Web compliance and vulnerability scanner
GDPR • PCI-DSS • ISO 27001, with a GTK4 desktop UI, a REST API, and JSON/SARIF reporting
Features • Quick Start • Screenshots • Architecture • API • Contributing
ComplianceScan checks a web target against common security baselines and maps the findings onto compliance standards. It inspects TLS configuration, security headers, and cookie flags, then evaluates the result against GDPR, PCI-DSS, and ISO 27001 control sets and produces a report with CVSS v3.1-scored findings.
You can drive it three ways: a GTK4 desktop app for interactive use, a CLI for local and scripted runs, and a FastAPI REST service for integration. Results are persisted to SQLite and can be exported as JSON, SARIF, CSV, XML, Markdown, or PDF.
It's meant for the recurring "is this site configured sanely, and where does it sit against the standards we care about" check, not a substitute for a full audit or a manual pentest. HIPAA mapping exists but is partial.
⚠️ Authorized use only. Only scan systems you own or have explicit written permission to test.
|
|
|
|
| Dashboard | New Scan | History |
|---|---|---|
![]() |
![]() |
![]() |
| Compliance overview and metrics | Configure and launch a scan | Scan audit trail with filtering |
A modular Python backend shared by three frontends (GTK, CLI, REST):
┌──────────────────────────────────────────────────────────────┐
│ GTK4 GUI • CLI • FastAPI REST API │
└─────────────────────────────┬────────────────────────────────┘
▼
┌──────────────────────────────────────────────────────────────┐
│ Backend Core │
│ Scanner • Analyzer • Reporter │
└───────┬─────────────────────┬─────────────────────┬──────────┘
▼ ▼ ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Scanner │ │ Analyzer │ │ Reporter │
│ (requests) │ │ (Compliance) │ │ (PDF/SARIF…) │
└───────────────┘ └───────────────┘ └───────────────┘
└──────────┬──────────┴─────────────────────┘
▼
┌─────────────────────────────┐
│ SQLite Database │
│ Scans • Findings • History │
└─────────────────────────────┘
| Layer | Technology |
|---|---|
| GUI | GTK4 + libadwaita, PyGObject |
| API | FastAPI, Uvicorn |
| Scanning | requests, BeautifulSoup4 |
| Reporting | wkhtmltopdf (PDF), SARIF/CSV/XML/Markdown exporters |
| Storage | SQLite |
| Requirement | Version | Notes |
|---|---|---|
| Python | 3.10–3.13 | |
| GTK4 + libadwaita | 4.0+ | system package, with PyGObject |
| wkhtmltopdf | recent | only for PDF reports |
| Linux | - | tested on Arch, Fedora/RHEL |
GTK and PyGObject come from your distro, not pip:
# Arch
sudo pacman -S python-gobject gtk4 libadwaita wkhtmltopdf
# Fedora / RHEL
sudo dnf install python3-gobject gtk4 libadwaita wkhtmltopdfgit clone https://github.com/exiv703/ShieldEye_ComplianceScan.git
cd ShieldEye_ComplianceScan
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txtOr use the interactive launcher, which handles dependency install for you:
./run.sh./run.sh # interactive menu
python main_gtk.py # GUI directly# Run a scan and save it to the database
python -m backend.cli.advanced scan https://example.com --save-db
# View recent scans
python -m backend.cli.advanced history --limit 10
# Compare two scans
python -m backend.cli.advanced compare <scan-id-a> <scan-id-b>
# Health and database stats
python -m backend.cli.advanced health
python -m backend.cli.advanced statsPaths are overridable via environment variables:
export SHIELDEYE_DB_PATH="$HOME/.shieldeye/scans.db"
export SHIELDEYE_LOG_DIR="$HOME/.shieldeye/logs"
export SHIELDEYE_REPORTS_DIR="$HOME/.shieldeye/reports"A few capabilities are gated behind flags (defaults are safe):
| Flag | Default | Description |
|---|---|---|
COMPLIANCE_BENCHMARKS_ENABLED |
true |
CIS/PCI-DSS/SOC2 benchmark execution |
SHIELDEYE_ALLOW_INSECURE_TARGETS |
false |
Permit scanning targets with invalid TLS (internal use) |
ENABLE_REMEDIATION_SNIPPETS |
true |
Include copy-paste fix commands in reports |
Production toggles (Redis-backed rate limiting, Prometheus export, ML
correlation) live in .env.example and are documented in
docs/MIGRATION_GUIDE.md. Version history is in
CHANGELOG.md.
The REST API ships with OpenAPI/Swagger docs. Scan and config routes require a Bearer token; health and template lookups are open.
| Method | Endpoint | Description |
|---|---|---|
POST |
/scans |
Create and queue a compliance scan |
GET |
/scans |
List recent scans (with filtering) |
GET |
/scans/{id} |
Scan details and findings |
DELETE |
/scans/{id} |
Remove a scan and its findings |
GET |
/scans/{id}/export?format=sarif |
Export results (json, csv, xml, sarif, markdown) |
GET |
/templates · /templates/{name} |
Scan templates |
POST |
/schedules · GET /schedules |
Recurring scan schedules |
POST |
/webhooks/subscribe · GET /webhooks |
Scan-completion webhooks |
GET |
/stats |
Aggregated scan statistics |
GET |
/health |
Service health and dependency checks |
See docs/INTEGRATION_GUIDE.md for the Core /
SurfaceScan data flow.
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
# Tests (113 across scanner, policy, integrations, reporting, …)
pytest tests/ -v
pytest tests/ --cov=backend --cov-report=htmlBeyond the basics, the backend also carries a policy-as-code engine
(policy/validator.py), control-mapping benchmarks (benchmark/engine.py),
typed Core/SurfaceScan integration clients (integrations/), and optional
resilience/observability hooks (backend/utils/). See CHANGELOG.md
for what landed when.
- Fork and branch off
main. - Keep changes scoped and add tests for new scanner or compliance logic.
- Make sure
pytestpasses before opening a PR.
MIT - see LICENSE.
Part of the ShieldEye toolkit:
- ShieldEye Core - network security scanner (Nmap + GTK4)
- ShieldEye SurfaceScan - web attack-surface mapper
- ShieldEye NeuralScan - local source-code security scanner


