A lot of good things are being done with Docker, and Jackhammer is another good example. The authors have taken almost everything you would need for vulnerability assessment and vulnerability management, dockerized it, made it an all-in-one tool and put it up for us to use! A few other security-related Docker projects can be found here.
What is Jackhammer?
Jackhammer is an open source security, vulnerability assessment and vulnerability management tool that helps bridge the gap between the security, development and QA teams. It also helps the TPM understand and track the quality of the code going into production, across many supported languages rather than just one. It is built entirely on RBAC (Role Based Access Control) and lets you perform static code analysis or dynamic analysis with built-in vulnerability management capability. It can also help you find security vulnerabilities in the target applications.
Features of Jackhammer:
- Provides a unified interface to collaborate on findings
- Scanning (code) can be done for all code management repositories
- Scheduling of scans based on intervals – daily, weekly, monthly
- Advanced false positive filtering
- Publish vulnerabilities to bug tracking systems
- Keep a tab on statistics and vulnerability trends in your applications
- Integrates with the majority of open source and commercial scanning tools
- Users and roles management giving greater control
- Configurable severity levels on lists of findings across the applications
- Built-in vulnerability status progression
- Easy-to-use filters to review targeted sets from tons of vulnerabilities
- Asynchronous scanning (via Sidekiq) that scales
- Seamless vulnerability management
- Track statistics and graph security trends in your applications
- Easily integrates with a variety of open source, commercial and custom scanning tools
For static analysis, this open source tool integrates with Brakeman, Bundler-Audit, Checkmarx, Dawnscanner, FindSecurityBugs, Xanitizer, NodeSecurityProject, PMD and Retire.js. If you are looking to find hard-coded secrets/tokens/credentials, Jackhammer uses Trufflehog. The base of all scans is an Nmap scan. For web application scanning, it uses Arachni and WPScan. Mobile scanning is also supported with Androbugs and Androguard. Not only that, you can also add new scanners within a few minutes; this nice user guide tells you how to do it. You can also import results from other scanners such as Nmap, Burp Suite, ZAP, Nessus, QualysGuard, OpenVAS, Metasploit, Nexpose, Arachni, IBMApp, Fortify, SkipFish, W3af and Acunetix.
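To make the "import results, filter false positives, track status" part of the feature list concrete, here is a small added example of what a vulnerability management tool does with a scanner import. This is illustrative code written for this post, not Jackhammer's own implementation: it parses a constructed Nmap XML snippet into a common findings model, applies an assumed severity policy and accepted-risk rules, dedupes re-imports by fingerprint, and enforces a status workflow. The severity map, the status transitions and the sample hosts are all assumptions made up for the example.

```python
"""Normalise Nmap output into a common findings model and manage it.

Added illustration, not Jackhammer's code. The XML below is a constructed
sample; the severity policy and status workflow are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: a trimmed Nmap XML report with two hosts.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed, configurable severity policy keyed on the detected service.
SEVERITY_BY_SERVICE = {"telnet": "high", "mysql": "medium", "ssh": "low"}
DEFAULT_SEVERITY = "info"

# Assumed status workflow: "new" findings must be triaged before being fixed.
TRANSITIONS = {
    "new": {"open", "false_positive"},
    "open": {"fixed", "false_positive"},
    "fixed": {"open"},
    "false_positive": {"open"},
}


@dataclass
class Finding:
    scanner: str
    target: str
    title: str
    severity: str
    status: str = "new"
    fingerprint: str = field(init=False)

    def __post_init__(self):
        # Stable key so a rescan updates an existing finding instead of duplicating it.
        self.fingerprint = f"{self.scanner}|{self.target}|{self.title}"


def parse_nmap(xml_text):
    """Turn each open port into one Finding; closed/filtered ports are skipped."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            title = f"Open {port.get('protocol')}/{port.get('portid')} ({name})"
            severity = SEVERITY_BY_SERVICE.get(name, DEFAULT_SEVERITY)
            findings.append(Finding("nmap", addr, title, severity))
    return findings


def apply_false_positive_rules(findings, rules):
    """Mark findings matching an accepted-risk rule (target, title substring)."""
    for f in findings:
        if any(f.target == target and needle in f.title for target, needle in rules):
            f.status = "false_positive"
    return findings


def advance(finding, new_status):
    """Move a finding along the workflow, rejecting disallowed jumps."""
    if new_status not in TRANSITIONS[finding.status]:
        raise ValueError(f"cannot move {finding.status} -> {new_status}")
    finding.status = new_status
    return finding


def merge(existing, incoming):
    """Dedupe a re-import by fingerprint, keeping the triaged copy."""
    by_fp = {f.fingerprint: f for f in existing}
    for f in incoming:
        by_fp.setdefault(f.fingerprint, f)
    return list(by_fp.values())


def summary(findings):
    """Count live findings per severity, ignoring false positives."""
    counts = {}
    for f in findings:
        if f.status != "false_positive":
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    fs = parse_nmap(SAMPLE_NMAP_XML)
    apply_false_positive_rules(fs, [("10.0.0.5", "tcp/22")])
    print(summary(fs))
```

The fingerprint is what makes scheduled rescans useful: the same open port seen on Monday and Tuesday stays one finding with its triage history, rather than two rows. When importing real reports, treat the XML as untrusted input and parse it with a hardened parser such as defusedxml instead of the bare stdlib module used here for brevity.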
Installation of Jackhammer is pretty easy. All you need to do is clone the repository and build the tool. Detailed information is available here.