsers, Jira sync, Slack notifications, RBAC, and CI/CD ready.
