tpt-security-test
Open-source security assessment and compliance audit platform. Scan, audit, and report for SOC 2, ISO 27001 & HIPAA — CLI + web UI.
TPT Security Platform
An open-source security assessment and compliance audit platform. Scan targets, audit your infrastructure via APIs, browse results in the built-in web UI, and generate HTML/PDF/JSON reports mapped to SOC 2, ISO 27001, and HIPAA controls.
```bash
# Start the web UI + API server
tpt serve
# Run a scan (web UI updates live)
tpt scan example.com --framework soc2,iso27001
# Audit your AWS account
tpt audit --provider aws --framework soc2,hipaa
# Generate a shareable PDF report
tpt report <job-id> --format html,pdf
```
Web UI
tpt serve starts a browser dashboard at http://localhost:4242 — dark-mode, no build step required.
| Dashboard | Job detail | Finding detail |
|-----------|------------|----------------|
| All scan/audit jobs, open finding counts, framework coverage | Severity breakdown, filter by status, full findings table | Expandable evidence, remediation advice, compliance controls, inline status update |
The web UI uses HTMX for live updates (finding details expand inline, status changes save immediately) with Tailwind CSS + DaisyUI for styling.
Features
Scanning (tpt scan)
- Nuclei (embedded SDK) — template-based vulnerability detection
- Naabu — port scanning with compliance-aware severity
- OWASP ZAP — web app scanning via REST API (`--zap-url`)
- TLS inspector — cert expiry, weak ciphers, legacy protocol detection (`--scope tls`)
- Email security — SPF, DKIM, DMARC DNS checks (`--scope email`)
- Gitleaks — hardcoded secrets in source trees (`--secrets-dir`)
- govulncheck / osv-scanner — dependency CVEs (`--deps-dir`)
- Dalfox — active XSS and open redirect detection
File import (tpt import)
- Nessus (`.nessus`), Burp Suite XML, OpenVAS/GVM XML
Internal audit (tpt audit)
| Category | Providers |
|----------|-----------|
| Cloud | AWS · GCP · Azure · DigitalOcean · Hetzner · Cloudflare · Vercel · Supabase · Wasabi · Backblaze |
| Identity | Okta · Azure AD / Entra · Google Workspace · Auth0 · Keycloak · Active Directory / LDAP |
| VCS | GitHub · GitLab · Bitbucket · Gitea / Forgejo |
| Infrastructure | Linux (SSH) · Kubernetes |
Compliance frameworks
- SOC 2 Type II (Trust Services Criteria)
- ISO/IEC 27001:2022 (Annex A)
- HIPAA Security Rule (45 CFR §164.308 / §164.312)
Reporting (tpt report)
- HTML — self-contained, executive summary + control coverage matrix + findings detail
- PDF — go-pdf/fpdf, severity grid, tables
- JSON — machine-readable for compliance platform integrations
- AI-enhanced remediation advice (Anthropic / OpenAI / Grok / OpenRouter) with static fallback
REST API (tpt serve)
- `GET /api/jobs`
- `GET /api/jobs/{id}/findings`
- `GET /api/jobs/{id}/report`
- `PATCH /api/findings/{id}/status` — retest tracking
Installation
From source
```bash
git clone https://github.com/tpt-security/tpt.git
cd tpt
go build -o tpt ./cmd/tpt
./tpt --help
```
Requires Go 1.22+. No CGO — builds on all platforms.
Docker
```bash
docker compose up -d
# API available at http://localhost:4242
```
Quick start
```bash
# Scan a target and map to SOC 2 + ISO 27001
tpt scan example.com --framework soc2,iso27001 --scope web,network,tls
# Import an existing Nessus export
tpt import scan.nessus --framework soc2 --target "Internal network Q1"
# Audit your AWS account
tpt audit --provider aws --aws-profile prod --framework soc2,hipaa
# Audit a self-hosted Keycloak instance
tpt audit --provider keycloak \
  --keycloak-url http://keycloak.internal:8080 \
  --keycloak-realm master \
  --keycloak-token <admin-token>
# Audit a Linux server over SSH
tpt audit --provider linux \
  --linux-host 10.0.0.5:22 \
  --linux-user ubuntu \
  --linux-key ~/.ssh/id_rsa \
  --framework iso27001
# Generate reports (HTML + PDF, with AI enhancement if key is set)
tpt report <job-id> --format html,pdf --output reports/
# Start the REST API server
tpt serve --port 4242
```
AI-enhanced reports
Set any of the following environment variables to enable AI-generated executive summaries and per-finding remediation advice:
```bash
export ANTHROPIC_API_KEY=sk-ant-...   # Claude Haiku (recommended)
export OPENAI_API_KEY=sk-...          # GPT-4o mini
export GROK_API_KEY=...               # Grok 3 mini
export OPENROUTER_API_KEY=...         # Any model via OpenRouter
```
Use --no-ai to disable even when a key is set. Static remediation templates are always used as a fallback.
Supported scan scopes
| Flag value | What it activates |
|------------|-------------------|
| network | Naabu port scan + TLS inspector |
| web | Nuclei + Dalfox |
| api | Nuclei + Dalfox |
| tls | TLS inspector only |
| email | SPF / DKIM / DMARC check |
Nuclei templates
Compliance-focused templates ship with the platform in templates/:
| Template | Framework | What it detects |
|----------|-----------|-----------------|
| soc2/cc6.1-access-controls.yaml | SOC 2 | Access control misconfigurations |
| soc2/cc6.3-broken-auth.yaml | SOC 2 | JWT none-alg, insecure session cookies |
| soc2/cc6.6-cors-misconfig.yaml | SOC 2 | Wildcard / reflective CORS |
| soc2/cc6.7-crypto-transmission.yaml | SOC 2 | Weak TLS, missing HSTS |
| soc2/cc7.1-vulnerability-detection.yaml | SOC 2 | Vulnerability scanning indicators |
| soc2/cc9.2-api-exposure.yaml | SOC 2 | Swagger, GraphQL introspection |
| iso27001/a.5.17-auth-weakness.yaml | ISO 27001 | Default credentials, HTTP Basic |
| iso27001/a.8.8-technical-vulnerabilities.yaml | ISO 27001 | CVE detection |
| iso27001/a.8.9-configuration-management.yaml | ISO 27001 | Misconfiguration detection |
| iso27001/a.8.20-network-exposure.yaml | ISO 27001 | Exposed MongoDB, Redis, Elasticsearch |
| iso27001/a.8.24-cryptography.yaml | ISO 27001 | Crypto weakness |
| iso27001/a.8.25-ssdlc.yaml | ISO 27001 | Debug endpoints, stack traces, .env |
| iso27001/a.8.29-injection.yaml | ISO 27001 | SQLi indicators, SSTI |
Point --template-dir at any Nuclei templates directory to use your own.
Adding custom control mappings
Control mappings live in mappings/ as plain YAML files. The filename (minus .yaml) becomes the framework name. Add a new file to support any custom framework:
```yaml
# mappings/pci-dss.yaml
- category: web
  severity: [critical, high]
  controls:
    - id: "6.4"
      name: Protect web-facing applications against known attacks
      relevance: direct
```
Then use it with --framework pci-dss.
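To show how a mapping file like the one above is applied, here is an added illustrative mapping engine in Python (not tpt's own Go `internal/mapping/` code): it matches findings to controls by category and severity, builds the per-control coverage counts that the reports summarise, and validates the file shape first. The `1.2` entry, the `indirect` relevance value and the sample findings are constructed for this example.

```python
# Added example, not part of tpt. Mirrors the mappings/<framework>.yaml shape:
# a list of {category, severity: [...], controls: [{id, name, relevance}]}.
from collections import defaultdict

# Constructed data: the dict structure yaml.safe_load would produce for a
# pci-dss.yaml. The 6.4 entry is the README's; 1.2 is invented here.
PCI_DSS_MAPPING = [
    {"category": "web", "severity": ["critical", "high"],
     "controls": [{"id": "6.4", "relevance": "direct",
                   "name": "Protect web-facing applications against known attacks"}]},
    {"category": "network", "severity": ["critical", "high", "medium"],
     "controls": [{"id": "1.2", "relevance": "indirect",
                   "name": "Restrict inbound and outbound network traffic"}]},
]

# Constructed findings, shaped like what a scan might emit.
FINDINGS = [
    {"id": "f1", "category": "web", "severity": "high", "title": "Reflected XSS"},
    {"id": "f2", "category": "web", "severity": "low", "title": "Missing X-Frame-Options"},
    {"id": "f3", "category": "network", "severity": "medium", "title": "Redis on 6379"},
    {"id": "f4", "category": "tls", "severity": "high", "title": "TLS 1.0 enabled"},
]


def validate_mapping(mapping):
    """Return a list of problems. A string 'severity' is the classic typo:
    `'high' in 'critical,high'` would silently become a substring match."""
    problems = []
    for i, entry in enumerate(mapping):
        if not isinstance(entry.get("severity"), list):
            problems.append(f"entry {i}: severity must be a YAML list")
        for c in entry.get("controls", []):
            if not {"id", "name", "relevance"} <= c.keys():
                problems.append(f"entry {i}: control missing id/name/relevance")
    return problems


def map_finding(finding, mapping):
    """Controls whose category and severity filter both match the finding."""
    return [c for e in mapping
            if e["category"] == finding["category"]
            and finding["severity"] in e["severity"]
            for c in e["controls"]]


def coverage_matrix(findings, mapping):
    """Finding ids per control id, plus findings no entry covers (mapping gaps)."""
    matrix, unmapped = defaultdict(list), []
    for f in findings:
        controls = map_finding(f, mapping)
        if not controls:
            unmapped.append(f["id"])
        for c in controls:
            matrix[c["id"]].append(f["id"])
    return dict(matrix), unmapped
```

Findings listed in `unmapped` (here the `tls` category) are the signal to add an entry to the mapping file rather than silently drop them from the coverage matrix.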
Architecture
```text
cmd/tpt/           CLI entry point (cobra)
internal/
  scan/            Scanner adapters (Nuclei, Naabu, ZAP, TLS, email, secrets, deps, Dalfox)
  audit/           Internal audit providers
    cloud/         AWS, GCP, Azure, DO, Hetzner, Cloudflare, Vercel, Supabase, Wasabi, Backblaze
    idp/           Okta, Azure AD, Google Workspace, Auth0, Keycloak, LDAP
    vcs/           GitHub, GitLab, Bitbucket, Gitea
    infra/         Linux SSH, Kubernetes
  importer/        File importers (.nessus, Burp XML, OpenVAS XML)
  mapping/         YAML-based control mapping engine
  report/          HTML, JSON, PDF report generators + methodology statement
  remediation/     Static remediation template library
  ai/              LLM client (Anthropic, OpenAI, Grok, OpenRouter)
  api/             REST API server (stdlib net/http)
  web/             Web UI — HTMX + Tailwind + DaisyUI, server-rendered templates
  db/              SQLite storage (GORM, no CGO)
mappings/          soc2.yaml · iso27001.yaml · hipaa.yaml
templates/         Nuclei templates (soc2/ · iso27001/)
```
Documentation
| Doc | Contents |
|-----|----------|
| docs/architecture.md | System design, component diagram, data flow, extension points |
| docs/deployment.md | Binary, Docker, Docker Compose, systemd service, nginx, CI/CD |
| docs/configuration.md | All CLI flags for every command, API endpoints |
| docs/frameworks.md | SOC 2, ISO 27001, HIPAA control mapping reference, custom framework YAML format |
Contributing
See CONTRIBUTING.md.
License
MIT — see LICENSE.