CHASE - Certificate Hunting and Security Enumeration
  • Go 47.5%
  • Svelte 44%
  • JavaScript 4.3%
  • Python 2.1%
  • TypeScript 1.2%
  • Other 0.9%
Find a file
Repository files (latest commit first)
Filename Latest commit message Latest commit date
Jonas Bo Grimsgaard 3fa16349d1
All checks were successful
CHASE CI/CD Build / lint-chart (push) Successful in 8s
CHASE CI/CD Build / build-and-publish (push) Successful in 2m18s
batch import: backdate FirstSeen to Unix epoch for 'do not mark as new'
2026-07-15 13:31:38 +02:00
.claude feat: implement server-sent events for security scan progress and enhance loading UI 2026-01-27 21:03:09 +00:00
.devcontainer chore(devcontainer): provision postgres on first open 2026-05-08 16:43:29 +02:00
.docs feat: implement data retention policy with aggregation for ping results and cleanup for various tables 2026-04-08 19:08:45 +00:00
.github Remove SQLite from the app + fix chart versioning (#28) 2026-07-12 14:06:50 +02:00
.helm feat(helm)!: drop SQLite migration, go all-in on Postgres + Deployments (#27) 2026-07-12 13:40:40 +02:00
.vscode feat: implement server-sent events for security scan progress and enhance loading UI 2026-01-27 21:03:09 +00:00
api batch import: backdate FirstSeen to Unix epoch for 'do not mark as new' 2026-07-15 13:31:38 +02:00
screenshot-python-legacy feat(http): identify Chase via User-Agent on scanner and screenshot requests 2026-06-03 14:10:40 +02:00
screenshot-service fix(screenshot): clean up rod profiles and move /tmp off the tmpfs 2026-06-08 08:00:27 +02:00
web feat(servers): add FirstSeen for CSV round-trip and "do not mark as new" import (#30) 2026-07-15 13:07:38 +02:00
.dockerignore added screenshot utility 2024-12-11 00:49:13 +01:00
.gitignore Merge origin/main; adopt scheduler package and install CNPG operator 2026-05-14 12:08:21 +02:00
docker-compose.yml refactor: update screenshot service ports and healthcheck URLs 2026-01-27 21:24:44 +01:00
Dockerfile chore: update Go version to 1.26 in Dockerfiles 2026-03-29 13:35:01 +02:00
README.md feat(auth): add PKCE (S256) and state validation to OIDC login flow (#29) 2026-07-14 08:44:41 +02:00
SECURITY_TODO.md feat: update server components and styles for improved UI/UX 2026-01-19 15:36:39 +00:00

CHASE

Certificate Hunting & Security Enumeration

frontpage

Tool to find security issues for a given domain. It checks for:

  • security headers
  • certificate best practices
  • screenshots of the domain over time
  • exposure of admin pages
  • exposure of swagger endpoints

frontpage

Get started

git clone https://github.com/NorskHelsenett/chase.git
cd chase
code .

Devcontainer

Open with VSCode Devcontainer support

Setup OIDC (optional)

Create an .env file,

cat <<EOF > api/.env
OIDC_ISSUER_URL=
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_REDIRECT_URL=http://localhost:5173/api/callback
EOF

The authorization code flow uses PKCE (S256), so OIDC_CLIENT_SECRET can be left empty if your identity provider allows public clients.

Run docker

docker volume create chase_data
docker run --rm -v chase_data:/data alpine chown -R 101:101 /data
docker run --rm -it -p 8888:8080 -v fit_data:/data chase

Test docker-compose

curl -X POST http://localhost:8081/screenshot \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com"}'

Start debugging

F5 to start debugging golang

Scripts to get started

Create a script to push multiple hosts at once:

cat << 'EOF' > create_servers.sh
#!/bin/bash

while IFS= read -r url; do
    if curl -X POST 'http://localhost:8080/api/servers' \
    -H 'Content-Type: application/json' \
    -d "{
        \"url\": \"$url\",
        \"active\": true,
        \"follow_redirect\": true,
        \"expected_status\": 200
    }"; then
        echo -e "\nSuccessfully processed: $url\n"
    else
        echo -e "\nError processing: $url\n" >&2
    fi
done
EOF

Then use it like:

chmod +x create_servers.sh

And mass insert domains with EOF:

cat << EOF | ./create_servers.sh
https://nhn.no
https://github.com/NorskHelsenett
EOF

Environment Variables

Below are the environment variables used by CHASE. Set these in your api/.env file:

Variable Default Value Description
CHASE_HOSTNAME (empty) Hostname for scanner, used in User-Agent header.
SCREENSHOT_SERVICE_URL (empty) URL for screenshot microservice.
MONITORING_INTERVAL 5 Interval (minutes) for server monitoring.
OIDC_ISSUER_URL (empty) OIDC issuer URL for authentication.
OIDC_CLIENT_ID (empty) OIDC client ID.
OIDC_CLIENT_SECRET (empty) OIDC client secret.
OIDC_REDIRECT_URL http://localhost:5173/api/callback OIDC redirect URI.
CHASE_SECRET_KEY (empty) Secret key for API authentication.
ENV_FILE api/.env Path to environment file to load.

Fill in the values as needed for your deployment. If a variable is not set, defaults will be used where applicable.