Learn web security hands-on and run professional assessments — from a single web dashboard.
VAP is two tools in one: a didactic platform that explains every choice and finding step‑by‑step, and a professional scanner that orchestrates 25+ industry tools, correlates findings and generates audit‑ready reports.
⚠️ Legal Disclaimer: Use this platform only on systems you own or for which you have explicit written authorization. Unauthorized scanning is illegal in most jurisdictions.
VAP adapts to your experience level. You pick the mode in Step 1 of the guided wizard (field "Livello di esperienza"). Server‑side safety guardrails stay active in every mode.
| | 🎓 Didactic mode | 🛠️ Professional mode |
|---|---|---|
| For | Students, juniors, anyone learning | Analysts, pentesters, security teams |
| Level | Beginner | Analyst / Expert |
| Risk | High‑risk modules disabled, conservative limits | Full module control, extended limits |
| Help | Per‑parameter explanations, glossary, learning blocks | Concise, automation‑oriented |
| Output | Guided interpretation of every finding | PDF reports, remediation roadmap, REST API, audit trail |
➡️ The in‑app Guida (/guida) is a full learning hub: scan catalog, learning paths, glossary and safe‑usage rules.
```bash
# 1) Clone
git clone <repository-url> VAP && cd VAP
# 2) Install (see per-OS instructions below)
#    Linux/macOS: ./installer.sh    Windows: .\installer.ps1
# 3) Configure
cp .env.example .env   # then edit secrets (see "Configuration")
# 4) Run
source venv/bin/activate
python3 app.py
```

Then open http://localhost:8000 and use the top navigation: Nuova scansione · Storico · Guida.
This project is not a single‑file app: it installs once, then everyday use is straightforward. The guided installers create a Python virtual environment and install dependencies.
Linux/macOS:

```bash
git clone <repository-url> VAP
cd VAP
chmod +x installer.sh
./installer.sh          # creates venv + installs dependencies
source venv/bin/activate
cp .env.example .env
```

Supported: Ubuntu/Debian/Kali/Fedora/RHEL‑like/Arch/openSUSE and macOS 11+.
Windows (PowerShell):

```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
.\installer.ps1         # creates venv + installs dependencies
.\venv\Scripts\Activate.ps1
copy .env.example .env
```

WSL2 is also fully supported — follow the Linux instructions inside your WSL distro.
Optional frontend build: the dashboard CSS ships pre‑built. To rebuild Tailwind after editing the UI, run `npm install && npm run build:css`.
Edit .env and set at least:

```ini
VAP_ENV=production
VAP_CSRF_SECRET=<hex-32-bytes>
VAP_JWT_SECRET=<hex-32-bytes>
VAP_API_KEY=<strong-random-key>
VAP_REQUIRE_HTTPS=true
```

Generate strong secrets with:

```bash
openssl rand -hex 32
```

Run the app in a single process:

```bash
source venv/bin/activate
python3 app.py
```

Or run with async workers (Redis + Celery):

```bash
# Terminal A
redis-server
# Terminal B
source venv/bin/activate
celery -A celery_app worker --loglevel=info
# Terminal C
source venv/bin/activate
python3 app.py
```

Open http://localhost:8000.
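The configuration block above lists the secrets a deployment must set. The following is an added example (not VAP's own code) of a startup check that refuses to run with the template placeholders, with secrets that are not 32 random bytes in hex, with the CSRF and JWT secrets reused for one another, or with HTTPS enforcement switched off in production. The function names and the placeholder set are assumptions; the variable names are the ones from the README.

```python
"""Startup sanity check for the VAP_* settings in .env (added example, not VAP code)."""
import re
import sys
from typing import Dict, List

# `openssl rand -hex 32` yields 32 bytes, i.e. 64 hex characters.
HEX_32_BYTES = re.compile(r"^[0-9a-fA-F]{64}$")
# Values that mean "nobody replaced the template yet": the README's own
# placeholders plus a couple of common defaults (assumed list).
PLACEHOLDERS = {"", "<hex-32-bytes>", "<strong-random-key>", "changeme", "secret"}


def check_settings(env: Dict[str, str]) -> List[str]:
    """Return the problems found in the VAP_* settings; an empty list means they pass."""
    problems: List[str] = []
    mode = env.get("VAP_ENV", "")
    if mode != "production":
        problems.append("VAP_ENV is not 'production'; deployed instances should use production")

    valid_secrets: Dict[str, str] = {}
    for name in ("VAP_CSRF_SECRET", "VAP_JWT_SECRET"):
        value = env.get(name, "")
        if value in PLACEHOLDERS:
            problems.append(f"{name} is unset or still a placeholder")
        elif not HEX_32_BYTES.match(value):
            problems.append(f"{name} must be 32 random bytes in hex (64 hex characters)")
        else:
            valid_secrets[name] = value.lower()
    # Reusing one secret for two purposes lets a leak of either break both controls.
    if len(valid_secrets) == 2 and valid_secrets["VAP_CSRF_SECRET"] == valid_secrets["VAP_JWT_SECRET"]:
        problems.append("VAP_CSRF_SECRET and VAP_JWT_SECRET must be different values")

    api_key = env.get("VAP_API_KEY", "")
    if api_key in PLACEHOLDERS:
        problems.append("VAP_API_KEY is unset or still a placeholder")
    elif len(api_key) < 32:
        problems.append("VAP_API_KEY is shorter than 32 characters; use a longer random value")

    if mode == "production" and env.get("VAP_REQUIRE_HTTPS", "").strip().lower() != "true":
        problems.append("VAP_REQUIRE_HTTPS must be 'true' in production")
    return problems


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for .env content; comments and blank lines are skipped."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_dotenv_text(text: str) -> List[str]:
    """Parse .env content and return its problems."""
    return check_settings(parse_dotenv(text))


# Constructed sample: the README template with its placeholders left in place.
TEMPLATE_ENV = """\
VAP_ENV=production
VAP_CSRF_SECRET=<hex-32-bytes>
VAP_JWT_SECRET=<hex-32-bytes>
VAP_API_KEY=<strong-random-key>
VAP_REQUIRE_HTTPS=true
"""

if __name__ == "__main__":
    # Usage: python check_env.py [path-to-.env]; exits non-zero when problems are found.
    path = sys.argv[1] if len(sys.argv) > 1 else ".env"
    with open(path, encoding="utf-8") as fh:
        found = check_dotenv_text(fh.read())
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Running this against the unedited template reports the three placeholder secrets, so a deployment cannot silently start with known values; wiring the same check into the app's startup path is the natural next step.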
- Open the dashboard and read the Guida (/guida) if it's your first time.
- In Step 1, choose your experience level (Beginner / Analyst / Expert) and enter an authorized target.
- In Step 2, pick the scan type (light, full, wordpress, or a tool‑specific scan) and the scanner modules.
- Review impact, risk and the compliance checklist (Steps 3–5), then start the scan.
- Watch real‑time progress, then review findings — with learning blocks, remediation roadmap and trend — and download the PDF report.
- ✅ Guided 5‑step scan wizard with real‑time validation and accessibility (keyboard, skip links, ARIA live regions)
- ✅ Didactic modes (Beginner / Analyst / Expert) with per‑parameter explanations and a built‑in glossary
- ✅ In‑app learning hub (/guida): scan catalog, learning paths, glossary, safe‑usage rules
- ✅ Multi‑scanner orchestration from one interface (Nmap, Nuclei, ZAP, SQLMap, WPScan, and 20+ more)
- ✅ Scan profiles (light, full, wordpress) and tool‑specific scans
- ✅ Finding enrichment (CVE/CWE/CVSS, NVD, ExploitDB, OWASP & MITRE ATT&CK mapping)
- ✅ Learning blocks on every finding (junior explanation, business risk, manual verification, next skill)
- ✅ Remediation roadmap ordered by impact × effort, plus historical trend per target
- ✅ False‑positive scoring and confidence rubric
- ✅ PDF report generation and scan history
- ✅ REST API for automation
- ✅ Security controls: CSRF, JWT/API key, hardened headers, rate limiting, audit logging
- ✅ Extensible plugin architecture for new scanner adapters
| Path | Description |
|---|---|
| app.py | FastAPI app — dashboard UI + REST API |
| scanner_engine.py | Scan orchestration and target validation |
| scanners/ | Tool‑specific scanner plugins |
| templates/ + static/ | Dashboard UI (shared nav, guided wizard, scan detail, Guida) |
| report_generator.py | PDF reporting pipeline (Inter font, page-safe layout) |
| enrichment_engine.py | CVE/NVD/ExploitDB correlation |
| assets/fonts/ | Bundled Inter font used by the PDF reports |
| tests/ | Regression and security‑focused tests |
| installer.sh / installer.ps1 | Guided installers (Linux/macOS, Windows) |
| docker-compose.yml | Redis helper service for async workers |
| docs/ | Architecture, security, operations, scan playbooks, learning paths |
Runtime: Python 3.10–3.12 · Redis 6/7 (async workers) · Go ≥ 1.19 (selected tools) · Node.js/npm (frontend build/tests only)
Supported OS: ✅ Linux · ✅ macOS 11+ · ✅ Windows 10/11 (native PowerShell or WSL2)
Recommended resources: CPU 2 cores (4+ for concurrent scans) · RAM 4 GB min (8+ GB for heavy scans) · Disk 2 GB + scan/report artifacts
Results depend on installed tools and permissions. Some scanners need external binaries (e.g., Nmap, Nuclei, WhatWeb); enterprise scanners (Acunetix/Nessus) need valid API credentials. Without optional tools, VAP runs reduced‑coverage flows.
| Symptom | Likely cause | Fix |
|---|---|---|
| ModuleNotFoundError | venv not active / deps missing | source venv/bin/activate && pip install -r requirements.txt |
| Celery jobs don't start | Redis down / bad broker URL | start redis-server, verify .env, restart the worker |
| Empty/partial findings | tool missing / target unreachable | check scanner binary, verify reachability, try the light profile |
| UI loads but styling is broken | wrong working dir / static mapping | run from the repo root; verify static/ is served |
- ✅ Secrets via environment variables (.env)
- ✅ Security middleware and hardened response headers
- ✅ Input validation and target sanitation
- ✅ Optional JWT / API‑key protections for the API
- ✅ Audit logging for security‑relevant actions
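The "input validation and target sanitation" control above, and the server‑side guardrails mentioned in the mode description, matter most in a tool that hands user input to Nmap, Nuclei and similar binaries. The example below is added here and is not VAP's code: it reduces whatever the wizard received (host, host:port or URL) to a bare host, rejects anything that is not a valid hostname or IP literal (which also rules out shell metacharacters), checks the host against an explicitly authorized scope, and builds the tool command as an argv list so the target never passes through a shell. The scope format, the function names and the sample scope are assumptions.

```python
"""Target guardrail for a scanner orchestrator (added example, not VAP's own code)."""
import ipaddress
import re
from typing import List, Sequence
from urllib.parse import urlsplit

# One DNS label; a hostname is labels joined by dots, at most 253 characters overall.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def normalize_target(raw: str) -> str:
    """Reduce a user-supplied target (host, host:port or URL) to a bare, lowercased host.

    Anything that is not a valid hostname or IP literal raises ValueError, which
    also rejects spaces, shell metacharacters and path fragments.
    """
    raw = raw.strip()
    if not raw:
        raise ValueError("empty target")
    # urlsplit only treats the input as a netloc when a scheme or "//" is present.
    url = raw if "://" in raw else "//" + raw
    try:
        host = urlsplit(url).hostname  # lowercased, port stripped, IPv6 brackets removed
    except ValueError as exc:
        raise ValueError(f"unparseable target: {raw!r}") from exc
    if not host:
        raise ValueError(f"no host in target: {raw!r}")
    try:
        return str(ipaddress.ip_address(host))  # canonical IP literal
    except ValueError:
        pass
    if len(host) > 253 or not HOSTNAME.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def is_rejected(raw: str) -> bool:
    """True when normalize_target refuses the input."""
    try:
        normalize_target(raw)
    except ValueError:
        return True
    return False


def in_scope(host: str, scope: Sequence[str]) -> bool:
    """True if the normalized host is covered by the authorized scope.

    Scope entries are CIDR networks or IP literals (cover IP targets only) or
    domain names (cover the name itself and its subdomains, matched at a dot
    boundary). No DNS lookup is made, so a name is never judged by what it
    currently resolves to.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in scope:
        entry = entry.strip().lower()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None
        if net is not None:
            if ip is not None and ip in net:
                return True
        elif ip is None and (host == entry or host.endswith("." + entry)):
            return True
    return False


def authorize_target(raw: str, scope: Sequence[str]) -> str:
    """Normalize and scope-check a target; returns the host the scanners may use."""
    host = normalize_target(raw)
    if not in_scope(host, scope):
        raise PermissionError(f"{host} is outside the authorized scope")
    return host


def build_scan_argv(host: str) -> List[str]:
    """Build an Nmap service-scan command as an argv list.

    Meant for subprocess.run(argv) with the default shell=False: the host is a
    single argument, so no shell ever parses it. -sV and -Pn are real Nmap flags.
    """
    return ["nmap", "-sV", "-Pn", host]


# Constructed authorized scope for the example: one domain and one /24.
SCOPE = ["example.com", "10.0.0.0/24"]

if __name__ == "__main__":
    for candidate in ("https://www.example.com/login", "10.0.0.5:8443", "evil-example.com", "$(whoami)"):
        try:
            print(candidate, "->", build_scan_argv(authorize_target(candidate, SCOPE)))
        except (ValueError, PermissionError) as err:
            print(candidate, "-> rejected:", err)
```

The suffix match deliberately requires a dot boundary, so `evil-example.com` is not covered by a scope entry of `example.com`, and CIDR entries never cover hostnames, so a name that merely resolves into an authorized range still needs its own scope entry.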
- docs/user-manual.md — detailed user manual
- docs/learning-paths/ — beginner / analyst / professional paths
- docs/scan-playbooks/ — per‑scanner playbooks
- docs/glossary-faq.md — glossary and FAQ
- docs/architecture.md, docs/security.md, docs/deployment.md — operations
Distributed under the terms of the license in LICENSE.
© Chiara Berti 13 - 2026