| 5.1 | scan-service scaffolding & proto | Scaffold the scan-service NestJS application with gRPC transport. Define scan.proto (StartScan, GetScan, ListScans, CancelScan RPCs) and generate TypeScript stubs. | Service starts, registers with the API Gateway, and responds to a health-check RPC. |
| 5.2 | report-service scaffolding & proto | Scaffold the report-service NestJS application with gRPC transport. Define report.proto (GenerateReport, GetReport, ListReports RPCs) and generate TypeScript stubs. | Service starts, registers with the API Gateway, and responds to a health-check RPC. |
| 5.3 | K8s Job creation for scan workers | Implement the scan-service logic that creates a Kubernetes Job for each scan request, mounts the correct scanner image, passes target and config as environment variables, and collects exit status. | A StartScan call creates a K8s Job visible via kubectl get jobs; the Job runs to completion and the scan-service records its exit code. |
| 5.4 | Nmap scanner container & integration | Build a Docker image wrapping nmap with a thin entrypoint script that reads target/config from env, runs the scan, and publishes structured JSON results to NATS. | An Nmap scan Job completes, publishes results to scan.results.nmap, and the scan-service persists the output. |
| 5.5 | ZAP scanner container & integration | Build a Docker image wrapping OWASP ZAP in headless mode with a similar entrypoint: env-based config, structured JSON output, NATS publish. | A ZAP scan Job completes within the configured timeout, publishes results, and the scan-service persists the output. |
| 5.6 | SSLyze scanner container & integration | Build a Docker image wrapping sslyze with the same entrypoint pattern. Output includes certificate details, protocol support, and vulnerability flags. | An SSLyze scan Job completes, publishes results to scan.results.sslyze, and the scan-service persists the output. |
| 5.7 | DNS recon container & integration | Build a Docker image wrapping subfinder and dnsx for subdomain enumeration and DNS record collection. | A DNS recon Job completes, publishes discovered subdomains and records, and the scan-service persists the output. |
| 5.8 | Real-time output streaming (WebSocket) | Implement a WebSocket endpoint on the API Gateway that subscribes to NATS scan output subjects and streams lines to the connected client in real time. | While a scan is running, the client receives live output lines; when the scan finishes, the stream closes cleanly. |
| 5.9 | Scheduled scans (cron) | Add cron-based scheduling to the scan-service: users configure a cron expression per domain, and the service creates Jobs on schedule. Store schedule definitions in PostgreSQL. | A scan with cron expression 0 3 * * * triggers automatically at 03:00; the next run time is displayed in the UI. |
| 5.10 | Scan results UI | Build the admin portal scan pages: scan list (filterable by domain, tool, status), scan detail (raw output, parsed findings, severity badges), and report download (PDF/JSON). | Users can browse, filter, and inspect scan results; findings are displayed with severity color-coding; PDF export produces a readable report. |
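
For task 5.3, the sketch below shows one way the scan-service could build the Job manifest so that a user-supplied target is validated before it reaches a scanner's entrypoint. It is an added example, not code from this project. The image references, the `SCAN_TARGET` and `SCAN_CONFIG` variable names, the `buildScanJob` helper and the assumption that targets are hostnames or IPv4 addresses are all hypothetical.

```typescript
// Added example. SCANNER_IMAGES, SCAN_TARGET, SCAN_CONFIG and buildScanJob are assumed names.
type Tool = "nmap" | "zap" | "sslyze" | "dnsrecon";

// Placeholder image references, not the project's real ones.
const SCANNER_IMAGES: Record<Tool, string> = {
  nmap: "registry.example/scanners/nmap:PLACEHOLDER",
  zap: "registry.example/scanners/zap:PLACEHOLDER",
  sslyze: "registry.example/scanners/sslyze:PLACEHOLDER",
  dnsrecon: "registry.example/scanners/dnsrecon:PLACEHOLDER",
};

// Hostname or IPv4 literal: dot-separated labels that start and end with a letter or digit.
const TARGET_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function buildScanJob(scanId: string, tool: Tool, target: string,
                      config: Record<string, unknown>, timeoutSeconds = 900) {
  if (!/^[a-z0-9]{1,32}$/.test(scanId)) throw new Error("invalid scan id");
  if (!Object.prototype.hasOwnProperty.call(SCANNER_IMAGES, tool)) throw new Error("unknown tool");
  // Rejects values a scanner CLI could read as an option ("-oN...") or a shell as syntax (";", "$(").
  if (!TARGET_RE.test(target)) throw new Error("invalid target");
  return {
    apiVersion: "batch/v1",
    kind: "Job",
    metadata: { name: `scan-${tool}-${scanId}`, labels: { "scan-id": scanId, tool } },
    spec: {
      backoffLimit: 0,                        // a failed scan is recorded, not silently retried
      activeDeadlineSeconds: timeoutSeconds,  // enforces the configured scan timeout
      ttlSecondsAfterFinished: 3600,          // finished Jobs are cleaned up after exit status is read
      template: { spec: {
        restartPolicy: "Never",
        automountServiceAccountToken: false,  // scanner pods get no Kubernetes API credentials
        containers: [{
          name: "scanner",
          image: SCANNER_IMAGES[tool],
          env: [
            { name: "SCAN_TARGET", value: target },
            { name: "SCAN_CONFIG", value: JSON.stringify(config) },
          ],
          securityContext: {
            runAsNonRoot: true,
            allowPrivilegeEscalation: false,
            capabilities: { drop: ["ALL"] },  // without raw sockets nmap uses TCP connect scans
          },
        }],
      } },
    },
  };
}
```

The entrypoint script in each scanner image should still pass `SCAN_TARGET` to the tool as a single quoted argument rather than interpolating it into a shell string.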