{"id":51549147,"url":"https://github.com/dyallab/henkaipan","last_synced_at":"2026-07-09T22:01:04.905Z","repository":{"id":365110462,"uuid":"1217361008","full_name":"Dyallab/HenKaiPan","owner":"Dyallab","description":"All in one AppSec Platform","archived":false,"fork":false,"pushed_at":"2026-07-04T06:01:10.000Z","size":29072,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-04T07:26:12.442Z","etag":null,"topics":["ai","docker","go","linux","nix","security"],"latest_commit_sha":null,"homepage":"https://henkaipan.dyallab.com.ar","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Dyallab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-04-21T20:07:59.000Z","updated_at":"2026-07-04T06:01:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Dyallab/HenKaiPan","commit_stats":null,"previous_names":["dyallab/henkaipan"],"tags_count":42,"template":false,"template_full_name":null,"purl":"pkg:github/Dyallab/HenKaiPan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dyallab%2FHenKaiPan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dyallab%2FHenKaiPan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dyallab%2FHenKaiPan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dyallab%2FHenKaiPan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Dyallab","download_url":"https://codeload.github.com/Dyallab/HenKaiPan/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dyallab%2FHenKaiPan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35313756,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-09T02:00:07.329Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","docker","go","linux","nix","security"],"created_at":"2026-07-09T22:01:03.160Z","updated_at":"2026-07-09T22:01:04.888Z","avatar_url":"https://github.com/Dyallab.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HenKaiPan\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n[![Go Version](https://img.shields.io/badge/Go-1.26+-00ADD8?logo=go)](https://go.dev/)\n[![CI/CD](https://github.com/Dyallab/HenKaiPan/actions/workflows/ci-cd.yml/badge.svg)](https://github.com/Dyallab/HenKaiPan/actions/workflows/ci-cd.yml)\n\n**HenKaiPan** is an open-source ASPM (Application Security Posture Management) platform. It orchestrates security scanners, correlates findings across tools, provides AI-powered remediation, and helps teams track vulnerability posture over time.\n\n**Self-hosted, fully free, no restrictions.**\n\n- Deploy with Docker Compose or Kubernetes\n- All scanners bundled in the worker image (Semgrep, Trivy, Gitleaks, Checkov, Nuclei, and more)\n- AI features via Ollama (local), OpenRouter, or Cloudflare Workers AI\n- Public release: https://github.com/Dyallab/HenKaiPan-self-hosted\n- Landing page: https://henkaipan.dyallab.com.ar\n\n## Quick Start\n\n```bash\n# 1. Copy and edit the environment file\ncp .env.example .env\n\n# 2. Start Postgres + Redis + API + Worker\nmake up\n\n# 3. Open http://localhost:8080\n# Login with admin/admin (or your ADMIN_USER / ADMIN_PASS from .env)\n```\n\nSee the [self-hosted repo](https://github.com/Dyallab/HenKaiPan-self-hosted) for production deployment (Docker Compose + Kubernetes).\n\n## Product Model\n\n- **App** = optional business grouping\n- **Project** = primary technical unit that users create, connect, scan, and review\n- **Standalone projects** are allowed (`project.app_id = NULL`)\n- **Repository connections** live directly on projects (`repo_url`, `github_token_encrypted`)\n\n## Platform Features\n\n1. **Dashboard** — health metrics, onboarding wizard, and recent activity\n2. **Scans** — scanner status, logs, results, and cron-based scan scheduling\n3. **Findings** — filters, triage, SLA tracking, exports, cross-scan deduplication, comments, and analysis\n4. **Vulns** — grouped vulnerability inventory\n5. **Projects** — connect repos, manage GitHub tokens, track scan history\n6. **Knowledge** — remediation guides and AI-generated articles\n7. **Compliance** — SOC 2 / ISO 27001 / PCI-DSS frameworks, control mapping, TSV export\n8. **Settings** — integrations, security, policies, notifications, users, teams\n\n## Tech Stack\n\n- **Frontend:** Astro 6 + Tailwind v4\n- **API:** Go + chi\n- **Database:** PostgreSQL 17 + pgx v5\n- **Background jobs:** Redis 8 + Asynq\n- **Scanners:** Bundled binaries (Semgrep, Trivy, Gitleaks, Checkov, Nuclei, and more)\n- **AI features:** OpenRouter, Cloudflare Workers AI, and Ollama for remediation generation, finding validation, and summarization\n\n## Architecture Overview\n\nHenKaiPan is split into three main runtime layers:\n\n- **Frontend (`/frontend`)**: renders the UI and calls the backend API.\n- **API (`/cmd/api`)**: exposes REST endpoints, authenticates users, reads/writes data, and enqueues async work.\n- **Worker (`/cmd/worker`)**: consumes queued jobs, runs scanner binaries, parses results, stores findings, and triggers AI validation.\n\nPostgreSQL stores the platform state, while Redis/Asynq is used as the job queue between the API and the worker.\n\n## High-Level Architecture Diagram\n\n```mermaid\nflowchart LR\n    U[User] --\u003e F[Astro Frontend]\n    F --\u003e|HTTP / JSON| API[Go API]\n\n    API --\u003e|CRUD + queries| DB[(PostgreSQL)]\n    API --\u003e|enqueue scan / validation jobs| Q[(Redis + Asynq)]\n\n    Q --\u003e W[Worker]\n    W --\u003e|read / write| DB\n    W --\u003e|exec binary| S[Scanner Binaries]\n    S --\u003e|normalized findings| W\n\n    API --\u003e|AI requests| AI[AI Providers]\n    W --\u003e|validation requests| AI\n    AI --\u003e|analysis / remediation| API\n    AI --\u003e|validation results| W\n\n    API --\u003e|knowledge articles + findings + metrics| F\n```\n\n## Runtime Flow\n\n### 1. User-facing request flow\n\n```mermaid\nsequenceDiagram\n    participant User\n    participant Frontend as Astro Frontend\n    participant API as Go API\n    participant DB as PostgreSQL\n\n    User-\u003e\u003eFrontend: Open dashboard / login / projects / scans\n    Frontend-\u003e\u003eAPI: Call REST endpoints\n    API-\u003e\u003eDB: Read/write application data\n    DB--\u003e\u003eAPI: Results\n    API--\u003e\u003eFrontend: JSON response\n    Frontend--\u003e\u003eUser: Render updated UI\n```\n\n### 2. Scan execution flow\n\n```mermaid\nsequenceDiagram\n    participant Frontend as Astro Frontend\n    participant API as Go API\n    participant Queue as Redis + Asynq\n    participant Worker as Worker\n    participant Scanner as Scanner Binary\n    participant DB as PostgreSQL\n\n    Frontend-\u003e\u003eAPI: POST /api/scans\n    API-\u003e\u003eDB: Create scan record(s) for the selected target\n    API-\u003e\u003eQueue: Enqueue scan job per scanner\n    Queue-\u003e\u003eWorker: Deliver TypeScanRun job\n    Worker-\u003e\u003eScanner: Execute scanner binary\n    Scanner--\u003e\u003eWorker: Raw scan output\n    Worker-\u003e\u003eWorker: Parse + normalize findings\n    Worker-\u003e\u003eDB: Insert findings + update scan status\n    Worker-\u003e\u003eQueue: Enqueue finding validation / summary jobs (optional)\n```\n\n### 3. AI remediation and validation flow\n\n```mermaid\nflowchart TD\n    F[Finding stored in PostgreSQL] --\u003e V[Optional validator job]\n    V --\u003e AI[AI Providers]\n    AI --\u003e A[Confidence / FP likelihood]\n    A --\u003e DB[(PostgreSQL)]\n\n    F --\u003e R[User requests AI remediation]\n    R --\u003e API[API /api/knowledge/ai-remediate]\n    API --\u003e AI\n    AI --\u003e K[Markdown remediation article]\n    K --\u003e DB\n    DB --\u003e UI[Knowledge Center / Findings UI]\n```\n\n## Main Components\n\n- **Frontend** — Astro 6 + Tailwind v4; UI lives in `frontend/` and uses `frontend/src/lib/api.ts`.\n- **API** — `cmd/api/main.go` handles auth, CRUD endpoints, metrics, job enqueueing.\n- **Worker** — `cmd/worker/main.go` runs queued scans, validations, summaries, webhooks, emails, and periodic tasks (scan scheduler, digest generator).\n- **Scanning** — scanners are registered in `internal/scanner/registry.go` as named scanners grouped into packs (`sast`, `sca`, `secrets`, `iac`, `containers`). Scanner binaries are bundled in the worker image.\n- **Scheduling** — cron-based periodic scans managed by `internal/tasks/scan_scheduler.go`, configurable from the UI.\n- **Deduplication** — findings deduplicated across scans via SHA256 fingerprints (`scanner:rule_id:file_path:line`) with `ON CONFLICT DO NOTHING`.\n- **Digest** — weekly executive email digest (`internal/tasks/digest.go`) with severity breakdown, SLA report, and 7-day trend.\n- **Data** — PostgreSQL is the source of truth; repositories live under `internal/repository`. Database migrations auto-run on API startup via `internal/db/migrate.go`.\n- **AI \u0026 integrations** — OpenRouter / Cloudflare AI, GitHub, Jira, webhooks, and notifications.\n- **Onboarding** — guided wizard at `/dashboard/welcome` with 3-step flow (project → token → first scan) and first-run redirect.\n\n- **Notifications** — in-app notification system with unread tracking (`internal/handlers/notifications.go`).\n\n### Database Schema\n\n- PostgreSQL is the source of truth; schema changes live in `migrations/`.\n- Core entities: users, teams, apps, projects, scans, findings, knowledge articles, policies, suppressions, webhooks, scan schedules, integrations, and notifications.\n- Sensitive integration secrets are stored encrypted; user passwords remain hashed.\n- **Migrations auto-run** on API startup via `internal/db/migrate.go` — no manual intervention required.\n\n### Queue Layer\n\n- Redis is used by Asynq for background job transport.\n- Redis pub/sub relays SSE events from the worker to the API process so browser clients receive real-time updates.\n- Queue bootstrap lives in `internal/queue/queue.go`.\n- SSE bridge lives in `internal/events/redis_bridge.go`.\n- The API enqueues work; the worker consumes it.\n\n### AI Layer\n\n- Multiple AI providers supported:\n  - `internal/ai/openrouter.go` — OpenRouter integration\n  - `internal/ai/cloudflare.go` — Cloudflare Workers AI integration\n  - `internal/ai/provider.go` — Provider abstraction layer\n  - `internal/ai/notification.go` — AI-powered notification summaries (optional)\n- AI is used for:\n  - **Remediation generation** into knowledge articles\n  - **Finding validation** to estimate confidence and false-positive likelihood\n  - **Finding summaries** for repeated scanner results\n  - **Notification summaries** for human-readable alerts (optional)\n\n### Integrations\n\n- **GitHub Integration** (`internal/github/client.go`):\n  - GitHub App installation per org/repo\n  - Receive PR/webhook context\n  - Map scans to PRs\n  - Comment on PR with findings summary\n\n- **Jira Integration** (`internal/jira/client.go`):\n  - Create tickets from findings\n  - Link findings to Jira issues\n\n- **Webhook System** (`internal/webhook/dispatcher.go`):\n  - Custom webhook endpoints\n  - Event delivery with retries\n  - Configurable events (new findings, SLA breaches, etc.)\n\n- **Notifications**:\n  - Slack webhook integration\n  - Email notifications via SMTP\n  - Configurable notification rules\n\n### Findings + Knowledge Modules\n\n- `internal/findings/validation_agent.go` — AI validation flow for findings\n- `internal/findings/summary_agent.go` — AI summary generation for findings\n- `internal/findings/summarymeta/metadata.go` — summary fingerprint and metadata helpers\n- `internal/knowledge/articles.go` — article helpers, slug generation, and remediation article drafting\n\n## Source Tree\n\n```text\ncmd/           # API and worker entrypoints\nfrontend/      # Astro app and browser API client\ninternal/      # Auth, handlers, repository, scanner, tasks, integrations, db\nmigrations/    # Database schema and changes (auto-run on startup)\nscripts/       # Demo workspace seed\ndocker/        # Dockerfiles for API and worker (scanner binaries bundled in worker image)\ndocs/          # User guides and documentation\n```\n\n## Local Development\n\n### Prerequisites (automatic with Nix)\n\nThe recommended setup uses [Nix](https://nixos.org/) with [direnv](https://direnv.net/):\n\n```bash\ndirenv allow  # loads Nix dev shell + .env automatically\n```\n\nThis provides Go, Node.js, PostgreSQL, Redis, and all tooling — no manual installs needed.\n\n### Manual prerequisites (without Nix)\n\n- Go 1.26+\n- Node.js 24+\n- PostgreSQL 17+\n- Redis 8+\n- Scanner binaries on PATH (or use the worker Docker image which bundles them)\n\n### Start infrastructure only\n\n```bash\nnix run .#dev-infra\n```\n\n### Seed demo workspace (optional)\n\n```bash\ndocker compose exec -T postgres psql -U aspm -d aspm \u003c scripts/seed-demo.sql\n```\n\nCreates a sample project, scans (semgrep + trivy + gitleaks), and 9 findings with real CVE IDs for evaluation.\n\n### Start each service in separate terminals\n\n```bash\nmake dev-api         # API with hot-reload (air)\nmake dev-worker      # Worker with hot-reload (air)\nnix run .#dev-frontend  # Astro dev server\n```\n\n### Start the full stack with Docker Compose\n\n```bash\nmake up\n```\n\n## Environment\n\nCopy `.env.example` to `.env` and configure the required variables. With direnv, `.env` is loaded automatically — just run `direnv allow`. All available configuration options are documented in the `.env.example` file, including:\n\n- **Required**: Database, JWT secret, admin credentials\n- **Server**: Port, Redis configuration\n- **Integrations**: GitHub, SMTP/email\n- **AI**: OpenRouter, Cloudflare Workers AI, and/or Ollama configuration\n\nIf AI providers are not configured, AI remediation, validation, and summary features will be disabled.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdyallab%2Fhenkaipan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdyallab%2Fhenkaipan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdyallab%2Fhenkaipan/lists"}