{ "score": 58, "grade": "D", "gradeLabel": "Significant security risks", "totalFindings": 22, "totalDepVulns": 0, "categories": { "secrets": { "label": "Secrets", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "injection": { "label": "Code Vulnerabilities", "findingCount": 3, "deduction": 9, "counts": { "critical": 0, "high": 0, "medium": 3, "low": 0 } }, "deps": { "label": "Dependencies", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "auth": { "label": "Auth & Access Control", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "config": { "label": "Configuration", "findingCount": 4, "deduction": 10, "counts": { "critical": 0, "high": 4, "medium": 0, "low": 0 } }, "supply-chain": { "label": "Supply Chain", "findingCount": 1, "deduction": 3, "counts": { "critical": 0, "high": 0, "medium": 1, "low": 0 } }, "api": { "label": "API Security", "findingCount": 3, "deduction": 10, "counts": { "critical": 0, "high": 3, "medium": 0, "low": 0 } }, "llm": { "label": "AI/LLM Security", "findingCount": 11, "deduction": 10, "counts": { "critical": 0, "high": 0, "medium": 11, "low": 0 } } }, "findings": [ { "file": "/code/xf/GIA/Dockerfile", "line": 25, "severity": "high", "category": "config", "rule": "DOCKER_RUN_AS_ROOT", "title": "Docker: Running as Root", "description": "No USER instruction found. Container runs as root by default.", "fix": "Add USER nonroot before CMD/ENTRYPOINT", "cwe": "CWE-250", "owasp": "A05:2021" }, { "file": "/code/xf/GIA/Dockerfile", "line": 28, "severity": "high", "category": "config", "rule": "DOCKER_RUN_AS_ROOT", "title": "Docker: Running as Root", "description": "No USER instruction found. Container runs as root by default.", "fix": "Add USER nonroot before CMD/ENTRYPOINT", "cwe": "CWE-250", "owasp": "A05:2021" }, { "file": "/code/xf/GIA/Dockerfile", "line": 30, "severity": "high", "category": "config", "rule": "DOCKER_RUN_AS_ROOT", "title": "Docker: Running as Root", "description": "No USER instruction found. Container runs as root by default.", "fix": "Add USER nonroot before CMD/ENTRYPOINT", "cwe": "CWE-250", "owasp": "A05:2021" }, { "file": "/code/xf/GIA/Dockerfile", "line": 31, "severity": "high", "category": "config", "rule": "DOCKER_RUN_AS_ROOT", "title": "Docker: Running as Root", "description": "No USER instruction found. Container runs as root by default.", "fix": "Add USER nonroot before CMD/ENTRYPOINT", "cwe": "CWE-250", "owasp": "A05:2021" }, { "file": "/code/xf/GIA/core/clients/whatsapp.py", "line": 3398, "severity": "high", "category": "api", "rule": "API_UPLOAD_NO_TYPE_CHECK", "title": "API: File Upload Without Type Validation", "description": "File upload using original filename without type validation.", "fix": "Validate file extension and MIME type. Generate random filenames for storage.", "cwe": "CWE-434", "owasp": "A04:2021" }, { "file": "/code/xf/GIA/core/clients/xmpp.py", "line": 57, "severity": "high", "category": "api", "rule": "API_UPLOAD_NO_TYPE_CHECK", "title": "API: File Upload Without Type Validation", "description": "File upload using original filename without type validation.", "fix": "Validate file extension and MIME type. Generate random filenames for storage.", "cwe": "CWE-434", "owasp": "A04:2021" }, { "file": "/code/xf/GIA/core/security/attachments.py", "line": 83, "severity": "high", "category": "api", "rule": "API_UPLOAD_NO_TYPE_CHECK", "title": "API: File Upload Without Type Validation", "description": "File upload using original filename without type validation.", "fix": "Validate file extension and MIME type. Generate random filenames for storage.", "cwe": "CWE-434", "owasp": "A04:2021" }, { "file": "/code/xf/GIA/core/tests/test_attachment_security.py", "line": 29, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/core/tests/test_attachment_security.py", "line": 34, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/core/tests/test_attachment_security.py", "line": 35, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/requirements.txt", "line": 23, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: ./vendor/django-crud-mixins", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: ./vendor/django-crud-mixins==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/core/clients/signalapi.py", "line": 411, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 739, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 744, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 758, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 850, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 1377, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 1382, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 1396, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/signal.py", "line": 189, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" }, { "file": "/code/xf/GIA/core/views/signal.py", "line": 197, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" }, { "file": "/code/xf/GIA/core/views/signal.py", "line": 206, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" } ], "depVulns": [], "remediationPlan": [ { "priority": 1, "severity": "high", "category": "config", "categoryLabel": "CONFIGURATION", "title": "Docker: Running as Root", "file": "Dockerfile:25", "action": "Add USER nonroot before CMD/ENTRYPOINT", "effort": "low" }, { "priority": 2, "severity": "high", "category": "config", "categoryLabel": "CONFIGURATION", "title": "Docker: Running as Root", "file": "Dockerfile:28", "action": "Add USER nonroot before CMD/ENTRYPOINT", "effort": "low" }, { "priority": 3, "severity": "high", "category": "config", "categoryLabel": "CONFIGURATION", "title": "Docker: Running as Root", "file": "Dockerfile:30", "action": "Add USER nonroot before CMD/ENTRYPOINT", "effort": "low" }, { "priority": 4, "severity": "high", "category": "config", "categoryLabel": "CONFIGURATION", "title": "Docker: Running as Root", "file": "Dockerfile:31", "action": "Add USER nonroot before CMD/ENTRYPOINT", "effort": "low" }, { "priority": 5, "severity": "high", "category": "api", "categoryLabel": "API SECURITY", "title": "API: File Upload Without Type Validation", "file": "core/clients/whatsapp.py:3398", "action": "Validate file extension and MIME type. Generate random filenames for storage.", "effort": "medium" }, { "priority": 6, "severity": "high", "category": "api", "categoryLabel": "API SECURITY", "title": "API: File Upload Without Type Validation", "file": "core/clients/xmpp.py:57", "action": "Validate file extension and MIME type. Generate random filenames for storage.", "effort": "medium" }, { "priority": 7, "severity": "high", "category": "api", "categoryLabel": "API SECURITY", "title": "API: File Upload Without Type Validation", "file": "core/security/attachments.py:83", "action": "Validate file extension and MIME type. Generate random filenames for storage.", "effort": "medium" }, { "priority": 8, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", "file": "core/tests/test_attachment_security.py:29", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 9, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", "file": "core/tests/test_attachment_security.py:34", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 10, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", "file": "core/tests/test_attachment_security.py:35", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 11, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: ./vendor/django-crud-mixins", "file": "requirements.txt:23", "action": "Pin version: ./vendor/django-crud-mixins==x.y.z", "effort": "medium" }, { "priority": 12, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/clients/signalapi.py:411", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" }, { "priority": 13, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:739", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 14, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:744", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 15, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:758", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 16, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:850", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 17, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:1377", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 18, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:1382", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 19, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:1396", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 20, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/views/signal.py:189", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" }, { "priority": 21, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/views/signal.py:197", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" }, { "priority": 22, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/views/signal.py:206", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" } ], "recon": { "frameworks": [ "django" ], "languages": [ "python" ], "apiRoutes": [ "app/urls.py", "core/management/commands/backfill_xmpp_attachment_urls.py" ], "authPatterns": [], "databases": [], "cloudProviders": [], "frontendExposure": [], "packageManagers": [ "pip" ], "cicd": [], "hasDockerfile": true, "hasTerraform": false, "hasKubernetes": false, "envFiles": [], "configFiles": [] }, "agents": [ { "agent": "InjectionTester", "category": "injection", "findingCount": 0, "success": true }, { "agent": "AuthBypassAgent", "category": "auth", "findingCount": 0, "success": true }, { "agent": "SSRFProber", "category": "ssrf", "findingCount": 3, "success": true }, { "agent": "SupplyChainAudit", "category": "supply-chain", "findingCount": 1, "success": true }, { "agent": "ConfigAuditor", "category": "config", "findingCount": 4, "success": true }, { "agent": "LLMRedTeam", "category": "llm", "findingCount": 11, "success": true }, { "agent": "MobileScanner", "category": "mobile", "findingCount": 0, "success": true }, { "agent": "GitHistoryScanner", "category": "history", "findingCount": 0, "success": true }, { "agent": "CICDScanner", "category": "cicd", "findingCount": 0, "success": true }, { "agent": "APIFuzzer", "category": "api", "findingCount": 3, "success": true } ] }