openrabbit/docs/security.md
2025-12-21 13:42:30 +01:00

# Security Scanning

The security scanner detects common vulnerability patterns in code, with each rule mapped to an OWASP Top 10 (2021) category.

## Supported Rules

### A01:2021 Broken Access Control

| Rule | Severity | Description |
|------|----------|-------------|
| SEC001 | HIGH | Hardcoded credentials (passwords, API keys) |
| SEC002 | HIGH | Exposed private keys |

### A02:2021 Cryptographic Failures

| Rule | Severity | Description |
|------|----------|-------------|
| SEC003 | MEDIUM | Weak hash algorithms (MD5, SHA1) |
| SEC004 | MEDIUM | Non-cryptographic random for security |

### A03:2021 Injection

| Rule | Severity | Description |
|------|----------|-------------|
| SEC005 | HIGH | SQL injection via string formatting |
| SEC006 | HIGH | Command injection in subprocess |
| SEC007 | HIGH | eval() usage |
| SEC008 | MEDIUM | XSS via innerHTML |

### A04:2021 Insecure Design

| Rule | Severity | Description |
|------|----------|-------------|
| SEC009 | MEDIUM | Debug mode enabled |

### A05:2021 Security Misconfiguration

| Rule | Severity | Description |
|------|----------|-------------|
| SEC010 | MEDIUM | CORS wildcard (*) |
| SEC011 | HIGH | SSL verification disabled |

### A07:2021 Authentication Failures

| Rule | Severity | Description |
|------|----------|-------------|
| SEC012 | HIGH | Hardcoded JWT secrets |

### A08:2021 Integrity Failures

| Rule | Severity | Description |
|------|----------|-------------|
| SEC013 | MEDIUM | Pickle deserialization |

### A09:2021 Logging Failures

| Rule | Severity | Description |
|------|----------|-------------|
| SEC014 | MEDIUM | Logging sensitive data |

### A10:2021 Server-Side Request Forgery

| Rule | Severity | Description |
|------|----------|-------------|
| SEC015 | MEDIUM | SSRF via dynamic URLs |

### Additional Rules

| Rule | Severity | Description |
|------|----------|-------------|
| SEC016 | LOW | Hardcoded IP addresses |
| SEC017 | MEDIUM | Security-related TODO/FIXME |

## Usage

### In PR Reviews

Security scanning runs automatically as part of PR review when it is enabled in the agent configuration:

```yaml
agents:
  pr:
    security_scan: true
```

### Standalone

```python
from security import SecurityScanner

scanner = SecurityScanner()

# `code` is the file content as a string and `diff` a unified diff string;
# both are supplied by the caller (read from disk or taken from `git diff`).

# Scan file content
for finding in scanner.scan_content(code, "file.py"):
    print(f"[{finding.severity}] {finding.rule_name}")
    print(f"  Line {finding.line}: {finding.code_snippet}")
    print(f"  {finding.description}")

# Scan git diff
for finding in scanner.scan_diff(diff):
    print(f"{finding.file}:{finding.line} - {finding.rule_name}")
```

### Get Summary

```python
findings = list(scanner.scan_content(code, "file.py"))
summary = scanner.get_summary(findings)

print(f"Total: {summary['total']}")
print(f"HIGH: {summary['by_severity']['HIGH']}")
print(f"Categories: {summary['by_category']}")
```
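To make the rule and finding model behind the Standalone and Get Summary snippets concrete, here is an added example of a minimal regex-driven scanner with the same `scan_content` / `get_summary` shape. It is not the project's `SecurityScanner`: the rule table (modelled on the documented SEC001, SEC003 and SEC005 entries), the regexes, the `Finding` dataclass and the sample file are all constructed here for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Hypothetical rule table modelled on three of the documented rule IDs
# (SEC001, SEC003, SEC005). The regexes are illustrative, not the project's own.
RULES = [
    {
        "id": "SEC001", "name": "Hardcoded credentials", "severity": "HIGH",
        "category": "A01:2021 Broken Access Control",
        # an identifier that looks like a secret, assigned a quoted literal
        "pattern": re.compile(r"""(?i)\b(password|passwd|api_key|secret)\s*=\s*["'][^"']{4,}["']"""),
    },
    {
        "id": "SEC003", "name": "Weak hash algorithm", "severity": "MEDIUM",
        "category": "A02:2021 Cryptographic Failures",
        "pattern": re.compile(r"\bhashlib\.(md5|sha1)\s*\("),
    },
    {
        "id": "SEC005", "name": "SQL injection via string formatting", "severity": "HIGH",
        "category": "A03:2021 Injection",
        # a quoted SQL statement immediately followed by %, + or .format(
        "pattern": re.compile(r"""(?i)["'](select|insert|update|delete)\b[^"']*["']\s*(%|\+|\.format\()"""),
    },
]


@dataclass
class Finding:
    rule_id: str
    rule_name: str
    severity: str
    category: str
    file: str
    line: int
    code_snippet: str


def scan_content(code: str, filename: str) -> Iterator[Finding]:
    """Yield one Finding per (line, rule) match; line numbers are 1-based."""
    for lineno, text in enumerate(code.splitlines(), start=1):
        for rule in RULES:
            if rule["pattern"].search(text):
                yield Finding(rule["id"], rule["name"], rule["severity"],
                              rule["category"], filename, lineno, text.strip())


def get_summary(findings: List[Finding]) -> Dict:
    """Aggregate findings the way the documented summary does: total, by severity, by category."""
    summary = {
        "total": len(findings),
        "by_severity": {"HIGH": 0, "MEDIUM": 0, "LOW": 0},
        "by_category": {},
    }
    for f in findings:
        summary["by_severity"][f.severity] += 1
        summary["by_category"][f.category] = summary["by_category"].get(f.category, 0) + 1
    return summary


# Constructed sample input; the key value is a placeholder, not a real credential.
SAMPLE_CODE = '''import hashlib
API_KEY = "example-placeholder-key"
def login(user, pw):
    digest = hashlib.md5(pw.encode()).hexdigest()
    query = "SELECT * FROM users WHERE name = %s" % user
    return digest, query
'''


def demo():
    """Scan the constructed sample and return (findings, summary)."""
    findings = list(scan_content(SAMPLE_CODE, "app.py"))
    for f in findings:
        print(f"[{f.severity}] {f.rule_id} {f.rule_name}")
        print(f"  {f.file}:{f.line}: {f.code_snippet}")
    return findings, get_summary(findings)


if __name__ == "__main__":
    _, summary = demo()
    print(f"Total: {summary['total']}  HIGH: {summary['by_severity']['HIGH']}")
```

Running the sample yields three findings (lines 2, 4 and 5), two HIGH and one MEDIUM, one per OWASP category. Line-level regexes like these are deliberately cheap to run on every PR; the price is that a multi-line SQL string or a secret split across lines is missed, which is why the summary is a triage aid rather than a verdict.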

## Custom Rules

Create `security/security_rules.yml`. Each `pattern` is a regular expression; because the value is a YAML double-quoted string, every backslash in it must be doubled (as in `\\s*\\(`):

```yaml
rules:
  - id: "CUSTOM001"
    name: "Custom Pattern"
    pattern: "dangerous_function\\s*\\("
    severity: "HIGH"
    category: "Custom"
    cwe: "CWE-xxx"
    description: "Usage of dangerous function detected"
    recommendation: "Use safe_function() instead"
```

Load custom rules:

```python
scanner = SecurityScanner(rules_file="security/custom_rules.yml")
```

## CI Integration

Fail CI on HIGH severity findings:

```yaml
security:
  fail_on_high: true
```

Or in code:

```python
import sys

# `scanner` and `diff` are set up as in the Standalone section; a non-zero
# exit status is what makes the CI job fail.
findings = list(scanner.scan_diff(diff))
high_count = sum(1 for f in findings if f.severity == "HIGH")

if high_count > 0:
    sys.exit(1)
```
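A diff-based CI gate is only as good as the scanner's notion of which lines the change introduced. The following added example (not the project's `scan_diff`; its single SEC011-style rule, the `Finding` dataclass and the sample diff are constructed here) parses unified-diff hunk headers so that only added lines are scanned, reports them with their new-file line numbers, and turns the findings into the exit status that `fail_on_high` implies.

```python
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Hypothetical single rule modelled on the documented SEC011 entry
# (SSL verification disabled); the regex is illustrative, not the project's.
SEC011 = re.compile(r"\bverify\s*=\s*False\b")

# "@@ -old_start[,count] +new_start[,count] @@"; only the new-side start matters here.
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    file: str
    line: int           # line number in the NEW version of the file
    rule_name: str
    severity: str
    code_snippet: str


def added_lines(diff: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new_line_number, text) for every line a unified diff adds.

    Only '+' lines are yielded, so pre-existing issues in untouched code do not
    fail a PR; context lines still advance the new-file line counter, removed
    lines do not. (An added line whose own text begins with "++ " would be
    mistaken for a file header; real scanners track hunk line counts to avoid that.)
    """
    path, new_lineno = None, 0
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            path, new_lineno = None, 0          # new file section begins
            continue
        if raw.startswith("+++ "):
            name = raw[4:].strip()
            path = name[2:] if name.startswith("b/") else name
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_lineno = int(m.group(1))
            continue
        if path is None or new_lineno == 0:
            continue                            # index/mode lines before the first hunk
        if raw.startswith("+"):
            yield path, new_lineno, raw[1:]
            new_lineno += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue                            # removed line or "\ No newline at end of file"
        else:
            new_lineno += 1                     # context line


def scan_diff(diff: str) -> Iterator[Finding]:
    """Apply the rule to added lines only."""
    for path, lineno, text in added_lines(diff):
        if SEC011.search(text):
            yield Finding(path, lineno, "SSL verification disabled", "HIGH", text.strip())


def ci_exit_code(findings: List[Finding], fail_on_high: bool = True) -> int:
    """Return 1 when fail_on_high is set and at least one HIGH finding exists, else 0."""
    high_count = sum(1 for f in findings if f.severity == "HIGH")
    return 1 if fail_on_high and high_count > 0 else 0


# Constructed sample diff: client.py ADDS a verify=False call (should be flagged at
# new line 12); legacy.py REMOVES one (must not be flagged, since it no longer exists).
SAMPLE_DIFF = """\
diff --git a/client.py b/client.py
--- a/client.py
+++ b/client.py
@@ -10,3 +10,4 @@ def fetch(url):
     import requests
-    return requests.get(url, timeout=5)
+    # TODO: fix cert chain on the proxy
+    return requests.get(url, timeout=5, verify=False)
 # end of fetch
diff --git a/legacy.py b/legacy.py
--- a/legacy.py
+++ b/legacy.py
@@ -1,2 +1,2 @@
 import requests
-s = requests.get(URL, verify=False)
+s = requests.get(URL)
"""


if __name__ == "__main__":
    results = list(scan_diff(SAMPLE_DIFF))
    for f in results:
        print(f"{f.file}:{f.line} - [{f.severity}] {f.rule_name}: {f.code_snippet}")
    sys.exit(ci_exit_code(results))
```

Run stand-alone, the script reports `client.py:12` and exits 1; the removed `verify=False` in `legacy.py` produces nothing. Passing `fail_on_high=False` (the equivalent of leaving `fail_on_high` unset) keeps the findings visible in the log without blocking the merge.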

## CWE References

All rules include CWE (Common Weakness Enumeration) references: