A comprehensive website quality and penetration testing tool powered by OWASP ZAP technology. Designed to perform automated security assessments, identify vulnerabilities, and provide actionable remediation guidance.
- Automated Security Scanning: Comprehensive vulnerability detection using OWASP ZAP
- OWASP Top 10 Compliance: Check for the most critical web application security risks
- Spider Crawling: Automatic discovery of all accessible pages and endpoints
- Active & Passive Scanning: Both non-intrusive analysis and active vulnerability testing
- Technology Detection: Identify frameworks, libraries, and potential vulnerabilities
- Risk Scoring: Intelligent risk assessment with prioritized remediation guidance
- Project Organization: Organize security audits by project and client
- Scan History: Track all scans with vulnerability trends over time
- Client Management: Manage multiple clients and their projects
- Isolated Scanning: Each project has its own isolated scanning environment
- Custom Configurations: Per-project scan settings and authentication
- Professional Reports: Generate HTML, PDF, and JSON reports with executive summaries
- Vulnerability Analytics: Charts and graphs showing vulnerability distribution
- Export & Archive: Export project data and archive completed assessments
- Custom Branding: Add your logo and customize report templates
- Docker Support: Easy deployment with Docker Compose
- CLI Interface: Full-featured command-line interface
- Web Dashboard: Browser-based project management interface
- CI/CD Ready: GitHub Actions and Jenkins integration support
- API Access: RESTful API for automation
- Python 3.10 or higher
- Docker and Docker Compose
- 4GB RAM minimum (8GB recommended)
- Internet connection for package installation
```bash
# Clone the repository
git clone https://github.com/murr2k/linknode-security-tester.git
cd linknode-security-tester

# Run the setup script
chmod +x setup.sh
./setup.sh
```
```bash
# Create virtual environment
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

# Start OWASP ZAP. The two api.addrs options let the API accept calls that
# arrive through the mapped port (ZAP otherwise only answers localhost);
# replace changeme with a key of your own.
docker run -u zap -p 8080:8080 -d owasp/zap2docker-stable \
  zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.key=changeme \
  -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
```
```bash
# Start all services
docker-compose up -d

# Run a scan
docker-compose exec linknode-tester python main.py scan https://example.com
```
```bash
# Create a security audit project
python main.py project create \
  --name "Q1 Security Audit" \
  --client "ACME Corp" \
  --url "https://acme.example.com" \
  --description "Quarterly security assessment" \
  --tags web --tags api

# List all projects
python main.py project list

# View project details
python main.py project info <project-id>

# Run a full security scan for a project
python main.py project scan <project-id> --type full

# Quick scan
python main.py project scan <project-id> --type quick

# Technology-aware scan
python main.py project scan <project-id> --type tech

# Generate HTML report (default)
python main.py project report <project-id>

# Generate PDF report
python main.py project report <project-id> --format pdf

# Generate JSON report with custom output
python main.py project report <project-id> --format json --output /path/to/report.json
```
```bash
# Add a new client
python main.py client add \
  --name "ACME Corp" \
  --email "security@acme.com" \
  --company "ACME Corporation"

# List all clients
python main.py client list

# View client details and project history
python main.py client info "ACME Corp"

# Generate client security report
python main.py client report "ACME Corp" --format detailed
```
```bash
# Scan a website
python main.py scan https://example.com

# Save results to file
python main.py scan https://example.com -o results.json

# Specify output format
python main.py scan https://example.com -o report.html -f html

# Check for OWASP Top 10 vulnerabilities
python main.py check-owasp https://example.com
```
```bash
# Start the web interface
python main.py dashboard

# Access at http://localhost:8000
# View project dashboard, manage clients, and generate reports
```
```bash
# Start ZAP daemon
python main.py start-zap

# Stop ZAP daemon
python main.py stop-zap
```
```text
linknode-security-tester/
├── src/
│   ├── core/
│   │   ├── project_manager.py          # Project & client management
│   │   ├── project_scanner.py          # Project-aware scanning
│   │   └── report_generator.py         # Enhanced report generation
│   ├── cli/
│   │   ├── project_commands.py         # Project CLI commands
│   │   └── client_commands.py          # Client CLI commands
│   ├── web/
│   │   └── project_dashboard.py        # Web dashboard
│   └── scanners/
│       ├── security.py                 # Security scanning
│       └── technology_aware_scanner.py # Tech detection
├── tests/
│   ├── unit/                           # Unit tests
│   └── integration/                    # Integration tests
├── docs/
│   ├── ARCHITECTURE.md
│   ├── PROJECT_MANAGEMENT.md
│   └── API.md
└── examples/
    └── report_demo.py                  # Report generation examples
```
- High: Critical vulnerabilities requiring immediate attention
- Medium: Important issues that should be addressed soon
- Low: Minor issues and best practice recommendations
- Informational: Non-security findings for awareness
The tool calculates a risk score from 0-100 based on:
- Number of vulnerabilities found
- Severity of each vulnerability
- Confidence level of findings
- Historical trends (for projects)
```json
{
  "project": {
    "name": "Q1 Security Audit",
    "client": "ACME Corp",
    "url": "https://acme.example.com"
  },
  "scan": {
    "date": "2024-01-26T14:30:00",
    "type": "full",
    "duration": 1800.5,
    "risk_score": 45.6,
    "vulnerabilities": {
      "High": 2,
      "Medium": 5,
      "Low": 8,
      "Informational": 3
    }
  },
  "summary": {
    "total_vulnerabilities": 18,
    "critical_findings": 2,
    "technologies_detected": 5
  }
}
```
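The following is an added example, not code from linknode-security-tester, showing how raw ZAP-style alerts can be deduplicated and turned into the `vulnerabilities`, `total_vulnerabilities`, `critical_findings` and `risk_score` fields of the report above. The alert dicts are constructed sample data in the shape of ZAP's alert JSON, and the severity and confidence weights are assumptions chosen for illustration, not the tool's own formula.

```python
from collections import Counter

RISK_LEVELS = ("High", "Medium", "Low", "Informational")
# Assumed weights for illustration only; the tool's real scoring formula is not documented here.
SEVERITY_WEIGHT = {"High": 10.0, "Medium": 5.0, "Low": 2.0, "Informational": 0.0}
CONFIDENCE_WEIGHT = {"High": 1.0, "Medium": 0.75, "Low": 0.5, "False Positive": 0.0}

# Constructed sample alerts in the shape of ZAP's alert JSON; the first two are the
# same SQL injection finding reported for two query strings of one URL.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "https://acme.example.com/search?q=1", "cweid": "89"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "https://acme.example.com/search?q=2", "cweid": "89"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "https://acme.example.com/", "cweid": "693"},
    {"alert": "Server Leaks Version Information", "risk": "Informational",
     "confidence": "High", "url": "https://acme.example.com/", "cweid": "200"},
]

def dedupe(alerts):
    """Keep one alert per (name, CWE, URL path); query-string variants count as duplicates."""
    seen, unique = set(), []
    for a in alerts:
        key = (a["alert"], a["cweid"], a["url"].split("?", 1)[0])
        if key not in seen:
            seen.add(key)
            unique.append(a)
    return unique

def count_by_risk(alerts):
    """Build the report's "vulnerabilities" block: a count for every level, zero when absent."""
    counts = Counter(a["risk"] for a in alerts)
    return {level: counts.get(level, 0) for level in RISK_LEVELS}

def risk_score(alerts):
    """0-100 score: sum of severity * confidence per finding, capped at 100 (assumed rule)."""
    raw = sum(SEVERITY_WEIGHT[a["risk"]] * CONFIDENCE_WEIGHT[a["confidence"]]
              for a in alerts)
    return round(min(raw, 100.0), 1)

def build_summary(alerts):
    """Return the scan/summary report fields for a list of raw alerts."""
    unique = dedupe(alerts)
    counts = count_by_risk(unique)
    return {"risk_score": risk_score(unique), "vulnerabilities": counts,
            "total_vulnerabilities": sum(counts.values()),
            "critical_findings": counts["High"]}
```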
The tool follows a modular architecture with project isolation:
```text
┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│     CLI     │────▶│   Project   │────▶│   Scanner   │
└─────────────┘     │   Manager   │     └─────────────┘
       │            └─────────────┘            │
       │                   │                   ▼
       ▼                   ▼            ┌─────────────┐
┌─────────────┐     ┌─────────────┐     │ ZAP Client  │
│     Web     │     │   Report    │     └─────────────┘
│  Dashboard  │     │  Generator  │
└─────────────┘     └─────────────┘
```
```yaml
zap:
  api_key: "your-api-key"
  host: "localhost"
  port: 8080

scanning:
  timeout: 300
  max_depth: 10
  threads: 5

reporting:
  include_screenshots: true
  risk_threshold: "medium"

project_management:
  base_dir: "~/.linknode-security"
  archive_completed: true
  auto_backup: true
```
Each project can have its own `scan_config.json`:
```json
{
  "scan_defaults": {
    "timeout": 600,
    "max_depth": 15
  },
  "exclusions": ["*.pdf", "*.jpg", "/admin/*"],
  "custom_headers": {
    "Authorization": "Bearer token",
    "X-Custom-Header": "value"
  },
  "authentication": {
    "type": "form",
    "login_url": "https://example.com/login",
    "username": "testuser",
    "password": "encrypted_password"
  }
}
```
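As an added example (not the project's own code), this shows one way to combine the global `scanning` settings with a project's `scan_config.json`, apply its `exclusions` to crawled URLs, and list the fields that hold a credential inline. The override rule, the glob-on-URL-path interpretation of exclusions, and the sample inputs are assumptions for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed inputs: the "scanning" block of config.yaml and one project's
# scan_config.json, using the shapes shown above with sample values.
GLOBAL_SCANNING = {"timeout": 300, "max_depth": 10, "threads": 5}
PROJECT_CONFIG = {
    "scan_defaults": {"timeout": 600, "max_depth": 15},
    "exclusions": ["*.pdf", "*.jpg", "/admin/*"],
    "custom_headers": {"Authorization": "Bearer token", "X-Custom-Header": "value"},
    "authentication": {"type": "form", "login_url": "https://example.com/login",
                       "username": "testuser", "password": "encrypted_password"},
}

def effective_scan_settings(global_scanning, project_config):
    """Project scan_defaults override global keys; anything unset falls through (assumed rule)."""
    settings = dict(global_scanning)
    settings.update(project_config.get("scan_defaults", {}))
    return settings

def is_excluded(url, exclusions):
    """Match only the URL path (host and query ignored), case-sensitively, against each glob."""
    path = urlparse(url).path
    return any(fnmatchcase(path, pattern) for pattern in exclusions)

def filter_targets(urls, project_config):
    """Drop crawled URLs that hit an exclusion before they reach the active scanner."""
    exclusions = project_config.get("exclusions", [])
    return [u for u in urls if not is_excluded(u, exclusions)]

def inline_secret_fields(project_config):
    """List fields that carry a credential literally in the per-project file,
    so they can be moved to a secret store before the file is shared or committed."""
    found = []
    if "Authorization" in project_config.get("custom_headers", {}):
        found.append("custom_headers.Authorization")
    if project_config.get("authentication", {}).get("password"):
        found.append("authentication.password")
    return found
```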
We follow Semantic Versioning (SemVer): MAJOR.MINOR.PATCH
- MAJOR: Incompatible API changes
- MINOR: New functionality (backwards-compatible)
- PATCH: Bug fixes (backwards-compatible)
- ✅ Real-time scan progress monitoring with phase tracking
- ✅ Fixed ZAP integration and progress indicators
- ✅ GitHub Security features integration (CodeQL, Dependabot)
- ✅ Branch protection rules configuration
- ✅ Vulnerability deduplication in reports
- ✅ Improved scan phase detection (Spider, AJAX, Passive, Active)
- ✅ Fixed async/threading issues in dashboard
- ✅ Enhanced error handling and timeout management
- ✅ Complete project management system
- ✅ Client management capabilities
- ✅ Enhanced report generation (HTML/PDF/JSON)
- ✅ Project-based scanning with isolation
- ✅ Web dashboard for project overview
- ✅ Comprehensive test suite
- ✅ CI/CD integration
- ✅ Technology-aware scanning
- ✅ Phase 1 tools integration (WhatWeb, Nikto)
- ✅ Free security API integrations
- ✅ Docker infrastructure improvements
- ✅ Docker Compose support
- ✅ Modular architecture refactoring
- ✅ Enhanced CLI interface
- ✅ Basic API structure
- ✅ OWASP ZAP integration
- ✅ Basic security scanning
- ✅ CLI interface
- ✅ JSON output format
- ✅ Risk scoring system
- Custom report templates
- Email report delivery
- Vulnerability trending graphs
- Compliance mapping (PCI-DSS, HIPAA)
- Scheduled scanning
- Slack/Teams notifications
- JIRA integration
- API authentication methods
- Multi-user support with roles
- SSO integration
- Distributed scanning
- Custom vulnerability rules
- AI-powered vulnerability analysis
- Automated remediation suggestions
- Integration with WAF solutions
- Mobile app security testing
Run the comprehensive test suite:
```bash
# Run all tests
python run_tests.py

# Run with coverage report
python run_tests.py --coverage

# Run specific test module
python -m pytest tests/unit/test_project_manager.py -v
```
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Write tests for your changes
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
See CONTRIBUTING.md for detailed guidelines.
- Architecture Overview
- Project Management Guide
- API Reference
- Security Best Practices
- Troubleshooting
This tool is designed for security testing of web applications you own or have explicit permission to test. Using this tool against websites without permission is illegal and unethical.
Always ensure you have proper authorization before scanning any website.
This project is licensed under the MIT License - see the LICENSE file for details.
Murray Kopit
- GitHub: @murr2k
- Email: murr2k@gmail.com
- OWASP ZAP - The world's most widely used web app scanner
- Linknode - Energy monitoring platform used as test target
- Security community for feedback and contributions
- Built with AI-assisted development using Claude
Found a security issue? Please email security@linknode-security.com instead of using the issue tracker.
Note: This tool is actively maintained and used in production environments. For enterprise support or custom features, please contact the author.