Vulnerability Assessment & Management Tool
Jackhammer is a collaboration tool built with an aim of bridging the gap between Security team vs dev team , QA team and being a facilitator for TPM to understand and track the quality of the code going into production. It could do static code analysis and dynamic analysis with inbuilt vulnerability management capability. It finds security vulnerabilities in the target applications and it helps security teams to manage the chaos in this new age of continuous integration and continuous/multiple deployments.
It completely works on RBAC (Role Based Access Control). There are cool dashboards for individual scans and team scans giving ample flexibility to collaborate with different teams. It is totally built on pluggable architecture which can be integrated with any open source/commercial tool.
Jackhammer uses the OWASP pipeline project to run multiple open source and commercial tools against your code,webapp, mobile app, cms (wordpress), network.
Key Features:
Provides unified interface to collaborate on findings
Scanning (code) can be done for all code management repositories
Scheduling of scans based on intervals # daily, weekly, monthly
Advanced false positive filtering
Publish vulnerabilities to bug tracking systems
Keep a tab on statistics and vulnerability trends in your applications
Integrates with majority of open source and commercial scanning tools
Users and Roles management giving greater control
Configurable severity levels on list of findings across the applications
Built-in vulnerability status progression
Easy to use filters to review targetted sets from tons of vulnerabilities
Asynchronous scanning (via sidekiq) that scale
Seamless Vulnerability Management
Track statistics and graph security trends in your applications
Easily integrates with a variety of open source, commercial and custom scanning tools
Supported Vulnerability Scanners :
Static Analysis:
Brakeman
Bundler-Audit
Checkmarx**
Dawnscanner
FindSecurityBugs
Xanitizer*
NodeSecurityProject
PMD
Retire.js* license required** commercial license required
Finding hardcoded secrets/tokens/creds:
Trufflehog (Slightly modified/extended for better result and integration as of May 2017)
Webapp:
Arachni
Mobile App:
Androbugs (Slightly modified/extended for better result and integration as of May 2017)
Androguard (Slightly modified/extended for better result and integration as of May 2017)
WordPress:
WPScan (Slightly modified/extended for better result and integration as of May 2017)
Network:
Nmap
Adding Custom (other open source/commercial /personal) Scanners:
You can add any scanner to jackhammer within 10-30 minutes.
Default credentials:
username: admin@admin.com
password: admin@admin.com
Demo
Docs
Download