# Security Scanning The security scanner detects vulnerabilities aligned with OWASP Top 10. ## Supported Rules ### A01:2021 – Broken Access Control | Rule | Severity | Description | |------|----------|-------------| | SEC001 | HIGH | Hardcoded credentials (passwords, API keys) | | SEC002 | HIGH | Exposed private keys | ### A02:2021 – Cryptographic Failures | Rule | Severity | Description | |------|----------|-------------| | SEC003 | MEDIUM | Weak hash algorithms (MD5, SHA1) | | SEC004 | MEDIUM | Non-cryptographic random for security | ### A03:2021 – Injection | Rule | Severity | Description | |------|----------|-------------| | SEC005 | HIGH | SQL injection via string formatting | | SEC006 | HIGH | Command injection in subprocess | | SEC007 | HIGH | eval() usage | | SEC008 | MEDIUM | XSS via innerHTML | ### A04:2021 – Insecure Design | Rule | Severity | Description | |------|----------|-------------| | SEC009 | MEDIUM | Debug mode enabled | ### A05:2021 – Security Misconfiguration | Rule | Severity | Description | |------|----------|-------------| | SEC010 | MEDIUM | CORS wildcard (*) | | SEC011 | HIGH | SSL verification disabled | ### A07:2021 – Authentication Failures | Rule | Severity | Description | |------|----------|-------------| | SEC012 | HIGH | Hardcoded JWT secrets | ### A08:2021 – Integrity Failures | Rule | Severity | Description | |------|----------|-------------| | SEC013 | MEDIUM | Pickle deserialization | ### A09:2021 – Logging Failures | Rule | Severity | Description | |------|----------|-------------| | SEC014 | MEDIUM | Logging sensitive data | ### A10:2021 – Server-Side Request Forgery | Rule | Severity | Description | |------|----------|-------------| | SEC015 | MEDIUM | SSRF via dynamic URLs | ### Additional Rules | Rule | Severity | Description | |------|----------|-------------| | SEC016 | LOW | Hardcoded IP addresses | | SEC017 | MEDIUM | Security-related TODO/FIXME | ## Usage ### In PR Reviews Security scanning runs automatically during PR review: ```yaml agents: pr: security_scan: true ``` ### Standalone ```python from security import SecurityScanner scanner = SecurityScanner() # Scan file content for finding in scanner.scan_content(code, "file.py"): print(f"[{finding.severity}] {finding.rule_name}") print(f" Line {finding.line}: {finding.code_snippet}") print(f" {finding.description}") # Scan git diff for finding in scanner.scan_diff(diff): print(f"{finding.file}:{finding.line} - {finding.rule_name}") ``` ### Get Summary ```python findings = list(scanner.scan_content(code, "file.py")) summary = scanner.get_summary(findings) print(f"Total: {summary['total']}") print(f"HIGH: {summary['by_severity']['HIGH']}") print(f"Categories: {summary['by_category']}") ``` ## Custom Rules Create `security/security_rules.yml`: ```yaml rules: - id: "CUSTOM001" name: "Custom Pattern" pattern: "dangerous_function\\s*\\(" severity: "HIGH" category: "Custom" cwe: "CWE-xxx" description: "Usage of dangerous function detected" recommendation: "Use safe_function() instead" ``` Load custom rules: ```python scanner = SecurityScanner(rules_file="security/custom_rules.yml") ``` ## CI Integration Fail CI on HIGH severity findings: ```yaml security: fail_on_high: true ``` Or in code: ```python findings = list(scanner.scan_diff(diff)) high_count = sum(1 for f in findings if f.severity == "HIGH") if high_count > 0: sys.exit(1) ``` ## CWE References All rules include CWE (Common Weakness Enumeration) references: - [CWE-78](https://cwe.mitre.org/data/definitions/78.html): OS Command Injection - [CWE-79](https://cwe.mitre.org/data/definitions/79.html): XSS - [CWE-89](https://cwe.mitre.org/data/definitions/89.html): SQL Injection - [CWE-798](https://cwe.mitre.org/data/definitions/798.html): Hardcoded Credentials