A FIPS-aware vulnerability scanner for RHEL-based hosts, with AI-assisted, approval-gated, transactional remediation — every fix is snapshotted, validated, and rolled back automatically on failure.
Signed dnf repository — one drop-in covers EL9 and EL10 via $releasever.
# Trust the signing key and add the repository
sudo rpm --import https://repo.techhack.nl/RPM-GPG-KEY-techhack
sudo tee /etc/yum.repos.d/techhack.repo <<'EOF'
[techhack]
name=techhack tools (EL$releasever)
baseurl=https://repo.techhack.nl/el$releasever
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.techhack.nl/RPM-GPG-KEY-techhack
EOF

# Install and run your first scan
sudo dnf install vulnscan-ai
vulnscan-ai scan
Packages are GPG-signed and repository metadata is signed (repo_gpgcheck=1), signed by techhack release signing <security@techhack.nl>.
Per-version install pages live on the repository.
Built for production RHEL fleets where a careless fix is worse than the vulnerability.
Config and service fixes are applied as a transaction: backup → validate → reload → health-check, with automatic rollback if anything fails.
The model proposes a structured plan; nothing runs until you approve it. A deny-list screens every command before execution.
Drops Red Hat "Not affected" CVEs and downgrades vulnerabilities in daemons that are installed but not running — real signal, less noise.
dnf/RHSA, OpenSCAP OVAL, sshd hardening, systemd sandboxing and open ports — de-duplicated into a single prioritized report.
Understands FIPS mode and the RHEL crypto policy, so findings and fixes respect a hardened, compliant baseline.
Claude by default; OpenAI, Gemini, Kimi, DeepSeek and Mistral supported, plus fully local models via Ollama for air-gapped hosts.
From detection to a verified fix, with you in the loop.
Prefer not to apply on the host? Export any fix as a bash script or an Ansible playbook with vulnscan-ai fix --export-script / --export-ansible.
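
The backup → validate → reload → health-check sequence with automatic rollback described above, written out as a shell function. This is an added example, not vulnscan-ai's own code or its exported script format; the function name apply_transactional, its argument order and its return codes are assumptions.

```shell
# Added example: transactional config change with automatic rollback.
# apply_transactional is a hypothetical helper, not part of vulnscan-ai.
#
# usage: apply_transactional TARGET CANDIDATE VALIDATE_CMD RELOAD_CMD HEALTH_CMD
#   VALIDATE_CMD runs with the candidate path appended; the other two run as given.
#   All three are trusted operator input, for instance:
#   apply_transactional /etc/ssh/sshd_config ./sshd_config.new \
#       'sshd -t -f' 'systemctl reload sshd' 'systemctl is-active --quiet sshd'
apply_transactional() {
    local target="$1" candidate="$2" validate="$3" reload="$4" health="$5"
    local backup
    backup=$(mktemp "${target}.bak.XXXXXX") || return 1

    # 1. backup: keep content, mode and timestamps of the live file
    cp -p -- "$target" "$backup" || { rm -f -- "$backup"; return 1; }

    # 2. validate the candidate before it touches the live path
    if ! sh -c "$validate \"\$1\"" _ "$candidate"; then
        rm -f -- "$backup"
        return 2    # nothing was changed, so there is nothing to roll back
    fi

    # Install by overwriting in place so the target keeps its mode and owner
    if ! cat -- "$candidate" > "$target"; then
        cp -p -- "$backup" "$target"; rm -f -- "$backup"
        return 3
    fi

    # 3. reload, 4. health-check; if either fails, restore and reload the old config
    if ! sh -c "$reload" || ! sh -c "$health"; then
        cp -p -- "$backup" "$target"
        sh -c "$reload" || true
        rm -f -- "$backup"
        return 4
    fi

    rm -f -- "$backup"
    return 0
}
```

The health check is what distinguishes this from a plain validated edit: a config can pass syntax validation and still leave the service unreachable, and only the post-reload check catches that case.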