Dradis
Overview
Dradis is an open-source collaboration and reporting framework designed specifically for penetration testers. It acts as a central repository for all findings, notes, and evidence gathered during an engagement, and generates professional client-ready reports from structured data.
Category
#reporting #collaboration #documentation
Phase
Reporting
Developer
Security Roots (dradisframework.com); source: github.com/dradis/dradis-ce
Editions
| Edition | Notes |
|---|---|
| Community Edition (CE) | Free, open-source; full core features |
| Pro | Commercial; team features, advanced integrations, templates |
Install (Kali Linux)
# Packaged for Kali (sudo apt install dradis); the wrapper starts the app
dradis
# Or start the Rails server manually
cd /usr/share/dradis
bundle exec rails server                # binds to 127.0.0.1 only (recommended)
bundle exec rails server -b 0.0.0.0     # listens on every interface: only behind a TLS-terminating proxy on a trusted network
# Access at: http://localhost:3000 (the stock Rails server speaks plain HTTP; HTTPS needs a reverse proxy in front)
Install (from source)
# Requires a supported Ruby plus Node.js for the asset pipeline
git clone https://github.com/dradis/dradis-ce.git
cd dradis-ce
ruby bin/setup          # installs gems and initialises the database (the repo's setup script)
bundle exec rails server
Core Concepts
| Term | Description |
|---|---|
| Project | A single engagement/pentest |
| Node | A target (host, service, web app) |
| Issue | A vulnerability or finding |
| Evidence | Proof associated with an issue on a specific node |
| Note | Freeform documentation on a node |
| Plugin | Import connector for tool output |
Key Features
Tool Import Plugins
Dradis can import output directly from:
- Nmap (XML)
- Nessus (.nessus files)
- OpenVAS (XML)
- Metasploit (XML)
- Burp Suite (XML)
- Nikto, w3af, Qualys, Acunetix, and more
# Example: Import Nmap XML into Dradis via UI
# Plugins → Upload Manager → Select nmap.xml
Structured Findings
Each issue can contain:
- Title
- CVSS score
- Description
- Risk rating
- Affected hosts (nodes + evidence)
- Recommendation
- References (CVE, CWE, etc.)
Report Generation
Export findings as:
- Word (.docx)
- HTML
- CSV
- Custom templates (using Textile/Markdown markup)
Workflow
1. Create new Dradis project for the engagement
2. Import tool output (Nmap, Nessus, Burp, etc.)
3. Review auto-created nodes and findings
4. Add manual findings, notes, screenshots as evidence
5. Assign findings to nodes (host → issue → evidence)
6. Generate report from template
7. Export as .docx or HTML for client delivery
Report Template Syntax
Issue, evidence and note content is stored as Textile split into named fields. A field starts with a `#[FieldName]#` line; everything up to the next field marker is that field's body, and the body itself may use Textile markup (`h2.`, `*bold*`, `bq.`, tables). Report templates reference fields by these names, so a field the template expects but the issue lacks simply renders empty:
#[Title]#
Short, client-facing finding title

#[Risk]#
High

#[CVSS]#
7.5

#[Description]#
h2. Impact

What the issue is and why it matters, in Textile.

#[Recommendation]#
What the client should change.
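To make the field format above concrete, and to show the import-then-findings step of the workflow without the UI, here is an added example (not Dradis project code) that parses a constructed Nmap XML sample, turns one class of exposure into Dradis field-format issue text, attaches per-host evidence text, and parses the result back. The `#[Field]#` delimiter layout is taken from the section above; the field names `Output`, the risk wording and the sample scan data are this example's own assumptions and should be matched to your project's issue and evidence templates.

```python
"""
Nmap XML -> Dradis field-format issue + evidence text, and back.

Added example, not Dradis project code. Assumptions:
  - Content is a sequence of '#[FieldName]#' marker lines, each followed by that
    field's Textile body (the layout shown in the section above).
  - The evidence field name 'Output' and the Nmap XML below are constructed for
    this example; adapt field names to your own templates.
"""
import re
import xml.etree.ElementTree as ET

# A field marker is a whole line of the form #[Name]#
FIELD_RE = re.compile(r'^#\[(.+?)\]#\s*$', re.MULTILINE)

def parse_fields(text):
    """Split field-format text into {field_name: body}, preserving order.
    A body line that itself looks like a marker would start a new field; that
    is a property of the format, not of this parser."""
    matches = list(FIELD_RE.finditer(text))
    fields = {}
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[start:end].strip()
    return fields

def render_fields(fields):
    """Serialize {field_name: body} into field-format text."""
    return "\n".join(f"#[{name}]#\n{body}\n" for name, body in fields.items())

def nmap_open_ports(xml_text):
    """Return {ipv4: [(port, proto, service), ...]} for ports in state 'open'."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall('host'):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for p in host.findall('ports/port'):
            state = p.find('state')
            if state is None or state.get('state') != 'open':
                continue  # closed/filtered ports are not evidence of exposure
            svc = p.find('service')
            name = svc.get('name', '') if svc is not None else ''
            ports.append((int(p.get('portid')), p.get('protocol'), name))
        hosts[addr_el.get('addr')] = ports
    return hosts

def build_cleartext_service_issue(hosts, service='telnet'):
    """Build one issue (field-format text) plus {host: evidence text} for every
    host exposing `service`. Hosts without it get no evidence entry."""
    affected = {a: [p for p in ports if p[2] == service] for a, ports in hosts.items()}
    affected = {a: p for a, p in affected.items() if p}
    issue = {
        'Title': f'Cleartext {service} service exposed',
        'Risk': 'High',  # assumed rating for the example
        'Description': (f'h2. Impact\n\nThe {service} service transmits credentials '
                        'and session data without encryption.'),
        'Recommendation': f'Disable {service} and use an encrypted alternative such as SSH.',
    }
    evidence = {
        addr: render_fields({'Output': '\n'.join(f'{port}/{proto} open {svc}'
                                                 for port, proto, svc in ports)})
        for addr, ports in affected.items()
    }
    return render_fields(issue), evidence

# Constructed sample scan: one host exposes telnet, the other has it closed.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
  <host><status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""

if __name__ == '__main__':
    hosts = nmap_open_ports(SAMPLE_NMAP_XML)
    issue_text, evidence = build_cleartext_service_issue(hosts)
    print(issue_text)
    for addr, ev in evidence.items():
        print(f'--- evidence for node {addr} ---\n{ev}')
```

The issue text is what you would paste into an issue's content in the UI; each evidence text belongs on the matching node, which is how Dradis ties a host to a finding in the report (host, then issue, then evidence). Because the round trip `parse_fields(render_fields(f)) == f` holds, the same helpers can be used to read findings back out for post-processing.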
REST API
Dradis exposes a REST API (bundled in CE as well as Pro) for pushing findings from CI/CD pipelines or pulling them for post-processing. Pro authenticates with a per-user API token as below; in CE you authenticate the same way as in the browser (HTTP Basic with the shared password). Project-scoped resources (issues, nodes, evidence) also need the Dradis-Project-Id header:
curl -H "Authorization: Token YOUR_API_TOKEN" \
     -H "Dradis-Project-Id: 1" \
     https://localhost:3000/api/issues.json
Treat the token like any other credential: keep it out of pipeline logs and scope the CI job that holds it to the project it needs.
OPSEC Notes
Dradis stores sensitive client data: vulnerability details, credentials, screenshots. Run it on localhost or a secured internal host only, never bound to a public interface. Use HTTPS (via a reverse proxy, since the Rails server itself is plain HTTP) and strong credentials. Back up both the database (db/dradis.db for SQLite) and the attachments/ directory, which holds uploaded screenshots and evidence files outside the database, after each engagement, and encrypt the backup before it leaves the host.
Dradis vs Faraday
| Feature | Dradis CE | Faraday CE |
|---|---|---|
| Focus | Reporting + collaboration | Real-time vuln aggregation |
| UI | Clean, finding-centric | Dashboard/statistics heavy |
| Report output | Word, HTML, CSV | Word, PDF, CSV |
| Best for | Client report writing | Large team aggregation |
Related Tools
- Faraday — Alternative reporting/aggregation platform
- Nmap, Nessus, OpenVAS — Primary data sources imported into Dradis
- Metasploit — Findings can be exported and imported into Dradis
Tags
#ethical-hacking #reporting #collaboration #documentation #project-management