first commit

docs/security.md

@@ -0,0 +1,163 @@
+# Security Scanning
+
+The security scanner detects vulnerabilities aligned with OWASP Top 10.
+
+## Supported Rules
+
+### A01:2021 – Broken Access Control
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC001 | HIGH | Hardcoded credentials (passwords, API keys) |
+| SEC002 | HIGH | Exposed private keys |
+
+### A02:2021 – Cryptographic Failures
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC003 | MEDIUM | Weak hash algorithms (MD5, SHA1) |
+| SEC004 | MEDIUM | Non-cryptographic random for security |
+
+### A03:2021 – Injection
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC005 | HIGH | SQL injection via string formatting |
+| SEC006 | HIGH | Command injection in subprocess |
+| SEC007 | HIGH | eval() usage |
+| SEC008 | MEDIUM | XSS via innerHTML |
+
+### A04:2021 – Insecure Design
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC009 | MEDIUM | Debug mode enabled |
+
+### A05:2021 – Security Misconfiguration
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC010 | MEDIUM | CORS wildcard (*) |
+| SEC011 | HIGH | SSL verification disabled |
+
+### A07:2021 – Authentication Failures
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC012 | HIGH | Hardcoded JWT secrets |
+
+### A08:2021 – Integrity Failures
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC013 | MEDIUM | Pickle deserialization |
+
+### A09:2021 – Logging Failures
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC014 | MEDIUM | Logging sensitive data |
+
+### A10:2021 – Server-Side Request Forgery
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC015 | MEDIUM | SSRF via dynamic URLs |
+
+### Additional Rules
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC016 | LOW | Hardcoded IP addresses |
+| SEC017 | MEDIUM | Security-related TODO/FIXME |
+
+## Usage
+
+### In PR Reviews
+
+Security scanning runs automatically during PR review:
+
+```yaml
+agents:
+  pr:
+    security_scan: true
+```
+
+### Standalone
+
+```python
+from security import SecurityScanner
+
+scanner = SecurityScanner()
+
+# Scan file content
+for finding in scanner.scan_content(code, "file.py"):
+    print(f"[{finding.severity}] {finding.rule_name}")
+    print(f"  Line {finding.line}: {finding.code_snippet}")
+    print(f"  {finding.description}")
+
+# Scan git diff
+for finding in scanner.scan_diff(diff):
+    print(f"{finding.file}:{finding.line} - {finding.rule_name}")
+```
+
+### Get Summary
+
+```python
+findings = list(scanner.scan_content(code, "file.py"))
+summary = scanner.get_summary(findings)
+
+print(f"Total: {summary['total']}")
+print(f"HIGH: {summary['by_severity']['HIGH']}")
+print(f"Categories: {summary['by_category']}")
+```
+
+## Custom Rules
+
+Create `security/security_rules.yml`:
+
+```yaml
+rules:
+  - id: "CUSTOM001"
+    name: "Custom Pattern"
+    pattern: "dangerous_function\\s*\\("
+    severity: "HIGH"
+    category: "Custom"
+    cwe: "CWE-xxx"
+    description: "Usage of dangerous function detected"
+    recommendation: "Use safe_function() instead"
+```
+
+Load custom rules:
+
+```python
+scanner = SecurityScanner(rules_file="security/custom_rules.yml")
+```
+
+## CI Integration
+
+Fail CI on HIGH severity findings:
+
+```yaml
+security:
+  fail_on_high: true
+```
+
+Or in code:
+
+```python
+findings = list(scanner.scan_diff(diff))
+high_count = sum(1 for f in findings if f.severity == "HIGH")
+
+if high_count > 0:
+    sys.exit(1)
+```
+
+## CWE References
+
+All rules include CWE (Common Weakness Enumeration) references:
+
+- [CWE-78](https://cwe.mitre.org/data/definitions/78.html): OS Command Injection
+- [CWE-79](https://cwe.mitre.org/data/definitions/79.html): XSS
+- [CWE-89](https://cwe.mitre.org/data/definitions/89.html): SQL Injection
+- [CWE-798](https://cwe.mitre.org/data/definitions/798.html): Hardcoded Credentials