SecMan is a comprehensive security scanning platform that integrates multiple industry-standard security scanners into a unified dashboard, providing real-time vulnerability assessment and management.
- Node.js (v14+) for frontend
- Go (v1.22.5+) for backend
- PostgreSQL database
- Redis for token management
- Modern web browser
- Access to security scanner APIs (ZAP, Acunetix, Semgrep)
- Clone the repository:

```bash
git clone https://github.com/grealyve/secman.git
cd secman
```

- Install dependencies (Go modules for the backend, npm packages for the frontend):

```bash
go mod tidy
npm install
```

- Start the frontend development server:

```bash
npm run dev
```

- Start the backend server:

```bash
go run main.go
```

The platform integrates the following scanners:
- OWASP ZAP - Web application security scanner for detecting vulnerabilities in web applications
- Acunetix - Automated web vulnerability scanner for comprehensive web security assessment
- Semgrep - Static code analysis tool for finding bugs and enforcing code standards
- Real-time vulnerability metrics and statistics from a dedicated dashboard API
- Interactive charts for vulnerability distribution
- Scanner-specific data visualization in a tabbed interface
- Comprehensive scan history and reporting with filtering capabilities
- Start scans directly from the interface with multi-URL support
- Configure scan parameters for each scanner
- Bulk URL scanning capability via file upload
- Detailed scan monitoring and control (pause, abort, delete)
- Multi-company support with isolation between organizations
- Role-based access control system with granular permissions
- User registration and authentication with JWT tokens
- Company-specific scan isolation and reporting
SecMan uses a modern Go backend with the following components:
- Web Framework: Gin-Gonic for high-performance REST API
- Database: PostgreSQL with GORM ORM for data persistence
- Authentication: JWT-based authentication with Redis blacklisting for token invalidation
- Security: Role-based middleware authorization for all endpoints
- Models: Structured data models for Users, Companies, Scans, Findings, and Reports
- Framework: React with React Router for navigation
- UI Library: Bootstrap for responsive design
- State Management: Context API for authentication and app state
- API Integration: Fetch API with Bearer token authentication
The application automatically migrates the following models:
- Companies
- Users
- Scans
- Findings
- Reports
- ScannerSettings
The application offers a clean, organized routing structure:
- Dashboard:
  - / - Main dashboard with summary statistics
- OWASP ZAP:
  - /owasp-zap/scans - Manage ZAP scans
  - /owasp-zap/findings - View scan findings
  - /owasp-zap/reports - Access and download reports
  - /owasp-zap/generate-report - Create new reports
- Acunetix:
  - /acunetix/assets - Manage assets/targets
  - /acunetix/scans - Manage scans
  - /acunetix/findings - View vulnerabilities
  - /acunetix/reports - Access reports
  - /acunetix/generate-report - Generate new reports
- Semgrep:
  - /semgrep/scans - Manage code scans
  - /semgrep/findings - View findings
  - /semgrep/deployments - Manage deployments
- Administration:
  - /admin - Admin panel
  - /user-creation - Create new users
  - /company-relation - Manage company relations
- User Settings:
  - /settings - Scanner configuration
  - /profile-settings - User profile management
- Help:
  - /help - Documentation and user assistance
The system supports the following user interactions, split by role:
- Standard users:
  - Log in to the system
  - View scan results
  - Start, stop, and delete scans
  - Insert, edit, and delete assets
  - Create and download reports
- Administrators:
  - All user operations
  - Create, delete and manage users
  - Manage authorization and permissions
  - Edit system configuration
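The user/admin split above and the company isolation listed under the features are two separate checks: a role gate in front of the handler, and a tenant filter inside every data query. The following is an added example, not SecMan's own code, written on net/http instead of Gin so it runs with the standard library alone. The role names, the permission table, the Claims fields and the sample scans are assumptions made for illustration.

```go
// Added example, not SecMan's own code: the README's role-based middleware and
// company-scoped scan isolation, on net/http instead of Gin so it runs on the
// standard library alone. Roles, the permission table, Claims and sample data are assumptions.
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
)

type Role string

const RoleUser, RoleAdmin Role = "user", "admin"

// Claims is what the JWT middleware stores in the request context after the
// signature check; handlers never take identity or company from client input.
type Claims struct {
	Role      Role
	CompanyID string
}

type ctxKey struct{}

func WithClaims(ctx context.Context, c Claims) context.Context { return context.WithValue(ctx, ctxKey{}, c) }

func ClaimsFrom(ctx context.Context) (Claims, bool) { c, ok := ctx.Value(ctxKey{}).(Claims); return c, ok }

// permissions mirrors the README's split; anything not listed here is denied.
var permissions = map[string][]Role{
	"scan:read":   {RoleUser, RoleAdmin},
	"scan:delete": {RoleUser, RoleAdmin},
	"user:create": {RoleAdmin},
}

func Allowed(role Role, action string) bool {
	for _, r := range permissions[action] {
		if r == role {
			return true
		}
	}
	return false
}

// RequirePermission is the authorization middleware: 401 without an identity,
// 403 when the role lacks the action; the wrapped handler runs only on success.
func RequirePermission(action string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := ClaimsFrom(r.Context())
		switch {
		case !ok:
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
		case !Allowed(c.Role, action):
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

type Scan struct {
	ID        string `json:"id"`
	CompanyID string `json:"company_id"`
}

// ScanStore applies the company from the verified claims to every query, so a user
// can neither list nor fetch by id another company's scans (the usual IDOR hole).
type ScanStore struct{ scans []Scan }

func (s *ScanStore) ListForCompany(companyID string) []Scan {
	out := []Scan{} // empty slice, not nil, so the JSON body is [] rather than null
	for _, sc := range s.scans {
		if sc.CompanyID == companyID {
			out = append(out, sc)
		}
	}
	return out
}

func (s *ScanStore) GetForCompany(id, companyID string) (Scan, bool) {
	for _, sc := range s.scans {
		if sc.ID == id && sc.CompanyID == companyID {
			return sc, true
		}
	}
	return Scan{}, false
}

// ListScansHandler is the kind of handler that sits behind RequirePermission("scan:read", ...).
func ListScansHandler(store *ScanStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, _ := ClaimsFrom(r.Context()) // present: the middleware already checked it
		json.NewEncoder(w).Encode(store.ListForCompany(c.CompanyID))
	})
}

// Constructed sample data: two companies sharing one table.
var sampleStore = &ScanStore{scans: []Scan{{ID: "s1", CompanyID: "c1"}, {ID: "s2", CompanyID: "c2"}, {ID: "s3", CompanyID: "c1"}}}

func main() {
	_, ok := sampleStore.GetForCompany("s2", "c1") // a c1 user asking for c2's scan by id
	fmt.Println("cross-company fetch allowed:", ok)
}
```

The point of GetForCompany taking both the id and the company is that a scan id alone is never enough to fetch a record: with GORM the equivalent is a `Where("id = ? AND company_id = ?", id, companyID)` on every scan, finding and report query, with the company taken from the token rather than from a request parameter.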
The application implements several security measures:
- JWT-based authentication with token blacklisting
- Role-based access control for all endpoints
- Authorization middleware to protect resources
- Token invalidation on logout
- Password hashing for user credentials
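JWT tokens are stateless, so "token invalidation on logout" only works if the server keeps a denylist of revoked token ids until they would have expired anyway, which is what the Redis blacklist mentioned in the backend description is for. The following is an added example, not SecMan's own code, showing that mechanism with the standard library only: an in-memory map stands in for the Redis set, and the claim names (sub, jti, exp) and the HS256 secret are assumptions.

```go
// Added example, not SecMan's own code: HS256 JWT verification with a logout
// blacklist, the README's "JWT authentication with Redis blacklisting". Standard
// library only; the in-memory Blacklist stands in for Redis and claim names are assumed.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims: jti is the unique token id that gets blacklisted, exp is unix seconds.
// Role and company claims for the authorization layer would sit alongside these.
type Claims struct {
	Subject string `json:"sub"`
	JTI     string `json:"jti"`
	Exp     int64  `json:"exp"`
}

// Blacklist keeps revoked token ids until they would expire anyway. In Redis this is
// SET <jti> 1 EX <remaining seconds>; this map stand-in is not goroutine-safe.
type Blacklist struct{ revoked map[string]time.Time }

func NewBlacklist() *Blacklist { return &Blacklist{revoked: map[string]time.Time{}} }

func (b *Blacklist) Revoke(jti string, exp time.Time) { b.revoked[jti] = exp }

func (b *Blacklist) IsRevoked(jti string, now time.Time) bool {
	exp, ok := b.revoked[jti]
	if ok && !now.Before(exp) { // lapsed entry: drop it, as the Redis TTL would
		delete(b.revoked, jti)
		return false
	}
	return ok
}

var b64 = base64.RawURLEncoding

// Sign mints a compact HS256 token so the example can issue its own tokens.
func Sign(c Claims, key []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Verify is the middleware core: pin the algorithm, compare the signature in constant
// time, and only then decode the claims and check expiry and the blacklist.
func Verify(token string, key []byte, bl *Blacklist, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported alg") // rejects alg=none and key-confusion attempts
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if now.Unix() >= c.Exp || bl.IsRevoked(c.JTI, now) {
		return nil, errors.New("token expired or revoked")
	}
	return &c, nil
}

// Logout is what the logout endpoint does: a still-valid token's jti is blacklisted
// for exactly its remaining lifetime, so the token is dead before exp is reached.
func Logout(token string, key []byte, bl *Blacklist, now time.Time) error {
	c, err := Verify(token, key, bl, now)
	if err != nil {
		return err
	}
	bl.Revoke(c.JTI, time.Unix(c.Exp, 0))
	return nil
}

func main() {
	key, bl, now := []byte("replace-with-a-random-32-byte-secret"), NewBlacklist(), time.Now() // key is an assumption
	tok, _ := Sign(Claims{Subject: "u1", JTI: "t1", Exp: now.Add(time.Hour).Unix()}, key)
	_, before := Verify(tok, key, bl, now)
	_ = Logout(tok, key, bl, now)
	_, after := Verify(tok, key, bl, now)
	fmt.Println("before logout:", before, "| after logout:", after)
}
```

Two details matter in practice: the algorithm is pinned before the signature is checked, so an attacker cannot downgrade to alg=none or swap in a different algorithm, and the blacklist entry lives only as long as the token would have, so the Redis set stays small without any cleanup job.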
Administrators can manage companies and users through dedicated admin panels:
- Create and manage companies
- Add users to companies
- Register new users
- Promote/demote user roles
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.
For questions or support, please contact ysf.yildiz11@gmail.com.
2025 SecMan Security Platform. All rights reserved.
SecMan is a comprehensive security management platform that integrates multiple vulnerability scanners including Acunetix, OWASP ZAP, and Semgrep.
- Multi-Scanner Integration: Supports Acunetix, OWASP ZAP, and Semgrep
- Vulnerability Management: Centralized vulnerability tracking and reporting
- User Management: Role-based access control with company isolation
- Dashboard: Real-time security metrics and analytics
- Report Generation: Automated security reports
- Backend: Go (Gin framework)
- Frontend: React (Vite)
- Database: PostgreSQL
- Cache: Redis
- Containerization: Docker & Docker Compose
- Docker
- Docker Compose
- Clone the repository:

```bash
git clone <repository-url>
cd secman
```

- Start the application:

```bash
docker-compose up -d
```

- Access the application:
  - Application: http://localhost:4040
  - Health Check: http://localhost:4040/health
The Docker setup includes a single all-in-one container:
- secman_all_in_one: Contains all services in one container
- Port 4040: Main application (Go backend + React frontend)
- Port 5432: PostgreSQL database with pre-loaded data
- Port 6379: Redis cache for session management
The database is automatically initialized with:
- Schema creation with UUID support
- Sample companies, users, and scanner settings
- Historical scan data and findings
After deployment, you can log in with these default accounts. They are seeded for local evaluation; change or remove them before the instance is reachable by anyone else:
- Admin: admin@admin.com / admin123
- User: ysf.yildiz11@gmail.com / password
The application reads the following environment variables:
- DB_HOST: Database host (default: localhost)
- DB_PORT: Database port (default: 5432)
- DB_USER: Database user (default: lutenix)
- DB_PASSWORD: Database password (default: lutenix)
- DB_NAME: Database name (default: lutenix_db)
- REDIS_URL: Redis connection string (default: localhost:6379)
- PORT: Application port (default: 4040)

The defaults are for local development only. Set DB_PASSWORD to a strong value, and do not publish ports 5432 and 6379 beyond the host when the container is reachable from other machines.
The application configuration is managed through config.yaml. Update the scanner API keys and endpoints as needed, and keep the file out of version control, since it holds the scanner credentials:

```yaml
acunetix_ip: "192.168.1.6"
acunetix_port: 3443
acunetix_apikey: "your-acunetix-api-key"
zap_apikey: "your-zap-api-key"
semgrep_apikey: "your-semgrep-api-key"
```

The all-in-one container includes comprehensive health checks:
- Database: PostgreSQL ready check
- Redis: Ping check
- Application: HTTP health endpoint
- Uses supervisord to manage all services
Application logs are stored in the app_logs Docker volume and can be followed with:

```bash
docker-compose logs -f secman
```

Or check individual service logs (the wildcard is run through sh inside the container so it is expanded there, not on the host):

```bash
# View all logs
docker exec secman_all_in_one sh -c 'tail -f /var/log/supervisor/*.log'
# View app logs
docker exec secman_all_in_one tail -f /var/log/supervisor/secman-app.log
# View database logs
docker exec secman_all_in_one tail -f /var/log/supervisor/postgresql.log
# View Redis logs
docker exec secman_all_in_one tail -f /var/log/supervisor/redis.log
```

To stop the application:

```bash
docker-compose down
```

To remove all data (including the database volume):

```bash
docker-compose down -v
```

For development with hot reloading, run the two servers outside the container:

```bash
# Backend development
go run main.go
# Frontend development
npm run dev
```

If something does not come up, check the following:
- Port conflicts: Ensure ports 4040, 5432, and 6379 are available
- Permission issues: Make sure Docker has appropriate permissions
- Database connection: Check if PostgreSQL service is healthy
- Redis connection: Verify Redis service is running
The API endpoints are grouped under the /api prefix:
- /api/auth/* - Authentication endpoints
- /api/dashboard/* - Dashboard data
- /api/acunetix/* - Acunetix scanner integration
- /api/zap/* - OWASP ZAP scanner integration
- /api/semgrep/* - Semgrep scanner integration
- /api/admin/* - Admin management
Visit /health for application health status.