Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/archerysec/archerysec
ASOC, ASPM, DevSecOps, Vulnerability Management Using ArcherySec.
https://github.com/archerysec/archerysec
asoc aspm devops devops-tools devsecops opensource pentesters pentesting scanning secdevops vulnerabilities vulnerability-assessment vulnerability-management
Last synced: 20 days ago
JSON representation
ASOC, ASPM, DevSecOps, Vulnerability Management Using ArcherySec.
- Host: GitHub
- URL: https://github.com/archerysec/archerysec
- Owner: archerysec
- License: gpl-3.0
- Created: 2017-12-04T12:42:54.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2024-09-05T04:58:36.000Z (about 2 months ago)
- Last Synced: 2024-10-01T11:43:01.128Z (about 1 month ago)
- Topics: asoc, aspm, devops, devops-tools, devsecops, opensource, pentesters, pentesting, scanning, secdevops, vulnerabilities, vulnerability-assessment, vulnerability-management
- Language: JavaScript
- Homepage: https://www.archerysec.com/
- Size: 66.6 MB
- Stars: 2,272
- Watchers: 95
- Forks: 504
- Open Issues: 38
-
Metadata Files:
- Readme: README.md
- Contributing: docs/CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: .github/CODE_OF_CONDUCT.md
- Security: SECURITY.md
- Roadmap: docs/roadmap.md
Awesome Lists containing this project
- awesome - archerysec - Centralize Vulnerability Assessment and Management for DevSecOps Team (JavaScript)
- awesome-hacking-lists - archerysec/archerysec - ASOC, ASPM, DevSecOps, Vulnerability Management Using ArcherySec. (JavaScript)
README
[](https://twitter.com/intent/user?screen_name=archerysec "Follow Archery on Twitter")
[](https://github.com/archerysec/archerysec/blob/master/LICENSE)  
[](https://bestpractices.coreinfrastructure.org/projects/5284)
[](https://github.com/archerysec/archerysec/projects/1) [](http://www.toolswatch.org/2018/05/black-hat-arsenal-usa-2018-the-w0w-lineup/) [](https://www.blackhat.com/asia-18/arsenal/schedule/#archery---open-source-vulnerability-assessment-and-management-9837) [](https://www.defcon.org/html/defcon-26/dc-26-demolabs.html#Archery)
## Support.
**Your generous donations will keep us motivated.**
*Paypal:* [](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=LZU8R3F76D3GN&source=url)
Archery
=================
- [Overview of the tool](#overview-of-the-tool)
- [Note](#note)
- [Requirements](#requirements)
- [OpenVAS](#openvas)
- [OWASP Zap](#owasp-zap)
- [Burp Scanner](#burp-scanner)
- [SSLScan](#sslscan)
- [Nikto](#nikto)
- [NMAP Vulners](#nmap-vulners)
- [Installation](#installation)
- [Windows Installation](#windows-installation)
- [Note on installation for developers and contributors](#note-on-installation-for-developers-and-contributors)
- [Note on manual and automated installation](#note-on-manual-and-automated-installation)
- [Docker Installation](#docker-installation)
- [Using ArcherySec through docker compose](#using-archerysec-through-docker-compose)
- [Setup third-party integrations](#setup-third-party-integrations)
- [ZAP running daemon mode](#zap-running-daemon-mode)
- [Zap Setting](#zap-setting)
- [OpenVAS Setting](#openvas-setting)
- [Road Map](#road-map)
- [Lead Developer](#lead-developer)
- [Contributors](#contributors)
- [Social Media](#social-media)
ArcherySec allow to interact with continuous integration/continuous delivery (CI/CD) toolchains to specify testing, and control the release of a given build based on results. Its include prioritization functions, enabling you to focus on the most critical vulnerabilities.
ArcherySec uses popular opensource tools to perform comprehensive scanning for web application and network. The developers can also utilize the tool for implementation of their DevOps CI/CD environment.
### Documentation
* [Official Website & Documentation](https://archerysec.com/)
* [API Documentation](http://developers.archerysec.com/)
## Overview of the tool
* Perform Web and Network vulnerability Scanning using opensource tools.
* Correlates and Collaborate all raw scans data, show them in a consolidated manner.
* Perform authenticated web scanning.
* Perform web application scanning using selenium.
* Vulnerability Management.
* Enable REST API's for developers to perform scanning and Vulnerability Management.
* JIRA Ticketing System.
* Sub domain discovery and scanning.
* Periodic scans.
* Concurrent scans.
* Useful for DevOps teams for Vulnerability Management.
## Requirements
* Python 3.9 - [Python 3.9 Download](https://www.python.org/downloads/)
### OpenVAS
You can follow the instructions to install OpenVAS from [Hacker Target](https://hackertarget.com/openvas-9-install-ubuntu-1604/)
Note that, at this time, Archery generates a TCP connection towards the OpenVAS Manager (*not the GSA*): therefore, you need to update your OpenVAS Manager configuration to bind this port. Its default port (9390/tcp), but you can update this in your settings.
### OWASP Zap
Also known as Zaproxy. Simply download and install the matching package for your distro from the [official Github Page](https://github.com/zaproxy/zaproxy/wiki/Downloads).
Systemd service file is available in the project.
### Burp Scanner
Follow the instruction in order to enable Burp REST API.
* [Burp REST API](https://portswigger.net/blog/burps-new-rest-api)
Configure REST API endpoint in ArcherySec Settings
### SSLScan
Simply install SSLScan from your package manager.
### Nikto
Simply install Nikto from your package manager.
### NMAP Vulners
Simply get the NSE file to the proper directory:
```
cd /usr/share/nmap/scripts/
sudo wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse
```
## ********* DO NOT EXPOSE PUBLICLY, INTERNAL USE ONLY **********
#### Restrict ArcherySec signup page on production.
- Edit file webscanners/web_views.py
- Search def signup function and comment @public decorator
- Edit file archeryapi/views.py
- Search def class CreateUsers and comment @public decorator
- Edit file archerysecurity/settings/base.py
- Search STRONGHOLD_PUBLIC_URLS
- Comment r'^/api/createuser/$',
## Installation
`export TIME_ZONE='Asia/Kolkata'`
[https://en.wikipedia.org/wiki/List_of_tz_database_time_zones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
```
$ git clone https://github.com/archerysec/archerysec.git
$ cd archerysec
$ NAME=User [email protected] PASSWORD=admin@123A bash setup.sh
$ ./run.sh
```
## Windows installation
`set TIME_ZONE='Asia/Kolkata'`
[https://en.wikipedia.org/wiki/List_of_tz_database_time_zones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
```
$ git clone https://github.com/archerysec/archerysec.git
$ cd archerysec
$ setup.bat
$ run.bat
```
## Note on installation for developers and contributors
If you wish to contribute to the project, make sure you are using requirements-dev.txt and run this command once you have installed the requirements
```
pre-commit install
```
This will automatically check for code linting and rules used on this project and if everything is correct, the commit will be made.
## Note on manual and automated installation
If you are running the code directly without setting **DJANGO_SETTINGS_MODULE**, this will default to using `archerysec.settings.base`. all defaults will be used in this case and for customizing options you can copy `local_settings.sample.py` to `local_settings.py`
Docker option should use environment variables to set different settings of the container.
## Docker Installation
ArcherySec Docker is available from [ArcherySec Docker](https://hub.docker.com/r/archerysec/archerysec/)
```
$ docker pull archerysec/archerysec
$ docker run -e NAME=user -e [email protected] -e PASSWORD=admin@123A -it -p 8000:8000 archerysec/archerysec:latest
# Docker Alpine image
$ docker pull archerysec/archerysec:alpine
$ docker run -e NAME=user -e [email protected] -e PASSWORD=admin@123A -it -p 8000:8000 archerysec/archerysec:alpine
# For persistence
docker run -it -p 8000:8000 -v :/archerysec archerysec/archerysec:latest
```
## Using ArcherySec through docker compose
This is the simplest way to get things running. For the time being the docker-compose.yml is focused on development configuration but with some changes you can get a production ready definition.
Running the following command will get you all the services up, creates a postgres db and connects ArcherySec with it.
```
$ docker-compose up -d
```
## Configure Serverless on AWS
[Deploy ArcherySec as a Serverless on AWS using Zappa](https://blog.archerysec.com/Deploy-ArcherySec-as-a-Serverless-on-AWS-using-Zappa/)
### Environment variables for this project
The following environment variables are used to change behaviour of the container settings
#### `TIME_ZONE`
`export TIME_ZONE='Asia/Kolkata'`
[https://en.wikipedia.org/wiki/List_of_tz_database_time_zones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
#### `DB_PASSWORD`
Database password for the postgres db server
#### `DB_USER`
Database user for the postgres db server
#### `DB_NAME`
Database name for the postgres db server
#### `DJANGO_SETTINGS_MODULE`
Django setting to use. currently this can be set to `archerysecurity.settings.development` or `archerysecurity.settings.production` depending on your needs
#### `DJANGO_SECRET_KEY`
Always generate and set a secret key for you project. Tools like [this one](https://www.miniwebtool.com/django-secret-key-generator/) can be used for this purpose
#### `DJANGO_DEBUG`
Set this variable to `1` if debug should be enabled
#### `ARCHERY_WORKER`
This variable is used to tell the container it has to behave as a worker to process tasks
and not as a web server running on port 8000. Set it to `True` if you want to run on
this mode.
#### `EMAIL_HOST`
`export EMAIL_HOST='smtp.xxxxx.com'`
#### `EMAIL_USE_TLS`
`export EMAIL_USE_TLS=True`
Set this variable to `True` or `False`
#### `EMAIL_PORT`
`export EMAIL_PORT=587`
Set this variable to SMTP port.
#### `EMAIL_HOST_PASSWORD`
`export EMAIL_HOST_PASSWORD='password'`
Set this variable to SMTP Password.
#### `EMAIL_HOST_USER`
`export EMAIL_HOST_USER='[email protected]'`
Set this variable to SMTP Email.
## Setup third-party integrations
### ZAP running daemon mode
Locate your [ZAP startup script](https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline), and execute it using the options detailed below.
Windows :
```
zap.bat -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
```
Others :
```
zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
```
### Zap Setting
1. Go to Setting Page
2. Edit ZAP setting or navigate URL : [http://host:port/webscanners/setting_edit/](http://host:port/webscanners/setting/)
3. Fill below required information.
+ **Zap API Key**: Leave blank if you using ZAP as daemon `api.disablekey=true`
+ **Zap API Host**: Your zap API host ip or system IP Ex. `127.0.0.1` or `192.168.0.2`
+ **Zap API Port**: ZAP running port Ex. `8080`
### OpenVAS Setting
1. Go to setting Page
2. Edit OpenVAS setting or navigate URL: [http://host:port/networkscanners/openvas_setting](http://host:port/networkscanners/openvas_setting)
3. Fill all required information and click on save.
## Road Map
* Scanners parser & Plugin
- [x] Nessus (XML)
- [x] Webinspect (XML)
- [x] Acunetix (XML)
- [x] Netsparker (XML)
- [x] OWASP ZAP (XML) & (Plugin)
- [x] Burp Pro Scanner (XML)
- [x] Arachni (XML) & (Plugin)
- [x] OpenVAS (XML) & (Plugin)
- [x] Bandit Scan (XML)
- [x] Dependency Check (XML)
- [x] FindBugs (XML)
[More Scanners](https://github.com/archerysec/archerysec/issues/16)
## Lead Developer
[Anand Tiwari](https://github.com/anandtiwarics)
## Social Media
* [Official Website](https://archerysec.com/)
* [Twitter](https://twitter.com/archerysec)
* [Facebook](https://facebook.com/archerysec)