PatchHound

PatchHound is a self-hosted vulnerability operations platform for turning security findings into tracked remediation work. It ingests vulnerability and asset data, normalizes software exposure, prioritizes risk across tenants, supports AI-assisted vulnerability assessments, and keeps an auditable workflow from detection through closure.

Features

  • Vulnerability and asset ingestion from tenant-configured sources, with checkpointed runs, staged merges, device activity refresh, and enrichment jobs.
  • Authenticated scan runner support for collecting host-level software evidence through the PatchHound.Puppy runner and folding those results into the same inventory and exposure model.
  • Canonical software exposure modeling that links installed software, vulnerability applicability, affected devices, version cohorts, and remediation cases.
  • Risk scoring across vulnerabilities, devices, software, remediation cases, teams, and tenants, including threat and exposure signals such as CVSS, EPSS, exploit indicators, device criticality, and remediation posture.
  • AI-supported vulnerability assessments that evaluate patch urgency, recommend emergency or normal patching timelines, capture confidence and rationale, list similar vulnerabilities, suggest compensating controls, and preserve references for analyst review.
  • Emergency patch workflows that surface AI assessment results in remediation context, apply urgency-aware risk floors, and notify security and technical managers when immediate action is required.
  • Multi-tenant remediation workflows with stage ownership, approvals, recurrence handling, patching tasks, risk acceptance, alternate mitigation, and auto-closure when exposure is resolved.
  • Executive and operational dashboards for tenant risk, new and resolved vulnerabilities, aging, software exposure, remediation status, and risk-change summaries.
  • Audit and notification pipeline with optional Microsoft Sentinel forwarding through the Logs Ingestion API.
  • Secret-backed operations using OpenBao for source credentials, AI provider configuration, notification delivery secrets, and scan credentials.

Screenshots

  • Executive dashboard
  • Remediation workbench
  • Remediation workflow
  • Software exposure (software view)
  • Operations dashboard

Stack

  • Backend: .NET, ASP.NET Core, EF Core, SignalR
  • Worker: .NET background services for ingestion, enrichment, vulnerability assessment, SLA checks, workflows, authenticated scans, and NVD synchronization
  • Runner: PatchHound.Puppy for tenant-side authenticated scanning
  • Frontend: React 19, TanStack Start/Router, TanStack Query, Vite, Radix UI, Tailwind CSS
  • Database: PostgreSQL
  • Identity: Microsoft Entra ID
  • Secrets: OpenBao KV v2
  • Integrations: Microsoft Defender-style ingestion sources, NVD enrichment, AI providers, Microsoft Sentinel forwarding

Quick Start

cp .env.example .env
docker compose up -d --build

Set the required values in .env before starting the stack. At minimum, local development needs:

  • POSTGRES_PASSWORD
  • SESSION_SECRET
  • AZURE_AD_CLIENT_ID
  • AZURE_AD_AUDIENCE
  • ENTRA_CLIENT_SECRET

After startup:

  • Frontend: http://localhost:3000
  • API: http://localhost:8080

Local Development

Backend:

dotnet build PatchHound.slnx
dotnet test PatchHound.slnx -v minimal
dotnet run --project src/PatchHound.Api
dotnet run --project src/PatchHound.Worker

Runner:

dotnet run --project src/PatchHound.Puppy

Frontend:

cd frontend
npm install
npm run lint
npm run typecheck
npm test
npm run dev

Documentation

Microsoft Sentinel Integration

To set up the Sentinel integration, first deploy the PatchHound data connector. Opening the link below will guide you through that deployment in Connector Studio.

Open in Connector Studio

OpenBao Policy

PatchHound expects a KV v2 mount named patchhound and an application token with access to the full application data path:

path "patchhound/*" {
  capabilities = ["create", "update", "read", "delete"]
}

Set the resulting token in .env as OPENBAO_TOKEN.
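One way to carry out this setup end to end, as an added example rather than the project's own tooling: it assumes the bao CLI is installed with BAO_ADDR and BAO_TOKEN pointing at an admin-capable token, uses the policy above verbatim, and scopes the application token to that policy alone before writing it into .env.

```shell
#!/bin/sh
# Added example (not PatchHound's own tooling). Assumes the `bao` CLI is installed and
# BAO_ADDR / BAO_TOKEN point at an OpenBao instance with an admin-capable token.
set -eu

# Policy exactly as the README gives it. On a KV v2 mount, "patchhound/*" spans the
# data/, metadata/, delete/, undelete/ and destroy/ API paths under the mount.
render_policy() {
  cat <<'EOF'
path "patchhound/*" {
  capabilities = ["create", "update", "read", "delete"]
}
EOF
}

# Set KEY=VALUE in an env file, replacing an existing line instead of appending a duplicate.
set_env_value() {
  env_file="$1"; key="$2"; value="$3"
  touch "$env_file"
  tmp="$(mktemp)"
  grep -v "^${key}=" "$env_file" > "$tmp" || true   # grep -v exits 1 when nothing remains
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$env_file"
}

# Enable the mount if it is missing, install the policy, and mint a token that carries only
# that policy (no default policy; orphaned so it outlives the admin token that created it).
provision_openbao() {
  bao read sys/mounts/patchhound >/dev/null 2>&1 || bao secrets enable -path=patchhound kv-v2
  render_policy | bao policy write patchhound -
  bao token create -policy=patchhound -no-default-policy -orphan \
    -display-name=patchhound -field=token
}

# Runs only when the CLI and an admin token are present; otherwise just defines the functions.
if command -v bao >/dev/null 2>&1 && [ -n "${BAO_TOKEN:-}" ]; then
  set_env_value .env OPENBAO_TOKEN "$(provision_openbao)"
fi
```

Rotating the token later is the same provision_openbao plus set_env_value pair; the old token should then be revoked with the admin token.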

Contributing

See CONTRIBUTING.md.

Security

See SECURITY.md.

License

Licensed under MIT.
