Docker-compose security stack — all tools running locally
Static Application Security Testing and code quality analysis. Detects bugs, vulnerabilities, and code smells across 30+ languages.
Dynamic Application Security Testing. Full ZAP desktop UI in your browser — spider, active scan, and intercept proxy built in.
Aggregate, deduplicate and track findings from all your security tools. Supports 180+ scanner import formats including ZAP and SonarQube.
Scan container images, filesystems, Git repos and IaC (Terraform, K8s) for CVEs, misconfigs, and secrets. Exposed as a REST API server.
Software Composition Analysis via CycloneDX SBOMs. Continuously monitors dependencies for known vulnerabilities using NVD, OSS Index and more.
Centralised secrets management — store API keys, DB passwords, TLS certs and dynamic credentials. Running in dev mode for easy local use.