SimpleSecCheck runs security scans in Docker: either as a standalone scanner (one-shot CLI) or with the full platform (Web UI, API, queue, and database-backed settings).
Services are separate containers with clear roles:
| Component | Role |
|---|---|
| frontend | nginx — serves the SPA; proxies /api/* to the backend (not to the worker). |
| backend | FastAPI — REST API, WebSockets, auth, business logic, writes to PostgreSQL. |
| worker | Job runner — consumes Redis queue, starts ephemeral scanner containers via the Docker socket, shared results/ and uploads/ with the backend. Exposes :8081 for scanner discovery / worker API (internal to the compose network by default). |
| scanner (image) | Scan engine — scanner.core.orchestrator and plugins (SAST, SCA, DAST, …). In full compose, the scanner service is a long-lived helper (sleep infinity) so you can exec in; one-off scans run the same image with an explicit python3 -m scanner.core.orchestrator command (see CLI_DOCKER.md). |
| postgres | Persistent app data (users, scans, admin config). |
| redis | Queue and short-lived job state. |
```mermaid
flowchart LR
    Browser --> frontend
    frontend -->|"/api"| backend
    backend --> postgres
    backend --> redis
    worker --> redis
    worker --> postgres
    worker -->|starts| scanner["scanner containers"]
```
- Single-shot (CLI): run once, get an HTML report under `results/`.
- Different modes: codebase, website, network or image scan.
- Docker-first: isolated, reproducible scans.
- Web UI (optional): queue scans, dashboards, Admin settings.
```bash
git clone https://github.com/fr4iser90/SimpleSecCheck.git
cd SimpleSecCheck
docker compose up --build
```

Open http://localhost:80 — nginx serves the UI and proxies /api/ to the backend (backend:8080). The worker runs separately and does not terminate the browser traffic path.
The scanner service overrides the image command with `sleep infinity`; for a one-off scan you must invoke the orchestrator explicitly and set SCAN_TARGET (or SCAN_ID) plus SCAN_TYPE / COLLECT_METADATA as in CLI_DOCKER.md. Example — scan the compose-mounted repo at /project:

```bash
docker compose run --rm \
  -e SCAN_TYPE=code \
  -e TARGET_TYPE=local_mount \
  -e SCAN_TARGET=/project \
  -e TARGET_PATH_IN_CONTAINER=/project \
  -e COLLECT_METADATA=true \
  scanner python3 -m scanner.core.orchestrator
```

Website scan:

```bash
docker compose run --rm \
  -e SCAN_TYPE=website \
  -e TARGET_TYPE=website \
  -e SCAN_TARGET=https://example.com \
  -e COLLECT_METADATA=true \
  scanner python3 -m scanner.core.orchestrator
```

Results appear in `results/` as a timestamped folder with `security-summary.html`.
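The two one-off invocations above are easy to get subtly wrong in CI (a website target without a scheme, a target with whitespace that splits into extra `-e` flags, or picking up a half-written results folder). The wrapper below is an added example, not part of the SimpleSecCheck repository: it maps the scan type to the env vars documented above, validates the target before it reaches `docker compose run`, and locates the newest results folder that already contains `security-summary.html`. The `scan_env`, `run_scan` and `latest_report` function names and the `results/` layout (one timestamped sub-folder per scan) are assumptions of this example.

```sh
#!/bin/sh
# run_scan.sh: wrapper for the one-off scanner invocation shown above.
# Added example, not SimpleSecCheck's own code. It assumes the compose
# project and env vars documented above (SCAN_TYPE, TARGET_TYPE, SCAN_TARGET,
# TARGET_PATH_IN_CONTAINER, COLLECT_METADATA) and a results/ folder that
# receives one timestamped sub-folder per scan.

# Print the KEY=VALUE pairs for a scan type, one per line, after validating
# the target. Returns non-zero (and prints nothing) on invalid input.
scan_env() {
  scan_type="$1"
  target="$2"
  case "$target" in
    ''|*[[:space:]]*)
      echo "scan target must be non-empty and contain no whitespace" >&2
      return 1 ;;
  esac
  case "$scan_type" in
    code)
      # Local code scan: the repo is mounted into the container at $target.
      printf 'SCAN_TYPE=code\nTARGET_TYPE=local_mount\nSCAN_TARGET=%s\nTARGET_PATH_IN_CONTAINER=%s\nCOLLECT_METADATA=true\n' \
        "$target" "$target" ;;
    website)
      case "$target" in
        http://*|https://*) ;;
        *) echo "website scan target must be an http(s) URL: $target" >&2; return 1 ;;
      esac
      printf 'SCAN_TYPE=website\nTARGET_TYPE=website\nSCAN_TARGET=%s\nCOLLECT_METADATA=true\n' "$target" ;;
    *)
      echo "unsupported SCAN_TYPE: $scan_type (expected code or website)" >&2
      return 1 ;;
  esac
}

# Run the scan: turn each KEY=VALUE line into a -e flag and start the
# orchestrator in a throw-away scanner container (needs Docker + compose).
run_scan() {
  pairs=$(scan_env "$1" "$2") || return 1
  set --
  for p in $pairs; do            # word-splitting is safe: no whitespace in values
    set -- "$@" -e "$p"
  done
  docker compose run --rm "$@" scanner python3 -m scanner.core.orchestrator
}

# Print the path of the newest results folder that already contains
# security-summary.html (a folder without it is a scan still in progress).
latest_report() {
  results_dir="${1:-results}"
  latest=""
  # Folder names are timestamps, so the glob's sorted order is chronological;
  # the last match wins.
  for d in "$results_dir"/*/; do
    if [ -f "${d}security-summary.html" ]; then
      latest="${d}security-summary.html"
    fi
  done
  if [ -z "$latest" ]; then
    echo "no completed report under $results_dir" >&2
    return 1
  fi
  printf '%s\n' "$latest"
}

# Usage: sh run_scan.sh code /project
#        sh run_scan.sh website https://example.com
if [ $# -ge 2 ]; then
  run_scan "$1" "$2" && latest_report results
fi
```

`scan_env` is kept separate from `run_scan` so the validation and the env mapping can be exercised without Docker; `latest_report` deliberately skips the newest folder when it has no summary yet, so a pipeline that polls for a report does not publish a partial scan.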
For TLS and a reverse proxy, use the Traefik overlay file (see docker-compose.traefik.yml and your DOMAIN / labels).
- Docker image scans can be restricted to Docker Hub only (`nginx:latest` or `docker.io/...`) via app configuration where applicable.
- Use HTTPS on the public edge.
- Legal: Scan only systems you own or have explicit permission to test.
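The "Docker Hub only" restriction above is worth understanding as a concrete rule, because Docker decides which registry an image reference points at from its first path component, not from a prefix like `docker.io/`. The check below is an added example, not SimpleSecCheck's own configuration code: it applies that rule to candidate scan targets and rejects anything that would pull from another registry. The function names `is_dockerhub_ref` and `filter_hub_only` and the sample references are constructed for this example.

```sh
#!/bin/sh
# hub_only.sh: a Docker Hub-only allow-list check for image scan targets.
# Added example, not SimpleSecCheck's own code; it shows the rule the
# "Docker Hub only" restriction implies, applied before a scan is queued.

# Return 0 if the reference resolves to Docker Hub, 1 otherwise.
# Docker treats the first path component as a registry host only if it
# contains a '.' or ':' or is exactly "localhost"; anything else
# (nginx, myuser/app) is a repository on Docker Hub.
is_dockerhub_ref() {
  ref="$1"
  case "$ref" in
    ''|*[[:space:]]*) return 1 ;;       # empty or whitespace: never valid
  esac
  first="${ref%%/*}"
  if [ "$first" = "$ref" ]; then
    return 0                            # no slash: official image, e.g. nginx:latest
  fi
  case "$first" in
    docker.io|index.docker.io|registry-1.docker.io) return 0 ;;
    localhost|*.*|*:*) return 1 ;;      # another registry host
    *) return 0 ;;                      # user/repo on Docker Hub
  esac
}

# Print the accepted references one per line, report rejected ones on
# stderr, and return 1 if anything was rejected.
filter_hub_only() {
  status=0
  for ref in "$@"; do
    if is_dockerhub_ref "$ref"; then
      printf '%s\n' "$ref"
    else
      echo "rejected (not Docker Hub): $ref" >&2
      status=1
    fi
  done
  return $status
}

# Demo with constructed sample targets when run without arguments;
# otherwise filter the references given on the command line.
if [ $# -eq 0 ]; then
  filter_hub_only nginx:latest docker.io/library/redis:7 myuser/app:1.0 \
    ghcr.io/org/tool:main localhost:5000/internal 10.0.0.5:5000/x || true
else
  filter_hub_only "$@"
fi
```

Note that `nginx:latest` passes even though it contains a colon: the colon is a tag separator because there is no slash before it, whereas `localhost:5000/internal` has the colon in its first path component and is therefore a registry host.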
- OWASP cache: When using Docker Compose, the cache is mounted automatically. For manual `docker run`, mount `scanner/plugins/owasp/data`.
- CLI / scanner-only: CLI & Docker examples. Extending the engine: scanner/README.md.
- Configuration (env, backend settings, Admin): Configuration.
- Roadmap (e.g. SonarQube, more tools): Roadmap.
- Configuration — `.env`, `backend/config/settings.py`, Admin vs scanner env
- Roadmap — planned integrations (e.g. SonarQube), platform ideas
- CLI & Docker examples — targets, env vars, `docker compose run` / `docker run`
- Scanner (architecture & plugins) — orchestrator, adding tools, manifests
- Frontend docs
- Development
- Tool list
- Legal considerations
- Third-party licenses
MIT. See LICENSE.

