TPT Security Platform

TPT Security Platform – Open Source Security Assessment & Compliance Audit | TPT Solutions

A free, open-source security assessment and compliance audit platform. Scan targets for vulnerabilities, audit your cloud infrastructure and identity providers via API, then generate HTML, PDF, or JSON reports mapped directly to SOC 2, ISO 27001, and HIPAA controls — all from a single Go binary with a built-in web UI.

Go 1.22+ · HTMX · SOC 2 · ISO 27001 · HIPAA · CLI + Web UI · Single Binary · MIT License

What is TPT Security Platform?

TPT Security Platform combines vulnerability scanning, cloud infrastructure auditing, and compliance reporting in one tool. Rather than running separate scanners and manually mapping results to compliance frameworks, it handles the entire workflow: scan or audit your environment, then immediately generate an audit-ready report showing which SOC 2, ISO 27001, or HIPAA controls pass, fail, or need review.

It embeds Nuclei for template-based vulnerability detection, integrates with Naabu, OWASP ZAP, Dalfox, and Gitleaks for broad coverage, and connects directly to cloud provider APIs — AWS, GCP, Azure, DigitalOcean, Cloudflare, and more — for internal infrastructure audits. The web UI (HTMX + Tailwind + DaisyUI) runs on the same binary with no build step required.

Compliance Frameworks

SOC 2 Type II

Trust Services Criteria mapping. Access controls, availability, processing integrity, confidentiality, and privacy controls — all mapped to scan findings automatically.

ISO/IEC 27001:2022

Full Annex A control coverage. Network exposure, cryptography, configuration management, vulnerability management, and SSDLC checks.

HIPAA Security Rule

45 CFR §164.308 Administrative and §164.312 Technical Safeguard controls mapped to cloud audit and scan results.

Control mappings are plain YAML files in mappings/ — add any custom framework (PCI-DSS, NZISM, etc.) by dropping in a new file.


Key Features

Vulnerability Scanning

Nuclei (embedded SDK), Naabu port scanning, OWASP ZAP web app scanning, TLS inspector, Dalfox XSS detection, and email security checks (SPF/DKIM/DMARC).

Cloud & IDP Auditing

Direct API audits across 10+ cloud providers and 6+ identity providers. No agent required — uses your existing credentials or tokens.

Compliance Reports

Generate HTML, PDF, and JSON reports with executive summaries, control coverage matrices, and per-finding remediation advice. AI-enhanced with Claude, GPT, Grok, or OpenRouter.

File Import

Import existing scan results from Nessus (.nessus), Burp Suite XML, and OpenVAS/GVM XML. Map them to compliance frameworks without re-scanning.

Secrets Detection

Gitleaks integration for hardcoded secrets in source trees, plus govulncheck and osv-scanner for known dependency CVEs.

Web UI + REST API

Live dashboard at localhost:4242 with HTMX live updates. REST API for CI/CD integration and retest tracking via PATCH /api/findings/{id}/status.


Quick Start

# Build from source (Go 1.22+, no CGO)
git clone https://github.com/PhillipC05/tpt-security-test.git
cd tpt-security-test && go build -o tpt ./cmd/tpt

# Or with Docker
docker compose up -d

# Scan a target mapped to SOC 2 + ISO 27001
tpt scan example.com --framework soc2,iso27001 --scope web,network,tls

# Audit AWS account for SOC 2 + HIPAA
tpt audit --provider aws --aws-profile prod --framework soc2,hipaa

# Audit a Linux server over SSH
tpt audit --provider linux --linux-host 10.0.0.5:22 \
  --linux-user ubuntu --linux-key ~/.ssh/id_rsa --framework iso27001

# Generate PDF + HTML report (AI-enhanced if key is set)
tpt report <job-id> --format html,pdf --output reports/

# Launch web UI at http://localhost:4242
tpt serve

Audit Providers

Cloud: AWS, GCP, Azure, DigitalOcean, Hetzner, Cloudflare, Vercel, Supabase, Wasabi, Backblaze
Identity: Okta, Azure AD / Entra, Google Workspace, Auth0, Keycloak, Active Directory / LDAP
VCS: GitHub, GitLab, Bitbucket, Gitea / Forgejo
Infrastructure: Linux (SSH), Kubernetes

Compliance-Mapped Nuclei Templates

Template | Framework | Detects
soc2/cc6.1-access-controls.yaml | SOC 2 | Access control misconfigurations
soc2/cc6.3-broken-auth.yaml | SOC 2 | JWT none-alg, insecure session cookies
soc2/cc6.6-cors-misconfig.yaml | SOC 2 | Wildcard / reflective CORS
soc2/cc6.7-crypto-transmission.yaml | SOC 2 | Weak TLS, missing HSTS
soc2/cc9.2-api-exposure.yaml | SOC 2 | Swagger, GraphQL introspection
iso27001/a.5.17-auth-weakness.yaml | ISO 27001 | Default credentials, HTTP Basic auth
iso27001/a.8.8-technical-vulnerabilities.yaml | ISO 27001 | CVE detection
iso27001/a.8.20-network-exposure.yaml | ISO 27001 | Exposed MongoDB, Redis, Elasticsearch
iso27001/a.8.25-ssdlc.yaml | ISO 27001 | Debug endpoints, stack traces, .env files
iso27001/a.8.29-injection.yaml | ISO 27001 | SQLi indicators, SSTI

Point --template-dir at any Nuclei templates directory to use your own.
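The page describes the core workflow as mapping template findings onto framework controls and reporting each control as pass, fail or needs review. The following Go program is an added illustration of that idea, not code from the TPT project: the ControlMapping struct stands in for an entry of a mappings/ YAML file whose real schema is not shown here, the template names come from the table above, and the pass/review/fail rule (including treating a template that never ran as "review" rather than "pass") is an assumption chosen for the example.

```go
package main

import "fmt"

type Finding struct{ Template, Severity string } // producing Nuclei template and its Nuclei severity

// ControlMapping: one control and the templates testing it (hypothetical stand-in for a mappings/ YAML entry).
type ControlMapping struct {
	Control   string
	Templates []string
}

var statuses = []string{"pass", "review", "fail"} // ordered: the worst result for a control wins
var severityRank = map[string]int{"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

// EvaluateControls builds a control coverage matrix. Rule (an assumption for this example,
// not the project's documented policy): fail on any finding at or above failAt; review if a
// mapped template never ran or only found lower severities; pass if every template ran clean.
func EvaluateControls(mappings []ControlMapping, ran map[string]bool, findings []Finding, failAt string) map[string]string {
	byTemplate := map[string][]Finding{}
	for _, f := range findings {
		byTemplate[f.Template] = append(byTemplate[f.Template], f)
	}
	matrix := map[string]string{}
	for _, m := range mappings {
		worst := 0 // index into statuses
		for _, t := range m.Templates {
			if !ran[t] && len(byTemplate[t]) == 0 && worst < 1 {
				worst = 1 // no evidence either way: coverage gap, not a pass
			}
			for _, f := range byTemplate[t] {
				if severityRank[f.Severity] >= severityRank[failAt] {
					worst = 2
				} else if worst < 1 {
					worst = 1 // sub-threshold findings still need a human look
				}
			}
		}
		matrix[m.Control] = statuses[worst]
	}
	return matrix
}

func main() {
	// Constructed run: cc6.3 never executed, cc6.7 found a high (e.g. missing HSTS), cc9.2 only info.
	mappings := []ControlMapping{{"CC6.3", []string{"soc2/cc6.3-broken-auth.yaml"}}, {"CC6.7", []string{"soc2/cc6.7-crypto-transmission.yaml"}}, {"CC9.2", []string{"soc2/cc9.2-api-exposure.yaml"}}}
	ran := map[string]bool{"soc2/cc6.7-crypto-transmission.yaml": true, "soc2/cc9.2-api-exposure.yaml": true}
	findings := []Finding{{"soc2/cc6.7-crypto-transmission.yaml", "high"}, {"soc2/cc9.2-api-exposure.yaml", "info"}}
	fmt.Println(EvaluateControls(mappings, ran, findings, "medium")) // map[CC6.3:review CC6.7:fail CC9.2:review]
}
```

Findings from templates that no control references are ignored, so an unmapped critical never silently changes a control's status; it should be surfaced separately in the report.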


AI-Enhanced Reports

Set any LLM API key to enable AI-generated executive summaries and per-finding remediation advice. Static templates are always used as a fallback, so reports work fully offline.

# Claude Haiku (recommended — fastest + cheapest)
export ANTHROPIC_API_KEY=sk-ant-…

# Or GPT-4o mini, Grok 3 mini, or any OpenRouter model
export OPENAI_API_KEY=sk-…
export GROK_API_KEY=…
export OPENROUTER_API_KEY=…

# Disable AI even when a key is set
tpt report <job-id> --format pdf --no-ai

Tech Stack

Go 1.22+, Nuclei (embedded SDK), Naabu, OWASP ZAP, Dalfox, Gitleaks, govulncheck / osv-scanner, SQLite (GORM, no CGO), HTMX, Tailwind CSS + DaisyUI, go-pdf/fpdf, cobra, Docker