Harden security

2026-03-05 05:42:19 +00:00
parent 06735bdfb1
commit 438e561da0
75 changed files with 6260 additions and 278 deletions
--- a/artifacts/audits/5-final-pass-fix.json
+++ b/artifacts/audits/5-final-pass-fix.json
@@ -0,0 +1,234 @@
+
+{
+  "score": 90,
+  "grade": "A",
+  "gradeLabel": "Ship it!",
+  "totalFindings": 2,
+  "totalDepVulns": 0,
+  "categories": {
+    "secrets": {
+      "label": "Secrets",
+      "findingCount": 0,
+      "deduction": 0,
+      "counts": {
+        "critical": 0,
+        "high": 0,
+        "medium": 0,
+        "low": 0
+      }
+    },
+    "injection": {
+      "label": "Code Vulnerabilities",
+      "findingCount": 0,
+      "deduction": 0,
+      "counts": {
+        "critical": 0,
+        "high": 0,
+        "medium": 0,
+        "low": 0
+      }
+    },
+    "deps": {
+      "label": "Dependencies",
+      "findingCount": 0,
+      "deduction": 0,
+      "counts": {
+        "critical": 0,
+        "high": 0,
+        "medium": 0,
+        "low": 0
+      }
+    },
+    "auth": {
+      "label": "Auth & Access Control",
+      "findingCount": 0,
+      "deduction": 0,
+      "counts": {
+        "critical": 0,
+        "high": 0,
+        "medium": 0,
+        "low": 0
+      }
+    },
+    "config": {
+      "label": "Configuration",
+      "findingCount": 2,
+      "deduction": 10,
+      "counts": {
+        "critical": 0,
+        "high": 2,
+        "medium": 0,
+        "low": 0
+      }
+    },
+    "supply-chain": {
+      "label": "Supply Chain",
+      "findingCount": 0,
+      "deduction": 0,
+      "counts": {
+        "critical": 0,
+        "high": 0,
+        "medium": 0,
+        "low": 0
+      }
+    },
+    "api": {
+      "label": "API Security",
+      "findingCount": 0,
+      "deduction": 0,
+      "counts": {
+        "critical": 0,
+        "high": 0,
+        "medium": 0,
+        "low": 0
+      }
+    },
+    "llm": {
+      "label": "AI/LLM Security",
+      "findingCount": 0,
+      "deduction": 0,
+      "counts": {
+        "critical": 0,
+        "high": 0,
+        "medium": 0,
+        "low": 0
+      }
+    }
+  },
+  "findings": [
+    {
+      "file": "/code/xf/GIA/Dockerfile",
+      "line": 26,
+      "severity": "high",
+      "category": "config",
+      "rule": "DOCKER_RUN_AS_ROOT",
+      "title": "Docker: Running as Root",
+      "description": "No USER instruction found. Container runs as root by default.",
+      "fix": "Add USER nonroot before CMD/ENTRYPOINT",
+      "cwe": "CWE-250",
+      "owasp": "A05:2021"
+    },
+    {
+      "file": "/code/xf/GIA/Dockerfile",
+      "line": 1,
+      "severity": "high",
+      "category": "config",
+      "rule": "DOCKER_NO_USER",
+      "title": "Dockerfile: No Non-Root USER",
+      "description": "No USER instruction found. Container runs as root, enabling escape attacks.",
+      "fix": "Add before CMD: RUN addgroup -S app && adduser -S app -G app\nUSER app",
+      "cwe": null,
+      "owasp": null
+    }
+  ],
+  "depVulns": [],
+  "remediationPlan": [
+    {
+      "priority": 1,
+      "severity": "high",
+      "category": "config",
+      "categoryLabel": "CONFIGURATION",
+      "title": "Docker: Running as Root",
+      "file": "Dockerfile:26",
+      "action": "Add USER nonroot before CMD/ENTRYPOINT",
+      "effort": "low"
+    },
+    {
+      "priority": 2,
+      "severity": "high",
+      "category": "config",
+      "categoryLabel": "CONFIGURATION",
+      "title": "Dockerfile: No Non-Root USER",
+      "file": "Dockerfile:1",
+      "action": "Add before CMD: RUN addgroup -S app && adduser -S app -G app\nUSER app",
+      "effort": "low"
+    }
+  ],
+  "recon": {
+    "frameworks": [
+      "django"
+    ],
+    "languages": [
+      "python"
+    ],
+    "apiRoutes": [
+      "app/urls.py",
+      "core/management/commands/backfill_xmpp_attachment_urls.py"
+    ],
+    "authPatterns": [],
+    "databases": [],
+    "cloudProviders": [],
+    "frontendExposure": [],
+    "packageManagers": [
+      "pip"
+    ],
+    "cicd": [],
+    "hasDockerfile": true,
+    "hasTerraform": false,
+    "hasKubernetes": false,
+    "envFiles": [],
+    "configFiles": []
+  },
+  "agents": [
+    {
+      "agent": "InjectionTester",
+      "category": "injection",
+      "findingCount": 0,
+      "success": true
+    },
+    {
+      "agent": "AuthBypassAgent",
+      "category": "auth",
+      "findingCount": 0,
+      "success": true
+    },
+    {
+      "agent": "SSRFProber",
+      "category": "ssrf",
+      "findingCount": 0,
+      "success": true
+    },
+    {
+      "agent": "SupplyChainAudit",
+      "category": "supply-chain",
+      "findingCount": 0,
+      "success": true
+    },
+    {
+      "agent": "ConfigAuditor",
+      "category": "config",
+      "findingCount": 2,
+      "success": true
+    },
+    {
+      "agent": "LLMRedTeam",
+      "category": "llm",
+      "findingCount": 0,
+      "success": true
+    },
+    {
+      "agent": "MobileScanner",
+      "category": "mobile",
+      "findingCount": 0,
+      "success": true
+    },
+    {
+      "agent": "GitHistoryScanner",
+      "category": "history",
+      "findingCount": 0,
+      "success": true
+    },
+    {
+      "agent": "CICDScanner",
+      "category": "cicd",
+      "findingCount": 0,
+      "success": true
+    },
+    {
+      "agent": "APIFuzzer",
+      "category": "api",
+      "findingCount": 0,
+      "success": true
+    }
+  ]
+}