Documentation

Everything you need to install, configure, and run bum.pt.

Quick Start

Get bum.pt running in under 5 minutes:

bash
git clone https://github.com/Berg-io/bumpt.git
cd bumpt
cp .env.example .env
docker compose up -d

Open https://localhost and log in with the default credentials:

Email: admin@bumpt.local

Password: admin123

Change the default password immediately after first login.

Requirements

  • Docker and Docker Compose
  • 1 CPU core, 512 MB RAM minimum
  • Ports 80/443 available (configurable)

Installation

bum.pt is distributed as a Docker image. The included docker-compose.yml sets up the app, a Caddy reverse proxy (HTTPS), and a cron scheduler.

Community Edition (free)

bash
git clone https://github.com/Berg-io/bumpt.git
cd bumpt
cp .env.example .env
docker compose up -d

Professional Edition

Professional features (AI, webhooks, reports, SSO, API keys) require the Pro Docker image. The Community image does not include Pro code.

bash
git clone https://github.com/Berg-io/bumpt.git
cd bumpt
cp .env.example .env

Then edit docker-compose.yml: replace the build: section of the app service with:

yaml
image: bergio/bumpt-pro:latest

Add your license key to .env and start:

bash
# Add LICENSE_KEY="your_key" to .env, then:
docker compose up -d

Generating secure secrets

bash
# Linux/macOS (-i.bak is accepted by both GNU and BSD sed):
sed -i.bak "s/JWT_SECRET=.*/JWT_SECRET=\"$(openssl rand -hex 32)\"/" .env
sed -i.bak "s/CRON_SECRET=.*/CRON_SECRET=\"$(openssl rand -hex 32)\"/" .env
rm -f .env.bak

Configuration

All configuration is done via environment variables in the .env file.

Application

Variable             | Description             | Default
NEXT_PUBLIC_APP_NAME | App name in the UI      | bum.pt
APP_LANGUAGE         | Default language        | en
APP_PORT             | Exposed port (Docker)   | 3000
JWT_SECRET           | JWT signing secret      | (change!)
CRON_SCHEDULE        | Version check frequency | 0 0 */6 * * *
ADMIN_EMAIL          | Super admin email       | admin@bumpt.local
ADMIN_PASSWORD       | Super admin password    | admin123
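
A pre-deployment check for the defaults in the table above, as an added example (not part of bum.pt). It assumes an unset ADMIN_PASSWORD falls back to the documented default and that secrets were generated with openssl rand -hex 32 as shown under Generating secure secrets; the parser and function names are hypothetical.

```javascript
// Default documented on this page that must not survive into production.
const DEFAULT_ADMIN_PASSWORD = 'admin123';
const SECRET_VARS = ['JWT_SECRET', 'CRON_SECRET'];

// Minimal .env parser: KEY=value lines, optional surrounding quotes.
// Lines starting with '#' and blank lines do not match and are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
    if (!m) continue;
    env[m[1]] = m[2].replace(/^(["'])(.*)\1$/, '$2');
  }
  return env;
}

// Returns a list of findings; an empty list means the file passed.
function auditEnv(text) {
  const env = parseEnv(text);
  const findings = [];
  if (!env.ADMIN_PASSWORD || env.ADMIN_PASSWORD === DEFAULT_ADMIN_PASSWORD) {
    findings.push('ADMIN_PASSWORD is unset or still the documented default');
  }
  for (const name of SECRET_VARS) {
    // `openssl rand -hex 32` yields 64 hex characters (256 bits).
    if (!/^[0-9a-f]{64}$/i.test(env[name] || '')) {
      findings.push(`${name} is not a 64-character hex value`);
    }
  }
  // The two secrets protect different things and should not be shared.
  const seen = SECRET_VARS.map((n) => env[n]).filter(Boolean);
  if (new Set(seen).size !== seen.length) {
    findings.push('JWT_SECRET and CRON_SECRET share one value');
  }
  return findings;
}

// Constructed sample: a .env left at its defaults.
const SAMPLE_ENV = [
  '# copied from .env.example',
  'ADMIN_EMAIL=admin@bumpt.local',
  'ADMIN_PASSWORD=admin123',
  'JWT_SECRET="change-me"',
].join('\n');

for (const finding of auditEnv(SAMPLE_ENV)) console.log('FAIL:', finding);
```
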

License Key

bum.pt runs in Community Edition by default (up to 25 monitored items). To unlock unlimited items, AI analysis, webhooks, scheduled reports, SSO, and API keys, you need a Professional license.

Activating your license

  1. Purchase a Professional license at bum.pt
  2. Copy the license key from your email or Polar customer portal
  3. Make sure you are using the Pro Docker image. In your docker-compose.yml, the app service should use:
yaml
image: bergio/bumpt-pro:latest
  4. Add your license key to .env:
code
LICENSE_KEY="your_license_key_from_email"
  5. Start or restart your container:
bash
docker compose up -d --pull always

The license is validated automatically. If the key is valid, Professional features are unlocked immediately. Your data is preserved when upgrading from Community.

Important: The Community Docker image (bergio/bumpt:latest) does not include Pro code. A license key alone is not sufficient — you must use the Pro image.

What happens when the license expires?

The app gracefully degrades to Community Edition. Your data is never lost. Renew your license to restore Professional features.

Database

bum.pt supports 4 database engines:

  • SQLite (default) — no extra setup
  • PostgreSQL — Docker container included
  • MariaDB — Docker container included
  • MSSQL — external server (Professional)

Set DB_TYPE and DATABASE_URL in your .env. See the README for full examples.

Release Metadata

Every version check automatically extracts rich metadata from the source when available:

  • Release notes — changelog or description of the update
  • Release date — when the version was published
  • Release URL — direct link to the release page
  • Download URL — direct link to download the artifact
  • EOL date — end-of-life date (when available via EndOfLife.date)
  • LTS status — whether the version is a Long Term Support release
  • Description — package or software description

This data is stored per item and displayed in the Item Detail Modal — click any item on the dashboard to see the full breakdown.

All 42 check sources extract as much metadata as the upstream API provides. No configuration needed — it works out of the box.

CVE Enrichment

After each version check, bum.pt automatically looks up known vulnerabilities using three free, commercially-usable sources:

  • OSV.dev (Google, Apache 2.0) — ecosystem-level CVE lookup for packages (NPM, PyPI, Go, Maven, etc.)
  • NVD / NIST API 2.0 (US public domain) — keyword-based CVE search with rate limiting
  • GitHub Advisory Database (CC-BY-4.0) — reviewed security advisories from GitHub

CVEs are shown as clickable badges in the dashboard and item detail modal, linking directly to the NVD detail page.

How it works

  1. A version check runs (manual or scheduled)
  2. The result is persisted to the database
  3. CVE enrichment runs in the background (fire-and-forget)
  4. Found CVEs are stored on the item as a JSON array

No configuration is required — CVE enrichment is enabled by default for all editions. A GITHUB_TOKEN environment variable is recommended to avoid GitHub API rate limits.

AI Analysis

With a Professional license, bum.pt can analyze each update using AI and generate a structured summary. This runs automatically after each version check.

Supported providers

  • OpenAI — GPT-4o, GPT-4o-mini, or any OpenAI model
  • Anthropic — Claude 4 Sonnet, Claude 3.5 Haiku, etc.
  • Mistral — Mistral Large, Small, etc.
  • Self-hosted — any OpenAI-compatible API (Ollama, vLLM, LM Studio, etc.)

What does the AI produce?

For each update, the AI generates a structured analysis including:

  • A concise summary of the update
  • An impact level assessment (low, medium, high, critical)
  • Security notes based on detected CVEs and release notes
  • An update recommendation (update now, schedule, or skip)

The analysis is displayed in the Item Detail Modal and responds in the app's configured language.

Configuration

Go to Settings > AI Analysis in the admin panel. Select a provider, enter your API key, optionally specify a model, and toggle "AI Enrichment enabled". For self-hosted providers, enter your server's base URL instead.

Webhooks

With a Professional license, bum.pt can send real-time notifications to external services when events occur.

Supported channels

  • Slack — formatted messages with blocks and mrkdwn
  • Discord — rich embeds with color-coded status
  • Microsoft Teams — Adaptive Card format
  • Email — SMTP delivery to one or more recipients
  • Custom HTTP — JSON payload to any URL, with optional X-Webhook-Signature (HMAC-SHA256) and custom headers

Supported events

  • version.new — a new version is detected
  • version.critical — a critical update is available
  • cve.detected — a CVE is found for an item
  • item.eol — an item has reached end-of-life
  • check.failed — a version check failed

Configuration

Go to Settings > Notifications in the admin panel. Add a webhook, select its type, choose which events to subscribe to, and optionally add a secret for signature verification.

You can also define webhooks via environment variables for Docker-based deployments. Each webhook can be individually enabled or disabled.
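
Receiver-side verification for the Custom HTTP channel, as an added example (not bum.pt's own code). It assumes the X-Webhook-Signature header carries the hex HMAC-SHA256 of the raw request body, optionally prefixed with sha256=, and that the JSON payload names its event in an event field; the page documents neither, so confirm both against a test delivery.

```javascript
const crypto = require('node:crypto');

// Event names listed in the "Supported events" section.
const KNOWN_EVENTS = new Set([
  'version.new', 'version.critical', 'cve.detected', 'item.eol', 'check.failed',
]);

// Assumption: the header is hex(HMAC-SHA256(secret, raw body)), optionally
// prefixed with "sha256=". The page does not state the encoding.
function verifySignature(rawBody, headerValue, secret) {
  if (typeof headerValue !== 'string' || !secret) return false;
  const hex = headerValue.trim().replace(/^sha256=/i, '');
  if (!/^[0-9a-f]{64}$/i.test(hex)) return false; // also guarantees 32 bytes
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  // Constant-time comparison avoids leaking how many bytes matched.
  return crypto.timingSafeEqual(Buffer.from(hex, 'hex'), expected);
}

// Returns the HTTP status the receiver should answer with. The body is parsed
// only after the signature over the exact received bytes has been verified.
// Header names are lowercase, as Node's http module delivers them.
function handleDelivery(rawBody, headers, secret) {
  if (!verifySignature(rawBody, headers['x-webhook-signature'], secret)) return 401;
  let payload;
  try {
    payload = JSON.parse(rawBody.toString('utf8'));
  } catch {
    return 400;
  }
  // Assumption: the payload names its event in an "event" field.
  if (!payload || !KNOWN_EVENTS.has(payload.event)) return 422;
  return 200;
}

// Constructed sample delivery; secret and field names are hypothetical.
const SECRET = 'constructed-example-secret';
const sign = (buf) => crypto.createHmac('sha256', SECRET).update(buf).digest('hex');
const body = Buffer.from(JSON.stringify({ event: 'cve.detected', item: 'nginx' }));
const tampered = Buffer.from(JSON.stringify({ event: 'cve.detected', item: 'other' }));

console.log(handleDelivery(body, { 'x-webhook-signature': sign(body) }, SECRET));
console.log(handleDelivery(tampered, { 'x-webhook-signature': sign(body) }, SECRET));
console.log(handleDelivery(body, {}, SECRET));
```

Pass the function the raw bytes as received; re-serializing a parsed body before hashing changes the bytes and makes valid deliveries fail verification.
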

Scheduled Reports

With a Professional license, bum.pt can generate and deliver automated reports on a schedule.

Schedule options

  • Daily — runs every day at a specified hour
  • Weekly — runs on a chosen day of the week
  • Monthly — runs on a chosen day of the month

Delivery channels

  • Email — HTML report sent via SMTP to specified recipients
  • Slack — summary posted to your first enabled Slack webhook
  • Discord — summary posted to your first enabled Discord webhook
  • Microsoft Teams — summary posted to your first enabled Teams webhook
  • In-app — full HTML report stored in the app, viewable from Admin > Reports

You can enable multiple channels per report. Each report can have custom filters (by status, type, or tags) and choose which sections to include (summary, outdated items, critical items, CVEs, etc.).

Configuration

Go to Admin > Reports to create and manage scheduled reports. The cron scheduler handles execution automatically.

Tags & Filters

Organize your monitored items with color-coded tags for easy categorization and filtering.

Tagging items

When creating or editing an item, add one or more tags (e.g. "production", "staging", "database", "web"). Tags are displayed as colored pills next to the item name in the dashboard. Colors are automatically generated based on the tag name.

Filtering

The dashboard filter bar allows you to combine multiple filters:

  • Free-text search — filter by item name
  • Type — software, docker, service, firmware, plugin, library, database, network, mobile/desktop/web app, OS, driver, IoT
  • Status — up to date, outdated, critical
  • Tags — filter by a specific tag

Export & print

From the dashboard, you can export to CSV for further analysis in a spreadsheet, or use the print function to generate a printable view of the current items table. Both respect the active filters.

HTTPS / TLS

Caddy is included as a reverse proxy and handles HTTPS automatically. Three TLS modes are available:

  • Self-signed (default) — for development and internal networks
  • Custom certificates — place your .crt and .key in the certs/ folder
  • Let's Encrypt — automatic certificates for public domains

Updating

Community Edition

bash
docker compose down
docker compose build --no-cache
docker compose up -d

Professional Edition

bash
docker compose down
docker compose pull
docker compose up -d

Database migrations are applied automatically on startup. Your data and settings are preserved.

FAQ

Is my data sent to the cloud?

No. bum.pt is 100% self-hosted. License keys are verified locally using cryptographic signatures (Ed25519) — no external API calls are made.

Does it work offline?

Yes. License validation is fully offline. The key contains a cryptographic signature verified locally — no internet connection is needed for the license to work.

Can I switch databases after setup?

Yes. Export your data using the admin backup feature, change the database configuration in your .env file, restart, and restore the backup.

How do I cancel my subscription?

You can cancel anytime from your Polar customer portal. Your license remains active until the end of the billing period.

Does CVE enrichment require an API key?

No. CVE enrichment uses free public APIs (OSV.dev, NVD/NIST, GitHub Advisory) and works out of the box. Adding a GITHUB_TOKEN is recommended to avoid GitHub rate limits.

Can I use AI analysis with a local model?

Yes. The self-hosted provider supports any OpenAI-compatible API, including Ollama, vLLM, and LM Studio. Just enter your server URL in Settings > AI Analysis.