Skip to main content

Installation Overview

VulnTrack is a Next.js 14 application with a PostgreSQL database. This guide covers local development setup and deployment considerations.
Prerequisites: Node.js 20+, PostgreSQL 14+, and a terminal with git installed.

Quick Install

1

Clone the Repository

Get the latest version from GitHub:
git clone https://github.com/ogdmerlin/vulntrack.git
cd vulntrack
The repository structure:
vulntrack/
├── src/
│   ├── app/              # Next.js App Router pages
│   ├── components/       # React components
│   └── lib/              # Utilities and configuration
├── prisma/
│   └── schema.prisma     # Database schema
├── public/               # Static assets
└── package.json          # Dependencies
2

Install Dependencies

VulnTrack uses npm as the package manager:
npm install
This installs the core dependencies from package.json:Framework:Database:Authentication:UI Libraries:Additional Features:
The postinstall script in package.json automatically runs prisma generate after installation.
3

Configure Environment Variables

Create a .env file in the project root:
touch .env
Add the following configuration:
.env
# Database Configuration
DATABASE_URL="postgresql://username:password@localhost:5432/vulntrack"

# NextAuth Configuration
NEXTAUTH_URL="http://localhost:3000"
NEXTAUTH_SECRET="your-secret-key-here"  # Generate with: openssl rand -base64 32

# Optional: VulnCheck API (for enhanced CVE data)
VULNCHECK_API_KEY="your-vulncheck-api-key"

# Optional: Email Configuration (for notifications)
RESEND_API_KEY="your-resend-api-key"
FROM_EMAIL="[email protected]"

# Optional: Application URL (for email links)
NEXT_PUBLIC_APP_URL="http://localhost:3000"

Environment Variable Details

PostgreSQL connection string format:
postgresql://USER:PASSWORD@HOST:PORT/DATABASE
Local Development:
DATABASE_URL="postgresql://postgres:postgres@localhost:5432/vulntrack"
Production (example with SSL):
DATABASE_URL="postgresql://user:[email protected]:5432/vulntrack?sslmode=require"
Never commit .env files to version control. Add .env to your .gitignore.
Used to encrypt session tokens. Generate a secure random string:
openssl rand -base64 32
Example output:
J8fHk2L9mN3pQ5rT7vX0yZ4aB6cE8gI1jK3mO5qS7uW=
Use this value as your NEXTAUTH_SECRET.
Enables enhanced CVE data fetching from VulnCheck.Benefits:
  • Faster CVE lookups
  • Real-time KEV (Known Exploited Vulnerabilities) detection
  • More comprehensive metadata
Get an API key:
  1. Sign up at vulncheck.com
  2. Navigate to API Keys section
  3. Generate a new key
  4. Add to .env: VULNCHECK_API_KEY="vc_xxxxx"
Fallback: If not configured, VulnTrack uses the free NIST NVD API (from src/app/actions/cve.ts).
// CVE import logic with fallback
const vulnCheckResult = await fetchVulnCheckData(cveId)
if (vulnCheckResult) {
  source = "VulnCheck"
  cveData = vulnCheckResult
} else {
  // Fallback to NIST
  const nistResult = await fetchNistData(cveId)
  cveData = nistResult
}
Enables email notifications for vulnerability assignments.Setup:
  1. Create account at resend.com
  2. Add and verify your domain
  3. Generate API key
  4. Configure: 
    RESEND_API_KEY="re_xxxxx"
FROM_EMAIL="[email protected]"
Email Triggers (from src/app/actions/vulnerabilities.ts):
  • Vulnerability assignment
  • Status changes (if configured)
  • Team invitations
Without this configuration, the app works but email notifications are disabled.
4

Set Up PostgreSQL Database

VulnTrack requires PostgreSQL 14 or higher.

Option 1: Local PostgreSQL Installation

brew install postgresql@14
brew services start postgresql@14
createdb vulntrack

Option 2: Docker Container

Run PostgreSQL in Docker for isolated development:
docker run --name vulntrack-db \
  -e POSTGRES_PASSWORD=postgres \
  -e POSTGRES_DB=vulntrack \
  -p 5432:5432 \
  -d postgres:14
Verify connection:
docker exec -it vulntrack-db psql -U postgres -d vulntrack

Option 3: Cloud Database

Use a managed PostgreSQL service:Providers:After provisioning, update DATABASE_URL in .env with the connection string.
5

Initialize the Database Schema

VulnTrack uses Prisma for database management. The schema is defined in prisma/schema.prisma.

Generate Prisma Client

npx prisma generate
This creates the TypeScript types and Prisma Client based on your schema.

Push Schema to Database

npx prisma db push
This command:
  • Creates all tables defined in schema.prisma
  • Sets up relationships and constraints
  • Enables full-text search indexes
Tables created:
- Team              # Multi-tenant workspaces
- User              # Authentication and profiles
- Vulnerability     # Core vulnerability records
- DreadScore        # DREAD risk scores (1:1 with Vulnerability)
- StrideScore       # STRIDE classifications (1:1 with Vulnerability)
- Comment           # Collaboration comments
- Invitation        # User invitation tokens
- Notification      # In-app notifications
- AuditLog          # Compliance and activity tracking

Key Schema Features

From prisma/schema.prisma:
model Vulnerability {
  id          String   @id @default(uuid())
  title       String
  description String
  status      String   # OPEN | IN_PROGRESS | REMEDIATED | ACCEPTED | RESOLVED
  severity    String   # CRITICAL | HIGH | MEDIUM | LOW | INFO
  
  userId      String
  user        User     @relation(fields: [userId], references: [id])
  
  teamId      String?
  team        Team?    @relation(fields: [teamId], references: [id])
  
  assignedToId String?
  assignedTo   User?    @relation("AssignedVulnerabilities", fields: [assignedToId], references: [id])
  
  approvalStatus String @default("APPROVED") # PENDING | APPROVED | REJECTED
  
  dread       DreadScore?
  stride      StrideScore?
  comments    Comment[]
  
  # CVE Import Fields
  cveId             String?
  cvssScore         Float?
  affectedSystems   String?  # JSON serialized array
  mitigations       String?  # JSON serialized array
  references        String?  # JSON serialized array
  
  createdAt   DateTime @default(now())
  updatedAt   DateTime @updatedAt
}
prisma db push is for development. For production, use migrations:
npx prisma migrate deploy

Verify Database Schema

Open Prisma Studio to inspect your database:
npx prisma studio
This opens a web interface at http://localhost:5555 where you can:
  • View all tables
  • Browse records
  • Edit data manually (useful for testing)
6

Seed Initial Data (Optional)

Optionally seed the database with sample data for testing.Check if a seed script exists:
ls prisma/seed.ts  # or seed.js
If available, run:
npx prisma db seed
This typically creates:
  • Sample admin user
  • Demo team
  • Example vulnerabilities
  • Test DREAD/STRIDE scores
The first registered user is automatically made an Admin, so seeding is optional for getting started.
7

Start the Development Server

Launch VulnTrack locally:
npm run dev
The application starts on http://localhost:3000.What happens on startup:
  1. Next.js compiles React components
  2. Prisma Client connects to PostgreSQL
  3. NextAuth.js initializes session management
  4. API routes become available at /api/*

Verify Installation

You should see:
 Next.js 14.2.33
- Local:        http://localhost:3000
- Environments: .env

 Ready in 2.3s
Navigate to http://localhost:3000 to see the landing page.

Common Startup Issues

Error: P1001 Can't reach database server
Solutions:
  1. Verify PostgreSQL is running: pg_isready
  2. Check DATABASE_URL format in .env
  3. Test connection: psql $DATABASE_URL
  4. Ensure database exists: createdb vulntrack
Error: @prisma/client did not initialize yet
Solution:
npx prisma generate
npm run dev

Error: Port 3000 is already in use
Solution:
# Use a different port
PORT=3001 npm run dev

# Or kill the process using port 3000
lsof -ti:3000 | xargs kill

Production Deployment

VulnTrack can be deployed to any platform supporting Next.js 14.

Build for Production

npm run build
From package.json, this runs: 
"build": "npx prisma generate && npx prisma db push --accept-data-loss && next build"
--accept-data-loss flag is for CI/CD. For production databases, use migrations:
npx prisma migrate deploy

Start Production Server

npm run start
This serves the optimized build on the configured port.

Deployment Platforms

Vercel

Best for: Quick deployments
# Install Vercel CLI
npm i -g vercel

# Deploy
vercel
Configure environment variables in Vercel dashboard.

Docker

Best for: Self-hosted environments
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npx prisma generate
RUN npm run build
CMD ["npm", "start"]

Railway

Best for: Full-stack deployments
  1. Connect GitHub repo
  2. Railway auto-provisions PostgreSQL
  3. Configure environment variables
  4. Deploy with one click

DigitalOcean App Platform

Best for: Scalable deployments
  1. Create new app from GitHub
  2. Attach managed PostgreSQL
  3. Set environment variables
  4. Configure build command: npm run build

Production Checklist

1

Security Configuration

  • Set strong NEXTAUTH_SECRET
  • Enable HTTPS/SSL
  • Configure CORS if using API
  • Set secure cookie flags
  • Restrict database access to app server only
2

Database Configuration

  • Use managed PostgreSQL or configure backups
  • Set connection pool limits
  • Enable SSL mode: ?sslmode=require
  • Run migrations instead of db push
3

Environment Variables

  • Update NEXTAUTH_URL to production domain
  • Configure NEXT_PUBLIC_APP_URL
  • Set up production email sender
  • Add VulnCheck API key (optional but recommended)
4

Monitoring & Logging

  • Set up error tracking (Sentry, LogRocket)
  • Enable application logs
  • Monitor database performance
  • Set up uptime monitoring

Development Tools

Useful Commands

# Open Prisma Studio
npx prisma studio

# Create migration
npx prisma migrate dev --name add_new_field

# Reset database (caution: deletes data)
npx prisma migrate reset

# View database schema
npx prisma db pull

VS Code Extensions

Recommended extensions for VulnTrack development:
  • Prisma - Syntax highlighting for .prisma files
  • ES7+ React/Redux - React snippets
  • Tailwind CSS IntelliSense - Autocomplete for Tailwind classes
  • TypeScript Error Translator - Readable TypeScript errors

Updating VulnTrack

To update to the latest version: 
# Pull latest changes
git pull origin main

# Install new dependencies
npm install

# Update database schema
npx prisma generate
npx prisma db push  # or migrate deploy in production

# Rebuild application
npm run build

# Restart server
npm start
Always backup your database before updating, especially in production:
pg_dump -U postgres vulntrack > backup-$(date +%Y%m%d).sql

Next Steps

Quickstart Guide

Create your first vulnerability and explore features

Architecture

Understand VulnTrack’s technical design

Troubleshooting

Symptom: Logged out immediately after loginCauses:
  1. Missing or invalid NEXTAUTH_SECRET
  2. Incorrect NEXTAUTH_URL
  3. Cookie issues (check browser console)
Solution:
.env
NEXTAUTH_SECRET="$(openssl rand -base64 32)"
NEXTAUTH_URL="http://localhost:3000"  # Must match browser URL exactly
Symptom: “CVE not found” errorsDiagnosis: Check the server logs for API errors:
# Look for VulnCheck or NIST errors
npm run dev 2>&1 | grep -i "CVE\|API"
Solutions:
  1. Verify VULNCHECK_API_KEY if configured
  2. Check NIST API rate limits (if no VulnCheck)
  3. Test CVE ID format: CVE-YYYY-NNNNN
Symptom: “Unauthorized” when accessing featuresCheck user role:
-- Open Prisma Studio or psql
SELECT email, role FROM "User";
Update role if needed:
UPDATE "User" SET role = 'ADMIN' WHERE email = '[email protected]';

Need Help?

Join the community or report issues on GitHub

Build docs developers (and LLMs) love

Get started for freeTalk to us