I (not so) recently set up a VulnReport Docker container in my lab, and I wanted to share the process.
VulnReport Docker - Introduction
If you have never used it before, VulnReport is an "Open-source pentesting management and automation platform by Salesforce Product Security".
I've pushed to use this at work as a vulnerability management and reporting platform. It makes life a bit easier on the reporting end, and allows for things like finding templates and report generation.
For more information, you can always visit the GitHub repository.
First, I set up a new Ubuntu server VM.
I went through the install using default settings for the most part, and finished the process.
Next, when that was complete, I updated all the already installed packages.
I also updated my distribution, since the ISO that I was using was only on 16.04.
When that finished, I installed Docker.
The Digital Ocean tutorial made it super easy, and I had Docker up and running fairly quickly.
VulnReport Docker - Installation
With my system and Docker installed, it was time to create the VulnReport container.
First, I pulled down the existing container. I know that this one is a bit old, but it makes life easier than creating one of my own for now.
Next, I ran the container, making sure to add the -t flag for a TTY.
I was then able to interact with my newly configured container.
Inside of the new container, I started up all the requisite services.
sudo /etc/init.d/redis-server start
service postgresql start
Next, I ran the SEED script, to handle the first configuration. When that was complete, I was able to run nohup start.sh, and start the service!
With my service running, it was time to verify that the install was successful.
When I visited the IP of my virtual machine, I saw a VulnReport login page.
Using the default credentials of admin/admin, I was able to successfully log in to the dashboard!
VulnReport Docker - Conclusion
While this post only covers the basic installation of VulnReport, I think it is useful to have in a lab environment.
We are not using this on my team at work, but we are moving towards this solution. That said, I'm hoping to use this setup for mock reports as well as various interviews/certifications/etc.
If you have any configuration tweaks or suggestions, or even another platform to check out, then please let me know!