first commit

Author: CSPF-Founder

.env.example

@@ -0,0 +1,69 @@
+# =============================================================================
+# API Scanner Configuration
+# Copy this file to .env and update the values before running docker compose up
+# =============================================================================
+
+# --- MariaDB ---
+MARIADB_ROOT_PASSWORD=change_me_root_password
+MARIADB_USER=api_scanner
+MARIADB_PASSWORD=change_me_db_password
+MARIADB_DATABASE=api_db
+
+# --- MongoDB ---
+MONGO_ROOT_USERNAME=root
+MONGO_ROOT_PASSWORD=change_me_mongo_root_password
+MONGO_DATABASE=apiscan_db
+MONGO_APP_USERNAME=apiscan_user
+MONGO_APP_PASSWORD=change_me_mongo_app_password
+
+# --- API Scanner ---
+SERVER_ADDRESS=0.0.0.0:443
+USE_TLS=true
+CERT_PATH=/app/certs/cert.pem
+KEY_PATH=/app/certs/key.pem
+CSRF_KEY=change_me_csrf_key_32_chars_long!
+CSRF_NAME=csrf_token
+ALLOWED_INTERNAL_HOSTS=localhost,127.0.0.1,api-scanner
+TRUSTED_ORIGINS=https://localhost:4455
+
+DBMS_TYPE=mysql
+# Note: 'mariadb' here refers to the docker-compose service name
+DATABASE_URI=api_scanner:change_me_db_password@tcp(mariadb:3306)/api_db?parseTime=True
+MIGRATIONS_PREFIX=/app/db/migrations
+
+PRODUCT_TITLE=API Scanner
+COPYRIGHT_FOOTER_COMPANY=CySecurity Pte Ltd
+CONTACT_ADDRESS=support@localhost
+
+# Note: 'mongodb' here refers to the docker-compose service name
+MONGO_DATABASE_URI=mongodb://apiscan_user:change_me_mongo_app_password@mongodb:27017/apiscan_db?authMechanism=SCRAM-SHA-256
+MONGO_DATABASE_NAME=apiscan_db
+
+WORK_DIR=/app/data/work_dir
+TEMP_UPLOADS_DIR=/app/data/temp_uploads
+
+LOG_LEVEL=info
+LOG_FILENAME=/app/logs/app.log
+
+# Required by manager config but unused in Docker mode
+SCANNER_DOCKER=unused
+FUZZER_IMAGE=unused
+MAIN_DOMAIN=localhost
+
+# Required by panel config but unused in community edition
+LICENSE_VALIDATION_API=http://localhost
+
+# Note: 'zap' here refers to the docker-compose service name
+ZAP_HOST=zap
+ZAP_PORT=8080
+ZAP_API_KEY=change_me_zap_api_key
+
+REMOTE_WORK_DIR=/app/data/work_dir/
+LOCAL_TEMP_DIR=/app/data/temp/
+
+CATS_BIN_PATH=/app/bin/cats
+REPORTER_BIN_PATH=/app/bin/reporter
+SCANNER_CMD=/app/bin/scanner
+
+# --- Timezone ---
+TZ=UTC

.gitignore

@@ -0,0 +1,2 @@
+.env
+certs/

README.md

@@ -0,0 +1,139 @@
+# API Scanner - Self-Hosted Deployment
+
+API Scanner is an automated API security testing tool that scans REST and SOAP APIs for vulnerabilities using OpenAPI/Swagger specifications and WSDL files.
+
+## Prerequisites
+
+- Docker Engine 20.10+
+- Docker Compose v2
+- Python 3.6+ (for setup script)
+- 8 GB RAM minimum (16 GB recommended)
+- 20 GB disk space
+
+## Quick Start
+
+1. **Clone this repository**
+
+```bash
+git clone https://github.com/cysecurity/api-scanner.git
+cd api-scanner
+```
+
+2. **Run setup**
+
+```bash
+python3 setup.py
+```
+
+The script will:
+- Generate secure random passwords for all services
+- Auto-detect your timezone
+- Generate a self-signed TLS certificate (or use your own if already in `./certs/`)
+- Write the `.env` configuration file
+- Offer to start the Docker Compose stack
+
+3. **Access the panel**
+
+Open `https://localhost:4455` in your browser.
+
+> If using a self-signed certificate, your browser will show a security warning — proceed to accept it.
+
+## Manual Setup
+
+If you prefer to configure manually instead of using the setup script:
+
+1. Copy the example environment file:
+
+```bash
+cp .env.example .env
+```
+
+2. Edit `.env` and update:
+   - All `change_me_*` passwords with strong random values
+   - `CSRF_KEY` with a random 32+ character string
+   - `ZAP_API_KEY` with a random string
+   - `TRUSTED_ORIGINS` with your domain (e.g., `https://scanner.yourcompany.com`)
+   - Ensure passwords in `DATABASE_URI` and `MONGO_DATABASE_URI` match the individual password variables
+
+3. Start the stack:
+
+```bash
+docker compose up -d
+```
+
+## Architecture
+
+| Service         | Image                              | Description                                        |
+|-----------------|------------------------------------|----------------------------------------------------|
+| **api-scanner** | `cysecurity/api-scanner:latest`    | Web panel + scan engine in a single container      |
+| **zap**         | `ghcr.io/zaproxy/zaproxy:stable`   | OWASP ZAP security scanner                         |
+| **mariadb**     | `mariadb:10.11`                    | User management and session storage                |
+| **mongodb**     | `mongo:4.4`                        | Scan data, results, and reports                    |
+
+## Configuration
+
+All configuration is done through the `.env` file. See `.env.example` for all available options.
+
+### Key Settings
+
+| Variable | Description |
+|----------|-------------|
+| `MARIADB_PASSWORD` | MariaDB application user password |
+| `MONGO_APP_PASSWORD` | MongoDB application user password |
+| `CSRF_KEY` | CSRF protection key (32+ characters) |
+| `ZAP_API_KEY` | ZAP API authentication key |
+| `TRUSTED_ORIGINS` | Allowed HTTPS origins for the panel |
+| `USE_TLS` | Enable HTTPS (default: `true`) |
+| `TZ` | Timezone (default: `UTC`) |
+
+## Data Persistence
+
+All data is stored in Docker named volumes:
+
+- `mariadb_data` — User accounts, roles, sessions
+- `mongodb_data` — Scan records, results, reports
+- `scanner_data` — Work files, uploaded specs, generated reports
+
+## Updating
+
+```bash
+docker compose pull
+docker compose up -d
+```
+
+## Stopping
+
+```bash
+docker compose down
+```
+
+To remove all data (destructive):
+
+```bash
+docker compose down -v
+```
+
+## Troubleshooting
+
+**Check logs:**
+
+```bash
+docker compose logs api-scanner
+docker compose logs zap
+```
+
+**Check service health:**
+
+```bash
+docker compose ps
+```
+
+**ZAP not starting:** Ensure at least 4 GB of free RAM. ZAP requires ~3 GB.
+
+**Panel not accessible:** Verify TLS certificates are in `./certs/` and `TRUSTED_ORIGINS` matches your URL including the port (e.g., `https://localhost:4455`).
+
+**Database connection errors:** Wait 30-60 seconds after first start for databases to initialize.
+
+## License
+
+Proprietary. See LICENSE file for details.

docker-compose.yml

@@ -0,0 +1,142 @@
+name: api-scanner
+
+services:
+
+  mariadb:
+    image: mariadb:10.11
+    container_name: api-scanner-mariadb
+    restart: always
+    environment:
+      MARIADB_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
+      MARIADB_USER: ${MARIADB_USER}
+      MARIADB_PASSWORD: ${MARIADB_PASSWORD}
+      MARIADB_DATABASE: ${MARIADB_DATABASE}
+      TZ: ${TZ:-UTC}
+    volumes:
+      - mariadb_data:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      start_period: 15s
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - api-scanner
+
+  mongodb:
+    image: mongo:4.4
+    container_name: api-scanner-mongodb
+    restart: always
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: ${MONGO_ROOT_USERNAME}
+      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_ROOT_PASSWORD}
+      MONGO_INITDB_DATABASE: ${MONGO_DATABASE}
+      MONGO_APP_USERNAME: ${MONGO_APP_USERNAME}
+      MONGO_APP_PASSWORD: ${MONGO_APP_PASSWORD}
+      TZ: ${TZ:-UTC}
+    volumes:
+      - mongodb_data:/data/db
+      - ./mongo-init.sh:/docker-entrypoint-initdb.d/mongo-init.sh:ro
+    healthcheck:
+      test: ["CMD", "mongo", "--eval", "db.adminCommand('ping')"]
+      start_period: 10s
+      interval: 10s
+      timeout: 5s
+      retries: 3
+    networks:
+      - api-scanner
+
+  zap:
+    image: ghcr.io/zaproxy/zaproxy:stable
+    container_name: api-scanner-zap
+    restart: always
+    command: >
+      zap.sh -daemon
+      -host 0.0.0.0
+      -port ${ZAP_PORT:-8080}
+      -config api.addrs.addr.name=.*
+      -config api.addrs.addr.regex=true
+      -config api.key=${ZAP_API_KEY}
+    mem_limit: 3g
+    cpus: 1.5
+    environment:
+      JAVA_OPTS: "-Xmx2400m"
+      TZ: ${TZ:-UTC}
+    volumes:
+      - scanner_data:/app/data:ro
+    healthcheck:
+      test: ["CMD", "curl", "-sf", "http://localhost:${ZAP_PORT:-8080}/JSON/core/view/version/?apikey=${ZAP_API_KEY}"]
+      start_period: 30s
+      interval: 15s
+      timeout: 5s
+      retries: 5
+    networks:
+      - api-scanner
+
+  api-scanner:
+    image: cysecurity/api-scanner:latest
+    container_name: api-scanner
+    restart: always
+    ports:
+      - "4455:443"
+    environment:
+      # Panel
+      SERVER_ADDRESS: ${SERVER_ADDRESS}
+      USE_TLS: ${USE_TLS}
+      CERT_PATH: ${CERT_PATH}
+      KEY_PATH: ${KEY_PATH}
+      CSRF_KEY: ${CSRF_KEY}
+      CSRF_NAME: ${CSRF_NAME}
+      ALLOWED_INTERNAL_HOSTS: ${ALLOWED_INTERNAL_HOSTS}
+      TRUSTED_ORIGINS: ${TRUSTED_ORIGINS}
+      DBMS_TYPE: ${DBMS_TYPE}
+      DATABASE_URI: ${DATABASE_URI}
+      MIGRATIONS_PREFIX: ${MIGRATIONS_PREFIX}
+      WORK_DIR: ${WORK_DIR}
+      TEMP_UPLOADS_DIR: ${TEMP_UPLOADS_DIR}
+      PRODUCT_TITLE: ${PRODUCT_TITLE}
+      COPYRIGHT_FOOTER_COMPANY: ${COPYRIGHT_FOOTER_COMPANY}
+      CONTACT_ADDRESS: ${CONTACT_ADDRESS}
+      LICENSE_VALIDATION_API: ${LICENSE_VALIDATION_API:-http://localhost}
+      # Engine (manager)
+      SCANNER_DOCKER: ${SCANNER_DOCKER:-unused}
+      FUZZER_IMAGE: ${FUZZER_IMAGE:-unused}
+      MAIN_DOMAIN: ${MAIN_DOMAIN:-localhost}
+      SCANNER_CMD: ${SCANNER_CMD}
+      # Engine (scanner)
+      DB_NAME: ${MONGO_DATABASE_NAME}
+      REMOTE_WORK_DIR: ${REMOTE_WORK_DIR}
+      LOCAL_TEMP_DIR: ${LOCAL_TEMP_DIR}
+      ZAP_HOST: ${ZAP_HOST}
+      ZAP_PORT: ${ZAP_PORT}
+      ZAP_API_KEY: ${ZAP_API_KEY}
+      CATS_BIN_PATH: ${CATS_BIN_PATH}
+      REPORTER_BIN_PATH: ${REPORTER_BIN_PATH}
+      # Shared
+      MONGO_DATABASE_URI: ${MONGO_DATABASE_URI}
+      MONGO_DATABASE_NAME: ${MONGO_DATABASE_NAME}
+      LOG_LEVEL: ${LOG_LEVEL}
+      LOG_FILENAME: ${LOG_FILENAME}
+      USE_DOTENV: "false"
+      TZ: ${TZ:-UTC}
+    volumes:
+      - scanner_data:/app/data
+      - ./certs:/app/certs:ro
+    depends_on:
+      mariadb:
+        condition: service_healthy
+      mongodb:
+        condition: service_healthy
+      zap:
+        condition: service_healthy
+    networks:
+      - api-scanner
+
+volumes:
+  mariadb_data:
+  mongodb_data:
+  scanner_data:
+
+networks:
+  api-scanner:
+    driver: bridge

mongo-init.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+mongo <<EOF
+db = db.getSiblingDB('${MONGO_INITDB_DATABASE}');
+
+db.createUser({
+    user: '${MONGO_APP_USERNAME}',
+    pwd: '${MONGO_APP_PASSWORD}',
+    roles: [
+        {
+            role: 'readWrite',
+            db: '${MONGO_INITDB_DATABASE}',
+        },
+    ],
+});
+EOF