Vulnreport is a platform for managing penetration tests and generating well-formatted, actionable findings reports without the normal overhead that takes up security engineers’ time. It is designed to accelerate management of penetration tests and security code reviews/audits, as well as generation of useful vulnerability reports. Using Vulnreport, security researchers can automate almost all of the overhead involved with penetration testing so that they can devote more time to the fun stuff – finding vulns. Vulnreport takes care of tracking vulnerabilities on your tests, providing a simple UI for managing them, and running analytics on what you’re finding and where you’re spending your time. Vulnreport is also a platform that can be extended and hooked into whatever other management and vulnerability assessment tools are part of your process. Hook it up to your automated testing frameworks and watch the vuln data flow into your reports like magic.
Vulnreport was built by the Salesforce Product Security team as a way to get rid of the time we spent writing, formatting, and proofing reports for penetration tests. The goal was and continues to be to build great security tools that let pentesters and security engineers focus on finding and fixing vulns. It was open-sourced at Black Hat USA 2016’s Arsenal and will remain available and regularly-updated for anyone in the security community to use and modify, contribute to, or just play around with.
Vulnreport is a Ruby/Rack app that uses the Sinatra DSL framework. If you’re installing Vulnreport locally or on your own VM/server, the dependencies you’ll need installed are:
Clone the repo and open up the .env file, updating it as necessary. Then run bundle install. You’ll probably want to modify start.sh to make it work for your environment – the one included in the repo is intended for local use during debugging/development. You should also create a .env file based on .env.example, or set the same ENV variables defined in .env in your environment.
Before attempting to log in to Vulnreport and start using it, you’ll need to run a one-time seed script to configure the database and initial settings. This script is found in the root of the repo as SEED.rb. To run locally, simply execute ./SEED.rb. If you’re deploying on Heroku, you’ll run it as heroku run ./SEED.rb -a [Vulnreport App]. If you used the automated ‘Deploy to Heroku’ feature, this step should have been handled for you automatically.
When you run the seed script, the process should go something like this:
Running ./SEED.rb on ⬢ my-vr-test... up, run.8035
Vulnreport 3.0.0.alpha seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED
Setting up Vulnreport now...
Setting up the PostgreSQL database... Done
Seeding the database... Done
User ID 1 created for you
ALL DONE! :)
Login to Vulnreport now and go through the rest of the settings!
Once Vulnreport is deployed and the seed script has been run, you’re ready to do final configuration live in the app. First, you should delete the seed script. Then, log in to your new Vulnreport instance with the default admin user – username admin. This default login should be rotated immediately and/or SSO should be configured.
Your first stop once you’ve logged in should be to Settings > VR Settings (/admin/settings). Here you should set up your name and authentication settings. After that, you can reconfigure your user settings and set up Users, Organizations, Record Types, Vuln Types, etc. for your use case. Please see the Admin section of the documentation below for more information about configuring Vulnreport.
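The setup steps above leave two things easy to forget: deleting SEED.rb after it has run, and giving a value to every variable listed in .env.example. The following check is an added example, not part of the Vulnreport repo; `vr_postseed_check` is a hypothetical helper name, and the file-permission check assumes that .env holds secrets, which the README does not state.

```sh
#!/bin/sh
# Added example, not part of the Vulnreport repo. vr_postseed_check is a
# hypothetical helper; SEED.rb, .env and .env.example are the README's names.
# Usage: vr_postseed_check [checkout_dir]   (returns the number of findings)

vr_postseed_check() {
    dir=${1:-.}
    findings=0

    # 1. The README says to delete the seed script once it has run.
    if [ -e "$dir/SEED.rb" ]; then
        echo "FAIL: $dir/SEED.rb still exists; delete it after seeding"
        findings=$((findings + 1))
    fi

    # 2. Every variable named in .env.example needs a non-empty value,
    #    either in .env or in the process environment.
    if [ -f "$dir/.env.example" ]; then
        keys=$(sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$dir/.env.example")
        for key in $keys; do
            if grep -q "^${key}=." "$dir/.env" 2>/dev/null; then continue; fi
            if env | grep -q "^${key}=."; then continue; fi
            echo "FAIL: $key is in .env.example but not set"
            findings=$((findings + 1))
        done
    fi

    # 3. Assumption (not in the README): .env holds secrets, so it should
    #    not be accessible to group or other users.
    if [ -f "$dir/.env" ]; then
        mode=$(ls -ld "$dir/.env" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "FAIL: $dir/.env is accessible to group/other ($mode)"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ] && echo "OK: no findings in $dir"
    return "$findings"
}
```

Run it from the checkout after seeding; it cannot confirm that the default admin login was rotated, which still has to be checked in the app.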