Archery

Unified vulnerability scanner for CI/CD pipelines and DevOps teams

ArcherySec aggregates open‑source scanners (OpenVAS, ZAP, Burp, Nmap, Nikto) into a single platform, offering REST APIs, JIRA integration, and CI/CD control for internal web and network vulnerability management.

Overview

Highlights

  • Aggregates multiple open‑source scanners into a unified dashboard
  • REST API and JIRA integration for automated remediation
  • Supports authenticated and Selenium‑driven web scans
  • Docker and serverless deployment options for CI/CD pipelines

Pros

  • Leverages proven scanners without reinventing detection logic
  • Extensible via REST API for custom automation
  • Docker images simplify environment setup
  • Built‑in prioritization helps focus on critical findings

Considerations

  • Requires manual configuration of each underlying scanner
  • Intended for internal use only; public exposure discouraged
  • Python 3.9 dependency may limit compatibility
  • Complex setup for production environments

Managed products teams compare with

When teams consider Archery, these hosted platforms usually appear on the same shortlist.

Acunetix

Web vulnerability scanner for automated security testing of websites and web apps

AppCheck

Automated web application and infrastructure vulnerability scanning platform

Burp Suite

Web application security testing platform

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Security teams that need centralized management of internal scans
  • DevOps engineers integrating vulnerability checks into CI/CD pipelines
  • Organizations with existing OpenVAS, ZAP, or Burp installations
  • Teams requiring automated ticket creation in JIRA

Not ideal when

  • Public SaaS providers exposing the service to the internet
  • Small projects lacking expertise to configure multiple scanners
  • Environments that cannot run Docker or Python 3.9
  • Teams seeking a fully managed cloud vulnerability platform

How teams use it

CI/CD gate for web application releases

Automated scans block deployments when critical vulnerabilities are detected, preventing insecure code from reaching production.

Periodic internal network assessment

Scheduled Nmap and OpenVAS scans provide continuous visibility of asset exposure and generate consolidated reports.

Authenticated web scanning with Selenium

Deep testing of login‑protected areas uncovers privilege escalation and session management flaws.

JIRA ticket automation

Findings are automatically turned into JIRA issues, streamlining remediation tracking and assignment.

Tech snapshot

  • JavaScript: 38%
  • Python: 33%
  • HTML: 18%
  • CSS: 11%
  • Shell: 1%
  • Lua: 1%

Tags

pentesters, opensource, devops-tools, asoc, pentesting, vulnerabilities, aspm, vulnerability-management, secdevops, scanning, devops, vulnerability-assessment, devsecops

Frequently asked questions

How do I install ArcherySec?

Clone the repository and run `setup.sh` on Linux/macOS or `setup.bat` on Windows, or use the provided Docker images (`archerysec/archerysec` or `archerysec/archerysec:alpine`).

Which scanners are integrated?

OpenVAS, OWASP ZAP, Burp Suite (via REST API), SSLScan, Nikto, and Nmap with the Vulners NSE script.

Can I run ArcherySec in a production environment?

Yes, but it is intended for internal use only. Secure the signup and API endpoints and avoid exposing the service publicly.

How does ArcherySec integrate with CI/CD pipelines?

Use the REST API or Docker‑Compose to trigger scans, retrieve results, and enforce build failures based on severity thresholds.

Is authenticated scanning supported?

Yes, ArcherySec can perform authenticated web scans and Selenium‑driven interactions to test protected resources.

Project at a glance

Stable

  • Stars: 2,428
  • Watchers: 2,428
  • Forks: 528
  • License: GPL-3.0
  • Repo age: 8 years old
  • Last commit: 7 months ago
  • Primary language: JavaScript

Last synced 13 hours ago