Vulnerability scanner setup for website

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and maintenance of all types of websites:
Informational websites or web applications
Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators
E-commerce websites or web applications
Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers
Business process management web applications
CRM systems, ERP systems, corporate portals, production management systems, information parsers
Electronic service websites or web applications
Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 2065 services
Vulnerability scanner setup for website
Medium
from 1 business day to 3 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1161
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1041
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    822
  • image_crm_chasseurs_493_0.webp
    CRM development for Chasseurs
    847
  • image_website-sbh_0.png
    Website development for SBH Partners
    999
  • image_website-_0.png
    Website development for Red Pear
    451
Show more works

Setting up vulnerability scanner for website

Automated vulnerability scanner checks the application for known CVEs, misconfigurations, and OWASP Top 10 vulnerabilities. Runs regularly in CI/CD pipeline or on schedule, ensuring continuous security monitoring.

Tools

DAST (dynamic scanning against running application):

  • OWASP ZAP — open, full-featured, CI/CD integration
  • Nuclei — fast, template-based, 7000+ checks
  • Nikto — specializes in web server configuration

SAST (static scanning by code):

  • Semgrep — multilingual, OWASP rules
  • SonarQube — complete static analysis with dashboard

SCA (dependencies):

  • npm audit, composer audit, pip-audit
  • Trivy — containers + dependencies
  • Snyk — commercial, deep GitHub integration

OWASP ZAP in CI/CD (GitHub Actions)

name: Security Scan

on:
  schedule:
    - cron: '0 3 * * 1'
  push:
    branches: [main]

jobs:
  zap-scan:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Baseline Scan
        uses: zaproxy/[email protected]
        with:
          target: 'https://staging.example.com'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a -j'

      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: zap-report
          path: report_html.html

Nuclei — template scanning

go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

nuclei -update-templates

nuclei -u https://target.example.com \
    -t cves/ \
    -t misconfigurations/ \
    -t exposures/ \
    -severity critical,high \
    -o nuclei_report.json \
    -json

Semgrep SAST in CI/CD

- name: Semgrep SAST
  uses: semgrep/semgrep-action@v1
  with:
    config: >-
      p/owasp-top-ten
      p/php
      p/laravel
      p/javascript
  env:
    SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

Dependency Scanning

composer audit
npm audit --audit-level=high
npx audit-ci --high
pip-audit --output=json -o pip-audit.json

trivy image myapp:latest \
    --severity HIGH,CRITICAL \
    --format json \
    -o trivy-report.json

SonarQube — continuous SAST

services:
  sonarqube:
    image: sonarqube:community
    ports:
      - "9000:9000"
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
    volumes:
      - sonar_data:/opt/sonarqube/data

sonar.projectKey=my-webapp
sonar.sources=app,resources/js
sonar.exclusions=**/vendor/**,**/node_modules/**
sonar.php.coverage.reportPaths=coverage.xml

Schedule and notifications

security-scan:
  stage: security
  image: owasp/zap2docker-stable
  script:
    - zap-baseline.py -t $STAGING_URL -r zap-report.html
  artifacts:
    paths: [zap-report.html]
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
  only:
    - schedules

Notifications in Slack/Telegram on Critical/High discovery:

CRITICAL=$(cat nuclei_report.json | jq '[.[] | select(.info.severity == "critical")] | length')

if [ "$CRITICAL" -gt "0" ]; then
    curl -X POST $SLACK_WEBHOOK \
        -H 'Content-type: application/json' \
        --data "{\"text\":\"Found ${CRITICAL} critical vulnerabilities\"}"
fi

Managing results (False Positives)

# .zap/rules.tsv
10016	IGNORE
10021	IGNORE
90033	IGNORE

Implementation Timeline

  • OWASP ZAP baseline in GitHub Actions: 1 day
  • Nuclei + notifications: 1 day
  • Semgrep SAST + Dependency scanning: 1–2 days
  • SonarQube full setup: 2–3 days