apPosture ASPM

An offline-first, AI-driven Application Security Posture Management platform. Six scan engines (DAST, SAST, SCA, secrets, IaC and containers) plus an agentic local-LLM AI (DeepSeek) run entirely inside your perimeter: no source, scan traffic or AI inference ever leaves your network. This guide covers every capability.

Offline-first: Zero egress, air-gap friendly.
Agentic AI: Local LLM (DeepSeek).
Unified posture: Six engines, one store.

Architecture

Assets and CI feed six engines and a local-LLM AI core; results deduplicate into one posture that the dashboard, gates and reports read. Nothing crosses your perimeter.

[Architecture diagram, titled "YOUR PERIMETER · 100% OFFLINE · NO EGRESS". Labelled elements: Cloud AI; Apps & Repos (source · targets); 6 scan engines (DAST · SAST · SCA · secrets · IaC · container); Local-LLM AI (threat model · proof · fix); Unified posture (gate · reports); CI / SCM (agent · webhook · IDE); Gate engine (baseline · policy · rules); Decoration (status · PR comments); Reports · SIEM (trends · evidence).]

Deployment

Self-hosted via Docker Compose — Postgres, the warm scanner pool, the local DeepSeek LLM and the app, all containers you run and own. No SaaS account, no outbound dependency.

docker compose up -d postgres redis scanner ollama backend frontend
docker exec apposture-ollama ollama pull deepseek-coder-v2:16b   # one-time, local

Frontend       :3000
Backend API    :8000 /api/v1 · /docs
DeepSeek LLM   local · :11434

Your first scan

  1. Create an Application and add a Target (URL) or connect a repo on Integrations.
  2. Run a scan (DAST for a URL; SAST/SCA/secrets/IaC for a repo) — or wire CI/CD.
  3. Review findings in Vulnerabilities, let the AI prove & triage them, and gate your pipeline.

Applications

The top-level grouping. An application bundles targets/services and carries metadata used for prioritization: environment (prod/staging/dev), business_criticality, and owner_team. Each app gets its own risk score, grade and open/exploitable/SLA-breached counts. Microservice repos auto-create their own application from CI.

Targets & authentication

A target is a URL to scan. apPosture authenticates so it can test behind login:

Discovery

Inventory your real attack surface — hosts, subdomains and APIs — with include/exclude scope controls (domains, IPs, TLDs). Newly appearing assets are flagged (shadow-IT diff) so nothing is scanned that you didn't intend, and nothing dangerous is missed.

SCM integrations

Connect GitHub or GitLab via OAuth or a personal access token, import a repo (cloned into a read-only sandbox), or upload a local folder. Tokens are stored encrypted; the connected repo becomes the source for SAST/SCA/secrets/IaC and the Hybrid-AST bridge for DAST.

Scans & profiles

Scans are queued and run by a concurrency-limited worker; you can pause, resume or stop them and watch a live phase timeline.

quick: fast surface pass
standard: balanced (default)
deep: thorough active scan

Options include scope exclusions, AJAX spider, graybox (source-informed) and authorized active exploitation (operator consent required). Incremental scans diff against a baseline_commit.

DAST

Dynamic testing with an OWASP-ZAP engine plus 9000+ Nuclei templates. The AI first reads your source (Hybrid AST), builds a threat model and an attack map, then the scanner spiders, runs an active scan against authenticated sessions, and verifies business-logic test steps the AI planned.

SAST

Static analysis with Semgrep-format rules and a Python AST taint engine (PHP, JS/TS supported too). Findings map to CWE and OWASP, include the vulnerable code snippet, and can be triaged by the local LLM to drop false positives before they reach your backlog.

SCA & supply chain

Dependency analysis across npm, PyPI, Composer, Go, Maven and RubyGems against an offline advisory database, with SBOM export. Three offline signals cut noise and catch supply-chain risk:

Reachability

A vulnerable dependency only in the lockfile — never imported — is marked unreachable and deprioritized; imported ones are reachable and ranked higher.

License policy

Licenses are read from lockfiles; copyleft (GPL/AGPL/LGPL/SSPL) is flagged to review or gate before shipping.

Typosquat / malicious

A direct dependency whose name is an edit-distance neighbour of a popular package (e.g. expres vs express) is flagged as a possible supply-chain attack.
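
The edit-distance check described above, as an added example (not apPosture's own code). The popular-package list, the distance limit of 1 and the minimum name length are assumptions; the distance function also counts a swap of two adjacent characters as one edit.

```python
# Added example, not apPosture's code. POPULAR is a constructed sample list.
POPULAR = {"express", "requests", "lodash", "react", "numpy"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def normalize(name: str) -> str:
    # Compare one canonical form so case and separator variants are not missed.
    return name.lower().replace("_", "-").replace(".", "-")


def typosquat_candidates(direct_deps, popular=POPULAR, max_distance=1, min_len=5):
    """Map each suspicious direct dependency to the popular name it resembles.
    An exact match is the real package and is never flagged."""
    known = {normalize(p): p for p in popular}
    flagged = {}
    for dep in direct_deps:
        name = normalize(dep)
        if name in known:
            continue
        for canon in sorted(known):
            # Short names collide by chance, so skip them (min_len is an assumed cutoff).
            if len(canon) >= min_len and edit_distance(name, canon) <= max_distance:
                flagged[dep] = known[canon]
                break
    return flagged
```

A flagged name is a lead for review, not proof of malice: legitimate packages can sit one edit away from a popular one.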

Secrets

Curated provider patterns + entropy detection; values are always masked, never stored. Plus:

Git-history scan

Finds secrets committed then removed from HEAD but still recoverable from history (one rev-list + cat-file --batch pass).

Validity check (opt-in)

Optionally tests whether a GitHub/GitLab/Slack token is still live; live secrets escalate to critical. This makes an outbound call, so it is off by default for air-gapped deployments.
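
The git-history pass (one rev-list plus one cat-file --batch) with masked output, as an added example that is not apPosture's own code. The single pattern, the masking format and the function names are assumptions; the sample stream is constructed.

```python
import io
import re
import subprocess

# Illustrative single rule (AWS-style access key id); real rule sets are larger.
PATTERN = re.compile(rb"AKIA[0-9A-Z]{16}")


def parse_batch(stream):
    """Yield (sha, type, content) from `git cat-file --batch` output, whose
    records are '<sha> <type> <size>\\n<content>\\n'."""
    while True:
        header = stream.readline().split()
        if not header:
            return
        if header[-1] == b"missing":
            continue  # unknown object: header line only, no body
        content = stream.read(int(header[2]))
        stream.read(1)  # newline that follows every object body
        yield header[0].decode(), header[1].decode(), content


def scan_batch(stream, paths):
    """Return (blob sha, path, masked value) for each hit in a blob."""
    findings = []
    for sha, otype, content in parse_batch(stream):
        if otype != "blob":
            continue
        for hit in PATTERN.finditer(content):
            masked = hit.group()[:4].decode() + "*" * (len(hit.group()) - 4)
            findings.append((sha, paths.get(sha, "?"), masked))
    return findings


def scan_history(repo):
    """One rev-list and one cat-file pass over every object reachable from any ref."""
    listing = subprocess.run(["git", "-C", repo, "rev-list", "--objects", "--all"],
                             capture_output=True, check=True).stdout
    rows = [line.split(b" ", 1) for line in listing.splitlines()]
    paths = {r[0].decode(): r[1].decode(errors="replace") for r in rows if len(r) == 2}
    batch = subprocess.run(["git", "-C", repo, "cat-file", "--batch"],
                           input=b"\n".join(r[0] for r in rows) + b"\n",
                           capture_output=True, check=True).stdout
    return scan_batch(io.BytesIO(batch), paths)


def sample_stream():
    # Constructed --batch output: one blob holding AWS's documented example key id.
    body = b"key=AKIAIOSFODNN7EXAMPLE\n"
    return io.BytesIO(b"%s blob %d\n%s\n" % (b"a" * 40, len(body), body))
```

A secret found this way stays recoverable until it is rotated; deleting the file in a later commit does not remove the blob from history.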

IaC

Misconfiguration checks for Terraform, Kubernetes, CloudFormation and Dockerfiles (curated rules + Trivy) — insecure defaults, exposed services, missing encryption and over-broad IAM.

Containers

Image OS + language-package CVEs via Trivy. In CI the image is scanned on the runner and the SARIF is uploaded, so the image never leaves your network (see CI/CD → container).

Unified posture (Vulnerabilities)

Every engine writes into one Vulnerability store, deduplicated by a stable fingerprint so the same issue from DAST + SAST collapses into one. Each carries severity, CVSS, an EPSS band, KEV flag, reachable, exploit_confirmed, a composite priority score, owner, status lifecycle (new → triaged → resolved/accepted) and a full event history. Manage at scale with mutes, risk acceptances and Jira sync.

Exploit verification

The AI proves a finding is real with a safe reproduction against the live target — rate-limited and gated by operator authorization. Confirmed findings are marked exploit_confirmed and ranked first; unverifiable ones are deprioritized. Evidence is redaction-aware.

Attack map

A graph of the attack surface and chained paths — how an exposed entry point connects to sensitive functions and data — so you fix the links that actually create risk.

Threat models

The AI reconstructs your architecture from source and builds a STRIDE threat model, versioned over time, with coverage mapping back to findings — automated threat modeling instead of a whiteboard session.

ASPM coverage

A program-level view: security score & grade, open vs exploitable vs SLA-breached, MTTR, and 30-day trend / risk-burndown by severity — plus per-application risk ranking for where to focus.

Agentic AI engine

The local DeepSeek LLM drives autonomous agents that reason in a loop — plan, act, verify, correct. No data leaves your perimeter, no per-token bill.

AGENT 01 · Threat-model: Reads source → STRIDE model.
AGENT 02 · Recon & planning: Steers scanners at risk.
AGENT 03 · Exploit-verify: Safe reproduction; kills FPs.
AGENT 04 · Triage & fix: Ranks risk, writes the patch.

AI assistant

Ask natural-language questions about your posture ("what's exploitable in payments?", "explain this finding", "draft a fix") — answered locally against your own data.

CI/CD pipelines

A portable agent runs in your pipeline, ships the source to the server, and relays the gate verdict as an exit code. Each microservice repo maps to its own application.

curl -fsSL https://aspm.apposture.com/api/v1/ci/agent.sh -o apposture && chmod +x apposture

./apposture test     --app payments --severity-threshold high --fail-on new   # gate a PR
./apposture monitor  --app payments                                           # baseline the default branch
./apposture container --image payments:$SHA --app payments                    # scan a built image
./apposture upload   --sarif results.sarif --app payments                     # bring your own SARIF

Per-branch baseline

A PR fails only on findings new vs the default branch; pre-existing issues don't block.

PR decoration

Commit status check + summary comment + inline annotations on the exact lines.

Run detail & AI fix

Findings grouped by scanner with the vulnerable snippet + one-click AI patch.

Exit codes

0 pass · 1 gate fail · 2 usage · 3 server/timeout.

Copy-paste snippets for GitHub Actions, GitLab CI and Jenkins on the Setup page.

Gates

Break-the-build is owned by security, not the YAML. A deterministic rule engine + policy thresholds decide pass / warn / fail from severity, "new vs all", required scanners and accepted-risk waivers. Every evaluation is recorded as a GateRun for audit; the same call can post a PR/MR comment.
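
A deterministic gate of the kind described above and under "Per-branch baseline", as an added example (not apPosture's rule engine). The policy keys fail_on_severity and fail_on come from the API example on this page; the required_scanners key, the finding fields, the fingerprint inputs and the warn rule are assumptions.

```python
import hashlib

RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(f):
    # Assumed identity: weakness class + location, deliberately excluding the
    # reporting engine so DAST and SAST reports of one issue collapse.
    key = "|".join((f["cwe"], f["location"]))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def evaluate_gate(findings, baseline, policy, scanners_run, waivers=frozenset()):
    """Return (verdict, blocking_fingerprints); verdict is pass, warn or fail."""
    # Fail closed: a scanner that never ran must not look like a clean result.
    if set(policy["required_scanners"]) - set(scanners_run):
        return "fail", []
    worst = {}
    for f in findings:  # deduplicate, keeping the highest reported severity
        fp = fingerprint(f)
        worst[fp] = max(worst.get(fp, 0), RANK[f["severity"]])
    threshold = RANK[policy["fail_on_severity"]]
    blocking, noted = [], []
    for fp, rank in worst.items():
        if fp in waivers:
            continue  # accepted risk
        if policy["fail_on"] == "new" and fp in baseline:
            continue  # already present on the default branch
        (blocking if rank >= threshold else noted).append(fp)
    if blocking:
        return "fail", sorted(blocking)
    # Assumed warn rule: new findings below the threshold are noted, not blocking.
    return ("warn" if noted else "pass"), []


def exit_code(verdict):
    # CLI contract from this page: 0 pass, 1 gate fail (warn mapped to 0 is assumed).
    return 1 if verdict == "fail" else 0
```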

SCM webhooks (zero-pipeline)

Prefer not to edit each pipeline? Point a signature-verified webhook at apPosture and it clones + scans on push/PR automatically.

GitHub  → https://aspm.apposture.com/api/v1/scm/webhook/github   (HMAC-SHA256 secret)
GitLab  → https://aspm.apposture.com/api/v1/scm/webhook/gitlab   (secret token)

Push to the default branch records a baseline; a pull/merge request runs the gate and decorates the PR.
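
What signature verification means for the two providers above, as an added example (not apPosture's implementation). X-Hub-Signature-256 and X-Gitlab-Token are the headers GitHub and GitLab send; the function names, HTTP status codes and sample values are assumptions or constructed.

```python
import hashlib
import hmac
import json


def sign_github(secret: bytes, raw_body: bytes) -> str:
    """Sender side: the value GitHub puts in X-Hub-Signature-256."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_github(secret: bytes, raw_body: bytes, header) -> bool:
    if not header or not header.startswith("sha256="):
        return False  # missing or malformed header: reject
    # Constant-time comparison over the exact bytes received on the wire.
    return hmac.compare_digest(sign_github(secret, raw_body).encode(), header.encode())


def verify_gitlab(secret: bytes, header) -> bool:
    """GitLab sends the shared secret itself in X-Gitlab-Token."""
    return bool(header) and hmac.compare_digest(secret, header.encode())


def handle_webhook(provider, headers, raw_body, secret):
    """Return (http_status, event); authenticate before parsing the JSON."""
    h = {k.lower(): v for k, v in headers.items()}
    if provider == "github":
        ok = verify_github(secret, raw_body, h.get("x-hub-signature-256"))
    elif provider == "gitlab":
        ok = verify_gitlab(secret, h.get("x-gitlab-token"))
    else:
        return 404, None
    if not ok:
        return 401, None
    return 202, json.loads(raw_body)


# Constructed exchange: the same event as sent, and after re-serialisation.
SECRET = b"constructed-webhook-secret"
BODY = b'{"ref":"refs/heads/main","after":"0000"}'
RESERIALISED = json.dumps(json.loads(BODY)).encode()  # adds spaces, so bytes differ
```

The GitHub signature covers the raw request bytes, so a receiver that parses and re-serialises the JSON before checking will reject valid deliveries. The GitLab token is a static shared secret and gives no integrity protection for the body.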

VS Code extension

Scan the open workspace from your editor; findings appear inline as diagnostics with one-click AI fixes. Set apposture.url + apposture.token, then run apPosture: Scan workspace. Talks only to your server.

API & tokens

Everything is under /api/v1, authenticated with a Bearer apt_… token (scoped, expiring, revocable). Interactive docs at /docs.

curl -X POST https://aspm.apposture.com/api/v1/ci/run \
  -H "Authorization: Bearer apt_…" \
  -F 'meta={"app":"payments","gate":{"fail_on_severity":"high","fail_on":"new"}}' \
  -F "source=@src.tar.gz"

Policies

Define organization rules once: severity thresholds, required scanners, environment-specific gates, auto-escalation (e.g. KEV/exploitable → critical) and exceptions. The same engine powers the dashboard, gates and SLAs.

Compliance & SBOM

Findings map to SOC 2, PCI DSS, HIPAA, NIST and GDPR controls; generate auditor-ready evidence on-prem. Export an SBOM in CycloneDX or SPDX per application.

SLA & tickets

Set remediation SLAs by severity; breaches surface on the dashboard and drive notifications. Push findings to Jira / GitLab / Azure DevOps and sync status back via signed webhooks. The AI can open an auto-fix PR with the patch.

Reports

Executive and operational reporting: posture trends, risk-by-application, scan history, and exportable run reports — plus shareable read-only report links secured by an expiring token.

Identity & access

Notifications

Email (SMTP), Slack, Telegram and generic webhook channels with per-user preferences, approved templates and a delivery log. Wire alerts for new criticals, gate failures, SLA breaches and health events. Dry-run mode renders without sending (offline-safe).

Audit log

Every privileged action — scans, gate runs, status changes, config edits, token use — is recorded with actor, IP and before/after state for incident review and compliance evidence.

Backups

Scheduled, encrypted database backups with automatic verify-restore into a scratch DB, a pre-restore safety snapshot, retention pruning, and off-site targets (local volume, S3/MinIO, SFTP, fileshare).

Health monitor

Watches the scanner pool, database, LLM and other services; alerts on down/recovery (e.g. via Telegram) with configurable thresholds and re-alert intervals — so a stuck scanner never silently fails scans.

Threat intel

A curated, offline threat-intel feed cross-references findings (CWE/CVE class, exploit-in-the-wild signals) to sharpen prioritization without calling out to the internet.

API Security platform

apPosture ships a second, independent product for runtime API protection (waf.apposture.com): continuous discovery of documented & shadow APIs, an AI-assisted WAF that blocks attacks inline, OWASP API Top 10 auditing (BOLA, BFLA, mass assignment), bot/abuse defense, rate limiting and schema validation. Separate app, separate data — run it alongside ASPM or on its own.

© 2026 apPosture ai — Enterprise Application & API Security Platform