DEV.co
Open-Source DevOps · infobyte

faraday

Faraday is an open-source vulnerability management platform that centralizes, normalizes, and visualizes security findings from 80+ scanning tools. It supports both terminal-based workflows and web dashboards, enabling teams to aggregate scan data, track remediation, and automate security workflows across CI/CD pipelines.

Source: GitHub — github.com/infobyte/faraday
6.6k
GitHub stars
1.1k
Forks
Python
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryinfobyte/faraday
Ownerinfobyte
Primary languagePython
LicenseGPL-3.0 — OSI-approved
Stars6.6k
Forks1.1k
Open issues21
Latest releasev5.22.0 (2026-06-19)
Last updated2026-06-23
Sourcehttps://github.com/infobyte/faraday

What faraday is

Written in Python with a PostgreSQL backend, Faraday ingests vulnerability data via plugins (console-based and report-based) and exposes findings through a REST API. It includes faraday-cli for terminal integration, faraday-agents for remote scanner execution, and supports orchestration with tools like Nmap, Burp Suite, OWASP ZAP, Nessus, and Bandit.

Quickstart

Get the faraday source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/infobyte/faraday.gitcd faraday# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Centralized vulnerability aggregation in AppSec teams

Consolidate scan outputs from multiple tools (Nmap, Burp, ZAP, Nessus) into a single normalized dataset, reducing manual data reconciliation and enabling cross-tool insights.

CI/CD security automation and reporting

Integrate Faraday into CI/CD pipelines (GitHub, Jenkins, GitLab, TravisCI) to automate security scans, populate dashboards automatically, and trigger remediation workflows on vulnerability discovery.

Multiuser penetration testing and security audit coordination

Support collaborative security assessments where multiple analysts contribute findings from different scanners or manual work, all synchronized in a shared workspace with role-based access.

Implementation considerations

  • PostgreSQL database must be provisioned and maintained separately; Docker Compose setup recommended for quick evaluation but production deployments require persistent storage and backup strategy.
  • API authentication and role-based access control (RBAC) must be configured; default credentials ('faraday') should be changed immediately in any persistent environment.
  • Plugin ecosystem supports 80+ tools but coverage varies; validate that your specific scanning tools are supported before committing to integration.
  • Data normalization depends on plugin accuracy; validate that imported vulnerability classifications (severity, type, CWE) align with your organization's risk model.
  • Faraday-cli and Faraday Agents Dispatcher are separate repositories; plan for additional dependency management and versioning across client/server components.

When to avoid it — and what to weigh

  • Standalone vulnerability scanner needed — Faraday is an aggregation and management layer—it does not generate scan data itself. Requires integration with existing scanners (Nmap, Burp, ZAP, etc.) to function.
  • Minimal operational overhead required — Requires PostgreSQL backend, Docker/systemd orchestration, user management, and ongoing infrastructure maintenance. Not a lightweight SaaS substitute.
  • Real-time threat intelligence or live endpoint detection needed — Faraday focuses on vulnerability ingestion and management, not endpoint detection, behavioral analysis, or live threat feeds.
  • Commercial closed-source license required — Licensed under GPL-3.0, which mandates source code sharing and derivative work licensing. Commercial proprietary use requires vendor negotiation or different license arrangement.

License & commercial use

Faraday is licensed under GPL-3.0 (GNU General Public License v3.0), a strong copyleft license requiring that any derivative work or modification be released under GPL-3.0 and source code be made available.

GPL-3.0 is not a permissive license for closed-source commercial use. Using Faraday in a proprietary product or as a SaaS offering without open-sourcing modifications requires explicit alternative licensing from Infobyte. Requires review with legal counsel before commercial deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Faraday ingests vulnerability data and must be treated as a trusted security component. Ensure: PostgreSQL connection uses TLS and strong credentials; API authentication is enforced (avoid default credentials); network access to web UI (port 5985) is restricted; audit logging of who accessed/modified findings. GPL-3.0 license means code can be independently audited, but no pre-built security assessment data provided. Centralization of all scan findings creates a high-value target for lateral movement if compromised.

Alternatives to consider

Defect Dojo

Open-source (BSD 2-Clause), also aggregates and tracks vulnerabilities across tools; simpler deployment model; similar plugin/import architecture; more permissive license for commercial use.

Snyk

Commercial SaaS with integrated scanning, developer-first focus, strong CI/CD integrations, proprietary threat intelligence; no infrastructure management overhead but vendor lock-in and recurring costs.

Qualys VMDR or Rapid7 InsightVM

Enterprise-grade commercial platforms with integrated scanning engines, compliance reporting, and managed services; no open-source licensing restrictions; higher total cost of ownership and setup complexity.

Software development agency

Build on faraday with DEV.co software developers

Deploy Faraday in your environment using Docker Compose in minutes, or contact our team to discuss commercial licensing options and enterprise support.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

faraday FAQ

Can I use Faraday in a proprietary commercial product?
Not under GPL-3.0 without source code release. You must either: (1) open-source your product and derivative work under GPL-3.0, (2) negotiate a proprietary license with Infobyte, or (3) use Faraday as an internal tool only. Consult legal counsel.
What scanners does Faraday support?
80+ tools documented in the plugin list, including Nmap, Burp Suite, OWASP ZAP, Nessus, Bandit, SonarQube, and many others. Both 'console' plugins (real-time output parsing) and 'report' plugins (XML/JSON import) are supported. Check the plugin repository for current coverage.
Is Faraday self-contained or does it need external dependencies?
Requires PostgreSQL database backend and Python runtime. Docker Compose bundles PostgreSQL; standalone Docker or binary installs require you to provision PostgreSQL separately. No embedded database option.
Can I export findings and reports from Faraday?
REST API allows programmatic export of findings. Web UI includes dashboards and visualizations. Custom reporting and scripted exports possible via API, but no built-in report generation format (e.g., PDF, Excel) documented in README; check documentation or source.

Work with a software development agency

DEV.co helps companies turn open-source tools like faraday into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.

Ready to consolidate your security findings?

Deploy Faraday in your environment using Docker Compose in minutes, or contact our team to discuss commercial licensing options and enterprise support.