An organizational asset and vulnerability management tool, with Jira integration, designed for generating application security reports.
- Multi-client Vulnerability Management
- Security Report Generation
- Jira Integration
- Team-based Roles Authorization
- API Key & Management
- Email Integration
- Markdown Support
Please keep in mind, this project is in early development.
- Install Docker
- Create a
.envfile and supply the following properties:
MYSQL_DATABASE="bulwark"
MYSQL_PASSWORD="bulwark"
MYSQL_ROOT_PASSWORD="bulwark"
MYSQL_USER="root"
MYSQL_DB_CHECK="mysql"
DB_PASSWORD="bulwark"
DB_URL="172.16.16.3"
DB_ROOT="root"
DB_USERNAME="bulwark"
DB_PORT=3306
DB_NAME="bulwark"
DB_TYPE="mysql"
NODE_ENV="production"
DEV_URL="http://localhost:4200"
SERVER_ADDRESS="http://localhost"
PORT=4500
JWT_KEY="changeme"
JWT_REFRESH_KEY="changeme"
CRYPTO_SECRET="changeme"
CRYPTO_SALT="changeme"
Build and start Bulwark containers:
docker-compose up
Start/Stop Bulwark containers:
docker-compose start
docker-compose stop
Remove Bulwark containers:
docker-compose down
Bulwark will be available at localhost:4500
$ git clone (url)
$ cd bulwark
$ npm install
Running npm install will install both server-side and client-side modules. Furthermore, it will run the script npm run config which will dynamically set the environment variables in addition to updating the Angular environment.
Set NODE_ENV="development"
$ npm run config
$ npm run start:dev
Set NODE_ENV="production"
Please note: npm install will automatically build in production mode
$ npm run config
$ npm run build:prod
$ npm start
Create a .env file on the root directory. This will be parsed with dotenv by the application.
DB_PASSWORD="somePassword"
Set this variable to database password
DB_USERNAME="foobar"
Set this variable to database user name
DB_URL=something-foo-bar.dbnet
Set this variable to database URL
DB_PORT=3306
Set this variable to database port
DB_NAME="foobar"
Set this variable to database connection name
DB_TYPE="mysql"
The application was developed using a MySQL database. See the typeorm documentation for more database options.
NODE_ENV=production
Set this variable to determine node environment
Used by Angular to build and serve the application
Update if a different server address is required
Update if a different server port is required
JWT_KEY="changeMe"
Set this variable to the JWT secret
JWT_REFRESH_KEY="changeMe"
Set this variable to the refresh JWT secret
CRYPTO_SECRET="randomValue"
Set this variable to the Scrypt password.
CRYPTO_SECRET="randomValue"
Set this variable to the Scrypt salt.
DB_PASSWORD=""
DB_URL=""
DB_USERNAME=""
DB_PORT=3306
DB_NAME=""
DB_TYPE=""
NODE_ENV=""
DEV_URL="http://localhost:4200"
SERVER_ADDRESS="http://localhost"
PORT=4500
JWT_KEY=""
JWT_REFRESH_KEY=""
CRYPTO_SECRET=""
CRYPTO_SALT=""
- Create the initial database migration
$ npm run migration:init
- Run the initial database migration
$ npm run migration:run
A user account is created on initial startup with the following credentials:
- email:
[email protected] - password:
changeMe
Upon first login, update the default user password under the profile section.
The application utilizes least privilege access with team-based authorization. Teams are assigned a role which determines the features available to that specific team. A user will inherit roles from team membership. Administrators have team management access and must assign users to teams. Initially, users are created with no team association and will not have access to any features in the application.
The three roles include:
- Admin
- Tester
- Read-Only
A team can only be associated to a single organization. However, a team can be associated to multiple assets within the same organization. A user can be a member of multiple teams. If a user is assigned to multiple teams of the same organization, the system will choose the highest authorized team.
Please note: The default user is automatically assigned to the Administrators team on initial startup
| Admin | Tester | Read-Only | |
|---|---|---|---|
| User-Profile Management | x | x | x |
| Team Management | x | ||
| User Management | x | ||
| Invite User | x | ||
| Create User | x | ||
| Email Settings Management | x | ||
| Jira Integration | x | ||
| Organization: Read | x | x | x |
| Organization: Full Write | x | ||
| Asset: Read | x | x | x |
| Asset: Full Write | x | ||
| Assessment: Read | x | x | x |
| Assessment: Full Write | x | x | |
| Vulnerability: Read | x | x | x |
| Vulnerability: Full Write | x | x | |
| Export Vulnerability to Jira | x | x | |
| Report Generation | x | x | x |
A user may generate a single API key which can be used in place of their authorization token. This API key allows for all actions against the application that the user is authorized for.
- Login to the application
- Navigate to the
User Profilesection - Select
Generate API Key
This action will generate a pair of keys:
Bulwark-Api-Key- This is a generated plaintext value to identify the user.
Bulwark-Secret-Key- This is a generated plaintext value to verify the user by comparing a Bcrypt hash stored in the database.
Write down the generated keys in a safe place. You will not be able to retrieve the keys at a later time.
The API key pair values must be matched and appended to the following HTTP request headers:
Bulwark-Api-KeyBulwark-Secret-Key
Example:
GET /api/assessment/1 HTTP/1.1
Host: localhost:4500
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Bulwark-Api-Key: {{changeMe}}
Bulwark-Secret-Key: {{changeMe}}
Origin: http://localhost:4200
Connection: close
Referer: http://localhost:4200/
Pragma: no-cache
Cache-Control: no-cache
- Typeorm - The ORM used
- Angular - The Angular Framework
- Express - A minimal and flexible Node.js web application framework
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change. Read the contribution guidelines for more information.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent