Getting Started
Get up and running with RaSEC in minutes. This guide will walk you through installation, configuration, and your first security scan.
Estimated reading time: 10 minutes
Introduction
RaSEC is an AI-powered security testing platform designed for bug bounty hunters and security professionals. It combines dynamic application security testing (DAST), static application security testing (SAST), and specialized security tools into a unified platform powered by advanced AI agents.
The platform provides security analysis capabilities including URL scanning, code analysis, security headers auditing, and specialized vulnerability testing tools, all driven by an agentic AI framework that learns and adapts from past findings.
Prerequisites
Node.js and pnpm
RaSEC requires Node.js 20 or higher and pnpm 8 or higher. Install pnpm globally if you haven't already:
npm install -g pnpm
Database
A PostgreSQL database is required. RaSEC uses Neon Postgres (serverless PostgreSQL) by default, but you can use any PostgreSQL 14+ database. You'll need the connection string for configuration.
Object Storage (Optional)
Cloudflare R2 or AWS S3 is used to store artifacts, evidence files, and generated reports. It is optional for local development and required for production deployments.
AI Provider API Key
An API key from OpenRouter, Cloudflare Workers AI, or Google Gemini for AI-powered analysis. Free models are supported via OpenRouter.
Installation
1. Clone the Repository
git clone https://github.com/rasec/rasec.git
cd rasec
2. Install Dependencies
Install all dependencies using pnpm (this will install dependencies for all packages in the monorepo):
pnpm install
3. Copy Environment File
Copy the example environment file and configure it with your settings:
cp .env.example .env.local
Configuration
Edit .env.local with your configuration. Here are the essential environment variables:
Database Configuration
DATABASE_URL=postgresql://user:password@host:port/database
Authentication
NEXTAUTH_SECRET=your-secret-key-here
NEXTAUTH_URL=http://localhost:3000
Generate a secure secret with: openssl rand -base64 32
AI Provider (OpenRouter - Free Models)
OPENROUTER_API_KEY=your-openrouter-api-key
Get your free API key from openrouter.ai
Object Storage (Cloudflare R2)
CLOUDFLARE_ACCOUNT_ID=your-account-id
R2_ACCESS_KEY_ID=your-access-key
R2_SECRET_ACCESS_KEY=your-secret-key
R2_BUCKET_NAME=rasec-artifacts
Security Note: Never commit your .env.local file to version control. It contains sensitive credentials and secrets. Confirm that .env.local is covered by .gitignore before your first commit, and restrict its file permissions to your own user.
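As an added example (not code from the RaSEC project), the POSIX shell script below is a pre-flight check you can run against .env.local before starting the app. It verifies that the variables listed above are set and not left at their .env.example placeholders, that NEXTAUTH_SECRET has at least the length openssl rand -base64 32 produces, that DATABASE_URL is a PostgreSQL URL and requests TLS when the host is remote, and that the file is git-ignored and not readable by other users. The variable names come from this page; the accepted .gitignore patterns and the sample file contents are assumptions, and values are read as plain VAR=value lines (an export prefix is not handled).

```sh
#!/bin/sh
# Added example, not part of the RaSEC repository: a pre-flight check for
# .env.local to run before `pnpm db:push` or `pnpm dev`.
# Usage: check_env_file PATH_TO_ENV_FILE [PATH_TO_GITIGNORE]
# Returns 0 when every check passes, 1 when any check fails (details on stderr).

# Print the value of VAR from an env file: first match only, surrounding
# double quotes stripped, empty output if the variable is absent.
env_value() {
  v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
  v=${v#\"}; v=${v%\"}
  printf '%s' "$v"
}

check_env_file() {
  env_file=$1
  gitignore=${2:-.gitignore}
  status=0

  if [ ! -f "$env_file" ]; then
    echo "missing env file: $env_file" >&2
    return 1
  fi

  # Required variables must be present and not left at the placeholder
  # values shipped in .env.example (your-..., user:password@host:port).
  for var in DATABASE_URL NEXTAUTH_SECRET NEXTAUTH_URL OPENROUTER_API_KEY; do
    value=$(env_value "$env_file" "$var")
    if [ -z "$value" ]; then
      echo "unset: $var" >&2; status=1
      continue
    fi
    case "$value" in
      your-*|*:password@host:port/*)
        echo "placeholder value: $var" >&2; status=1 ;;
    esac
  done

  # `openssl rand -base64 32` yields 44 characters; anything under 32 is
  # almost certainly a hand-typed secret with too little entropy.
  secret=$(env_value "$env_file" NEXTAUTH_SECRET)
  if [ "${#secret}" -lt 32 ]; then
    echo "NEXTAUTH_SECRET is shorter than 32 characters" >&2; status=1
  fi

  # DATABASE_URL must be a PostgreSQL URL; a remote database should be
  # reached over TLS (sslmode=require or verify-*). Local hosts are exempt.
  db_url=$(env_value "$env_file" DATABASE_URL)
  case "$db_url" in
    postgresql://*|postgres://*) ;;
    *) echo "DATABASE_URL is not a postgresql:// URL" >&2; status=1 ;;
  esac
  case "$db_url" in
    *@localhost*|*@127.0.0.1*|*sslmode=require*|*sslmode=verify-*) ;;
    *) echo "warning: DATABASE_URL points to a remote host without sslmode=require" >&2 ;;
  esac

  # The file holds secrets: it must be ignored by git (literal name or one of
  # the usual .env* globs; assumed set of patterns) and should be mode 600.
  base=$(basename "$env_file")
  if ! [ -f "$gitignore" ] || ! grep -qE "^($base|\.env\*|\.env\.\*|\.env\*\.local)$" "$gitignore"; then
    echo "$base is not listed in $gitignore" >&2; status=1
  fi
  case "$(ls -ld "$env_file" | cut -c1-10)" in
    ????------) ;;
    *) echo "warning: $env_file is readable by group/others (chmod 600 $env_file)" >&2 ;;
  esac

  return "$status"
}

# Run directly as: sh check-env.sh .env.local .gitignore
if [ $# -gt 0 ]; then
  check_env_file "$@"
fi
```

The permission and TLS checks are warnings rather than failures so the script does not block a local setup that uses a default umask and a localhost database; the placeholder, secret-length, URL-scheme and .gitignore checks are hard failures because each one is a mistake that a development setup should never carry into a deployment.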
Database Setup
RaSEC uses Drizzle ORM with PostgreSQL. After configuring your database connection string, push the schema to your database:
pnpm db:push
This command will create all necessary tables, indexes, and constraints in your database. db:push applies the schema directly, which suits development; for a production database prefer generated migrations so schema changes are reviewed before they run. You can also open Drizzle Studio to inspect your database:
pnpm db:studio
Drizzle Studio will open in your browser at http://localhost:4983
Running the Application
Start the development server:
pnpm dev
The application will start on http://localhost:3000
In development mode, Next.js provides hot module replacement (HMR) for instant updates when you modify code.
First Steps
1. Create an Account
Navigate to /signup to create your account. You'll be automatically assigned to a default organization.
2. Configure AI Settings
Go to Settings → AI Configuration and set up your AI provider API key. You can use free models via OpenRouter or configure paid models for better performance.
3. Run Your First Scan
Try the DAST Scanner with a test URL:
- Navigate to Dashboard → Tools → URL Analysis (DAST)
- Enter a test URL (e.g., https://example.com)
- Select scan type: Recon (fastest) or Active (more thorough)
- Click "Analyze" and wait for results
Active scans send test requests to the target, so only point them at systems you are authorized to test.
4. Explore Other Tools
RaSEC includes many specialized security tools:
- SAST Analyzer: Static code analysis for security vulnerabilities
- Security Headers: Analyze HTTP security headers
- Subdomain Finder: Discover subdomains of target domains
- JWT Analyzer: Decode and audit JSON Web Tokens
- And many more specialized tools
Project Structure
RaSEC is organized as a monorepo using pnpm workspaces and Turborepo:
RaSEC/
├── apps/
│   └── web/                  # Next.js web application
│       ├── src/
│       │   ├── app/          # Next.js App Router pages
│       │   ├── components/   # React components
│       │   └── lib/          # Utility functions
│       └── public/           # Static assets
├── packages/
│   ├── db/                   # Drizzle ORM + database schema
│   ├── core/                 # Shared types and utilities
│   ├── ai-gateway/           # AI provider abstraction layer
│   ├── agent-core/           # Agentic AI core framework
│   ├── agents/               # Specialist security agents
│   ├── planner/              # ReAct planner for multi-step tasks
│   ├── memory/               # Memory system (episodic, semantic, procedural)
│   ├── parsers/              # Security tool output parsers
│   ├── storage/              # Object storage abstraction
│   └── cli/                  # Command-line tool
├── package.json              # Root package.json
├── pnpm-workspace.yaml       # pnpm workspace configuration
└── turbo.json                # Turborepo build configuration
Available Scripts
pnpm dev
Start the development server with hot module replacement
pnpm build
Build the application for production
pnpm lint
Run ESLint to check code quality
pnpm db:push
Push database schema changes to your database
pnpm db:studio
Open Drizzle Studio for database inspection
pnpm typecheck
Run TypeScript type checking across all packages
Next Steps
Now that you have RaSEC running, explore the documentation: