GitHub: PhillipC05/tpt-security-test
# TPT Security Platform
An open-source security assessment and compliance audit platform. Scan targets, audit your infrastructure via APIs, browse results in the built-in web UI, and generate HTML/PDF/JSON reports mapped to SOC 2, ISO 27001, and HIPAA controls.
```bash
# Start the web UI + API server
tpt serve

# Run a scan (web UI updates live)
tpt scan example.com --framework soc2,iso27001

# Audit your AWS account
tpt audit --provider aws --framework soc2,hipaa

# Generate a shareable PDF report
tpt report --format html,pdf
```
### Web UI
`tpt serve` starts a browser dashboard at `http://localhost:4242` — dark-mode, no build step required.
| Dashboard | Job detail | Finding detail |
|-----------|-----------|----------------|
| All scan/audit jobs, open finding counts, framework coverage | Severity breakdown, filter by status, full findings table | Expandable evidence, remediation advice, compliance controls, inline status update |
The web UI uses **HTMX** for live updates (finding details expand inline, status changes save immediately) with **Tailwind CSS + DaisyUI** for styling.
## Features
**Scanning (`tpt scan`)**
- Nuclei (embedded SDK) — template-based vulnerability detection
- Naabu — port scanning with compliance-aware severity
- OWASP ZAP — web app scanning via REST API (`--zap-url`)
- TLS inspector — cert expiry, weak ciphers, legacy protocol detection (`--scope tls`)
- Email security — SPF, DKIM, DMARC DNS checks (`--scope email`)
- Gitleaks — hardcoded secrets in source trees (`--secrets-dir`)
- govulncheck / osv-scanner — dependency CVEs (`--deps-dir`)
- Dalfox — active XSS and open redirect detection
**File import (`tpt import`)**
- Nessus (`.nessus`), Burp Suite XML, OpenVAS/GVM XML
**Internal audit (`tpt audit`)**
| Category | Providers |
|----------|-----------|
| Cloud | AWS · GCP · Azure · DigitalOcean · Hetzner · Cloudflare · Vercel · Supabase · Wasabi · Backblaze |
| Identity | Okta · Azure AD / Entra · Google Workspace · Auth0 · Keycloak · Active Directory / LDAP |
| VCS | GitHub · GitLab · Bitbucket · Gitea / Forgejo |
| Infrastructure | Linux (SSH) · Kubernetes |
**Compliance frameworks**
- SOC 2 Type II (Trust Services Criteria)
- ISO/IEC 27001:2022 (Annex A)
- HIPAA Security Rule (45 CFR §164.308 / §164.312)
**Reporting (`tpt report`)**
- HTML — self-contained, executive summary + control coverage matrix + findings detail
- PDF — go-pdf/fpdf, severity grid, tables
- JSON — machine-readable for compliance platform integrations
- AI-enhanced remediation advice (Anthropic / OpenAI / Grok / OpenRouter) with static fallback
**REST API (`tpt serve`)**
- `GET /api/jobs` · `GET /api/jobs/{id}/findings` · `GET /api/jobs/{id}/report`
- `PATCH /api/findings/{id}/status` — retest tracking
## Installation
### From source
```bash
git clone https://github.com/tpt-security/tpt.git
cd tpt
go build -o tpt ./cmd/tpt
./tpt --help
```
Requires Go 1.22+. No CGO — builds on all platforms.
### Docker
```bash
docker compose up -d
# API available at http://localhost:4242
```
## Quick start
```bash
# Scan a target and map to SOC 2 + ISO 27001
tpt scan example.com --framework soc2,iso27001 --scope web,network,tls

# Import an existing Nessus export
tpt import scan.nessus --framework soc2 --target "Internal network Q1"

# Audit your AWS account
tpt audit --provider aws --aws-profile prod --framework soc2,hipaa

# Audit a self-hosted Keycloak instance
tpt audit --provider keycloak \
  --keycloak-url http://keycloak.internal:8080 \
  --keycloak-realm master \
  --keycloak-token

# Audit a Linux server over SSH
tpt audit --provider linux \
  --linux-host 10.0.0.5:22 \
  --linux-user ubuntu \
  --linux-key ~/.ssh/id_rsa \
  --framework iso27001

# Generate reports (HTML + PDF, with AI enhancement if a key is set)
tpt report --format html,pdf --output reports/

# Start the REST API server
tpt serve --port 4242
```
## AI-enhanced reports
Set any of the following environment variables to enable AI-generated executive summaries and per-finding remediation advice:
```bash
export ANTHROPIC_API_KEY=sk-ant-...   # Claude Haiku (recommended)
export OPENAI_API_KEY=sk-...          # GPT-4o mini
export GROK_API_KEY=...               # Grok 3 mini
export OPENROUTER_API_KEY=...         # Any model via OpenRouter
```
Use `--no-ai` to disable even when a key is set. Static remediation templates are always used as a fallback.
## Supported scan scopes
| Flag value | What it activates |
|------------|-------------------|
| `network` | Naabu port scan + TLS inspector |
| `web` | Nuclei + Dalfox |
| `api` | Nuclei + Dalfox |
| `tls` | TLS inspector only |
| `email` | SPF / DKIM / DMARC check |
## Nuclei templates
Compliance-focused templates ship with the platform in `templates/`:
| Template | Framework | What it detects |
|----------|-----------|-----------------|
| `soc2/cc6.1-access-controls.yaml` | SOC 2 | Access control misconfigurations |
| `soc2/cc6.3-broken-auth.yaml` | SOC 2 | JWT none-alg, insecure session cookies |
| `soc2/cc6.6-cors-misconfig.yaml` | SOC 2 | Wildcard / reflective CORS |
| `soc2/cc6.7-crypto-transmission.yaml` | SOC 2 | Weak TLS, missing HSTS |
| `soc2/cc7.1-vulnerability-detection.yaml` | SOC 2 | Vulnerability scanning indicators |
| `soc2/cc9.2-api-exposure.yaml` | SOC 2 | Swagger, GraphQL introspection |
| `iso27001/a.5.17-auth-weakness.yaml` | ISO 27001 | Default credentials, HTTP Basic |
| `iso27001/a.8.8-technical-vulnerabilities.yaml` | ISO 27001 | CVE detection |
| `iso27001/a.8.9-configuration-management.yaml` | ISO 27001 | Misconfiguration detection |
| `iso27001/a.8.20-network-exposure.yaml` | ISO 27001 | Exposed MongoDB, Redis, Elasticsearch |
| `iso27001/a.8.24-cryptography.yaml` | ISO 27001 | Crypto weakness |
| `iso27001/a.8.25-ssdlc.yaml` | ISO 27001 | Debug endpoints, stack traces, .env |
| `iso27001/a.8.29-injection.yaml` | ISO 27001 | SQLi indicators, SSTI |
Point `--template-dir` at any Nuclei templates directory to use your own.
## Adding custom control mappings
```yaml
# mappings/pci-dss.yaml
- category: web
  severity: [critical, high]
  controls:
    - id: "6.4"
      name: Protect web-facing applications against known attacks
      relevance: direct
```
Then use it with `--framework pci-dss`.
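To show what a mapping file like the one above does at report time, here is an added example (not code from the tpt project) of the matching and coverage logic: a finding's category and severity are matched against each rule, and the report's control coverage matrix counts the findings still open per control. The struct fields mirror the YAML keys; the rule set is constructed, and the second rule is illustrative rather than taken from this README.

```go
package main

import "slices"

// Control is one compliance control named by a mapping rule; Relevance is
// "direct" or "indirect", as in the YAML above.
type Control struct{ ID, Name, Relevance string }
// Rule mirrors one list entry of a mappings/<framework>.yaml file.
type Rule struct {
	Category string    // finding category: web, network, tls, email, ...
	Severity []string  // lowercase severities this rule applies to
	Controls []Control // controls a matching finding counts against
}
// Finding is the subset of a scan finding the mapping engine needs.
type Finding struct{ Category, Severity, Status string } // Status: open|fixed|accepted
// Constructed rule set equivalent to the pci-dss.yaml snippet above; the
// second rule is illustrative and not taken from the README.
var pciRules = []Rule{
	{Category: "web", Severity: []string{"critical", "high"}, Controls: []Control{
		{ID: "6.4", Name: "Protect web-facing applications against known attacks", Relevance: "direct"}}},
	{Category: "tls", Severity: []string{"critical", "high", "medium"}, Controls: []Control{
		{ID: "4.2.1", Name: "Strong cryptography for data in transit", Relevance: "direct"}}},
}
// MapFinding returns every control whose rule matches the finding's category
// and severity; a finding may satisfy several rules and so map to several controls.
func MapFinding(f Finding, rules []Rule) []Control {
	var out []Control
	for _, r := range rules {
		if r.Category == f.Category && slices.Contains(r.Severity, f.Severity) {
			out = append(out, r.Controls...)
		}
	}
	return out
}
// OpenByControl builds the report's coverage matrix: every control some
// finding mapped to, with the number of findings still open against it.
func OpenByControl(findings []Finding, rules []Rule) map[string]int {
	open := map[string]int{}
	for _, f := range findings {
		for _, c := range MapFinding(f, rules) {
			if f.Status == "open" {
				open[c.ID]++
			} else if _, seen := open[c.ID]; !seen {
				open[c.ID] = 0 // control is covered but has no open finding
			}
		}
	}
	return open
}
```

A control that only ever had fixed or accepted findings still appears in the matrix with a zero count, which is how coverage is distinguished from "no finding touched this control at all".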
## Architecture
```
cmd/tpt/            CLI entry point (cobra)
internal/
  scan/             Scanner adapters (Nuclei, Naabu, ZAP, TLS, email, secrets, deps, Dalfox)
  audit/            Internal audit providers
    cloud/          AWS, GCP, Azure, DO, Hetzner, Cloudflare, Vercel, Supabase, Wasabi, Backblaze
    idp/            Okta, Azure AD, Google Workspace, Auth0, Keycloak, LDAP
    vcs/            GitHub, GitLab, Bitbucket, Gitea
    infra/          Linux SSH, Kubernetes
  importer/         File importers (.nessus, Burp XML, OpenVAS XML)
  mapping/          YAML-based control mapping engine
  report/           HTML, JSON, PDF report generators + methodology statement
  remediation/      Static remediation template library
  ai/               LLM client (Anthropic, OpenAI, Grok, OpenRouter)
  api/              REST API server (stdlib net/http)
  web/              Web UI — HTMX + Tailwind + DaisyUI, server-rendered templates
  db/               SQLite storage (GORM, no CGO)
mappings/           soc2.yaml · iso27001.yaml · hipaa.yaml
templates/          Nuclei templates (soc2/ · iso27001/)
```
## Documentation
| Doc | Contents |
|-----|---------|
| [docs/architecture.md](docs/architecture.md) | System design, component diagram, data flow, extension points |
| [docs/deployment.md](docs/deployment.md) | Binary, Docker, Docker Compose, systemd service, nginx, CI/CD |
| [docs/configuration.md](docs/configuration.md) | All CLI flags for every command, API endpoints |
| [docs/frameworks.md](docs/frameworks.md) | SOC 2, ISO 27001, HIPAA control mapping reference, custom framework YAML format |
## License
MIT — see [LICENSE](LICENSE).