{ "score": 74, "grade": "C", "gradeLabel": "Fix before shipping", "totalFindings": 10, "totalDepVulns": 0, "categories": { "secrets": { "label": "Secrets", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "injection": { "label": "Code Vulnerabilities", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "deps": { "label": "Dependencies", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "auth": { "label": "Auth & Access Control", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "config": { "label": "Configuration", "findingCount": 1, "deduction": 8, "counts": { "critical": 0, "high": 1, "medium": 0, "low": 0 } }, "supply-chain": { "label": "Supply Chain", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "api": { "label": "API Security", "findingCount": 1, "deduction": 8, "counts": { "critical": 0, "high": 1, "medium": 0, "low": 0 } }, "llm": { "label": "AI/LLM Security", "findingCount": 8, "deduction": 10, "counts": { "critical": 0, "high": 0, "medium": 8, "low": 0 } } }, "findings": [ { "file": "/code/xf/GIA/Dockerfile", "line": 26, "severity": "high", "category": "config", "rule": "DOCKER_RUN_AS_ROOT", "title": "Docker: Running as Root", "description": "No USER instruction found. Container runs as root by default.", "fix": "Add USER nonroot before CMD/ENTRYPOINT", "cwe": "CWE-250", "owasp": "A05:2021" }, { "file": "/code/xf/GIA/core/security/attachments.py", "line": 113, "severity": "high", "category": "api", "rule": "API_UPLOAD_NO_TYPE_CHECK", "title": "API: File Upload Without Type Validation", "description": "File upload using original filename without type validation.", "fix": "Validate file extension and MIME type. Generate random filenames for storage.", "cwe": "CWE-434", "owasp": "A04:2021" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 775, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 781, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 795, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 1418, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 1424, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 1438, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/signal.py", "line": 202, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" }, { "file": "/code/xf/GIA/core/views/signal.py", "line": 211, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" } ], "depVulns": [], "remediationPlan": [ { "priority": 1, "severity": "high", "category": "config", "categoryLabel": "CONFIGURATION", "title": "Docker: Running as Root", "file": "Dockerfile:26", "action": "Add USER nonroot before CMD/ENTRYPOINT", "effort": "low" }, { "priority": 2, "severity": "high", "category": "api", "categoryLabel": "API SECURITY", "title": "API: File Upload Without Type Validation", "file": "core/security/attachments.py:113", "action": "Validate file extension and MIME type. Generate random filenames for storage.", "effort": "medium" }, { "priority": 3, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:775", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 4, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:781", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 5, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:795", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 6, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:1418", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 7, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:1424", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 8, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:1438", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 9, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/views/signal.py:202", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" }, { "priority": 10, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/views/signal.py:211", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" } ], "recon": { "frameworks": [ "django" ], "languages": [ "python" ], "apiRoutes": [ "app/urls.py", "core/management/commands/backfill_xmpp_attachment_urls.py" ], "authPatterns": [], "databases": [], "cloudProviders": [], "frontendExposure": [], "packageManagers": [ "pip" ], "cicd": [], "hasDockerfile": true, "hasTerraform": false, "hasKubernetes": false, "envFiles": [], "configFiles": [] }, "agents": [ { "agent": "InjectionTester", "category": "injection", "findingCount": 0, "success": true }, { "agent": "AuthBypassAgent", "category": "auth", "findingCount": 0, "success": true }, { "agent": "SSRFProber", "category": "ssrf", "findingCount": 0, "success": true }, { "agent": "SupplyChainAudit", "category": "supply-chain", "findingCount": 0, "success": true }, { "agent": "ConfigAuditor", "category": "config", "findingCount": 1, "success": true }, { "agent": "LLMRedTeam", "category": "llm", "findingCount": 8, "success": true }, { "agent": "MobileScanner", "category": "mobile", "findingCount": 0, "success": true }, { "agent": "GitHistoryScanner", "category": "history", "findingCount": 0, "success": true }, { "agent": "CICDScanner", "category": "cicd", "findingCount": 0, "success": true }, { "agent": "APIFuzzer", "category": "api", "findingCount": 1, "success": true } ] }