openrabbit/docs/security.md

# Security Scanning

The security scanner detects vulnerabilities aligned with OWASP Top 10.

## Supported Rules

### A01:2021 – Broken Access Control

| Rule | Severity | Description |
|------|----------|-------------|
| SEC001 | HIGH | Hardcoded credentials (passwords, API keys) |
| SEC002 | HIGH | Exposed private keys |

### A02:2021 – Cryptographic Failures

| Rule | Severity | Description |
|------|----------|-------------|
| SEC003 | MEDIUM | Weak hash algorithms (MD5, SHA1) |
| SEC004 | MEDIUM | Non-cryptographic random for security |

### A03:2021 – Injection

| Rule | Severity | Description |
|------|----------|-------------|
| SEC005 | HIGH | SQL injection via string formatting |
| SEC006 | HIGH | Command injection in subprocess |
| SEC007 | HIGH | eval() usage |
| SEC008 | MEDIUM | XSS via innerHTML |

### A04:2021 – Insecure Design

| Rule | Severity | Description |
|------|----------|-------------|
| SEC009 | MEDIUM | Debug mode enabled |

### A05:2021 – Security Misconfiguration

| Rule | Severity | Description |
|------|----------|-------------|
| SEC010 | MEDIUM | CORS wildcard (*) |
| SEC011 | HIGH | SSL verification disabled |

### A07:2021 – Authentication Failures

| Rule | Severity | Description |
|------|----------|-------------|
| SEC012 | HIGH | Hardcoded JWT secrets |

### A08:2021 – Integrity Failures

| Rule | Severity | Description |
|------|----------|-------------|
| SEC013 | MEDIUM | Pickle deserialization |

### A09:2021 – Logging Failures

| Rule | Severity | Description |
|------|----------|-------------|
| SEC014 | MEDIUM | Logging sensitive data |

### A10:2021 – Server-Side Request Forgery

| Rule | Severity | Description |
|------|----------|-------------|
| SEC015 | MEDIUM | SSRF via dynamic URLs |

### Additional Rules

| Rule | Severity | Description |
|------|----------|-------------|
| SEC016 | LOW | Hardcoded IP addresses |
| SEC017 | MEDIUM | Security-related TODO/FIXME |

## Usage

### In PR Reviews

Security scanning runs automatically during PR review:

```yaml
agents:
  pr:
    security_scan: true
```

### Standalone

```python
from security import SecurityScanner

scanner = SecurityScanner()

# Scan file content
for finding in scanner.scan_content(code, "file.py"):
    print(f"[{finding.severity}] {finding.rule_name}")
    print(f"  Line {finding.line}: {finding.code_snippet}")
    print(f"  {finding.description}")

# Scan git diff
for finding in scanner.scan_diff(diff):
    print(f"{finding.file}:{finding.line} - {finding.rule_name}")
```

### Get Summary

```python
findings = list(scanner.scan_content(code, "file.py"))
summary = scanner.get_summary(findings)

print(f"Total: {summary['total']}")
print(f"HIGH: {summary['by_severity']['HIGH']}")
print(f"Categories: {summary['by_category']}")
```

## Custom Rules

Create `security/security_rules.yml`:

```yaml
rules:
  - id: "CUSTOM001"
    name: "Custom Pattern"
    pattern: "dangerous_function\\s*\\("
    severity: "HIGH"
    category: "Custom"
    cwe: "CWE-xxx"
    description: "Usage of dangerous function detected"
    recommendation: "Use safe_function() instead"
```

Load custom rules:

```python
scanner = SecurityScanner(rules_file="security/custom_rules.yml")
```

## CI Integration

Fail CI on HIGH severity findings:

```yaml
security:
  fail_on_high: true
```

Or in code:

```python
findings = list(scanner.scan_diff(diff))
high_count = sum(1 for f in findings if f.severity == "HIGH")

if high_count > 0:
    sys.exit(1)
```

## CWE References

All rules include CWE (Common Weakness Enumeration) references:

- [CWE-78](https://cwe.mitre.org/data/definitions/78.html): OS Command Injection
- [CWE-79](https://cwe.mitre.org/data/definitions/79.html): XSS
- [CWE-89](https://cwe.mitre.org/data/definitions/89.html): SQL Injection
- [CWE-798](https://cwe.mitre.org/data/definitions/798.html): Hardcoded Credentials