01Overview
Vulnerability Management Scanner is an open-source, authenticated active vulnerability scanner written in Python. Unlike static analyzers, it connects to live infrastructure over SSH, WinRM, Netmiko, SNMP, SMB and HTTP to read real configurations, enumerate installed software versions, probe services, and correlate everything against a local SQLite CVE database seeded from the NVD and CISA KEV feeds. In one CLI it unifies OS hardening review, network-device auditing, web-server and middleware assessment, database security review, and full DAST web-application testing.
The scanner spans nine active scan engines - Windows, Linux, Cisco IOS/IOS-XE/NX-OS, Palo Alto NGFW/Panorama, six web-server families, six middleware runtimes, three databases, an auto-discovery dispatcher, and a purpose-built DAST module. Findings flow through a single standardized Finding dataclass, so every check - whether a CIS benchmark item, a version-based CVE match, or a reflected-XSS proof-of-concept - lands in the same reporting, filtering, compliance-mapping and export pipeline.
It is built for security engineers, red/blue teams, and compliance auditors who need one tool that covers the infrastructure stack rather than a fleet of point products. Findings are enriched with CVSS, EPSS exploit-probability scores, CISA KEV flags, CWE tags, and mappings to NIST 800-53, ISO 27001, PCI DSS v4.0 and CIS Controls v8 - then exported as interactive Chart.js HTML, PDF, JSON, CSV, or SARIF v2.1.0 for GitHub Code Scanning.
Engineering rigor is a first-class feature: the core is stdlib-only with every transport dependency optional and gracefully degraded, a 1,000+ test pytest suite runs on a Python 3.9-3.12 CI matrix with ruff/mypy linting and dedicated CVE-seed integrity validation, and a plugin architecture lets teams add custom scanners via a simple decorator.
02Key Capabilities
Nine active scan engines
One CLI dispatches authenticated scans across Windows, Linux, Cisco, Palo Alto NGFW, web servers, middleware, databases, DAST, plus an auto-discovery orchestrator.
Auto-discovery and dispatch
Scans IP ranges (CIDR/range/list), fingerprints services by port and banner, classifies host type, and routes each host to the right scanner in parallel.
Full DAST web-app testing
A BFS crawler feeds 82 dynamic checks across 11 categories - injection, XSS, SSRF, XXE, JWT, API, access control, auth, file inclusion, info disclosure and misconfig.
Palo Alto NGFW auditing
92 PAN-OS rules over the XML API cover firewall CVEs (including CVE-2024-3400), policy hygiene, security-profile attachment, decryption, HA and management hardening.
Local CVE intelligence engine
SQLite-backed version matching against 32,000+ NVD CVEs with a 510-entry offline seed bundle, CISA KEV flags and FIRST.org EPSS exploit-probability overlay.
Six CIS benchmark packs
Bundled hardening checks for Windows, Linux, Cisco, Oracle DB, MySQL and MongoDB drive compliance-grade configuration review.
Compliance framework mapping
Opt-in --compliance enrichment maps findings via ~60 CWE and ~30 category rules to NIST 800-53 Rev 5, ISO 27001:2022, PCI DSS v4.0 and CIS Controls v8.
Multi-format reporting
Self-contained dark-theme HTML with a Chart.js dashboard, PDF, JSON, CSV, colored console, and SARIF v2.1.0 for GitHub Code Scanning and VS Code.
DAST safety controls
Mandatory scope allowlist, adaptive token-bucket rate limiting, hard request cap, circuit breaker, retry backoff and a pre-scan warning banner keep active testing in-bounds.
Baseline diff scanning
Compare a scan against a previous JSON baseline to track NEW, FIXED and UNCHANGED findings and measure remediation progress over time.
Scan profiles and config files
quick/standard/full/compliance/cve-only presets gate check categories, driven by YAML/TOML config files with CLI-override precedence and a built-in parser (no PyYAML).
Extensible plugin architecture
Register custom scanners with the @scanner_plugin decorator via auto-discovery, --plugin-dir, or entry points, validated against the ScannerBase contract.
03Architecture
A single argparse CLI (__main__) dispatches to nine scanner orchestrators that all extend a shared ScannerBase and emit a standardized Finding dataclass. Scanners talk to live hosts through six pluggable transports, enrich findings against a SQLite CVE database (synced from NVD 2.0 with CISA KEV and EPSS overlays), optionally attach compliance mappings, then feed one reporting pipeline that renders HTML/PDF/JSON/CSV/SARIF. The DAST module is a self-contained crawl-then-check engine with its own scope, rate-limiting and circuit-breaker safety layer.
04Project Structure
vulnerability_management/__main__.pyArgparse CLI entry point registering all scan and CVE subcommands and dispatch logic.vulnerability_management/core/Shared engine: Finding, ScannerBase, transports, CVE database + sync, compliance, config, baseline, profiles, plugins.vulnerability_management/scanners/Nine scanner orchestrators including auto_scanner, paloalto_scanner and dast_scanner.vulnerability_management/dast/DAST engine - crawler, http_client, config (scope/rate/circuit), waf_detect, and checks/ (11 categories).vulnerability_management/webservers/Six web-server check modules: IIS, Apache, Nginx, Tomcat, WebLogic, WebSphere.vulnerability_management/middleware/Six runtime check modules: Java, .NET, PHP, Node.js, Laravel, Oracle Middleware.vulnerability_management/databases/Three database check modules: Oracle DB, MySQL/MariaDB, MongoDB.vulnerability_management/cve_data/21 seed CVE JSON files, plus cpe_mappings.json (47 CPE strings) for NVD sync.vulnerability_management/benchmarks/Six CIS benchmark JSON definitions: Windows, Linux, Cisco, Oracle DB, MySQL, MongoDB.tests/pytest suite (1,000+ tests) across 40+ files covering core, scanners, DAST, compliance, SARIF and seed integrity..github/workflows/ci.ymlCI: Python 3.9-3.12 test matrix, ruff/format lint, and dedicated CVE-seed validation job.pyproject.tomlpytest, ruff and mypy configuration; paired with setup.py extras for per-transport installs.05Security Controls
06Technology Stack
- Language
- Python 3.9+ (3.10-3.12 recommended); stdlib-only core
- Transports
- paramiko (SSH), netmiko (Cisco), pysnmp-lextudio (SNMP), pywinrm (WinRM), impacket (SMB), requests (HTTP) - all optional, gracefully degraded
- Data store
- SQLite (stdlib) CVE database with NVD API 2.0, CISA KEV and FIRST.org EPSS feeds
- Reporting
- Inline Chart.js dashboard HTML, weasyprint PDF (optional), JSON/CSV, SARIF v2.1.0
- Testing
- pytest + pytest-cov, 1,000+ tests, dedicated seed-integrity validation
- Linting
- ruff (check + format) and mypy
- CI
- GitHub Actions - Python 3.9/3.10/3.11/3.12 matrix, lint, seed validation
- Packaging
- setup.py + pyproject.toml with per-transport extras ([linux], [cisco], [windows], [all])
07Quick Start
$ pip install -e ".[all]" # install with all transport extras $ python -m vulnerability_management cve-import # load 510 bundled seed CVEs (168 KEV-flagged) $ python -m vulnerability_management auto -r 192.168.1.0/24 -u admin -p secret # auto-discover and scan a subnet $ python -m vulnerability_management linux -t 10.0.1.50 -u root -p pass --html report.html --compliance $ python -m vulnerability_management dast --target https://app.example.com --dast-accept-risk $ python -m vulnerability_management cve-sync --api-key YOUR_NVD_API_KEY # sync ~32,000 CVEs + EPSS + KEV
08Compliance & Frameworks
09Integrations & Outputs
Explore Vulnerability Management Scanner
Full source, documentation, and deployment guides live on GitHub.