Running CVEScan Web
This documentation provides a reference example and may not fit your specific requirements or infrastructure. You are encouraged to adapt the deployment to your needs.
Also, as CVEScan will store sensitive data, please ensure that you follow best practices for securing your deployment, such as using strong admin credentials, enabling TLS with a modern configuration (e.g., using strong ciphers, disabling outdated protocols, etc.), and restricting access to the Keycloak admin console.
Prerequisites
Please ensure you have the following tools installed on your machine:
- Git. This guide was tested with Git version 2.43.0.
- Docker. This guide was tested with Docker version 28.2.2, build e6534b4.
1. Cloning the Repository
The first step is to clone the CVEScan Web repository using the following command:
You will be prompted for your GitLab credentials. As your repository access is managed through an access token, you may enter any value for the username, but you must provide your personal access token as the password to authenticate successfully.
Once cloned, navigate to the project directory using:
2. Configuring NGINX Reverse Proxy
A sample nginx.conf file is provided in the root directory of the CVEScan Web repository. This configuration file must be customized to match your specific environment and serves as the NGINX reverse proxy configuration for the CVEScan Web application.
For production environments, you will need to configure a domain name and enable SSL/TLS to ensure secure communication between clients and the server.
To set up SSL/TLS, update the nginx.conf file with your domain name and the paths to your SSL certificate and key. Please refer to the NGINX documentation for detailed instructions.
The provided nginx.conf file includes lines with comments beginning with # TODO. These lines require customization to match your specific environment configuration.
Important
The provided nginx.conf file grants access to all Keycloak endpoints including the admin console. However, for security reasons, it is highly recommended to restrict access to the Keycloak admin console to specific IP addresses or networks.
Please refer to the Keycloak documentation for guidance on which endpoints should be exposed, and consult the NGINX access module documentation for instructions on configuring access controls.
Local setup
If you want to test the application locally, you can replace the content of the nginx.conf file with the following minimal configuration. This configuration is suitable for local development and testing purposes, allowing you to run the application without a domain name or SSL/TLS. However, please note that this configuration is not secure and should NEVER be used in production environments. It is intended for local testing only.
server {
listen 80;
server_name localhost;
location /webui/ {
proxy_pass http://webui:80/webui/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
location /api/ {
proxy_pass http://api:3100/api/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
location /auth/ {
proxy_pass http://keycloak:8080/auth/;
proxy_buffer_size 32k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
#? Redirect /webui and / to /webui/
location = /webui {
return 301 /webui/;
}
location = / {
return 301 /webui/;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
Not using Keycloak as the identity provider
CVEScan supports using Okta and Microsoft Entra ID as alternatives to Keycloak for authentication.
If you are not using Keycloak, please remove the location /auth/ block from nginx.conf.
3. Setting Up Environment Variables
CVEScan Web relies on environment variables for its configuration. To set these up, create a .env file in the root of your project and add the variables listed below. Docker Compose will use this file to configure the application services.
COMPOSE_PROJECT_NAME=cvescan_web
# This is an intermediary variable used to build other environment variables to avoid repetition:
CVESCAN_HOST="https://your_domain_name" # Specify the protocol and don't end with /
CVESCAN_DB_ADMIN_USER="postgres"
CVESCAN_DB_ADMIN_PASSWORD="CHANGE_ME"
CVESCAN_API_EXPOSE_SWAGGER=false # Default: false
CVESCAN_API_DB_NAME="cvescan_api"
CVESCAN_API_DB_USER="cvescan_api_user"
CVESCAN_API_DB_PASSWORD="CHANGE_ME"
CVESCAN_API_ADMIN_EMAIL="CHANGE_ME"
CVESCAN_API_ADMIN_PASSWORD="CHANGE_ME"
CVESCAN_WEBUI_HOST_URL="${CVESCAN_HOST}" # don't end with /
# authentication
CVESCAN_KEYCLOAK_DB_NAME="cvescan_keycloak"
CVESCAN_KEYCLOAK_DB_USER="cvescan_keycloak_user"
CVESCAN_KEYCLOAK_DB_PASSWORD="CHANGE_ME"
CVESCAN_KEYCLOAK_ADMIN="CHANGE_ME"
CVESCAN_KEYCLOAK_ADMIN_PASSWORD="CHANGE_ME"
CVESCAN_KEYCLOAK_HOST="${CVESCAN_HOST}" # don't end with /
CVESCAN_KEYCLOAK_REALM="cvescan"
CVESCAN_JWT_AUDIENCE="cvescan_web"
Important
- Please replace all
CHANGE_MEvalues before running the application. These values are critical for the security and functionality of the system. - All admin credentials specified in the
.envfile like theCVESCAN_API_ADMIN_EMAIL,CVESCAN_API_ADMIN_PASSWORD,CVESCAN_KEYCLOAK_ADMIN,CVESCAN_KEYCLOAK_ADMIN_PASSWORDand DB users and passwords are used only on the first run of the application. Changing these values after the initial setup will have no effect. - You can optionally set
CVESCAN_DB_CA_B64to pass a Base64-encoded CA certificate for the API database TLS connection. This variable is read only by the API service. In most deployments, an external SSO is used as the identity provider. If you use Keycloak instead and need TLS for its database connection, additional Keycloak configuration is required and is not covered in this guide.
Note
- The
CVESCAN_HOSTvariable is used to set the base URL for the API, Keycloak and the WebUI. Make sure to replaceyour_domain_namewith your actual domain name. - The
CVESCAN_API_EXPOSE_SWAGGERvariable is used to enable or disable exposing the openapi documentation for the API service. By default, it is set tofalse. If you want to expose the API documentation, set it totrue. The API documentation will be available at the/api/openapiendpoint. - The
CVESCAN_API_ADMIN_EMAILandCVESCAN_API_ADMIN_PASSWORDvariables are used to create the initialsystem adminuser for the API server. You will use these credentials to log in to the WebUI and manage the application. - The
CVESCAN_KEYCLOAK_ADMINandCVESCAN_KEYCLOAK_ADMIN_PASSWORDvariables are used to create the initial Keycloak admin user. This user will be used to access the Keycloak admin console.
Not using Keycloak as the identity provider
Notes:
- CVEScan does not manage non keycloak users. This means that creating, editing or deleting users in CVEScan will not impact their account in the identity provider.
- CVEScan does not grant access to every user registered in the identity provider. A system administrator must add authorized users and assign them roles from the users page at
https://your_domain_name/webui/-/users.
If you want to use Okta or Microsoft Entra ID instead of Keycloak, follow the subsection for your provider as described below.
Okta
-
Register an Application
Create an application in Okta by navigating to the Applications section and clicking on "Create App Integration". Configure the application with the following settings:
Setting Value Sign-in method OIDC - OpenID Connect Application type Single Page Application App integration name Provide a name for your application (e.g. "CVEScan Web") Grant type Authorization code & Refresh token Sign-in redirect URI https://your_cvescan_domain_name/webui/loginSign-out redirect URI https://your_cvescan_domain_name/webui/loginAssignments (Controlled access) Configure this the way it suits your needs -
Register an Authorization Server
Create an Authorization Server in Okta by navigating to the API section under Security and clicking on "Add Authorization Server". Configure the Authorization Server with the following settings:
Setting Value Name Provide a name for your application (e.g. "CVEScan Web API") Audience Provide a meaningful unique audience for the authorization server (e.g. "cvescan_web" or the URL of CVEScan API) Description Provide a description for the authorization server (e.g. "Authorization server for CVEScan Web") Once the Authorization Server is created, navigate to the Access policies section and click on "Add Access Policy". Configure the access policy with the following settings:
Setting Value Name Provide a name for your access policy (e.g. "CVEScan Web Policy") Description Provide a description for your access policy (e.g. "Access policy for CVEScan Web") Assign to Choose "The following clients" and type the name of the application you created in the previous step After creating the access policy, a rule must be created using the "Add Rule" button.
Setting Value Rule name Provide a name for your rule (e.g. "CVEScan Web Rule") Grant type Authorization code User is You can opt for "Any user assigned the app" and manage the users from the application settings Scopes requested The following scopes: openid,emailandoffline_access -
Edit the
.envfile- Set
CVESCAN_API_ADMIN_EMAILto the email address of the user who will be the initial system administrator. - Remove
CVESCAN_API_ADMIN_PASSWORDfrom your.envfile, as it is not needed. The initial admin will log in using their Okta account (with the email specified above). - Replace the entire authentication section in your .env file with the values below, and substitute CHANGE_ME with the corresponding values (all values can be found in the Okta Applications and API pages):
# authentication CVESCAN_API_IDP="okta" CVESCAN_OKTA_CLIENT_ID="CHANGE_ME" # Client ID of the Okta application created in step 1 CVESCAN_OKTA_AUTH_SERVER_ISSUER_URI="CHANGE_ME" # The issuer URI of the authorization server created in step 2 CVESCAN_JWT_AUDIENCE="CHANGE_ME" # The audience value from the authorization server created in step 2 CVESCAN_JWT_ISSUER="${CVESCAN_OKTA_AUTH_SERVER_ISSUER_URI}" # no need to change this CVESCAN_JWT_CLIENT_ID="${CVESCAN_OKTA_CLIENT_ID}" # no need to change this CVESCAN_JWKS_URL="${CVESCAN_OKTA_AUTH_SERVER_ISSUER_URI}/v1/keys" # no need to change this - Set
Microsoft Entra ID
-
Register the application in Entra ID
-
Edit the
.envfile- Set
CVESCAN_API_ADMIN_EMAILto the email address of the user who will be the initial system administrator. - Remove
CVESCAN_API_ADMIN_PASSWORDfrom your.envfile, as it is not needed. The initial admin will log in using their Microsoft account (with the email specified above). - Replace the entire authentication section in your .env file with the values below, and substitute CHANGE_ME with the corresponding values from your Entra ID application:
# authentication CVESCAN_API_IDP="entra-id" CVESCAN_ENTRA_ID_TENANT_ID="CHANGE_ME" # Tenant ID of your Entra ID application CVESCAN_ENTRA_ID_CLIENT_ID="CHANGE_ME" # Client ID of your Entra ID application CVESCAN_ENTRA_ID_TENANT_URL="https://login.microsoftonline.com/${CVESCAN_ENTRA_ID_TENANT_ID}" CVESCAN_JWT_AUDIENCE="${CVESCAN_ENTRA_ID_CLIENT_ID}" CVESCAN_JWT_ISSUER="${CVESCAN_ENTRA_ID_TENANT_URL}/v2.0" CVESCAN_JWT_CLIENT_ID="${CVESCAN_ENTRA_ID_CLIENT_ID}" CVESCAN_JWKS_URL="${CVESCAN_ENTRA_ID_TENANT_URL}/discovery/v2.0/keys" - Set
Local setup
If you want to test the application locally, please set the CVESCAN_HOST variable to http://localhost
Max incoming request body size
In addition to NGINX's client_max_body_size setting, the API server enforces its own maximum on incoming request body size: 200mb by default, measured after decompression. To change this value, set the CVESCAN_API_INCOMING_REQUEST_MAX_BODY_SIZE environment variable using a numeric value followed by kb, mb, or gb (e.g. 100mb, 200mb, 1gb).
4. Setting Up Optional Features
In addition to its core features, CVEScan offers optional (non-essential) features that can be enabled as needed.
Currently, the only available optional feature is the Jira integration. For detailed instructions on how to enable it, please refer to the Jira Integration Installation Guide.
5. Setting Up Docker Volumes
Inside the docker-compose.yml file, you will find a number of volumes defined for the services. These volumes are used to persist data across container restarts and to share data between the host and the containers or the containers themselves.
While the docker-compose.yml file already defines all the necessary volumes, you may want to customize the volumes paths to suit your environment. For example, you may change the paths to store the data in a specific directory on your host machine. You can refer to the Docker compose volumes documentation for more information on how to configure volumes.
6. Starting Services
Once all configurations steps are complete, you can start all services using Docker Compose. Depending on your access to the CVEScan Web repository, you can either build the images from source code or use pre-built images from the registry.
-
Building from source code: If you want to build the images from source code, you can use one of the following commands:
- If you are using Keycloak as the identity provider, you can use the following command:
- If you are not using Keycloak as the identity provider (e.g. Okta or Microsoft Entra ID), you can use the following command:
-
Using pre-built images: If you want to use the pre-built images, you will need to add the following variables to the
.envfile:CVESCAN_REGISTRY=registry.gitlab.com/witekio/rnd/theembeddedkit/cvescan/cvescan-web CVESCAN_IMAGE_TAG=2.5.0 # You can change this to the desired version tag available in the registryThen login to the registry using:
You will be prompted for your GitLab credentials. As your repository access is managed through an access token, you may enter any value for the username, but you must provide your personal access token as the password to authenticate successfully.
Then you can start the services using one of the following commands:
- If you are using Keycloak as the identity provider, you can use the following command:
- If you are not using Keycloak as the identity provider (e.g. Okta or Microsoft Entra ID), you can use the following command:
Please be patient as this process may take some time, especially if it is the first time you are running the application. You need to wait until you see the api service logs indicating:
Info
- You will see some warnings in the logs related to the Keycloak service, stating the detection of a non-secure context. This is expected as the API service is communicating directly with Keycloak over HTTP within the Docker network as illustrated in the services overview.
- The provided
docker-compose.ymlfile is configured to automatically restart the services in case of failure or Docker daemon restart. This is done using therestart: alwaysdirective in thedocker-compose.ymlfile. - The provided
docker-compose.ymlfile is configured so that the database is not accessible from outside the compose network. If you want to access the database from outside the compose network, you will need to expose the database port in thedocker-compose.ymland add thecvescan-externalnetwork to the database service. Another possibility is to adapt the NGINX configuration to proxy the database requests.
Important
Although the Keycloak Configurator is designed to apply an effective configuration on the first deployment, you may need to manually adjust more advanced settings in Keycloak, such as configuring OTP (One-Time Password) for two-factor authentication, setting up identity federation for external identity providers, or adding a brute-force protection policy. These configurations are not handled by the Keycloak Configurator as they can vary significantly based on your specific security requirements and deployment context.
For more information on these advanced configurations, refer to the Keycloak documentation.
Depending on your domain name, the protocol you are using (HTTP/HTTPS), the NGINX configuration, and the CVESCAN_API_EXPOSE_SWAGGER environment variable value, you can access the services at:
- WebUI:
(protocol)://(domain_name)/webui - API documentation (if exposed):
(protocol)://(domain_name)/api/openapi - Keycloak Admin Console (if exposed):
(protocol)://(domain_name)/auth/admin/
For example, if you are using HTTP and you are running the application on your local machine with the domain name localhost, you can access the services at:
- WebUI: http://localhost/webui
- API documentation (if exposed): http://localhost/api/openapi
- Keycloak Admin Console (if exposed): http://localhost/auth/admin/
7. Setting Up Runners (optional)
Your CVEScan Web instance is up and running. You can already manage vulnerabilities by importing scan reports through the WebUI or the HTTP API. To go further and let CVEScan Web run the scans for you, on a schedule or on demand via the WebUI or the HTTP API, install one or more runners by following the Setting Up Runners guide.