mirror of
https://github.com/NorskHelsenett/chase.git
synced 2026-07-17 14:36:22 +02:00
CHASE - Certificate Hunting and Security Enumeration
- Go 47.5%
- Svelte 44%
- JavaScript 4.3%
- Python 2.1%
- TypeScript 1.2%
- Other 0.9%
| Filename | Latest commit message | Latest commit date |
|---|---|---|
| .claude | ||
| .devcontainer | ||
| .docs | ||
| .github | ||
| .helm | ||
| .vscode | ||
| api | ||
| screenshot-python-legacy | ||
| screenshot-service | ||
| web | ||
| .dockerignore | ||
| .gitignore | ||
| docker-compose.yml | ||
| Dockerfile | ||
| README.md | ||
| SECURITY_TODO.md | ||
CHASE
Certificate Hunting & Security Enumeration
Tool to find security issues for a given domain. It checks for:
- security headers
- certificate best practices
- screenshots of the domain over time
- exposure of admin pages
- exposure of swagger endpoints
Get started
git clone https://github.com/NorskHelsenett/chase.git
cd chase
code .
Devcontainer
Open with VSCode Devcontainer support
Setup OIDC (optional)
Create an .env file,
cat <<EOF > api/.env
OIDC_ISSUER_URL=
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_REDIRECT_URL=http://localhost:5173/api/callback
EOF
The authorization code flow uses PKCE (S256), so OIDC_CLIENT_SECRET can be left empty if your identity provider allows public clients.
Run docker
docker volume create chase_data
docker run --rm -v chase_data:/data alpine chown -R 101:101 /data
docker run --rm -it -p 8888:8080 -v fit_data:/data chase
Test docker-compose
curl -X POST http://localhost:8081/screenshot \
-H "Content-Type: application/json" \
-d '{"url": "https://example.com"}'
Start debugging
F5 to start debugging golang
Scripts to get started
Create a script to push multiple hosts at once:
cat << 'EOF' > create_servers.sh
#!/bin/bash
while IFS= read -r url; do
if curl -X POST 'http://localhost:8080/api/servers' \
-H 'Content-Type: application/json' \
-d "{
\"url\": \"$url\",
\"active\": true,
\"follow_redirect\": true,
\"expected_status\": 200
}"; then
echo -e "\nSuccessfully processed: $url\n"
else
echo -e "\nError processing: $url\n" >&2
fi
done
EOF
Then use it like:
chmod +x create_servers.sh
And mass insert domains with EOF:
cat << EOF | ./create_servers.sh
https://nhn.no
https://github.com/NorskHelsenett
EOF
Environment Variables
Below are the environment variables used by CHASE. Set these in your api/.env file:
| Variable | Default Value | Description |
|---|---|---|
| CHASE_HOSTNAME | (empty) | Hostname for scanner, used in User-Agent header. |
| SCREENSHOT_SERVICE_URL | (empty) | URL for screenshot microservice. |
| MONITORING_INTERVAL | 5 | Interval (minutes) for server monitoring. |
| OIDC_ISSUER_URL | (empty) | OIDC issuer URL for authentication. |
| OIDC_CLIENT_ID | (empty) | OIDC client ID. |
| OIDC_CLIENT_SECRET | (empty) | OIDC client secret. |
| OIDC_REDIRECT_URL | http://localhost:5173/api/callback | OIDC redirect URI. |
| CHASE_SECRET_KEY | (empty) | Secret key for API authentication. |
| ENV_FILE | api/.env | Path to environment file to load. |
Fill in the values as needed for your deployment. If a variable is not set, defaults will be used where applicable.

