faraday
Faraday is an open-source vulnerability management platform that centralizes, normalizes, and visualizes security findings from 80+ scanning tools. It supports both terminal-based workflows and web dashboards, enabling teams to aggregate scan data, track remediation, and automate security workflows across CI/CD pipelines.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | infobyte/faraday |
| Owner | infobyte |
| Primary language | Python |
| License | GPL-3.0 — OSI-approved |
| Stars | 6.6k |
| Forks | 1.1k |
| Open issues | 21 |
| Latest release | v5.22.0 (2026-06-19) |
| Last updated | 2026-06-23 |
| Source | https://github.com/infobyte/faraday |
What faraday is
Written in Python with a PostgreSQL backend, Faraday ingests vulnerability data via plugins (console-based and report-based) and exposes findings through a REST API. It includes faraday-cli for terminal integration, faraday-agents for remote scanner execution, and supports orchestration with tools like Nmap, Burp Suite, OWASP ZAP, Nessus, and Bandit.
Get the faraday source
Clone the repository and explore it locally.
git clone https://github.com/infobyte/faraday.gitcd faraday# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- PostgreSQL database must be provisioned and maintained separately; Docker Compose setup recommended for quick evaluation but production deployments require persistent storage and backup strategy.
- API authentication and role-based access control (RBAC) must be configured; default credentials ('faraday') should be changed immediately in any persistent environment.
- Plugin ecosystem supports 80+ tools but coverage varies; validate that your specific scanning tools are supported before committing to integration.
- Data normalization depends on plugin accuracy; validate that imported vulnerability classifications (severity, type, CWE) align with your organization's risk model.
- Faraday-cli and Faraday Agents Dispatcher are separate repositories; plan for additional dependency management and versioning across client/server components.
When to avoid it — and what to weigh
- Standalone vulnerability scanner needed — Faraday is an aggregation and management layer—it does not generate scan data itself. Requires integration with existing scanners (Nmap, Burp, ZAP, etc.) to function.
- Minimal operational overhead required — Requires PostgreSQL backend, Docker/systemd orchestration, user management, and ongoing infrastructure maintenance. Not a lightweight SaaS substitute.
- Real-time threat intelligence or live endpoint detection needed — Faraday focuses on vulnerability ingestion and management, not endpoint detection, behavioral analysis, or live threat feeds.
- Commercial closed-source license required — Licensed under GPL-3.0, which mandates source code sharing and derivative work licensing. Commercial proprietary use requires vendor negotiation or different license arrangement.
License & commercial use
Faraday is licensed under GPL-3.0 (GNU General Public License v3.0), a strong copyleft license requiring that any derivative work or modification be released under GPL-3.0 and source code be made available.
GPL-3.0 is not a permissive license for closed-source commercial use. Using Faraday in a proprietary product or as a SaaS offering without open-sourcing modifications requires explicit alternative licensing from Infobyte. Requires review with legal counsel before commercial deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Faraday ingests vulnerability data and must be treated as a trusted security component. Ensure: PostgreSQL connection uses TLS and strong credentials; API authentication is enforced (avoid default credentials); network access to web UI (port 5985) is restricted; audit logging of who accessed/modified findings. GPL-3.0 license means code can be independently audited, but no pre-built security assessment data provided. Centralization of all scan findings creates a high-value target for lateral movement if compromised.
Alternatives to consider
Defect Dojo
Open-source (BSD 2-Clause), also aggregates and tracks vulnerabilities across tools; simpler deployment model; similar plugin/import architecture; more permissive license for commercial use.
Snyk
Commercial SaaS with integrated scanning, developer-first focus, strong CI/CD integrations, proprietary threat intelligence; no infrastructure management overhead but vendor lock-in and recurring costs.
Qualys VMDR or Rapid7 InsightVM
Enterprise-grade commercial platforms with integrated scanning engines, compliance reporting, and managed services; no open-source licensing restrictions; higher total cost of ownership and setup complexity.
Build on faraday with DEV.co software developers
Deploy Faraday in your environment using Docker Compose in minutes, or contact our team to discuss commercial licensing options and enterprise support.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
faraday FAQ
Can I use Faraday in a proprietary commercial product?
What scanners does Faraday support?
Is Faraday self-contained or does it need external dependencies?
Can I export findings and reports from Faraday?
Work with a software development agency
DEV.co helps companies turn open-source tools like faraday into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.
Ready to consolidate your security findings?
Deploy Faraday in your environment using Docker Compose in minutes, or contact our team to discuss commercial licensing options and enterprise support.