A user on a call with our Success team asked a question:

Is there any way to see all my projects and issues on a map?

The short answer at the time was No.

But it’s a genuinely useful thing for teams running engagements across multiple offices, data centers, facilities, or regions. At the same time, it’s probably not widespread enough for it to make it into the product.

But then I thought, can I vibe code this? Turns out I could!

What is this?

A small open-source companion tool that:

1. Reads from your Dradis Pro API
2. Plots each project as a dot on a North America map
3. Colors each dot by the most severe tag found in that project. One Critical finding turns the dot purple regardless of how many Lows sit alongside it.

It runs entirely on your machine — a local Node.js server proxies all API calls, so your token never touches a browser, and the data never leaves your network. Think of it as a lightweight, self-hosted dashboard you can spin up in a couple of minutes.

How it uses Dradis

The tool uses three REST API endpoints:

• GET /pro/api/projects — lists all projects

• GET /pro/api/issues with Dradis-Project-Id header — fetches issues per project

• GET /pro/api/document_properties with Dradis-Project-Id header — reads the dradis.coordinates property to place the project on the map

Tag colors are read directly from tag.color in the API response — no hardcoded mappings. Severity ordering (critical → high → medium → low → info) determines the dominant color for each map marker.

Enabling coordinates

For a project to appear on the map, add a dradis.coordinates document property under Project Configuration → Document Properties:

dradis.coordinates: 40.7128N, 74.0060W

Accepted formats:

40.7128° N, 74.0060° W    (degrees with cardinal)
40.7128N, 74.0060W        (cardinal, no degree symbol)
40.7128, -74.0060         (decimal, negative = West/South)
lat:40.7128, lon:-74.0060 (labeled)

Projects without this property are silently skipped — nothing breaks if only some projects have coordinates.

Installation

Prerequisites: Node.js 18 or later

1. Clone from GitHub

[email protected]:dradis/dradis-map.git
cd dradis-map

2. Install dependencies

npm install

This pulls in Express, Helmet, Morgan, and a couple of other small packages. No database, no Docker required.

3. Configure your credentials

cp .env.example .env

Open .env and fill in your values:

DRADIS_HOST=https://your-dradis-instance.example.com
DRADIS_TOKEN=your_api_token_here

Your API token is in Account Settings → API token inside Dradis.

Self-signed certificates: if your Dradis instance uses a self-signed cert (common for local or on-prem installs), uncomment one of these lines:

# Quickest option — safe on a trusted local network:
TRUST_SELF_SIGNED=true

# More secure — point to your exported certificate:
CA_CERT_PATH=/path/to/dradis-ca.pem

To export your cert: click the padlock in your browser → Certificate → Export as PEM.

4. Start the server

npm run dev      # development — auto-restarts on file changes
npm start        # production

Open http://localhost:3000 and click Load Data.

Architecture notes (for the curious)

A few decisions worth calling out for anyone who wants to extend or audit this:

• Token never reaches the browser. The Express server handles all Dradis API calls server-side. The frontend only talks to localhost.

• Bound to 127.0.0.1 only. The server won’t accept connections from the network — it’s a local tool.

• Nonce-based CSP. A cryptographic nonce is generated per request and injected into both the Content-Security-Policy header and the served HTML, eliminating unsafe-inline from script-src.

• Input validation on API routes. Project IDs are validated as positive integers before they touch any upstream request.

• Tag color values from the API are validated. All tag color values from the API pass through a hex validator (/^#[0-9a-fA-F]{3,8}$/) before being injected into any HTML style attribute or SVG attribute, covering issue pills, map markers, tooltips, and the legend.

• Graceful shutdown. SIGTERM/SIGINT handlers let in-flight requests drain before the process exits, which matters if you run this under PM2 or systemd.

The project structure follows a layered pattern if you want to add endpoints or adapt it for a different region:

server.js                  ← entry point: config, middleware, startup
src/
  services/dradisClient.js ← all Dradis API communication (no Express dependency)
  routes/api.js            ← Express router (receives client via DI)
public/
  index.html               ← full frontend: D3 map + sidebar UI

Relation to Echo and the Claude Code skills

This tool was built using Claude as a coding assistant. The work is similar in spirit to the Claude Code skills post: using an LLM to do the heavy lifting on something that would otherwise be tedious to build from scratch.

We’ve just incorporated a whole lot of instructions for LLMs to the Dradis repo, covering architecture, code style, conventions and much more.

It complements Echo well; Echo improves what’s inside your issues, and this visualizes where those issues are.

What’s next / ideas

We’d be happy to help you make these changes, or you’re free to build on this base:

• World map support — the current projection is Albers/North America. Swapping to a world projection would be a small change to the D3 setup.

• Filtering by tag — click a tag in the legend to show only projects with that severity.

• Click through to Dradis — clicking a marker could open the project directly in your Dradis instance.

If you were the one who asked about this on that call, this one’s for you

And if others have been wondering the same thing, hopefully this scratches the itch. Questions, ideas, and feedback welcome below.

When OWASP Top 10:2021 was released, LLMs were not a thing, it took us a while to create a Dradis methodology for the 2021 edition. The process was fairly manual, collecting the information from the OWASP site, and formatting it using Dradis to prepare the methodology template. Nevertheless we did it, and it has been shipping with Dradis Community Edition for the last few years.

In Nov 2025, OWASP released OWASP Top 10:2025 edition, so it was time to update our templates. However, before starting the process there was a bit of a moment, could this be automated? It turns out it could.

I started a new Claude session, uploaded the Top 10:2021 edition as a sample and prompted:

I have the attached document that formats the OWASP Top 10 list from 2021 into a specific XML format that can be used by the Dradis Framework tool. I want you to generate an equivalent XML for the OWASP Top 10 list from 2025, using exclusively the content from: OWASP Top 10:2025 and following the same convention as the original file.

Parse these pages only:
A01 Broken Access Control - OWASP Top 10:2025
A02 Security Misconfiguration - OWASP Top 10:2025
A03 Software Supply Chain Failures - OWASP Top 10:2025
A04 Cryptographic Failures - OWASP Top 10:2025
A05 Injection - OWASP Top 10:2025
A06 Insecure Design - OWASP Top 10:2025
A07 Authentication Failures - OWASP Top 10:2025
A08 Software or Data Integrity Failures - OWASP Top 10:2025
A09 Security Logging and Alerting Failures - OWASP Top 10:2025
A10 Mishandling of Exceptional Conditions - OWASP Top 10:2025

To avoid running into file size or content issues, split this in 10 tasks, fetch each item independently and once you have them all formatted in the right XML structure, compile the final XML file.

It one-shotted the right output, Textile formatting and everything. You can check it out in our templates and methodologies page. You can also see it in action in the CE Sandbox.

Once you think about it is not surprising that the LLM was able to handle the task, but the real unlock was to realise that we could probably use a similar process to get to other methodology templates that we’ve been wanting to provide but haven’t found the time to do so yet.

First, let’s create a Project

Our original idea was to create a new project, and provide a generalised version of the prompt above, along with some sample files as Instructions for the project. That could definitely work, and it’s a good way to make this compatible cross-models.

However, we were about to do this when we realised we could unlock this not just for ourselves, but for everyone in the community.

Enter the /methodology skill

If you’re not familiar with Claude, there is a bit of a terminology soup that is worth describing:

• Project: A workspace for organizing conversations.
• Skill: Instructions that teach Claude how to do something.
• Plugin: A sharable package that can contain skills, commands, agents, hooks, and MCP server configs.

So one way to skin this cat would have been to create a Project, provide the right Instructions, and use it every time we wanted to create a new template:

Hey Claude, I want to create the 'OWASP Top 10 for LLM Applications 2025…

This would have worked internally and would have saved us many hours of manually processing and formatting.

But we quickly realised that we could open this up (that’s why people choose Dradis after all), and let others create their own methodologies using the same process.

To do that, we’d have to encapsulate the knowledge on how to build a Dradis methodology into a Skill, and package it into a Plugin.

Enter dradis/dradis-claude:

A repo holding the methodology skill (more to come) that you can use from today to generate your own methodology templates for Dradis (both editions).

1. Run Claude Code, start a new session and drop to the CLI, then run:

   /plugin
   

2. Select Marketplaces and hit [Enter]. Type:

   dradis/dradis-claude
   

3. You’ll see the dradis-core plugin and will be givent he option to install it, select it with [Space] and hit [Enter]

   

4. Choose the right scope, e.g. local scope (any would do)

It install correctly, but a weird quirk I encountered is that I had to restart the Claude app in order for the /methodology skill to be available. After that, we’re golden:

Congrats, you can now us the /methodology skill to create your own Dradis testing methodologies. Turn your existing methodology documents (Word, PDF, markdown) and checklists into a template you and your team can use and keep up to date.

OWASP Top 10 for LLM Applications 2025

So let’s put this to use and see it in action to generate a new Dradis methodology for the OWASP Top 10 for LLM Applications 2025.

The obvious first attempt, unfortunatelly didn’t fly, I tried running:

/methodology https://genai.owasp.org/llm-top-10/

But Claude ran into issues fetching the pages.

So I tried providing each of the pages:

/methodology https://genai.owasp.org/llmrisk/llm01-prompt-injection/

  https://genai.owasp.org/llmrisk/llm022025-sensitive-information-disclosure/

  https://genai.owasp.org/llmrisk/llm032025-supply-chain/

  https://genai.owasp.org/llmrisk/llm042025-data-and-model-poisoning/ 

  https://genai.owasp.org/llmrisk/llm052025-improper-output-handling/

  https://genai.owasp.org/llmrisk/llm062025-excessive-agency/

  https://genai.owasp.org/llmrisk/llm072025-system-prompt-leakage/

  https://genai.owasp.org/llmrisk/llm082025-vector-and-embedding-weaknesses/

  https://genai.owasp.org/llmrisk/llm092025-misinformation/

  https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/

Success! That did the trick, the file was created, and it could be used in Dradis right away:

The new methodology is available for you to use from dradis/dradis-templates:

I’ve got a workaround for you, it’s ugly though, so brace yourself.

Re-eneable note category selection

› git diff app/views/notes/_form.html.erb
diff --git a/app/views/notes/_form.html.erb b/app/views/notes/_form.html.erb
index d55bd6e99..f7605f2fd 100644
--- a/app/views/notes/_form.html.erb
+++ b/app/views/notes/_form.html.erb
@@ -6,7 +6,8 @@
     }
   } do |f| %>

-  <%= f.hidden_field :category, value: Category.default.id %>
+  <%= f.association :category, collection: Category.all, label_method: :name, prompt: 'Assign note category' %>

   <%= f.label :text, 'Note source input', class: 'visually-hidden' %>
   <%=

Create a reporting category

Now we need to bring back the old reporting category:

./bin/rails console
irb> Category.report

That will create the record in the DB.

Create your Notes

After you restart the server, the Note form will have a new select box.

I’d create new folder to keep my reporting notes (e.g. “Report” in the screenie), and add a new Note.

Also, add some fields (Title, Description, whatever).

Export report

Once the note is in the right category, Dradis::Plugins and Dradis::Plugins::PdfExport will both find them, and it’s a matter of tweaking the format:

As a quick reminder, Echo is our self-hosted, open-souce, privacy-first LLM integration for Dradis: it’s aware of your entire project context and allows you create custom prompts and commands so you can create your own workflows.

Dradis + Echo image

Clone Dradis:

git clone https://github.com/dradis/dradis-ce.git

Add Echo to your Gemfile.plugins, point it to Echo’s repo:

cd dradis-ce/
echo "gem 'dradis-echo', github: 'dradis/dradis-echo'" \
  > Gemfile.plugins

Bundle and build a custom docker image:

bundle
docker build --platform=linux/amd64 \
  -t dradis-ce-echo:YYYYMMDD \
  -t dradis-ce-echo:latest \
  .

Ollama container

We have two options: either run the Dradis and Ollama containers independently, or to use a compose.yaml to bring the full stack up. I’ll do the latter.

This is my compose.yaml:

services:
  dradis:
    image: dradis-ce-echo:latest
    container_name: app
    networks:
      - internal_backend
      - public_facing
    ports:
      - 3000:80
    volumes:
      - dradis-storage:/dradis/storage

  ollama:
    image: ollama/ollama
    networks:
      - internal_backend
      - public_facing
    volumes:
      - dradis-ollama:/root/.ollama


volumes:
  dradis-ollama:
  dradis-storage:

networks:
  public_facing:
  internal_backend:
    internal: true # Restricts external access for backend containers

The choices I’ve made:

• We’re routing the local port 3000 to the container’s 80.
• Put Dradis and Ollama data in a volume, so we can update the containers without loosing it.
• Defining both an internal (internal_backend) and an external (public_facing) networks.

The networking isn’t as important if you’re running the stack in your local machine, but if you want to deploy to the cloud, it becomes so.

Give it a try with:

docker compose up

You’ll see something like:

✔ Container app                 Created
✔ Container ce-ollama-ollama-1  Created
[...]
ollama-1  | time=2026-02-05T01:26:28.015Z level=INFO source=routes.go:1725 msg="entering low vram mode" "total vram"="0 B" threshold="20.0 GiB"
[...]
app       | * Listening on http://0.0.0.0:3000
app       | Use Ctrl-C to stop

We’re cooking.

Pulling the model

In order for Ollama to pull a model, the Ollama container needs to be connected to the internet. Because the data is stored in a docker volume, we’re going to use a new container to download the model with:

docker exec -it ollama-1 ollama pull deepseek-r1:latest

If you see this error:

Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/deepseek-r1/manifests/latest": dial tcp: lookup registry.ollama.ai on 127.0.0.11:53: server misbehaving

Review your compose.yaml to ensure the ollama container is connected to the public_facing network.

A successful model pull would look like this:

› docker exec -it ce-ollama-ollama-1 ollama pull deepseek-r1:latest
pulling manifest
pulling e6a7edc1a4d7: 100% ▕█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▏ 5.2 GB
pulling c5ad996bda6e: 100% ▕█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▏  556 B
pulling 6e4c38e1172f: 100% ▕█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▏ 1.1 KB
pulling ed8474dc73db: 100% ▕█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▏  179 B
pulling f64cd5418e4b: 100% ▕█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▏  487 B
verifying sha256 digest
writing manifest
success

After you pull your models, update the configuration and comment the - public_facing line in ollama’s service definition:

  ollama:
    image: ollama/ollama
    networks:
      - internal_backend
      # - public_facing
    volumes:
      - dradis-ollama:/root/.ollama

Stop the stack and run docker compose up again.

Configuring

Point your browser to http://127.0.0.1:3000/ and go through the initial setup. On the last stage, choose “No, I’m a new user”, to get Dradis populated with some sample content:

Then sign in, head over to Tools > Echo and configure it:

For the address we’re pointing it to the docker internal hostname of the Ollama container, the default port is fine.

And for the model, make sure it matches the one you downloaded a few steps above.

Running Echo

To give it a try, navigate to Issues, pick one, and click on the Echo tab, then choose one of the default prompts and see the engine in action (wait time will depend on your machine specs, and the model you’ve chosen):

Perhaps I’m trying to something a bit outlandish, please correct me if I’m going in the wrong direction. I’m ultimately trying to create an “Executive Summary” section as part of the PDF. I Understand about creating a Node (not note!) in Dradis, and giving the Node an appropriate Title (“Executive Summary”) and a Description (blurb about a Pen Test), I was having trouble pulling that information into the PDF via exporter.rb using the notes structures already in the template as inspiration.

Any thoughts on how to best proceed, referencing Nodes (if this is now the correct way to do so) and pulling a relevant Note out (“Executive Summary”) would be wonderful. Thanks for any ideas in advance!

I see the problem, we need to update the default template.

Notes is how we used to handle things like host properties, in your own example: IP, host name, OS, etc.

Today Nodes have properties you can access directly.

Can you give us a hint about what is the output you’re trying to generate so we can point you in the right direction in terms of template changes?

I’m new to dradis, trying out the community edition. After downloading and installing via git, I’m trying to use the PDF exporter plugin. It is installed, and generating PDFs, but I cannot seem to include anything regarded as a “note” in Dradis in the PDF.

I am using the unadulterated exporter.rb from Creating PDF reports | Dradis Framework , the only changes are uncommenting the “project_notes” line 22, to encourage the tool to add in project notes in the PDF. I can see a page in the generated PDF called “Project Notes”, but its just a heading on an otherwise blank page. (summary of findings, and detailed findings, are populated with data further on in the PDF, but these are regarded as “Issues” I believe)

I am just testing it against the sample Dradis project that comes bundled with Dradis-CE, and I can confirm that there appear to be several “notes” in many of the nodes, one, for example, is:

Nodes > Scanner Output > 10.0.155.157 > Notes > Basic Host Info.

The raw “source” of the above note (Basic Host Info) is:

#[Title]#
Basic host info

#[Description]#
IP: 10.0.155.157
Name: smtp.example.com
OS: Linux 2.4-2.6

Unfortunately neither this, nor other Notes make a mention in the PDF report.

Could some kind person let me know what I’m doing wrong? Thanks!

When designing Echo, we knew we couldn’t sacrifice data sovereignty. For teams working with sensitive findings or those in air-gapped environments, sending data to external LLM providers isn’t an option. That’s why we built around locally-hosted Ollama instances that put you in control. You bring your own LLM, and we provide the context-aware prompting engine through Liquid templating. Your data stays on your infrastructure, and you get responses informed by your full project context, not generic outputs from copy-pasting into external chat interfaces. No external API calls, no 3rd party subscription fees, no data leaving your network.

This is still in beta, but for the keen tinkerers and early adopters, you can install this early release for a taste of what’s to come. Although it should work, we recommend using it with a non-production instance of Dradis until the official release.

Prerequisites

The add-on requires Dradis CE > 4.0, or Dradis Pro.

It uses a local Ollama installation to connect Dradis to your preferred LLMs.

Setup

Run Ollama and pull one of the models:

ollama serve
ollama run qwen2.5:14b

Note, the smaller the model, the faster the responses, but potentially less accurate. Larger models can be slower but should produce higher-quality results.

The RAM requirement is directly tied to the model’s parameter count. A reliable rule of thumb is:

• 3B-7B Models: At least 8GB of RAM.
• 13B-14B Models: At least 16GB of RAM.
• 30B-34B Models: At least 32GB of RAM.
• 70B Models: At least 64GB of RAM.

Always aim for the recommended amount rather than the minimum for a smoother experience. More about resource requirements.

If you are using the CE edition, you’ll need to run Redis.

redis-server

And you’ll also need to update this line to

adapter: redis

Install

Add this to your Gemfile.plugins:

gem 'dradis-echo', github: 'dradis/dradis-echo'

And

bundle install

Then install and run the migrations

bin/rails dradis_plugins_echo:install:migrations

bin/rails db:migrate

Lastly, restart your Dradis server, and you should see Echo available in your instance.

Configure

Configure Echo with the Ollama server address and selected model:

• CE: Settings → Configure Integrations
• Pro: Tools → Tool Manager → Configure (in the Echo section)

Usage

Navigate to an Issue and click the Echo tab. From there you’ll be able to Summarize or Reword your Issue content, or generate a cheeky Haiku.

Check out GitHub - dradis/dradis-echo: Dradis Echo is an AI copilot for Dradis Framework · GitHub for more.

The refreshed interface provides comprehensive access to all work items in one centralized location, including Gateway projects and Questionnaires, Remediation tickets, and Notifications.

Key Features

The redesigned dashboard introduces several improvements that enhance visibility and productivity. At the center of these updates is the updated Gateway Projects widget, which delivers essential project information at a glance. Contributors can now quickly review key details for each project, including current findings, and relevant dates, eliminating the need to navigate through individual projects to gather this information.

Additionally, the dashboard features a complete, organized list of all assigned Remediation Tickets, complete with current status indicators and due dates.

These enhancements enable Contributors to stay on top of their work items more easily, reducing the time spent searching for information and increasing focus on meaningful tasks. The improved dashboard also makes it easier to work together by keeping everyone in the loop on project status and helping team members stay connected.

With everything they need right at their fingertips, Contributors can tackle priorities head-on and respond quickly when things change.

What other features would you like to see added to the Contributor Dashboard?

Navigation Structure

Say goodbye to shifting Trash and Configuration icons! As of v4.19.0, they are permanently placed in the main navigation bar, giving you quick access to Instance Trash, and Configuration views. Or, Project Trash, and Configuration views when you’re working within a specific project.

Editor

We’ve updated the editor toolbar to make styling your content easier and faster. New buttons let you add inline code and apply syntax highlighting with just a click. No need to remember formatting syntax.

Primary actions

Primary actions have moved out of the right sidebar and into the main content area, making them easier to find. This also means you can keep the sidebar closed to maximize your workspace!

Speaking of the sidebar, notice how the toggle button no longer hides behind your browser’s scrollbar? We’ve increased its size for better accessibility.

Project Users

We understand that adding testers to new projects one by one can be tedious, so we’ve added Select all and Deselect all options to streamline the process.

Our team is always listening to your feedback and working to make Dradis better. Give the latest version a try and let us know what you’d like to see next!

Thanks for reaching out!

I have taken a look and this seems to have been a permissions issue related to ownership of the directory. It has now been fixed!

You can pull the latest dradis/dradis-ce image again and run a new container and everything should work as expected.

Please let me know if you run into any other issues

Caitlin

Permission denied @ dir_s_mkdir - /dradis/app/views/tmp

I cannot see what I might have done to cause it - is this something I can tweak and fix?

Thanks!

Get the big picture at a glance

• Compare your current year achievements against previous performance

• Track project and team growth with real-time counts

• Monitor vulnerability identification across all your projects

Dive deeper with smart filtering
Filter your data by tags used across projects to focus on what’s most relevant to your work. Need to zero in on specific tags? Our enhanced filtering puts the right information at your fingertips.

Set up custom properties for your teams to effortlessly answer questions like:

• “What are the top 3 vulnerabilities affecting our Finance clients?”

• “What are our most time consuming projects?”

• “Which project types are the most common ones?”

The new dashboard transforms raw data into actionable insights, helping you make informed decisions faster than ever.

This is just the beginning

Our team is actively working to expand the Business Intelligence feature based on your feedback and evolving needs. We have exciting enhancements planned that will make your data analysis even more powerful and intuitive.

Ready to give it a try?
Take the new dashboard for a spin and discover how it can streamline your workflow.

We’d love to hear your thoughts and learn what features would be most valuable for your team’s success!

Not maintained. Find the official Dradis image at [dradis/dradis-ce](https://hub.docker.com/r/dradis/dradis-ce)

We’re looking to keep the official regularly updated going forward.

Thanks!

Version 4.18.0 is up on Docker Hub and we have a new command line interface that streamlines deployment on a remote server.

You can spin up a production instance, including a Let’s Encrypt certificate using the following set of commands:

Step 1: Download dradis-cli
curl -sSLOJ https://dradis.new/install

Step 2: Run dradis-cli, passing in your domain name

./dradis-cli dradis.example.com

Alternatively, you can spin up an instance locally:

docker image pull dradis/dradis-ce:latest

docker run -it -p 3000:80 dradis/dradis-ce

More info on Docker deployment options can be found here

Please let our team know if you have any questions

You can spin up a production instance, including a Let’s Encrypt certificate using:
TLS_DOMAIN=<yourdomain.com> docker compose up

You can also run a production instance locally with docker run -p 3000:80 dradis-ce-web

The new Dradis CE image will be available on https://hub.docker.com/u/dradis soon, but for now you can build the image locally if you want to get started!

Please let our team know if you have any questions

Users may want to integrate with Dradis in different ways, for instance:

• Listen for changes in Business Intelligence properties, for instance, when project’s State is changed to “Done”/“Finished” to reach out to the customer, or trigger billing.
• When a contributor submits a New Project request through Gateway - our user-facing results portal, kick the workflow that will set things in motion for the process to happen (resource allocation, requirement gathering, $$$ proposal creation and approval, etc.).
• When a significant event happens in-project (e.g. new High impact Issue added), post in the project’s Slack/Teams/Discord channel.
• …

Before, this could be done through our command line interface and scripting, but it wasn’t very convenient. This is why we’ve been working on Webhooks:

We’re still working on this feature and would like to gather some ideas and use cases from teams out there already integrating Dradis with their other tools and systems.

• What sorts of workflows do you wish to build?
• What are the interesting events you’d like Dradis to broadcast?

Use this category if:

• You want to discuss a feature that’s under active delveopment or about to be released.

• You want to gather feedback from the community for an idea or feature that you’re considering developing or are developing already.

Apologies as we can’t seem to replicate the issue you’re seeing so more information would be helpful:

• Do you get the same error when you create a node, note, or evidence in a project?
• Are you seeing the error on a fresh database?
• There are some test burp files here: dradis-burp/spec/fixtures/files at main · dradis/dradis-burp · GitHub. Can you try and upload some of these and see if you get the same error?

Once that is resolved, you’ll need to run rails c as a separate command. Once you’re in the rails console, then run PaperTrail::Version.where(item_id: nil). We’ll get this resolved!

the following is images of the command’s outputs:

Also, where can i get the log file?

To check, can you connect to your instance and run the following commands:

$ rails c
> PaperTrail::Version.where(item_id: nil)

Also, sharing the dradis logs around when you get the error will also help!

I deployed the docker deployment and the version is “Dradis Community Edition v4.16.0“.

The uploaded file was burpsuite HTML file.

Yes whenever I am trying to upload the any issues manually(by pressing the ‘+’ on the top right corner of the issues page), it redirects to the error page.

let me know if you need any further details

Also when adding the Vulnerability manually, the error was popping up:

The Problem That Started It All

So this whole thing began when we kept running into issues with Jira integrations. When you’re sending issues to Jira and need to select an assignee, the Jira API has a limitation where it only returns 50 results max - no pagination, no way to get a complete user list. For teams with more than 50 people, you’d either get stuck with whoever happened to be in those first 50 results, or you’d have to leave the field blank and assign it later in Jira. Super annoying.

Our solution was to add filtering that returns the top 50 results based on what the user types. So now you can actually find any assignee by just starting to type their name, even if your team has hundreds of users.

Making It Bigger

But then we realized - why stop at Jira assignees? We had similar issues all over the app, where long select lists were either tedious to scroll through or, in odd cases, crashed Dradis when dealing with massive datasets.

So we decided to go all-in and build a proper combobox component that could replace select elements app-wide.

What We Built

Our new combobox handles all the good stuff:

• Filtering - Type to narrow down options instantly

• Multi-select - Choose multiple items with a nice tag-style display

• Remote data sources - Load options on-demand from APIs

• Infinite scroll - Handle massive lists without performance hits

• Grouped options - Keep things organized with optgroups

• Manual input - Add custom values when needed

• Rich rendering - Icons, colors, and custom styling

The best part? It’s built 100% in-house with zero dependencies. We wanted full control over the experience and performance.

The Results

Selecting options from long lists is now way easier, faster, and more intuitive. No more endless scrolling, no more crashes, and definitely no more “I’ll just assign this later” workarounds.

We’re still iterating and improving the component before we roll it out to replace 100% of selects in the app, but the early feedback has been really positive.

GitHub repo: dradis/dradis-calculator_mitre

Once you select a Tactic, the calculator will load the associated list of Techniques, followed by Sub-Techniques based on your selection. You can include Enterprise, Mobile, and ICS data all within the same Issue.

You can also access it in Standalone mode via the Tools menu:

The calculator will also be available for our PRO users starting with the upcoming v4.17 release!

We encourage you to create your own custom tools and share them with the community! You’ll find documentation to help you get started below:

• Create a Custom Export Add-on
• Create a Custom Upload Add-on

If you’d like to create your own custom calculator, you can also explore the repositories for our CVSS and DREAD calculators:

• dradis/dradis-calculator_cvss
• dradis-calculator_dread

We’re always happy to help - feel free to share any questions or feedback!

I try to upgrade Bundle and Ruby to a newer version and no luck.

When you say you tried to upgrade Ruby, what version were you trying to upgrade to?

File.exists? was deprecated in Ruby version 3.2 so that would explain the error you’re seeing. If you run Dradis with Ruby v3.1.2 this error should resolve itself.

Can you restart your VM and confirm that the correct ruby version is being used by your instance?

rvm list

If ruby-3.1.2 is listed in the output:

rvm use 3.1.2

If ruby-3.1.2 is not listed in the output:

rvm install 3.1.2
rvm use 3.1.2

┌──(root㉿kali)-[/home/kali/dradis-ce/dradis-ce]
└─# git log | head -1
commit 0a4b0404ba0cab5ab338312ca8ef0f8c9a40e773

And report back?

I see the Ruby version is not quite right and that you’re running the git command from outside the dradis-ce/ folder. Hopefully the guide has all the steps you need to get you up and running.

In a nutshell:

• install dependencies: Installing Dradis on Kali Linux | Dradis Framework
• follow the git instructions: Installing Dradis from Git | Dradis Framework

I got the code from the Dradis site.

──(kali㉿kali)-[~]
└─$ ruby -v
ruby 3.3.8 (2025-04-09 revision b200bad6cd) [x86_64-linux-gnu]

┌──(kali㉿kali)-[~]
└─$ git log | head -1
fatal: not a git repository (or any of the parent directories): .git

┌──(kali㉿kali)-[~]
└─$

1. where did you get your Dradis CE code from? Stright from git pull or from a distro (e.g. Kali) or somewhere else?

I just run git clone and it seems the current code on develop with Ruby 3.1.2 (from .ruby-version), has no issues w/ ./bin/setup or ./bin/bundle.

2. What version of Ruby are you on? (ruby -v)

3. What version of Dradis? (git log | head -1)

== Enabling default add-ons ==
== Installing dependencies ==

[!] There was an error parsing `Gemfile`: undefined method `exists?' for class File. Bundler cannot continue.                                             
                                                                             
 #  from /dradis-ce/Gemfile:227                                              
 #  -------------------------------------------                              
 #  plugins_file = 'Gemfile.plugins'                                         
 >  if File.exists?(plugins_file)                                            
 #    eval(IO.read(plugins_file), binding)                                   
 #  -------------------------------------------                              
                                                                             
[!] There was an error parsing `Gemfile`: undefined method `exists?' for class File. Bundler cannot continue.                                             
                                                                             
 #  from /dradis-ce/Gemfile:227                                              
 #  -------------------------------------------                              
 #  plugins_file = 'Gemfile.plugins'                                         
 >  if File.exists?(plugins_file)                                            
 #    eval(IO.read(plugins_file), binding)                                   
 #  -------------------------------------------                              
                                                                             
== Command ["bundle install"] failed ==

Thanks for checking in.

Thanks,

services:
  dradis:
    image: dradis/dradis-ce
    ports:
      - "3000:3000"
    volumes:
      - /tmp/dradis:/app

An excerpt from the log:

dradis-1  | * Listening on http://0.0.0.0:3000
dradis-1  | Use Ctrl-C to stop
dradis-1  | Started GET "/" for 192.168.65.1 at 2024-06-21 08:39:25 +0000
dradis-1  | Cannot render console from 192.168.65.1! Allowed networks: 127.0.0.0/127.255.255.255, ::1
dradis-1  |   ActiveRecord::SchemaMigration Pluck (0.5ms)  SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC
dradis-1  | Processing by Setup::PasswordsController#new as HTML
dradis-1  |   Configuration Load (0.2ms)  SELECT "configurations".* FROM "configurations" WHERE "configurations"."name" = ? LIMIT ?  [["name", "admin:password"], ["LIMIT", 1]]
dradis-1  |   ↳ app/models/configuration.rb:34:in `shared_password'
dradis-1  |   TRANSACTION (0.1ms)  begin transaction
dradis-1  |   ↳ app/models/configuration.rb:34:in `shared_password'
dradis-1  |   Configuration Exists? (0.1ms)  SELECT 1 AS one FROM "configurations" WHERE "configurations"."name" = ? LIMIT ?  [["name", "admin:password"], ["LIMIT", 1]]
dradis-1  |   ↳ app/models/configuration.rb:34:in `shared_password'
dradis-1  |   Configuration Create (0.2ms)  INSERT INTO "configurations" ("name", "value", "created_at", "updated_at") VALUES (?, ?, ?, ?)  [["name", "admin:password"], ["value", "improvable_dradis"], ["created_at", "2024-06-21 08:39:25.310387"], ["updated_at", "2024-06-21 08:39:25.310387"]]
dradis-1  |   ↳ app/models/configuration.rb:34:in `shared_password'
dradis-1  |   TRANSACTION (3.8ms)  commit transaction
dradis-1  |   ↳ app/models/configuration.rb:34:in `shared_password'
dradis-1  |   Rendering layout layouts/setup.html.erb
dradis-1  |   Rendering setup/passwords/new.html.erb within layouts/setup
dradis-1  |   Rendered setup/_progress.html.erb (Duration: 0.8ms | Allocations: 355)
dradis-1  |   Rendered setup/passwords/new.html.erb within layouts/setup (Duration: 5.7ms | Allocations: 2158)
dradis-1  |   Rendered shared/_noscript.html.erb (Duration: 0.3ms | Allocations: 165)
dradis-1  |   Rendered layout layouts/setup.html.erb (Duration: 29949.5ms | Allocations: 1710417)
dradis-1  | Completed 200 OK in 29977ms (Views: 29954.8ms | ActiveRecord: 4.4ms | Allocations: 1723063)

Be mindful though that the image’s WORKDIR is /app not /dradis though:

version: ‘3.8’

services:
  dradis:
    image: dradis/dradis-ce
    ports:
      - "3000:3000"
    volumes:
      - dradis_data:/dradis

volumes:
  dradis_data:

but when i try to go the webGUI it keeps saying on the logs

dradis-dradis-1 | Started GET "/" for 192.168.7.199 at 2024-06-20 04:40:26 +0000
dradis-dradis-1 | Cannot render console from 192.168.7.199! Allowed networks: 127.0.0.0/127.255.255.255, ::1
dradis-dradis-1 | Processing by Setup::PasswordsController#new as HTML