Intro

Modern organisations no longer "own" most of their code — they assemble it from:

  • Open-source libraries (often 70–90% of codebases)
  • Third-party components
  • CI/CD pipelines
  • SaaS / APIs

This creates a software supply chain attack surface.

Result:

  • ~30% of breaches now involve supply chain vectors
  • 70%+ of orgs experienced at least one supply chain incident
  • Attacks are doubling in frequency and becoming systemic

Conclusion: Without automated vulnerability assessment (SCA + dependency analysis), you are blind to one of the fastest-growing attack paths.

Direct Impact

  • Data breach costs (regulatory, legal)
  • Incident response + recovery
  • Ransomware/extortion

Indirect Impact

  • Loss of customer trust
  • Operational downtime
  • Compliance violations (ISO 27001, SOC2, etc.)

Strategic Risk

  • Third-party compromise → you are liable
  • Increasing regulatory scrutiny on supply chain (SBOM requirements emerging)

In previous articles we highlighted:

  • SBOM (Software Bill of Materials) is a critical document that lists the components used in building a software application, including libraries, frameworks, and dependencies.
  • The need for a Comprehensive Vulnerability Scanning tool once SBOM is built.

SOCFortress AppVa Overview

SOCFortress appva (Application Vulnerability Assessment) is a containerized SBOM tool and application vulnerability scanner. It leverages Syft for Software Bill of Materials (SBOM) generation and Grype for vulnerability scanning against known CVE databases.

Licensing

Free Tier vs. Licensed

All features are available on the free tier. The only restriction is the number of repositories that can be configured simultaneously.

Installation

appva is deployed exclusively via Docker. The container image bundles all dependencies (Python, Syft, Grype, WeasyPrint).

Requirements

· Docker and Docker Compose

Quick Start

# Clone this repository
git clone https://github.com/socfortress/appva-deploy.git
cd appva-deploy
# Set the initial admin password
export APPVA_ADMIN_PASSWORD=your_secure_password
# If this variable is not set, a random password is generated and printed to the container logs on first launch.
# Build and start
docker compose up -d

The web UI will be available at https://0.0.0.0:8443. Log in with username admin and the password you set.

Getting Started

1. Deploy with Docker

Follow the Installation steps to start the container. On first launch, an admin user is created automatically. Set the password via the environment variable, or check the container logs for the auto-generated password.

On first login you will be prompted to:

  1. Change your password
  2. Enrol in TOTP two-factor authentication (use any authenticator app — Google Authenticator, Authy, 1Password, etc.)

Roles & Permissions

2. Add a Repository

Go to Repositories and create a new repository. Choose from three source types:

· GitHub — Provide an HTTPS repository URL and optional branch/token

· Upload — Upload a ZIP archive containing your application source code

· Docker — Specify a Docker image name or upload a .tar/.tar.gz archive

3. Run a Scan

Go to Scan, select a repository from the dropdown, and click Trigger Scan. The real-time console will stream scan progress as it runs.

Scan Workflow

Each scan follows a four-phase pipeline. Progress is streamed in real time via Server-Sent Events (SSE) to the scan console.

View Results

Check Results for a full breakdown of SBOM components and vulnerability details. Use the search bar to filter by CVE, package name, or severity.

Remediation tracking

Track and manage vulnerability remediation across repositories.

Web UI Guide

Dashboard

The dashboard provides an at-a-glance overview of your appva instance with aggregate statistics (total repositories, scans, components, vulnerabilities) and interactive chart visualizations. Use the scan selector dropdown to view charts for a specific scan.

· Vulnerability Severity — Doughnut chart showing Critical/High/Medium/Low/Negligible distribution

· Top Vulnerable Packages — Horizontal bar chart of the most affected packages

· License Distribution — Pie chart of SBOM component licenses

· Repository Overview — Stacked bar chart of vulnerability counts per repository

· Vulnerability Trends — Stacked area chart showing severity counts over time

Repository Management

The Repositories page lists all configured scan targets. Each repository has a source type (GitHub, Upload, or Docker), a name, and optional description. The detail page shows repository metadata and scan history.

· Create, edit, and delete repositories (requires operator or admin role)

· Deleting a repository also removes associated uploaded files from disk

Scanning

The Scan page lets you select a repository and trigger a scan. The real-time console displays log messages as the scan progresses through each phase. Only one scan can run at a time.

Scheduler

The scheduler page lets you define recurring scan schedules for any repository using standard cron expressions. Schedules are checked every 30 seconds by a background thread.

· Create — Select a repository and enter a 5-field cron expression (minute hour day month weekday)

· Toggle — Pause or resume individual schedules without deleting them

· Edit — Update the cron expression inline; the next run time is recalculated automatically

· Delete — Remove a schedule permanently

Scheduled scans appear in the scan history with the trigger label scheduler:<username>. If a scan is already running when a schedule fires, the scheduled scan is skipped until the next interval.
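The scheduler behaviour described above (5-field cron expressions, a periodic check, and skipping a due schedule while another scan is running) can be modelled in a few dozen lines. The following is an added example written for this post, not appva's own scheduler code; it assumes Vixie-cron field semantics (minute hour day month weekday, Sunday as 0 or 7, day-of-month and day-of-week OR-ed when both are restricted) and the single-scan-at-a-time policy the post states. Repository names, owners and timestamps are constructed.

```python
"""Added example (not appva's code): a 5-field cron matcher plus a simulated
scheduler tick that skips due schedules while a scan is already running."""
from datetime import datetime, timedelta


def parse_field(field: str, lo: int, hi: int) -> set[int]:
    """Expand one cron field ('*', '5', '1-5', '*/15', '1,15', '5/10') into a set of ints."""
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {field!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start  # '5/10' means 5, 15, 25, ...
        if not (lo <= start <= end <= hi):
            raise ValueError(f"value out of range in {field!r}")
        values.update(range(start, end + 1, step))
    return values


class CronSchedule:
    """Parsed 5-field cron expression: minute hour day month weekday."""

    def __init__(self, expression: str) -> None:
        fields = expression.split()
        if len(fields) != 5:
            raise ValueError("expected 5 fields: minute hour day month weekday")
        self.expression = expression
        self.minutes = parse_field(fields[0], 0, 59)
        self.hours = parse_field(fields[1], 0, 23)
        self.days = parse_field(fields[2], 1, 31)
        self.months = parse_field(fields[3], 1, 12)
        # 7 is accepted as an alias for Sunday (0)
        self.weekdays = {d % 7 for d in parse_field(fields[4], 0, 7)}
        # Vixie rule: if both day fields are restricted, either one matching is enough
        self.day_unrestricted = fields[2] == "*" or fields[4] == "*"

    def matches(self, t: datetime) -> bool:
        cron_weekday = (t.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
        dom_ok = t.day in self.days
        dow_ok = cron_weekday in self.weekdays
        day_ok = (dom_ok and dow_ok) if self.day_unrestricted else (dom_ok or dow_ok)
        return (t.minute in self.minutes and t.hour in self.hours
                and t.month in self.months and day_ok)

    def next_run(self, after: datetime) -> datetime:
        """First matching minute strictly after `after` (minute-by-minute, bounded to a year)."""
        t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
        limit = t + timedelta(days=366)
        while t < limit:
            if self.matches(t):
                return t
            t += timedelta(minutes=1)
        raise ValueError(f"{self.expression!r} never fires within a year")


class ScanSchedule:
    """One configured schedule: repository, owner (for the scheduler:<username> label), cron."""

    def __init__(self, repo: str, expression: str, owner: str, now: datetime) -> None:
        self.repo = repo
        self.owner = owner
        self.cron = CronSchedule(expression)
        self.enabled = True  # the Toggle action flips this without deleting the schedule
        self.next_run = self.cron.next_run(now)


def scheduler_tick(schedules: list[ScanSchedule], now: datetime, scan_running: bool):
    """One pass of the periodic check. Returns (fired, skipped) lists of
    (repo, trigger label). A due schedule is skipped, and its next run
    recalculated, when a scan is already running."""
    fired, skipped = [], []
    for s in schedules:
        if not s.enabled or now < s.next_run:
            continue
        entry = (s.repo, f"scheduler:{s.owner}")
        (skipped if scan_running else fired).append(entry)
        s.next_run = s.cron.next_run(now)
    return fired, skipped


if __name__ == "__main__":
    # constructed demo: a schedule that fires every 5 minutes
    start = datetime(2024, 1, 1, 0, 0)
    s = ScanSchedule("demo-repo", "*/5 * * * *", "alice", start)
    print("next run:", s.next_run)
    print(scheduler_tick([s], datetime(2024, 1, 1, 0, 5, 10), scan_running=True))
    print(scheduler_tick([s], datetime(2024, 1, 1, 0, 10, 0), scan_running=False))
```

The minute-by-minute search in next_run is deliberately simple; a production scheduler would jump field by field, but the skip-and-recalculate behaviour in scheduler_tick is the part worth understanding when a scheduled scan appears to be "missing" from the history: it was due while another scan held the single slot.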

Notification Channels

Each repository can have one or more notification channels that automatically receive a scan summary (repository name, scan ID, finish time, component count, vulnerability count, and severity breakdown) when a scan completes. Both manual and scheduled scans trigger notifications.

Managing Channels

Navigate to a repository's detail page to manage its notification channels:

· Add — Click "+ Add Channel", choose a type, enter the configuration, and save

· Edit — Click "Edit" on an existing channel to update its name or configuration inline

· Test — Click "Test" to send a sample notification with dummy scan data to verify connectivity

· Enable / Disable — Toggle a channel on or off without removing its configuration

· Remove — Permanently delete a notification channel

A repository can have multiple channels of any type. For example, you can configure both a Teams webhook and a Slack webhook so that a completed scan sends notifications to both platforms simultaneously.

Results

The Results page lists all completed scans with severity badges and component/vulnerability counts. Click a scan to view the detail page with two tabs:

· Vulnerabilities — Table of CVEs with severity, affected package, installed/fix versions, and CVSS score. CVE IDs link to external advisory pages.

· SBOM Components — Full list of detected packages with name, version, type, and licenses

Use the search bar to filter by CVE ID, package name, or severity level.
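To make concrete what the Results table, the search bar and the notification summary are built from, here is an added example (written for this post, not appva's own code) that flattens Grype-style scan output into table rows, computes the severity breakdown and summary fields the Notification Channels section lists, and filters rows the way the search bar does. The JSON sample is constructed, with placeholder CVE identifiers; the field layout (matches[].vulnerability.id, .severity, .fix and matches[].artifact.name, .version, .type) follows Grype's JSON output as the author understands it and is an assumption, as is the component count, which comes from the Syft SBOM rather than the Grype match list.

```python
"""Added example (not appva's code): summarise and filter Grype-style findings."""
import json
from collections import Counter

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed sample in (assumed) Grype JSON layout; CVE ids are placeholders, not real advisories.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "examplelib", "version": "1.2.3", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "examplelib", "version": "1.2.3", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "low",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "otherpkg", "version": "2.0.0", "type": "npm"}},
    ]
})


def load_findings(grype_json: str) -> list[dict]:
    """Flatten Grype matches into rows shaped like the Vulnerabilities tab."""
    rows = []
    for m in json.loads(grype_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix") or {}
        sev = (vuln.get("severity") or "Unknown").capitalize()
        rows.append({
            "cve": vuln["id"],
            "severity": sev if sev in SEVERITY_ORDER else "Unknown",
            "package": art["name"],
            "installed": art["version"],
            "fix_versions": fix.get("versions") or [],
            "fix_state": fix.get("state", "unknown"),
            "type": art.get("type", ""),
        })
    return rows


def severity_breakdown(rows: list[dict]) -> dict:
    """Counts per severity in a fixed order, zero-filled so charts and messages line up."""
    counts = Counter(r["severity"] for r in rows)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def scan_summary(repository: str, scan_id: int, finished_at: str,
                 component_count: int, rows: list[dict]) -> dict:
    """The fields the post says a notification channel receives when a scan completes."""
    return {
        "repository": repository,
        "scan_id": scan_id,
        "finished_at": finished_at,
        "components": component_count,
        "vulnerabilities": len(rows),
        "severity": severity_breakdown(rows),
    }


def render_notification(summary: dict) -> str:
    """Plain-text body of the kind an incoming-webhook channel would carry."""
    sev = ", ".join(f"{k}: {v}" for k, v in summary["severity"].items() if v)
    return (f"appva scan {summary['scan_id']} for {summary['repository']} finished at "
            f"{summary['finished_at']}: {summary['components']} components, "
            f"{summary['vulnerabilities']} vulnerabilities ({sev})")


def filter_findings(rows: list[dict], query: str) -> list[dict]:
    """Search-bar semantics: substring match on CVE id or package name,
    exact (case-insensitive) match on severity, empty query returns everything."""
    q = query.strip().lower()
    if not q:
        return list(rows)
    return [r for r in rows
            if q in r["cve"].lower() or q in r["package"].lower()
            or q == r["severity"].lower()]


if __name__ == "__main__":
    rows = load_findings(SAMPLE_GRYPE_JSON)
    # component count 2 is assumed (examplelib and otherpkg in the constructed sample)
    summary = scan_summary("demo-repo", 42, "2024-01-01T00:00:00Z", 2, rows)
    print(render_notification(summary))
    for r in filter_findings(rows, "critical"):
        print(r["cve"], r["package"], r["installed"], "->", r["fix_versions"] or "no fix")
```

Note that severity strings from scanners are not guaranteed to be consistently cased, which is why load_findings normalises them before counting; a breakdown that silently drops findings whose severity was spelled differently is the kind of reporting bug that hides a Critical.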

PDF Reports

Export scan results as PDF reports from the Results detail page by clicking Download PDF. Reports include a summary card, full vulnerability table with severity badges, and SBOM component list.

Two-Factor Authentication (2FA)

appva supports TOTP-based two-factor authentication using apps like Google Authenticator, Authy, or 1Password.

· Setup: Navigate to Setup 2FA from the login menu. Scan the QR code with your authenticator app and enter the 6-digit code to verify.

· Login flow: After entering your password, you'll be prompted for a 6-digit TOTP code.

· Disable: Admins can reset a user's 2FA from the Users management page.

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html