This repository hosts the open source version of SAMMY - the OWASP SAMM tool.
https://owasp.org/www-project-open-sammy/
This project is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file for details.
- The setup comes with a predefined user injected in the database:
- username: admin@example.com
- password: admin
- mfa key: AB4FHDUHYVGW7IAB (add this key to your authenticator app manually)
- MySQL or MariaDB
- Redis (only if you want to run it in
APP_ENV=prod) - php8.2+
- composer
- Symfony CLI (https://symfony.com/download)
- Create
.env.localfile with your local setup. Example with MariaDB:- in case of any other DB here you can find proper connection string - https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#connecting-using-a-url
DATABASE_URL=mysql://root:root@127.0.0.1:3306/sammy?serverVersion=11.3.2-MariaDB
REDIS_HOST=127.0.0.1
REDIS_PORT=6379
APP_ENV=dev
APP_DEBUG=1- install & run
composer install
./scripts/setup_database.sh
# if you have symfony cli
symfony server:start --allow-http
# else
php -S 0.0.0.0:8000 -t ./public
open http://127.0.0.1:8000# 1. start DB and Redis
docker compose up -d db redis
# 2. now we can start our application
docker compose up -d --build app
# 3. sync SAMM model. Note, this step syncs the SAMM model from the core GitHub repo. You only have to run this the very first time and upon every SAMM model update.
docker compose exec app ./scripts/sync_samm.sh
# 4. sync DSOMM model. Note, this step syncs the DSOMM model from the core GitHub repo. You only have to run this the very first time and upon every DSOMM model update.
docker compose exec app ./scripts/sync_dsomm.sh
# 5. Enjoy
open http://127.0.0.1:8000- If you want to use mailing feature you have to add following to your
.env.localorcompose.yamlfile. All fields are Required. Also, server should use proper SSL by default.- for
.env.lcoalPHPMAILER_SMTP_HOST= PHPMAILER_SMTP_PORT= PHPMAILER_SMTP_USERNAME= PHPMAILER_SMTP_PASSWORD= PHPMAILER_SMTP_DEFAULT_SENDER= PHPMAILER_SMTP_USE_AUTH= PHPMAILER_SMTP_DEFAULT_ENCRYPTION= PHPMAILER_SMTP_AUTO_TLS=
- for
compose.yamlunderappsection underenvironment
- PHPMAILER_SMTP_HOST= - PHPMAILER_SMTP_PORT= - PHPMAILER_SMTP_USERNAME= - PHPMAILER_SMTP_PASSWORD= - PHPMAILER_SMTP_DEFAULT_SENDER= - PHPMAILER_SMTP_USE_AUTH= - PHPMAILER_SMTP_DEFAULT_ENCRYPTION=
- for
- for
- If you are using docker you do not have to do anything else. There is a cronjob which runs every 2 minutes.
- If you are running this locally you have to run following command manually:
php ./bin/console app:process-mailingWe have support for assessments for DSOMM model. By default you will have DSOMM model in your database with the needed things. If you wish you can import custom DSOMM variation. For example you can have model with more/less domains and practices. You can have many DSOMM variations simultaneously.
php ./bin/console app:sync-from-dsomm --source="path/to/dsomm-file.yaml"
Optionally you can pass metamodel ID if you wish to perform updates to existing DSOMM variation
php ./bin/console app:sync-from-dsomm --source="path/to/dsomm-file.yaml" --metamodel=33
We expect single YAML file with all the data structure as below. By default we will use this file https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/blob/main/src/assets/YAML/generated/generated.yaml