VulnForge
Container security insights for your homelab
What is VulnForge?
VulnForge is a self-hosted dashboard that keeps homelab operators on top of container security. It combines Trivy, Docker Bench, Dockle, and Dive to surface vulnerabilities, configuration drift, and image hygiene issues in one place, all without relying on external SaaS services.
The project focuses on reliability and clarity for home environments: simple deployment, a lightweight SQLite datastore, ntfy notifications, offline-friendly scanners, and tooling that explains what to fix next. Whether you are running a single-node lab or a rack of services, VulnForge turns nightly scans into actionable chores instead of noisy reports.
Technology Stack
Backend
- Python 3.14 + FastAPI + Granian ASGI server
- SQLAlchemy 2.x + aiosqlite with WAL mode
- Docker SDK, APScheduler, and Pydantic 2.x
- Trivy, Docker Bench, Dockle, Dive integrations
- ntfy notifications and CISA KEV enrichment
Frontend
- React 19 + TypeScript 5.9 with Vite 7
- TanStack Query for server state and caching
- React Router v7 single-page navigation
- Tailwind CSS 4 + Zod schema validation
- Recharts, Lucide icons, and Sonner toasts
Version History
Track the evolution of VulnForge through its version releases. Each release includes new features, improvements, and bug fixes.
v3.3.0 2025-11-28
Added
- **Multi-Service Notification System** - Expanded notification support beyond ntfy to 7 services
  - ntfy (existing, refactored to new architecture)
  - Gotify push notifications with priority mapping
  - Pushover with emergency priority support
  - Slack webhook integration with attachments
  - Discord webhook integration with embeds
  - Telegram bot API with HTML formatting
  - Email via SMTP with TLS support
- **Notification Dispatcher** - Centralized event routing with priority-based retry logic
  - Service-specific retry delay multipliers (Discord/Slack more conservative)
  - High-priority events (urgent/high) get automatic retry on failure
  - Lower-priority events use single-attempt delivery
- **Frontend Notification UI** - Complete settings interface for all 7 services
  - Service sub-tabs with enabled indicators
  - Per-service configuration forms with test buttons
  - Event notification toggles organized by category
  - Expandable/collapsible event groups
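The dispatcher behaviour described above (priority decides whether an event is retried, and each service scales the backoff with its own multiplier) can be shown in a few dozen lines. The block below is an added illustration written for this page, not VulnForge's own `NotificationDispatcher`; the attempt counts, the multipliers, the base delay, the event-to-priority table and the `make_flaky_sender` transport stub are all constructed assumptions chosen to match the changelog's description.

```python
"""Priority-based notification dispatch with per-service retry backoff.

Added illustration, not VulnForge's own NotificationDispatcher. All numbers
(attempt counts, multipliers, base delay) and the event-to-priority table are
constructed assumptions that follow the behaviour the changelog describes.
"""
from dataclasses import dataclass, field
from typing import Callable

# Assumption: urgent/high events retry, default/low events are single-attempt.
MAX_ATTEMPTS = {"urgent": 3, "high": 3, "default": 1, "low": 1}

# Assumption: Discord and Slack back off twice as slowly as the other services.
RETRY_DELAY_MULTIPLIER = {
    "ntfy": 1.0, "gotify": 1.0, "pushover": 1.0, "telegram": 1.0,
    "email": 1.5, "slack": 2.0, "discord": 2.0,
}
BASE_DELAY_SECONDS = 2.0

# Assumption: constructed event-type -> priority mapping.
EVENT_PRIORITY = {
    "kev_match": "urgent",
    "scan_failed": "high",
    "critical_cve": "high",
    "scan_complete": "default",
    "backup_complete": "low",
}


@dataclass
class DeliveryResult:
    service: str
    delivered: bool = False
    attempts: int = 0
    delays: list[float] = field(default_factory=list)  # sleeps taken between attempts


def retry_delay(service: str, attempt: int) -> float:
    """Exponential backoff scaled by the service multiplier; attempt is 1-based."""
    return BASE_DELAY_SECONDS * (2 ** (attempt - 1)) * RETRY_DELAY_MULTIPLIER.get(service, 1.0)


def dispatch(event_type: str, message: str,
             senders: dict[str, Callable[[str], None]],
             sleep: Callable[[float], None] = lambda _s: None) -> list[DeliveryResult]:
    """Send one event to every enabled service, retrying only when its priority allows.

    `senders` maps service name -> transport callable. `sleep` is injectable so the
    backoff schedule can be inspected (or tested) without actually waiting.
    """
    priority = EVENT_PRIORITY.get(event_type, "default")
    max_attempts = MAX_ATTEMPTS[priority]
    results: list[DeliveryResult] = []
    for service, send in senders.items():
        result = DeliveryResult(service=service)
        for attempt in range(1, max_attempts + 1):
            result.attempts = attempt
            try:
                send(message)
                result.delivered = True
                break
            except (ConnectionError, TimeoutError):
                # Transport-level failure: back off and retry if this priority allows it.
                if attempt < max_attempts:
                    delay = retry_delay(service, attempt)
                    result.delays.append(delay)
                    sleep(delay)
        results.append(result)
    return results


def make_flaky_sender(failures_before_success: int) -> Callable[[str], None]:
    """Constructed transport stub: raises ConnectionError N times, then succeeds."""
    calls = {"n": 0}

    def send(_message: str) -> None:
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise ConnectionError(f"simulated outage (call {calls['n']})")

    return send


if __name__ == "__main__":
    senders = {"discord": make_flaky_sender(2), "ntfy": make_flaky_sender(2)}
    for r in dispatch("kev_match", "constructed: KEV-listed CVE found in container web", senders):
        print(r)
```

With two flaky transports, an urgent event is delivered on the third attempt to both, but Discord waits 4 s then 8 s between attempts while ntfy waits 2 s then 4 s; a low-priority event on the same flaky transport fails after its single attempt and is never retried.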
Changed
- **Notification Architecture** - Migrated from single NtfyService to NotificationDispatcher
  - All notification call sites updated to use dispatcher
  - Existing ntfy settings preserved (backward compatible)
  - Event types mapped to priority levels and tags
v3.2.0 2025-11-26
Changed
- **Error Handling Standardization** - Comprehensive error handling improvements across backend and frontend
  - Replaced generic `except Exception` handlers with specific exception types in API endpoints
  - Added specific handlers for `TimeoutError`, `PermissionError`, `ConnectionError`, and `OSError`
  - Backend now returns structured error responses with `detail`, `suggestions`, and `is_retryable` fields
  - All remaining generic handlers in API layer documented with `# INTENTIONAL:` comments
  - Integrated `ScanErrorClassifier` for user-friendly scan error messages
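The shape of this change, specific exception handlers that produce a structured body with `detail`, `suggestions` and `is_retryable`, is easiest to see in a small standalone classifier. The following is an added example for this page, not VulnForge's `ScanErrorClassifier` or its API layer; the status codes, messages and suggestion strings are constructed assumptions, and it deliberately avoids a web framework so it runs on its own.

```python
"""Structured, retryable-aware error payloads for scan failures.

Added illustration, not VulnForge's ScanErrorClassifier. Status codes,
messages and suggestion text are constructed assumptions.
"""
from dataclasses import dataclass, asdict, field
from typing import Callable


@dataclass
class ErrorResponse:
    status_code: int
    detail: str
    is_retryable: bool
    suggestions: list[str] = field(default_factory=list)

    def body(self) -> dict:
        """JSON body a client receives; the status code travels in the HTTP status line."""
        return {k: v for k, v in asdict(self).items() if k != "status_code"}


def classify_scan_error(exc: BaseException, container: str) -> ErrorResponse:
    """Map an exception raised during a scan to a structured response.

    Order matters: TimeoutError and ConnectionError are subclasses of OSError,
    so they must be tested before the generic OSError branch.
    """
    if isinstance(exc, TimeoutError):
        return ErrorResponse(504, f"Scan of '{container}' timed out", True,
                             ["Raise scan_timeout in Settings",
                              "Retry when the host is less busy"])
    if isinstance(exc, PermissionError):
        return ErrorResponse(403, f"Permission denied while scanning '{container}'", False,
                             ["Check that the VulnForge user can access the Docker endpoint "
                              "configured in DOCKER_HOST"])
    if isinstance(exc, ConnectionError):
        return ErrorResponse(503, f"Could not reach the Docker daemon while scanning '{container}'",
                             True, ["Verify DOCKER_HOST", "Confirm the Docker daemon is running"])
    if isinstance(exc, OSError):
        return ErrorResponse(500, f"OS error while scanning '{container}': {exc}", False,
                             ["Check free disk space and the scanner cache directory"])
    # INTENTIONAL: last-resort branch so an unexpected exception type still yields a
    # structured body with guidance instead of a bare 500.
    return ErrorResponse(500, f"Unexpected {type(exc).__name__} while scanning '{container}'",
                         False, ["Check the backend logs for a traceback"])


def run_scan(container: str, scanner: Callable[[str], list]) -> tuple[int, dict]:
    """Call `scanner(container)` and return the (status, body) the API layer would emit."""
    try:
        return 200, {"container": container, "findings": scanner(container)}
    except (TimeoutError, PermissionError, ConnectionError, OSError) as exc:
        resp = classify_scan_error(exc, container)
        return resp.status_code, resp.body()
    except Exception as exc:  # INTENTIONAL: keep the response structured for unforeseen failures
        resp = classify_scan_error(exc, container)
        return resp.status_code, resp.body()


if __name__ == "__main__":
    def failing_scanner(_container: str) -> list:
        raise TimeoutError("constructed: trivy did not finish in time")

    print(run_scan("web", failing_scanner))
```

Two details worth noticing: `ConnectionRefusedError` is matched by the `ConnectionError` branch (it is a subclass), and a `TimeoutError` is reported as retryable while a `PermissionError` is not, which is exactly the signal a frontend needs to decide whether to offer a retry button.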
Added
- **Frontend Error Handling Utilities**
  - New `errorHandler.ts` with `handleApiError()`, `getStatusMessage()`, `formatErrorDetails()`, `isRetryableError()`
  - New `ApiError` class with typed error properties (`status`, `detail`, `suggestions`, `isRetryable`)
  - Updated all page components and mutations to use new error handling
- **Enhanced ErrorBoundary Component**
  - Dev/prod mode toggle for technical details (auto-expanded in dev mode)
  - "Copy Error" button generates shareable error report with timestamp, URL, user agent
  - Displays suggestions from API errors
  - Shows retryable indicator for temporary errors
  - Collapsible stack trace and component stack sections
- **Zod Validation Schemas**
  - New `schemas/shared.ts` with reusable validation helpers (`safeParseInt`, `coerceToNumber`, `cronExpression`, etc.)
  - New `schemas/settings.ts` with settings-specific validators and `parseSettingInt()` helper
Fixed
- **Safe Integer Parsing in Settings** - Replaced 12 unsafe `parseInt()` calls with `parseSettingInt()`
  - Prevents NaN values from invalid input in settings fields
  - Affected fields: scan_timeout, parallel_scans, notification thresholds, data retention, KEV cache hours, scanner offline resilience settings
  - All numeric settings now have proper default value fallbacks
v3.1.0 2025-11-26
Added
- **Light/Dark Theme Support** - New theming system with light mode as default
  - `ThemeContext.tsx` for theme state management
  - Dual persistence: localStorage (instant) + backend API (cross-device)
  - FOUC prevention script in `index.html`
  - Theme toggle in Settings with Sun/Moon icons
  - CSS custom properties via Tailwind v4 `@theme` directive
- **CVE Delta Tracking** - Track CVE changes between scans for TideWatch integration
  - New `cves_fixed` and `cves_introduced` columns in scans table
  - Automatic delta calculation comparing current scan to previous
  - New API endpoint: `GET /api/v1/scans/cve-delta`
  - Supports filtering by time range and container name
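The delta calculation behind `cves_fixed` and `cves_introduced` is a set difference between the CVE identifiers of a container's current scan and its most recent earlier scan, plus the filtering the endpoint exposes. The block below is an added example for this page, not VulnForge's own code: the `Finding`/`ScanRecord` shapes, the sample scans and their `CVE-0000-000x` identifiers are constructed, and treating a container's first scan as a baseline with empty deltas is an assumption the page does not state.

```python
"""cves_fixed / cves_introduced between consecutive scans of one container.

Added illustration, not VulnForge's own delta code. Record shapes, scans and
CVE IDs are constructed; the "first scan is a baseline" rule is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve_id: str
    package: str
    severity: str


@dataclass
class ScanRecord:
    container: str
    scanned_at: datetime
    findings: list[Finding]
    cves_fixed: list[str] = field(default_factory=list)       # filled in by compute_delta
    cves_introduced: list[str] = field(default_factory=list)


def cve_ids(scan: ScanRecord) -> set[str]:
    """Distinct CVE IDs in a scan. A CVE present in several packages counts once and is
    only 'fixed' once it is gone from every package."""
    return {f.cve_id for f in scan.findings}


def cve_delta(current: ScanRecord, previous: Optional[ScanRecord]) -> tuple[list[str], list[str]]:
    """Return (fixed, introduced) as sorted CVE ID lists.

    Assumption: with no previous scan there is nothing to diff against, so the
    first scan is treated as a baseline and both lists are empty.
    """
    if previous is None:
        return [], []
    before, after = cve_ids(previous), cve_ids(current)
    return sorted(before - after), sorted(after - before)


def compute_delta(scans: list[ScanRecord], current: ScanRecord) -> ScanRecord:
    """Pick the most recent earlier scan of the same container and store the delta on `current`."""
    earlier = [s for s in scans
               if s.container == current.container and s.scanned_at < current.scanned_at]
    previous = max(earlier, key=lambda s: s.scanned_at, default=None)
    current.cves_fixed, current.cves_introduced = cve_delta(current, previous)
    return current


def deltas(scans: list[ScanRecord], container: Optional[str] = None,
           since: Optional[datetime] = None, until: Optional[datetime] = None) -> list[dict]:
    """Rows an endpoint like GET /api/v1/scans/cve-delta would return, with the
    optional container-name and time-range filters applied."""
    rows = []
    for s in sorted(scans, key=lambda s: s.scanned_at):
        if container and s.container != container:
            continue
        if since and s.scanned_at < since:
            continue
        if until and s.scanned_at > until:
            continue
        rows.append({"container": s.container, "scanned_at": s.scanned_at.isoformat(),
                     "cves_fixed": s.cves_fixed, "cves_introduced": s.cves_introduced})
    return rows


if __name__ == "__main__":
    # Constructed sample scans: one CVE fixed by an openssl update, one new one in curl.
    prev = ScanRecord("web", datetime(2025, 11, 25), [
        Finding("CVE-0000-0001", "openssl", "HIGH"), Finding("CVE-0000-0002", "zlib", "MEDIUM")])
    cur = ScanRecord("web", datetime(2025, 11, 26), [
        Finding("CVE-0000-0002", "zlib", "MEDIUM"), Finding("CVE-0000-0003", "curl", "CRITICAL")])
    compute_delta([prev], cur)
    print(deltas([prev, cur], container="web"))
```

Keying on CVE ID rather than on (CVE, package) keeps the two columns meaningful as trend counters: a CVE that merely moved between packages in one image does not show up as both fixed and introduced in the same scan.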
Changed
- **Larger Header & Navigation** - Improved visual hierarchy
  - App title: `text-xl` → `text-2xl`
  - Nav tabs: `text-sm` → `text-base` with larger padding
  - Shield icon: `w-7` → `w-9`
- **Standardized Button Colors** - All primary buttons now use blue theme
  - Send Test Notification: purple → blue
  - Create Backup: purple → blue
  - Discover Containers: matches Scan All button
- **Docker Connection** - Simplified configuration
  - Now uses `DOCKER_HOST` environment variable from compose
  - Removed Docker Connection card from Settings > System
Fixed
- **Light Mode Visibility** - Fixed text colors throughout UI
  - Replaced hardcoded `text-white` with `text-vuln-text`
  - Active navigation tabs now show white text on blue background
  - Filter badges display correctly in both themes
  - Chart titles and numbers visible in light mode
Removed
- Docker Socket Proxy setting from Settings Manager defaults
v3.0.0 2025-11-15
Changed
- **MAJOR:** Migrated from uvicorn to Granian ASGI server
  - Updated `Dockerfile` to use Granian with single worker configuration
  - Changed logger filter in `backend/app/main.py` from `uvicorn.access` to `granian.access`
  - Granian provides ~15-20% memory reduction and better async handling
  - Rust-based architecture with auto-tuned thread configuration
- **MAJOR:** Migrated from Tailwind CSS v3 to v4
  - Updated PostCSS configuration to use `@tailwindcss/postcss` plugin
  - Migrated CSS imports from `@tailwind` directives to `@import "tailwindcss"`
  - Moved configuration from JavaScript to CSS-based `@theme` directive
  - Custom color theme now defined as CSS custom properties
  - Removed `tailwind.config.ts` (no longer needed in v4)
- **Updated to Python 3.14** - Latest Python release with performance improvements
- **Updated to React 19.2** - Latest React with concurrent features
- Updated backend dependencies to latest stable versions:
  - `fastapi` → 0.121.2
  - `sqlalchemy` → 2.0.44 (improved async support)
  - `pydantic` → 2.12.0 (minor behavior changes in dataclass Field handling)
  - `apscheduler` → 3.11.1
  - `bcrypt` → 5.0.0 (breaking: 72-byte password limit enforced)
- Updated frontend dependencies:
  - `@tanstack/react-query` → 5.90.9
  - `react-router-dom` → 7.9.6
  - `recharts` → 3.4.1
  - `lucide-react` → 0.553.0 (1,647 icons)
  - `sonner` → 2.0.7
  - `tailwind-merge` → 3.4.0 (Tailwind v4 compatible)
  - `typescript` → 5.9.3
  - `eslint` → 9.39.1
Performance
- **79% reduction in initial bundle size** - 885 KB → 187 KB through optimizations
  - Route-based code splitting with React.lazy()
  - Vite manual chunks for vendor bundling
  - Memoization for expensive operations
- **70% reduction in network requests** - React Query staleTime configuration
- **60% faster Time to Interactive** - 2.5s → <1s
- Reduced memory footprint with Granian (159 MiB average)
- Sub-5ms health check response times
Technical Notes
- Single worker required due to stateful APScheduler service
- Granian is fully ASGI-compliant and a drop-in replacement for uvicorn
- Tailwind v4 requires modern browsers (Safari 16.4+, Chrome 111+, Firefox 128+)
- bcrypt v5 raises ValueError for passwords >72 bytes (defensive validation added)
v2.7.0 2025-11-12
Removed
- **Grype vulnerability scanner** - Removed redundant Grype scanner integration
  - Grype provided 100% overlapping functionality with Trivy
  - Removed Grype service and health monitoring
  - Removed Grype API endpoints
  - Removed Grype UI components and settings
  - Removed scanner consensus/comparison features
  - Streamlined to Trivy-only vulnerability scanning
- **Scanner consensus logic** - No longer needed with single scanner
Added
- **CHANGELOG.md** - Version history tracking in Keep a Changelog format
- **README.md** - Project documentation with quick start guide
Changed
- **Simplified vulnerability scanning** - Now using Trivy exclusively
  - Faster scan times (eliminated dual-scanner overhead)
  - Cleaner codebase with reduced complexity
  - All vulnerabilities marked with `scanner="trivy"`
- **Updated Scanner Statistics UI** - Replaced scanner comparison chart with Trivy severity breakdown
- **Updated dev-sop.md** - Added TypeScript type checking to pre-commit checklist
Fixed
- **Frontend build script** - Removed `tsc &&` prefix from build command
  - Prevents TypeScript strict checking from blocking CI/CD builds
  - Follows dev-sop standards for build pipeline
  - Type checking should be done via linting, not build gates
v2.6.0 2025-11-XX
Features (Inherited)
- Trivy vulnerability scanning with KEV tagging
- Grype vulnerability scanning (now removed in v2.7)
- Docker Bench compliance scanning
- Dockle image linting
- Dive layer efficiency analysis
- Real-time scan progress with SSE
- False positive pattern management
- CISA KEV integration
- ntfy notification system
- Activity logging
- SQLite WAL persistence
- Responsive dashboard
- Secret scanning with triage workflow
Key Features
Scanning & Detection
- Trivy vulnerability scanning with CISA KEV tagging, CVSS scoring, and per-container history
- Secret detection workflow with false-positive triage and accepted-risk tracking
- Real-time SSE scan progress, retry controls, and classified error guidance for every job
Compliance & Image Hygiene
- Docker Bench scheduling with weekly reports, CSV export, and historical trend charts
- Dockle image compliance dashboard with on-demand scans and remediation tips
- Dive integration for layer efficiency analysis and wasted-byte insights per image
Automation for Homelabs
- Cron-style scheduling, automatic container discovery, and image batch scanning
- Multi-service notifications (ntfy, Gotify, Pushover, Slack, Discord, Telegram, Email) with priority-based routing
- Offline resilience with cached scanner databases and intelligent fallbacks
Data & Workflow
- SQLite WAL persistence with backup/restore, download, and safety snapshots
- CSV exports, drill-down findings, and timeline of homelab activity
- Responsive dashboard widgets tuned for desktop dashboards and tablet control rooms
Dashboard & Insights
Visual Analytics
7 interactive Recharts including severity distribution, fixable vs non-fixable comparison, top vulnerable containers, and scan & remediation trends
Remediation Groups
Package-based grouping showing which updates fix multiple CVEs with impact visualization and severity breakdowns
Real-time Progress
Live streaming scan updates over Server-Sent Events with container-level feedback and auto-refresh when scans complete
Homepage Widgets
Four API endpoints for Homepage dashboard integration: summary, critical focus, top containers, and remediation actions
Use Cases
Vulnerability Management
Scan 50-60+ Docker containers, prioritize fixable vulnerabilities, and track remediation progress with historical trends
Compliance Monitoring
Weekly Docker Bench reports for CIS benchmark compliance with pass/fail breakdowns and Dockle image hygiene checks
Automated Scanning
Cron-based scheduled scans with multi-service notifications, container discovery, and intelligent retry controls for failed jobs
Secret Detection
Identify exposed secrets in containers with triage workflow for false positives and accepted-risk tracking
Screenshots
Dashboard
At-a-glance security posture with severity breakdown, scan trends, KEV alerts, and remediation priorities.
Containers
All running containers with vulnerability counts, last scan time, and quick-scan controls.
Container Overview
Individual container detail with image info, vulnerability summary, and navigation to detailed findings.
Container Vulnerabilities
Detailed CVE listing with severity, CVSS scores, fix versions, and KEV tagging for exploited vulnerabilities.
Scan History
Historical scan results with trend visualization showing vulnerability counts over time.
Secret Detection
Exposed secrets found in container images with triage workflow for false positives and accepted risks.
Docker Bench Compliance
CIS Docker Benchmark compliance checks with pass/fail breakdown and historical trends.