# HenKaiPan ASPM — Self-Hosted

Application Security Posture Management platform. Self-hosted edition.

📚 Documentation: Production Deployment | Backup & Restore
## Prerequisites

- Docker & Docker Compose (v2.24+)
- 8 GB RAM minimum (16 GB recommended for concurrent scans)
- 30 GB free disk — scanner images are ~6 GB, plus app images and data
## Quickstart

### Docker Compose (Recommended for local/dev)

```bash
# 1. Run the installer (checks prerequisites, generates secrets)
./install.sh
# If you already have Ollama or don't need AI summaries:
# ./install.sh --skip-ollama

# 2. Start
docker compose up -d

# 3. Open http://localhost:8080
# Login with the auto-generated admin password (shown at end of install.sh)
```

### Kubernetes (Production)

See the Kubernetes Deployment Guide for production K8s deployment.

```bash
# Quick test deployment
kubectl apply -f kubernetes/all-in-one.yaml
kubectl port-forward svc/henkaipan-api 8080:8080 -n henkaipan
```

### Manual setup (without install.sh)

```bash
cp .env.example .env
# Edit .env: set JWT_SECRET, SECRET_ENCRYPTION_KEY
# ADMIN_PASS is optional - defaults to "admin" if not set
# If using Ollama, uncomment and set OLLAMA_URL and OLLAMA_MODEL
docker compose up -d
```
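The manual path leaves you to produce the two secrets that `install.sh` would otherwise generate. The script below is an added example, not part of the HenKaiPan project: it draws random values for `JWT_SECRET` and `SECRET_ENCRYPTION_KEY` from `/dev/urandom`, writes them into a `.env` copied from `.env.example`, and checks that `DATABASE_URL` is set and that neither secret is empty or shorter than 32 characters before you run `docker compose up -d`. The 32-byte secret length and the 32-character minimum are this example's own choice; the project documents no specific length.

```shell
#!/bin/sh
# Added example (not part of the HenKaiPan project): generate the secrets
# the manual setup asks for and validate a .env file before starting the stack.
# The 32-byte length / 32-character minimum are this example's assumptions.

# Print a random hex string of N bytes (default 32) read from /dev/urandom.
gen_secret() {
  n="${1:-32}"
  head -c "$n" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print the value of VAR from an env file ($1 = file, $2 = variable name).
# The last assignment wins, matching how most env loaders behave.
env_get() {
  grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# Validate the required variables. Returns 0 when DATABASE_URL is set and
# JWT_SECRET / SECRET_ENCRYPTION_KEY are present and at least 32 characters.
check_env() {
  f="$1"
  rc=0
  db="$(env_get "$f" DATABASE_URL)"
  [ -n "$db" ] || { echo "DATABASE_URL is not set" >&2; rc=1; }
  for var in JWT_SECRET SECRET_ENCRYPTION_KEY; do
    val="$(env_get "$f" "$var")"
    if [ -z "$val" ]; then
      echo "$var is not set" >&2; rc=1
    elif [ "${#val}" -lt 32 ]; then
      echo "$var is shorter than 32 characters" >&2; rc=1
    fi
  done
  return "$rc"
}

# Write a fresh env file from a template ($1, e.g. .env.example) to $2,
# replacing any placeholder secret lines with freshly generated ones and
# restricting the file to the owner, since it now holds live secrets.
write_env() {
  cp "$1" "$2"
  grep -v -e '^JWT_SECRET=' -e '^SECRET_ENCRYPTION_KEY=' "$2" > "$2.tmp" || true
  mv "$2.tmp" "$2"
  printf 'JWT_SECRET=%s\n' "$(gen_secret 32)" >> "$2"
  printf 'SECRET_ENCRYPTION_KEY=%s\n' "$(gen_secret 32)" >> "$2"
  chmod 600 "$2"
}

# Typical use from the repository root:
#   write_env .env.example .env && check_env .env && docker compose up -d
```

Run `check_env .env` again after any manual edit; a template value such as `changeme` fails the length check, and an empty `JWT_SECRET=` line fails the presence check, so the stack is never started with a placeholder signing key.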
## Installer Options

| Flag | Description |
|---|---|
| `--skip-ollama` | Skip Ollama installation, model pull, and Ollama environment configuration |
## Configuration

See `.env.example` for all options. Required variables:

| Variable | Description |
|---|---|
| `DATABASE_URL` | PostgreSQL connection string |
| `JWT_SECRET` | Auth token signing key |
| `SECRET_ENCRYPTION_KEY` | Encryption key for stored secrets |

Optional variables:

| Variable | Description | Default |
|---|---|---|
| `ADMIN_PASS` | Admin password (set on first run only) | `admin` |
| `PROMETHEUS_PORT` | Prometheus metrics endpoint | `9090` |
### Kubernetes Configuration

For Kubernetes deployments, environment variables are configured via ConfigMap and Secret resources. See the Kubernetes Deployment Guide for details.
## AI Providers

The self-hosted edition supports multiple AI providers with different capabilities:

- **Ollama** (FREE, self-hosted) — AI summaries, remediation, and validation. Set `OLLAMA_URL` and `OLLAMA_MODEL`
- **OpenRouter** — AI summaries, remediation, and validation. Set `OPENROUTER_API_KEY`
- **Cloudflare Workers AI** — AI summaries, remediation, and validation. Set `CF_ACCOUNT_ID` and `CF_API_TOKEN`
- Use `./install.sh --skip-ollama` if you already have Ollama running elsewhere or don't need AI summaries
## Monitoring

Prometheus metrics are exposed on port 9090 (configurable via `PROMETHEUS_PORT`). Includes queue and database metrics collectors.

Access metrics:

```bash
# Docker Compose
curl http://localhost:9090/metrics

# Kubernetes
kubectl port-forward svc/henkaipan-api 9090:9090 -n henkaipan
curl http://localhost:9090/metrics
```

Sample Prometheus configuration:

```yaml
scrape_configs:
  - job_name: 'henkaipan-api'
    static_configs:
      - targets: ['api:9090']
    metrics_path: /metrics
    scrape_interval: 10s
```

See `monitoring/prometheus.yml` for a complete example configuration.
## Rate Limiting

Redis-based rate limiting is enabled by default with per-endpoint tiers:

- Auth endpoints: 10 requests/min
- Heavy operations: 20 requests/min
- General endpoints: 100 requests/min

Rate limit headers (`X-RateLimit-*`) are included in responses. The system fails open on Redis errors: if Redis is unreachable, requests are served without being throttled rather than rejected.
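Because the limiter fails open, a Redis problem does not surface as errors, so it is worth confirming after a deploy or a Redis change that responses still carry the limiter's headers. The script below is an added example, not the project's own tooling: it parses an HTTP header dump (the form `curl -D -` prints), reports the limit values it finds, and exits non-zero when none are present. The header names `X-RateLimit-Limit` and `X-RateLimit-Remaining` are an assumption; the README only promises the `X-RateLimit-*` family, so substitute whatever your deployment actually sends. The sample headers embedded in the block are constructed for the demo, not captured from a real instance.

```shell
#!/bin/sh
# Added example (not part of the HenKaiPan project): report the X-RateLimit-*
# headers in a response so a missing limiter is noticed instead of silently
# failing open. Header names below are assumptions, not project documentation.

# Print the value of one header (name match is case-insensitive) from a
# header dump on stdin. Strips the CR that curl keeps on each line.
header_value() {
  wanted="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  tr -d '\r' | awk -v name="$wanted" '
    {
      split($0, kv, ":")
      if (tolower(kv[1]) == name) {
        sub(/^[^:]*:[ \t]*/, "")
        print
        exit
      }
    }'
}

# Summarise a header dump from stdin: prints "limit=<n> remaining=<n>",
# or "absent" with exit status 1 when neither header is present.
ratelimit_summary() {
  dump="$(cat)"
  limit="$(printf '%s\n' "$dump" | header_value X-RateLimit-Limit)"
  remaining="$(printf '%s\n' "$dump" | header_value X-RateLimit-Remaining)"
  if [ -z "$limit" ] && [ -z "$remaining" ]; then
    echo "absent"
    return 1
  fi
  echo "limit=${limit:-?} remaining=${remaining:-?}"
}

# Probe a live endpoint ($1 = URL) and summarise its headers. Requires curl.
ratelimit_probe() {
  curl -s -D - -o /dev/null "$1" | ratelimit_summary
}

# Constructed sample, shaped like `curl -D -` output (not real server output).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: application/json
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 97'

# Offline demonstration against the constructed sample.
demo() {
  printf '%s\n' "$SAMPLE_HEADERS" | ratelimit_summary
}
```

For a running instance, `ratelimit_probe http://localhost:8080/` (or any endpoint you want to check) prints the current counters; an `absent` result after a Redis restart is the signal to look at the Redis connection before assuming the limiter is protecting the auth endpoints.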
## Updating

```bash
docker compose pull
docker compose up -d
```

Migrations run automatically on startup. See the production guide for upgrade and rollback procedures.
## Production Checklist

See the Production Deployment Guide for the full checklist covering security hardening, TLS, environment configuration, database backups, email notifications, and more.

## Support

- Documentation: https://henkaipan.dyallab.com.ar/docs/
- GitHub Issues: Report bugs or feature requests