Running a real security baseline on a small web project means standing up seven or eight specialised tools, deduplicating their findings by hand, and translating generic remediation advice ("Add an HSTS header") into the specific change required by your stack (Cloudflare, Vercel, an Astro _headers file, or nginx). The workflow around the tools is the mess, not the tools themselves.
We built a Click-based CLI plus a FastAPI dashboard that wraps nuclei, nmap, sslyze, subfinder, httpx, OWASP ZAP, semgrep, trivy, and gitleaks. Each scanner subclasses a BaseScanner, declares its risk level and the external tool it needs, and writes Finding objects in a common schema. Risk gating is centralised in the runner, so the CLI, the dashboard, and the bundled GitHub Action all apply the same checks. Reports render to HTML (Jinja2), Markdown, and JSON from that one data shape. A two-layer remediation system enriches every finding: a curated static database for free, plus optional AI-tailored fixes via Claude that quote the project's actual config or the lines of code around the finding. Findings are cached by hash so re-scans don't re-bill the API. The tool is distributed as a PyPI package, a self-hosting Docker image, and a drop-in GitHub Action.
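To make the scanner/finding/runner split concrete, here is a compact sketch of that pattern. It is example code written for this page, not code from the secscan-tool project: every class name (RiskLevel, Finding, BaseScanner, HeaderScanner, PortScanner, ScanRunner, RemediationCache), the STATIC_DB entries, and the `tailor` callable standing in for the Claude call are assumptions. It runs offline against constructed response headers and shows the three behaviours the paragraph describes: risk gating plus tool-availability checks in one runner, deduplication by finding hash, and a remediation cache keyed by that hash so a repeat scan makes no new tailoring calls.

```python
# Added example, not the project's own code. All names below are assumptions.
from __future__ import annotations
import hashlib, json, shutil
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Callable, Iterable


class RiskLevel(IntEnum):
    PASSIVE = 0    # read-only checks (headers, TLS config, secrets in git)
    ACTIVE = 1     # sends probing requests to the target
    INTRUSIVE = 2  # may alter target state; never enabled by default


@dataclass(frozen=True)
class Finding:
    scanner: str
    severity: str   # "low" | "medium" | "high" | "critical"
    title: str
    target: str
    evidence: str = ""
    remediation: str = ""

    def fingerprint(self) -> str:
        # Stable hash over identity fields only; remediation text is excluded so a
        # cached tailored fix still matches when the same finding recurs.
        key = json.dumps([self.scanner, self.title, self.target, self.evidence])
        return hashlib.sha256(key.encode()).hexdigest()


class BaseScanner:
    name = "base"
    risk = RiskLevel.PASSIVE
    required_tool: str | None = None  # external binary looked up on PATH

    def available(self) -> bool:
        return self.required_tool is None or shutil.which(self.required_tool) is not None

    def scan(self, target: str) -> list[Finding]:
        raise NotImplementedError


class HeaderScanner(BaseScanner):
    """Passive check over a constructed header map (no network access)."""
    name = "headers"

    def __init__(self, headers: dict[str, str]):
        self.headers = {k.lower(): v for k, v in headers.items()}

    def scan(self, target: str) -> list[Finding]:
        out = []
        if "strict-transport-security" not in self.headers:
            out.append(Finding(self.name, "medium", "Missing HSTS header", target))
        if self.headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
            out.append(Finding(self.name, "low", "Missing X-Frame-Options header", target))
        return out


class PortScanner(BaseScanner):
    """Stands in for an nmap-style wrapper; gated by risk and by tool presence."""
    name = "ports"
    risk = RiskLevel.ACTIVE
    required_tool = "hypothetical-port-scanner-binary"  # assumed absent on PATH

    def scan(self, target: str) -> list[Finding]:
        return []


class ScanRunner:
    """The single place where risk gating and deduplication happen."""
    def __init__(self, max_risk: RiskLevel = RiskLevel.PASSIVE):
        self.max_risk = max_risk

    def run(self, scanners: Iterable[BaseScanner], target: str):
        findings, skipped, seen = [], [], set()
        for s in scanners:
            if s.risk > self.max_risk or not s.available():
                skipped.append(s.name)
                continue
            for f in s.scan(target):
                fp = f.fingerprint()
                if fp not in seen:          # drop duplicates across scanners
                    seen.add(fp)
                    findings.append(f)
        return findings, skipped


class RemediationCache:
    """Free static text always; tailored text from `tailor` only on a cache miss."""
    def __init__(self, static_db: dict[str, str], tailor: Callable[[Finding], str] | None = None):
        self.static_db, self.tailor, self.cache, self.tailor_calls = static_db, tailor, {}, 0

    def enrich(self, f: Finding) -> Finding:
        text = self.static_db.get(f.title, "No static guidance available.")
        if self.tailor is not None:
            fp = f.fingerprint()
            if fp not in self.cache:        # only a miss costs an API call
                self.tailor_calls += 1
                self.cache[fp] = self.tailor(f)
            text = self.cache[fp]
        return replace(f, remediation=text)


STATIC_DB = {  # constructed sample entries
    "Missing HSTS header": "Send Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Missing X-Frame-Options header": "Send X-Frame-Options: DENY (or a frame-ancestors CSP directive)",
}


def demo(headers: dict[str, str], max_risk: RiskLevel = RiskLevel.PASSIVE):
    runner = ScanRunner(max_risk)
    scanners = [HeaderScanner(headers), HeaderScanner(headers), PortScanner()]  # duplicate on purpose
    findings, skipped = runner.run(scanners, "https://example.test")
    cache = RemediationCache(STATIC_DB, tailor=lambda f: f"(tailored) {STATIC_DB[f.title]} in your _headers file")
    enriched = [cache.enrich(f) for f in findings]
    [cache.enrich(f) for f in findings]     # simulated re-scan: all cache hits
    return enriched, skipped, cache.tailor_calls


if __name__ == "__main__":
    for f in demo({"Content-Type": "text/html"})[0]:
        print(f.severity, f.title, "->", f.remediation)
```

With `max_risk=RiskLevel.PASSIVE` the port scanner is skipped for risk; raising it to `ACTIVE` still skips it because the assumed binary is not on PATH, which is the same gate the CLI, dashboard and Action would share. The second `enrich` pass over the same findings adds no tailoring calls, which is the behaviour that keeps repeated runs from re-billing.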
- Published on PyPI as secscan-tool, MIT-licensed and reusable across projects
- Docker image bundles seven external scanners; one command stands up the dashboard at localhost:8765
- GitHub Actions workflow runs weekly plus on-demand, opens issues automatically on new High or Critical findings
- AI-tailored remediation costs cents per scan and is cached by finding hash to avoid re-billing on repeated runs