Vulnerability Management Scanner

Infrastructurev1.0.0

Enterprise vulnerability scanner with 820+ rules, 32,000+ CVE database, DAST capabilities, and 23 platform support across 6 CIS Benchmarks

820+
rules
32
cves
23
platforms

01Overview

Vulnerability Management Scanner is an open-source, authenticated active vulnerability scanner written in Python. Unlike static analyzers, it connects to live infrastructure over SSH, WinRM, Netmiko, SNMP, SMB and HTTP to read real configurations, enumerate installed software versions, probe services, and correlate everything against a local SQLite CVE database seeded from the NVD and CISA KEV feeds. In one CLI it unifies OS hardening review, network-device auditing, web-server and middleware assessment, database security review, and full DAST web-application testing.

The scanner spans nine active scan engines - Windows, Linux, Cisco IOS/IOS-XE/NX-OS, Palo Alto NGFW/Panorama, six web-server families, six middleware runtimes, three databases, an auto-discovery dispatcher, and a purpose-built DAST module. Findings flow through a single standardized Finding dataclass, so every check - whether a CIS benchmark item, a version-based CVE match, or a reflected-XSS proof-of-concept - lands in the same reporting, filtering, compliance-mapping and export pipeline.

It is built for security engineers, red/blue teams, and compliance auditors who need one tool that covers the infrastructure stack rather than a fleet of point products. Findings are enriched with CVSS, EPSS exploit-probability scores, CISA KEV flags, CWE tags, and mappings to NIST 800-53, ISO 27001, PCI DSS v4.0 and CIS Controls v8 - then exported as interactive Chart.js HTML, PDF, JSON, CSV, or SARIF v2.1.0 for GitHub Code Scanning.

Engineering rigor is a first-class feature: the core is stdlib-only with every transport dependency optional and gracefully degraded, a 1,000+ test pytest suite runs on a Python 3.9-3.12 CI matrix with ruff/mypy linting and dedicated CVE-seed integrity validation, and a plugin architecture lets teams add custom scanners via a simple decorator.

02Key Capabilities

Nine active scan engines

One CLI dispatches authenticated scans across Windows, Linux, Cisco, Palo Alto NGFW, web servers, middleware, databases, DAST, plus an auto-discovery orchestrator.

Auto-discovery and dispatch

Scans IP ranges (CIDR/range/list), fingerprints services by port and banner, classifies host type, and routes each host to the right scanner in parallel.

Full DAST web-app testing

A BFS crawler feeds 82 dynamic checks across 11 categories - injection, XSS, SSRF, XXE, JWT, API, access control, auth, file inclusion, info disclosure and misconfig.

Palo Alto NGFW auditing

92 PAN-OS rules over the XML API cover firewall CVEs (including CVE-2024-3400), policy hygiene, security-profile attachment, decryption, HA and management hardening.

Local CVE intelligence engine

SQLite-backed version matching against 32,000+ NVD CVEs with a 510-entry offline seed bundle, CISA KEV flags and FIRST.org EPSS exploit-probability overlay.

Six CIS benchmark packs

Bundled hardening checks for Windows, Linux, Cisco, Oracle DB, MySQL and MongoDB drive compliance-grade configuration review.

Compliance framework mapping

Opt-in --compliance enrichment maps findings via ~60 CWE and ~30 category rules to NIST 800-53 Rev 5, ISO 27001:2022, PCI DSS v4.0 and CIS Controls v8.

Multi-format reporting

Self-contained dark-theme HTML with a Chart.js dashboard, PDF, JSON, CSV, colored console, and SARIF v2.1.0 for GitHub Code Scanning and VS Code.

DAST safety controls

Mandatory scope allowlist, adaptive token-bucket rate limiting, hard request cap, circuit breaker, retry backoff and a pre-scan warning banner keep active testing in-bounds.

Baseline diff scanning

Compare a scan against a previous JSON baseline to track NEW, FIXED and UNCHANGED findings and measure remediation progress over time.

Scan profiles and config files

quick/standard/full/compliance/cve-only presets gate check categories, driven by YAML/TOML config files with CLI-override precedence and a built-in parser (no PyYAML).

Extensible plugin architecture

Register custom scanners with the @scanner_plugin decorator via auto-discovery, --plugin-dir, or entry points, validated against the ScannerBase contract.

03Architecture

A single argparse CLI (__main__) dispatches to nine scanner orchestrators that all extend a shared ScannerBase and emit a standardized Finding dataclass. Scanners talk to live hosts through six pluggable transports, enrich findings against a SQLite CVE database (synced from NVD 2.0 with CISA KEV and EPSS overlays), optionally attach compliance mappings, then feed one reporting pipeline that renders HTML/PDF/JSON/CSV/SARIF. The DAST module is a self-contained crawl-then-check engine with its own scope, rate-limiting and circuit-breaker safety layer.

1
CLI & orchestration (__main__)
Argparse entry point exposing 13 subcommands; wires config files, scan profiles, baseline diff, credentials and export flags into each scan run.
2
Core engine (core/)
Finding dataclass, ScannerBase ABC, six transports (SSH/WinRM/Netmiko/SNMP/SMB/HTTP), credential manager, discovery, CVE database + NVD/KEV/EPSS sync, compliance, config, baseline, scan profiles and plugin registry.
3
Active scanners (scanners/)
auto, windows, linux, cisco, paloalto, webserver, middleware, database and dast dispatchers that fingerprint targets and invoke the right check libraries in parallel.
4
Check libraries (webservers/ middleware/ databases/)
Per-platform modules with embedded CVE lists and configuration/hardening rules for IIS/Apache/Nginx/Tomcat/WebLogic/WebSphere, Java/.NET/PHP/Node/Laravel/Oracle, and Oracle DB/MySQL/MongoDB.
5
DAST engine (dast/)
WebCrawler, URL discovery, DastHTTPClient, ScopePolicy, adaptive RateLimiter, CircuitBreaker and WAF fingerprinting, driving 11 check-category modules with ThreadPoolExecutor dispatch and evidence capture.
6
CVE data & benchmarks (cve_data/ benchmarks/)
21 curated seed JSON files (510 CVEs), 47-string CPE mapping for NVD sync, and six CIS benchmark JSON definitions.
7
Reporting & export (core/reporting.py, templates/)
Self-contained Chart.js HTML dashboard, weasyprint PDF, JSON/CSV, colored console, and SARIF v2.1.0 with fingerprints, CWE tags and CVSS security-severity.

04Project Structure

vulnerability_management/__main__.pyArgparse CLI entry point registering all scan and CVE subcommands and dispatch logic.
vulnerability_management/core/Shared engine: Finding, ScannerBase, transports, CVE database + sync, compliance, config, baseline, profiles, plugins.
vulnerability_management/scanners/Nine scanner orchestrators including auto_scanner, paloalto_scanner and dast_scanner.
vulnerability_management/dast/DAST engine - crawler, http_client, config (scope/rate/circuit), waf_detect, and checks/ (11 categories).
vulnerability_management/webservers/Six web-server check modules: IIS, Apache, Nginx, Tomcat, WebLogic, WebSphere.
vulnerability_management/middleware/Six runtime check modules: Java, .NET, PHP, Node.js, Laravel, Oracle Middleware.
vulnerability_management/databases/Three database check modules: Oracle DB, MySQL/MariaDB, MongoDB.
vulnerability_management/cve_data/21 seed CVE JSON files, plus cpe_mappings.json (47 CPE strings) for NVD sync.
vulnerability_management/benchmarks/Six CIS benchmark JSON definitions: Windows, Linux, Cisco, Oracle DB, MySQL, MongoDB.
tests/pytest suite (1,000+ tests) across 40+ files covering core, scanners, DAST, compliance, SARIF and seed integrity.
.github/workflows/ci.ymlCI: Python 3.9-3.12 test matrix, ruff/format lint, and dedicated CVE-seed validation job.
pyproject.tomlpytest, ruff and mypy configuration; paired with setup.py extras for per-transport installs.

05Security Controls

Windows hardening
WinRM/SMB checks for missing patches, account and password policies, registry, services, firewall, audit policy and CIS Windows benchmark items (23 WIN rules).
Linux hardening
SSH-based review of sshd config, accounts, file permissions, sysctl, installed packages, kernel/package CVEs and CIS Linux benchmark items (29 LNX rules).
Cisco network audit
74 CISCO rules over Netmiko/SNMP covering AAA/authentication, SSH, VTY access, SNMP, unnecessary services, interfaces, L2 security, device CVEs and CIS Cisco benchmark.
Palo Alto NGFW audit
92 PAN rules via the PAN-OS XML API: 20 firewall CVEs (incl. CVE-2024-3400) plus policy hygiene, security-profile attachment, threat prevention, decryption, NAT, HA, GlobalProtect and management hardening.
Web server assessment
Version-based CVE matching and misconfiguration checks (32 WEB rules) for IIS, Apache HTTPD, Nginx, Tomcat, WebLogic and WebSphere - default pages, WebDAV, ServerTokens, manager apps, console exposure.
Middleware & runtime review
EOL and CVE detection for Java (Log4j CVE-2021-44228, Spring Actuator), .NET, PHP, Node.js, Laravel (.env/Ignition) and Oracle Middleware, plus config hardening (24 MW rules).
Database security
Oracle DB (sqlnet encryption, listener, REMOTE_OS_AUTHENT), MySQL/MariaDB (local_infile, bind-address, TLS, EOL) and MongoDB (auth, bindIp, TLS, unauthenticated access) checks (14 DB rules).
DAST web-application testing
82 dynamic rules across injection (SQL/cmd/SSTI/CRLF/NoSQL/XPath/LDAP/HPP), reflected/DOM/stored XSS, SSRF, XXE, JWT weaknesses, API/GraphQL DoS, access control, auth/session, file inclusion, info disclosure and misconfig - with request/response evidence capture.
CVE detection & prioritization
Version-based matching against a local SQLite database of 32,000+ NVD CVEs (2010-2025), overlaid with CISA KEV actively-exploited flags and FIRST.org EPSS exploit-probability scores.
Compliance & benchmarks
Six bundled CIS benchmarks plus CWE/category mapping of findings to NIST 800-53 Rev 5, ISO 27001:2022, PCI DSS v4.0 and CIS Controls v8 for audit-ready output.

06Technology Stack

Language
Python 3.9+ (3.10-3.12 recommended); stdlib-only core
Transports
paramiko (SSH), netmiko (Cisco), pysnmp-lextudio (SNMP), pywinrm (WinRM), impacket (SMB), requests (HTTP) - all optional, gracefully degraded
Data store
SQLite (stdlib) CVE database with NVD API 2.0, CISA KEV and FIRST.org EPSS feeds
Reporting
Inline Chart.js dashboard HTML, weasyprint PDF (optional), JSON/CSV, SARIF v2.1.0
Testing
pytest + pytest-cov, 1,000+ tests, dedicated seed-integrity validation
Linting
ruff (check + format) and mypy
CI
GitHub Actions - Python 3.9/3.10/3.11/3.12 matrix, lint, seed validation
Packaging
setup.py + pyproject.toml with per-transport extras ([linux], [cisco], [windows], [all])

07Quick Start

$ pip install -e ".[all]"  # install with all transport extras
$ python -m vulnerability_management cve-import  # load 510 bundled seed CVEs (168 KEV-flagged)
$ python -m vulnerability_management auto -r 192.168.1.0/24 -u admin -p secret  # auto-discover and scan a subnet
$ python -m vulnerability_management linux -t 10.0.1.50 -u root -p pass --html report.html --compliance
$ python -m vulnerability_management dast --target https://app.example.com --dast-accept-risk
$ python -m vulnerability_management cve-sync --api-key YOUR_NVD_API_KEY  # sync ~32,000 CVEs + EPSS + KEV

08Compliance & Frameworks

NIST SP 800-53 Rev 5
Findings mapped to AC, AU, CM, IA, SC, SI, SA and CP control families via CWE and category rules.
ISO 27001:2022
Annex A controls (A.5-A.8) referenced on enriched findings.
PCI DSS v4.0
Requirements 1-10 mapped for cardholder-environment audits.
CIS Controls v8
Controls 3-16 referenced per finding for control-to-issue traceability.
CIS Benchmarks
Six bundled benchmark packs: Windows, Linux, Cisco, Oracle DB, MySQL, MongoDB.
CISA KEV & EPSS
Actively-exploited KEV flags and FIRST.org EPSS exploit-probability scores drive risk prioritization.

09Integrations & Outputs

NVD API 2.0 (CVE sync, 47 CPE queries)CISA KEV catalog overlayFIRST.org EPSS APISARIF v2.1.0 for GitHub Code Scanning / VS CodeJSON & CSV export for SIEM/ticketing ingestionInteractive Chart.js HTML + weasyprint PDF reportsYAML/TOML config files with CLI override@scanner_plugin extensibility (dir + entry-points)

Explore Vulnerability Management Scanner

Full source, documentation, and deployment guides live on GitHub.