Open Source ASPM Platform
Open-ASPM-Project/core-software
Open-ASPM is an open source Application Security Platform that provides comprehensive visibility and control, enabling developers to build securely and security teams to manage risk effectively.

The Open-ASPM project aims to democratize cybersecurity by providing enterprise-grade, easy-to-deploy, and intuitive security solutions. Our objective is to make state-of-the-art protection accessible to every business, regardless of size or budget.

  ●  Core functions  ●  Website / Support  ●  Installation  ●  Documentation  ●  Development  ●  Contributing
  ●  License

CLA FREE initiative

Core functions

  • A complete and robust application security posture management platform that can be deployed on-premise, in the cloud, or as a SaaS solution, suitable for organizations of all sizes.
  • Secret Scanning: the platform uses the open source tools gitleaks and TruffleHog to detect hardcoded secrets in the code.
  • Software Composition Analysis (SCA): the platform uses the open source tools grype and syft to detect vulnerabilities in the code's dependencies.
  • Post-commit scanning: automatically scans code and dependencies for vulnerabilities and secrets immediately after changes are committed to the repository, acting as a critical safety net in the development pipeline.
  • Integrates seamlessly with your existing workflows, supporting GitHub, Bitbucket, and GitLab. Get critical alerts via Slack and Jira, ensuring your teams stay informed.
  • Centralized Incident Management: provides a unified, real-time overview of all cybersecurity incidents across diverse version control systems, repositories, teams, and projects, displaying status, priority, assignments, and resolution timelines.
  • Comprehensive Asset Inventory: provides a detailed and continuously updated catalog of all repositories, discovered secrets, and identified vulnerabilities across your entire ecosystem, offering a crucial foundation for risk assessment and management.
  • Easily deploy Open-ASPM using Docker Compose for local or self-hosted environments, or through cloud marketplaces for streamlined integration with your existing cloud infrastructure.
  • Empower your organization to define custom roles and manage access with precision using Authentication, Role-Based Access Control (RBAC), and simplified user authentication via Single Sign-On (SSO).
  • Asset Grouping: organize and monitor related assets collectively to streamline security monitoring, track group-level security scores, and simplify management for large-scale deployments or team-based security tracking.
  • Dynamic Scoring and Risk-Based Prioritization: Open-ASPM automatically prioritizes security issues using an intelligent scoring engine that considers multiple risk factors, enabling security teams to focus on the most critical remediation tasks first.
  • False Positive Management: streamline your workflow and accelerate business-critical releases by easily managing false positives through one-click allowlisting at organizational or version control system levels, minimizing unnecessary delays.
  • Rich API Support for Custom Automations: the platform provides extensive API capabilities, empowering users to build custom automations and integrate Open-ASPM seamlessly into their unique security workflows.
  • Gain a comprehensive, real-time overview of your security posture through intuitive dashboards, enabling effective tracking of security incidents, monitoring of all assets, and efficient management of remediation efforts.
  • Open-source commitment: with Open-ASPM, you get an unwavering commitment to open source. Our license ensures no single company can ever change its open model or license, guaranteeing the tool will always remain free and open, never becoming proprietary or semi-open.

Main advantages

The main benefit of using Open-ASPM is its ability to serve as a comprehensive and robust platform for application security, enabling organizations of all sizes to:

  • Unified AppSec: A single platform to manage and streamline all application security efforts across your entire software development lifecycle.
  • Cut Costs: Ditch expensive AppSec licenses.
  • Lower Risk: Build secure from day one, reducing vulnerabilities.
  • Boost Efficiency: Streamline security and empower your developers.
  • Total Trust: Open-source code means full transparency and auditability.
  • No Vendor Lock-In: Stay in control of your security infrastructure.
  • Community Powered: Benefit from global expert contributions.

Website / Support

Check out the website for more information about Open-ASPM software, tools and communities.

Information, news and updates are also regularly posted on the Open-ASPM project Discord server, LinkedIn account and news page.

Installation

git clone https://github.com/Open-ASPM-Project/core-software.git
cd core-software

Environment Setup

Create a .env file in the project root directory:

POSTGRES_USER=postgres
POSTGRES_PASSWORD=password
POSTGRES_DB=postgres
BACKEND_DIR=./src/backend
FRONTEND_DIR=./src/frontend
FRONTEND_PORT=5173
BACKEND_URL=http://localhost:80
FRONTEND_URL=http://localhost:5173

Starting the Application

To start all services:

docker-compose up

To run the services in detached mode:

docker-compose up -d

The application will be available at http://localhost:80 through the NGINX reverse proxy.

| Service | Local URL | Swagger UI | Description |
|---|---|---|---|
| NGINX | http://localhost:80 | N/A | Main entry point |
| User Auth | http://localhost:3000 | http://localhost:3000/v2/user-auth/swagger | Authentication services |
| Assets | http://localhost:3002 | http://localhost:3002/v2/assets/swagger | Asset management |
| PostgreSQL | localhost:5432 | N/A | Database (requires client) |
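Before running docker-compose up it is worth checking that the .env file is complete and that the placeholder value POSTGRES_PASSWORD=password from the snippet above has been replaced, since that value also becomes the credential of the PostgreSQL service exposed on localhost:5432. The following POSIX shell script is an added example and not part of the Open-ASPM project; the key names are the ones the README lists, while the function names (env_get, check_env) and the list of placeholder passwords are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the Open-ASPM project: sanity-check the .env
# file before `docker-compose up`. Key names are the ones the README lists;
# function names and the placeholder-password list are assumptions.

REQUIRED_KEYS="POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB BACKEND_DIR \
FRONTEND_DIR FRONTEND_PORT BACKEND_URL FRONTEND_URL"

# env_get FILE KEY: print the value of KEY in FILE (last definition wins,
# empty output when the key is absent).
env_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_env FILE: return 0 when every required key is set, the database
# password is not a placeholder and FRONTEND_URL uses FRONTEND_PORT;
# otherwise print one finding per line and return 1 (2 if FILE is missing).
check_env() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    for key in $REQUIRED_KEYS; do
        if [ -z "$(env_get "$file" "$key")" ]; then
            echo "missing key: $key"
            rc=1
        fi
    done
    case "$(env_get "$file" POSTGRES_PASSWORD)" in
        password|postgres|changeme|"")
            echo "weak POSTGRES_PASSWORD: replace the placeholder with a random secret (e.g. openssl rand -hex 32)"
            rc=1 ;;
    esac
    port=$(env_get "$file" FRONTEND_PORT)
    url=$(env_get "$file" FRONTEND_URL)
    case "$url" in
        *:"$port"|*:"$port"/*) ;;
        *) echo "FRONTEND_URL ($url) does not use FRONTEND_PORT ($port)"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh check_env.sh path/to/.env (with no argument only the functions are defined)
if [ $# -gt 0 ]; then
    check_env "$1"
fi
```

Run it against the .env from the snippet above and it exits non-zero until the placeholder password is replaced; a nonexistent file exits with status 2.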

Documentation

  • Documentation
  • YouTube
  • API

Development

Viewing Logs

To view logs for all services:

docker-compose logs -f

To view logs for a specific service:

docker-compose logs -f [service-name]

Example:

docker-compose logs -f assets

Stopping the Application

To stop all services:

docker-compose down

To stop and remove volumes (this will delete all data):

docker-compose down -v

Rebuilding Services

If you make changes to the code, you'll need to rebuild the services:

docker-compose build

Or to rebuild a specific service:

docker-compose build [service-name]

Contributing

Want to help build Open-ASPM? We welcome all contributions!

Check out our contributing page to see the many ways you can get involved. Please also review our Code of Conduct.

Feel free to fork our code, experiment, create patches, and send us pull requests through GitHub issues.

For any questions, remarks, or bug reports, don't hesitate to contact us or create an issue.

License

This software is licensed under the GNU Affero General Public License version 3.