Welcome to Vulfio

Vulfio stands for Vulnerability finder orchestrator.

It is a platform to orchestrate and provide different kind of security tools in a central way with the possiblity to change underlying used tools at runtime without any effort. It also provides a common report, no matter which product is used. Means product results are compareable. It is also possible to use multiple products at the same time while triggering one scan.

This open source project enables small but also very large companies or even private persons to do security scans on their products/their environment without much effort or costs.

Depending on the purpose and desired scalability, Vulfio can be hosted on a wide variety of platforms. These range from local deployment on a VM or a dedicated server, to a global solution running on Kubernetes.

This inclucdes

• web scans (DAST)
• code scans (SAST, binary and source)
• secret scans
• …more…

The platform will provide

• Web user interface (web ui)
• Orchstration server
• Multiple security solutions
• IDE plugins (Eclipse, IntelliJ, VSCode/Eclipse Theia)
• GitHub action + Clients

About

The project

• is created by @de-jcup as a kind of successor of SecHub which has been archived at the end of 2025 and will no longer be maintained.
• will reuse concepts and parts of SecHub
• has its own domain vulfio.org
• shall be a community driven project
• is in a early startup phase
• currently most repositories are currently only private
• planned is that in 2026 the most parts become public available together with some videos and documentation

Comparision to SecHub

Why not a fork?

There were multiple reasons to not just do a fork, most important parts here:

• namespace
• legal parts
• possibliity to change license
• clear cut and possibility to redesign

What will be similar to SecHub?

• Easys to use
• configuration files have same syntax 98%

What will be diffeerent to SecHub?

• Community driven only
  • Not driven by a company, but just by enthusiasts
• Much easier to setup
  • Launcher
  • Marketplace approach
• Everything shall be managable by web ui (also admin tasks)
• Separation of concerns / Modularity
  • No longer a mono repository, but instead multiple repos
  • Each security solution will have its own repository and will be in charge of testing, stability etc. Means they are standalone testable.
  • Vulfio will only accept ONE self defined format for exchange between PDS instances - no longer product specific import logic inside the server
• Enhanceed concepts
  • Launcher way, Marketplace approach
  • Parallel execution of solutions
• Much simpler to maintain
  • Reduce or remove DDD approach inside server
  • Adapters are removed, instead only PDS way
  • Server does only do orchestration, no more logic
  • Solutions can be maintained, updated, written without any running server instances
  • Remove/reduce/simplify over-engineered parts
• Documentation
  • Lean / Less is more
  • YouTube videos with tutorials
• Clean up
  • Things which are not really necessary or no longer necessary will be removed
• Speedup builds
  • Use standard ways like maven central to separate builds and to only build things which are needed
  • For other parts - e.g. binary data use also other decentralized ways
• Focus on open source products
  • Because vulfio is a sole community approach, the existing commercial integrations can no longer be maintained/ensured that they are still working. For some parts there will be a solution repository, but it will be marked as “beta”
• … more

What will be a hard change compared to SecHub (incompatible)?

• Credential handling
  • Introduction of secrets (similar to GithHub secrets) which can be referenced by an ID. Those secrets will be stored encrypted inside Vulfio database.
  • job configuration files cannot contain any secret credentials inside (like in SecHub), but only secret references!
  • the encryption of job configuration will be removed because of this

This is a ongoing process, so please stay tuned