Operator guide
Setup & deployment.
How to stand ArgusSecure up — locally, on Emergent, or on your own infra. Every secret, every env var, every health check. Nothing handwaved.
Architecture at a glance
ArgusSecure is a three-tier app: React frontend (port 3000), FastAPI backend (port 8001) under /api ingress, and MongoDB for persistence. Long-running scans run as FastAPIBackgroundTasks; OWASP ZAP is reached via the officialzaproxy client when a project is configured to use it.
- Stateless API — every JWT contains
jti; logout writes torevoked_tokens. - Auth — argon2id hashes via passlib. JWT secret rotated by setting
JWT_SECRET. - Rate limits — MongoDB-backed sliding window, applied per route via
rate_limit(). - Secrets — every credential read with
os.environ.get(). Never hardcoded.
Embedded scanner coverage
Every scan mode has a built-in implementation. ArgusSecure ships its own scanners for SAST, DAST, SCA, and Cloud, and bundles additional OSS engines (Semgrep, Trivy, Gitleaks, Checkov, Nuclei, Grype) so secrets, IaC, and container modes work out of the box too. Commercial connectors are optional — never required for any mode.
| Mode | Built-in (always available) | Bundled OSS engines | Optional connectors |
|---|---|---|---|
| SAST | Regex + Python AST + intra-procedural taint (JS / TS / Python / Go / Java) | Semgrep | CodeQL, SonarQube, Snyk Code, Checkmarx, Veracode |
| DAST | Passive / Standard / Deep profiles. SSRF-safe. OWASP Top 10:2025 mapped. | OWASP ZAP, Nuclei | Burp Enterprise, StackHawk, Acunetix |
| SCA | Curated 16-CVE seed + OSV.dev live feed augmentation (npm, PyPI) | Trivy fs | Snyk Open Source, OWASP Dependency-Check |
| Secrets | Built-in patterns: AWS keys, GitHub PAT, Slack, Stripe, Google API, PEM blocks | Gitleaks | — |
| IaC | — | Checkov (Terraform, K8s, Dockerfile, CloudFormation, Helm) | Snyk IaC, Checkmarx IaC |
| Container | — | Trivy image (CVE scan across base + app layers) | Snyk Container, Grype |
| Cloud | AWS S3 public-bucket anonymous probe | — | (coming soon) |
Bundled OSS binaries (Semgrep, Trivy, Gitleaks, Checkov, Nuclei, Grype) are stashed under /app/backend/_bin/ and re-linked into /usr/local/bin/ on every backend boot. View live status under Admin → Engines.
Local quick start
Clone, install, run. The frontend hot-reloads; the backend hot-reloads via supervisor.
# 1. Backend
cd backend
pip install -r requirements.txt
cp .env.example .env # fill in MONGO_URL, DB_NAME at minimum
# 2. Frontend
cd ../frontend
yarn install
cp .env.example .env # set REACT_APP_BACKEND_URL
# 3. Run (supervisor manages both)
sudo supervisorctl restart backend frontend
curl -s $REACT_APP_BACKEND_URL/api/health # → {"status":"ok",...}The seed runs on backend startup and provisions a demo organization with three pre-scanned projects (SAST/SCA/DAST). Default credentials are listed below — change them before any production deploy.
Environment variables
The two .env files map cleanly onto frontend and backend processes.
backend/.env
| Variable | Status | Purpose |
|---|---|---|
| MONGO_URL | required | Mongo connection string. e.g. mongodb://localhost:27017 |
| DB_NAME | required | Logical database name — typically argussecure. |
| JWT_SECRET | required | 32+ random bytes. Rotating this invalidates every active session. |
| EMERGENT_LLM_KEY | optional | Powers Goddy and the AI Fix Agent (Claude Sonnet 4.5). Without it, the chat returns a graceful disabled-state. |
| STRIPE_API_KEY | optional | Billing checkout. Optional in dev — the platform also accepts the Emergent test proxy key. |
| RESEND_API_KEY | optional | Outbound transactional email. Without it, mail is queued in the DB outbox. |
| HCAPTCHA_SECRET | optional | hCaptcha server secret. Without it, captcha is a no-op (recommended only for local dev). |
| HCAPTCHA_SITE_KEY | optional | Public key returned to the frontend so it can render the widget. |
| CORS_ORIGINS | optional | Comma-separated list of additional allowed origins. Defaults already include argus-secure.com. |
| APP_PUBLIC_URL | optional | Canonical public URL for this deploy — added to the CORS allow-list and used in transactional emails. |
| OWNER_PASSWORD | optional | Override the seeded owner password on first boot. Always set this in production. |
frontend/.env
| Variable | Status | Purpose |
|---|---|---|
| REACT_APP_BACKEND_URL | required | Absolute URL of the API. The frontend rewrites every fetch to {URL}/api/v1/... |
Health checks
Two endpoints, two audiences.
GET /api/health— fast, no-DB liveness probe. Returns 200 if the Python process is up. Suitable for load-balancer health checks.GET /api/v1/health— DB ping + integration audit. Reports which env vars are configured (presence only, never values) and the active CORS allow-list. Useful when debugging a production deploy.
curl -s $REACT_APP_BACKEND_URL/api/v1/health | jq
# {
# "status": "ok",
# "service": "argussecure-api",
# "checks": {
# "mongodb": { "ok": true, "detail": "argussecure" },
# "integrations": { "EMERGENT_LLM_KEY": true, "STRIPE_API_KEY": true, ... },
# "cors_allow_origins": ["https://argus-secure.com", ...]
# }
# }Integrations & where to get the keys
- Emergent LLM Key — powers Goddy + Fix-It Agent (Claude Sonnet 4.5, GPT-4o, Gemini text + Nano Banana, etc). Issued from your Emergent profile under Universal Key.
- Stripe — test keys fromStripe dashboard . On Emergent, the platform proxy key works out of the box.
- Resend — get an API key atresend.com/api-keys . Without it, mail still queues to
email_outboxso you can audit what would have been sent. - hCaptcha — site + secret keys fromhCaptcha dashboard .
- OWASP ZAP — install the daemon locally, then add a ZAP integration inSettings → Integrations. Per-project DAST engine selector chooses between the built-in scanner and ZAP.
Production checklist
Run through this before pointing a real domain at ArgusSecure.
- Set OWNER_PASSWORD and JWT_SECRET to strong, unique values (32+ bytes).
- Rotate the seeded demo@argus.security and owner@argus.security passwords.
- Set CORS_ORIGINS to your exact domain(s) — drop the wildcard.
- Enable hCaptcha by setting both HCAPTCHA_SECRET and HCAPTCHA_SITE_KEY.
- Issue real Stripe + Resend keys (or accept the dev-mode degraded states).
- Confirm /api/v1/health returns status:ok with no missing integrations.
- Confirm /api/health is whitelisted in your load balancer / CDN.
- Verify the demo org appears at /demo (proves seeding ran cleanly).
Troubleshooting
Goddy says "AI is disabled"
EMERGENT_LLM_KEY is unset or has zero balance. Add credit at Profile → Universal Key → Add Balance.
Login returns CORS error from a custom domain
Add the domain to CORS_ORIGINS (or set APP_PUBLIC_URL). The defaults already cover argus-secure.com and the Emergent preview host.
Scans hang in "running"
Check /var/log/supervisor/backend.err.log for the scanner traceback. For ZAP-engine projects, verify the ZAP daemon is reachable from the backend container.
Verification emails never arrive
Without RESEND_API_KEY, mail is logged in the email_outbox collection. Owners can replay them by issuing the API key and re-running the relevant action.
Stuck?
The fastest path: open Goddy in the bottom-right and paste the exact error. Goddy knows the codebase. For human follow-up, email security@argus.security.