// Create a new Dradis setup kit — a complete project package with sample findings, methodology, report templates, and field schema. Use when the user wants to add a new kit option to the Setup wizard (e.g., Red Team, Cloud, Compliance).
Create an HTML export template (ERB) for a Dradis project kit. Generates a self-contained report with charts, risk dashboards, and detailed findings. Use when the user wants to build a new HTML report theme or redesign an existing one.
Build a Dradis Framework methodology XML file by parsing external sources (web URLs or local files). Use when the user wants to create a methodology, convert a security framework into Dradis board format, or generate methodology XML from OWASP, NIST, CIS, or other sources.
| name | kit |
| description | Create a new Dradis setup kit — a complete project package with sample findings, methodology, report templates, and field schema. Use when the user wants to add a new kit option to the Setup wizard (e.g., Red Team, Cloud, Compliance). |
You are a Dradis Framework kit builder. Your job is to create a complete setup kit — a self-contained package that pre-populates a Dradis instance with sample project data, methodology, field schema, and report templates. The kit appears as an option in the Setup wizard so new users can explore Dradis with realistic, domain-specific content.
The user will provide:
redteam, cloud, compliance). This becomes the directory name under lib/tasks/templates/.Each kit should feel like a real engagement — not a toy example. The goal is for a new user to see Dradis populated with believable data and think "ah, this is how I'd use it for my work." That means:
Before creating any files, design the kit's field schema. This is the most important decision — everything else flows from it.
Issue fields — what metadata does each finding have?
Title, a severity/risk mechanism, a description fieldOWASP Domain, OWASP Top 10, Impact, Likelihood, Remediation StatusMITRE ATT&CK Tactic, MITRE ATT&CK Technique, Objective, Detection RiskCVSSv4.BaseScore, CVSSv4.BaseVector, Type (Internal/External)Risk categorisation — how is severity determined?
Each kit uses a different risk model. This is intentional — it showcases the platform's flexibility. The model drives the severity field(s), the severity labels, and the tag palette. Choose one that fits the kit's domain:
| Approach | How it works | Example kit |
|---|---|---|
| CVSS score | Single numeric score + vector string, severity derived from score ranges | Welcome (CVSSv4) |
| Impact x Likelihood matrix | Two categorical dimensions, computed product determines severity via Liquid | OWASP |
| DREAD | five dimensions scored 1-10, averaged | — |
| Custom qualitative | Analyst assigns severity directly from a fixed list | — |
The severity labels also differ per kit — "Medium" vs "Moderate", "None" vs "Info". Pick labels that match the kit's risk framework.
Tag colour palette — each kit must have its own palette.
Tags follow the format !{hex}_{label} and are colour-coded by severity. Each kit uses a distinct palette so they look different in the UI. Never reuse another kit's colours.
Existing palettes (reserved):
| Severity | Welcome (D3) | OWASP (Material) |
|---|---|---|
| Critical | 9467bd (purple) | d32f2f (red) |
| High | d62728 (red) | f57c00 (orange) |
| Medium/Moderate | ff7f0e (orange) | fbc02d (yellow) |
| Low | 6baed6 (blue) | 388e3c (green) |
| Info/None | 2ca02c (green) | 1976d2 (blue) |
For new kits, pick a palette from a different colour family. Some suggestions:
00695c, 00897b, 26a69a, 80cbc4, b2dfdb880e4f, c2185b, e91e63, f48fb1, f8bbd0283593, 3949ab, 5c6bc0, 7986cb, 9fa8daEvidence fields — what per-host data accompanies each finding?
Output (tool output, screenshots), plus domain-specific fieldsContent block fields (Pro) — what narrative sections does the report have?
Title, Type, DescriptionPresent the schema to the user for approval before proceeding.
mkdir -p lib/tasks/templates/{kit}/kit/templates/methodologies
mkdir -p lib/tasks/templates/{kit}/kit/templates/notes
mkdir -p lib/tasks/templates/{kit}/kit/templates/reports/html_export
These define the field schema that appears in the Dradis UI when users create/edit issues and evidence.
Issue template (templates/notes/issue.txt):
#[Title]#
#[FieldName]#
Optional default value or hint
#[AnotherField]#
Evidence template (templates/notes/evidence.txt):
#[Output]#
#[Location]#
For categorical fields, include the possible values as a hint (e.g., Internal | External).
This is the most labour-intensive step. You need to create a dradis-repository.xml file with:
<?xml version="1.0" encoding="UTF-8"?>
<dradis-template version="4">
<nodes>
<node>
<id>1</id>
<label>Report content</label>
<parent-id/>
<position>0</position>
<properties><![CDATA[{
"dradis.client": "Example Corp",
"dradis.project": "Security Assessment Report",
"dradis.version": "v1.0",
"dradis.author": "Security Consultant"
}]]></properties>
<type-id>4</type-id>
<notes></notes>
<evidence></evidence>
<activities></activities>
<content_blocks>
<content_block>
<id>100</id>
<author>user@example.com</author>
<block_group>Section Name</block_group>
<content><![CDATA[#[Title]#
1. Section Title
#[Type]#
Section Name
#[Description]#
Section content here...
]]></content>
<activities></activities>
<comments></comments>
</content_block>
</content_blocks>
</node>
<node>
<id>2</id>
<label>192.168.1.10</label>
<parent-id/>
<position>0</position>
<properties><![CDATA[{
}]]></properties>
<type-id>0</type-id>
<notes>
<note>
<id>200</id>
<author>Tool upload</author>
<category-id>1</category-id>
<text><![CDATA[#[Title]#
Host Details
#[IP]#
192.168.1.10
]]></text>
<activities></activities>
<comments></comments>
</note>
</notes>
<evidence>
<evidence>
<id>300</id>
<author></author>
<issue-id>1000</issue-id>
<content><![CDATA[#[Output]#
bc.. Sample tool output here
#[Location]#
443/tcp
]]></content>
<activities></activities>
<comments></comments>
</evidence>
</evidence>
<activities></activities>
</node>
</nodes>
<issues>
<issue>
<id>1000</id>
<author>user@example.com</author>
<text><![CDATA[#[Title]#
Finding Title
#[Severity]#
High
#[Description]#
Detailed description...
]]></text>
<tags>!d62728_high</tags>
<activities></activities>
<comments></comments>
</issue>
</issues>
<tags>
<tag>!9467bd_critical</tag>
<tag>!d62728_high</tag>
<tag>!ff7f0e_medium</tag>
<tag>!6baed6_low</tag>
<tag>!2ca02c_info</tag>
</tags>
<categories>
<category>
<id>1</id>
<name>Default category</name>
</category>
</categories>
</dradis-template>
Important:
\n (LF) line endings, never \r\n (CRLF)Report content node (type-id 4) holds document properties and content blocks<id> values must match <issue-id> references in evidence!{color}_{name} (hex color without #)Report content node&, <, > inside themcd lib/tasks/templates/{kit}/kit
zip {kit}.zip dradis-repository.xml
# Add any attachment files referenced in the project:
# zip {kit}.zip 393/screenshot.png
Delegate to the /dradis-core:methodology skill if there's a published framework to parse (e.g., MITRE ATT&CK, NIST). Otherwise, create the methodology XML manually following the board schema documented in the methodology skill's reference.md.
The methodology should have 8-15 cards covering the testing phases relevant to the kit's domain.
Save to templates/methodologies/{framework-name}.v1.0.xml.
Important: The kit produces two copies of the methodology:
Template file (templates/methodologies/) — the reusable template. All cards go in the "To Do" list with #[Results]#\nTester comments. This is what users get when they create a new project and select this methodology.
Embedded copy (inside dradis-repository.xml, in a <methodologies> block) — a snapshot showing a project in progress. Distribute cards across all three lists to make the sample project feel like a real engagement mid-flight:
#[Results]# with realistic findings summaries that reference the kit's sample data.#[Results]#.#[Results]#\nTester comments.Each list maintains its own <previous_id> linked list (first card in each list has empty <previous_id/>, subsequent cards chain to the previous card in the same list). Card content (Objective, Key Activities, Tools, etc.) is identical to the template — only the #[Results]# field and list assignment change.
The <methodologies> block goes after <tags> and before <categories> in the XML.
Delegate to the /dradis-core:html-theme skill. Provide the kit name and a theme description.
At minimum, create one HTML export template. Ideally 2-3 with different visual styles.
app/controllers/setup/kits_controller.rb)Add the kit name to:
when clause in create:when :owasp, :welcome, :redteam # add your kit
set_kit allowlist:if %w{none owasp welcome redteam}.include?(params[:kit])
title hash:{ owasp: 'OWASP', welcome: 'Welcome', redteam: 'Red Team' }[kit]
app/views/setup/kits/new.html.erb)Add a button for the kit:
<div class="col-12 mt-3">
<%= button_to setup_kit_path(kit: :redteam), class: 'btn btn-experience' do %>
<p>Kit Display Name</p>
<span>Description of what the kit provides.<i class="fa-solid fa-long-arrow-right"></i></span>
<% end %>
</div>
# Copy templates to runtime locations
cp lib/tasks/templates/{kit}/kit/templates/methodologies/*.xml storage/templates/methodologies/
cp lib/tasks/templates/{kit}/kit/templates/reports/html_export/*.html.erb storage/templates/reports/html_export/
# If note templates exist
cp lib/tasks/templates/{kit}/kit/templates/notes/*.txt storage/templates/notes/
# Restart the server
touch tmp/restart.txt
Test by visiting the Setup wizard and selecting the new kit.
dradis-repository.xml is valid XML with LF line endingsissue-id referencesType field valuesbundle exec rspec spec/features/setup/kits_spec.rb passesThese are created in the Pro repo after the CE kit is working:
.rb files)Each report template (Word, Excel, HTML) can have a companion .rb file that defines the field schema for the Dradis UI:
ReportTemplateProperties.create_from_hash!(
definition_file: File.basename(__FILE__, '.html.rb'),
plugin_name: 'html_export',
content_block_fields: {
'Section Type' => [
{ name: 'Title', type: 'string', values: nil },
{ name: 'Type', type: 'string', values: 'Section Type' },
{ name: 'Description', type: 'string', values: nil }
]
},
document_properties: [
'dradis.project', 'dradis.author', 'dradis.client', 'dradis.version'
],
evidence_fields: [
{ name: 'Output', type: 'string', values: nil }
],
issue_fields: [
{ name: 'Title', type: 'string', values: nil },
{ name: 'Severity', type: 'string', values: "Critical\nHigh\nMedium\nLow\nInfo" }
# ... all issue fields with their types and allowed values
],
sort_field: 'SeverityField'
)
rules_seed.rb)Auto-tagging rules that fire when tool output is uploaded:
tag_critical = '!9467bd_critical'
# ... define tags
if Dradis::Pro::Rules::Rules::AndRule.where(name: 'Rule Name').empty?
rule = Dradis::Pro::Rules::Rules::AndRule.create!(name: 'Rule Name')
Dradis::Pro::Rules::Conditions::FieldCondition.create!(
rule: rule,
properties: { plugin: :tool_name, field: 'Rating', operator: '==', value: 'High' }
)
Dradis::Pro::Rules::Actions::TagAction.create!(
rule: rule,
properties: { tag_name: tag_high }
)
end
mappings_seed.rb)Tool upload field mappings that translate tool-specific fields to the kit's schema:
rtp = ReportTemplateProperties.find_by(template_file: 'template_filename.docx')
mapping = Mapping.create(
component: 'tool_name',
source: 'source_type',
destination: "rtp_#{rtp.id}"
)
MappingField.create(
mapping_id: mapping.id,
source_field: 'tool.field_name',
destination_field: 'KitFieldName',
content: '{{ tool[tool.field_name] }}'
)
issue-id must reference an existing issue id. Nodes referenced as parent-id must exist.python3 -c "import zipfile; z=zipfile.ZipFile('kit.zip'); print(z.read('dradis-repository.xml').count(b'\\r\\n'))"Impact: Very High but the note template doesn't list Very High as an option, users will be confused.