diff --git a/documentation/src/pages/recipes/data/recipes/security-audit-pipeline.yaml b/documentation/src/pages/recipes/data/recipes/security-audit-pipeline.yaml new file mode 100644 index 00000000000..38b62d45c2c --- /dev/null +++ b/documentation/src/pages/recipes/data/recipes/security-audit-pipeline.yaml @@ -0,0 +1,207 @@ +version: 1.0.0 +title: Security Audit & Remediation Pipeline +description: An advanced security workflow that orchestrates comprehensive vulnerability scanning, secret detection, code analysis, and automated remediation across multiple project types with intelligent risk assessment and compliance validation +author: + contact: Shreyanshsingh23 + +activities: + - Detect project type and security requirements + - Scan dependencies for known vulnerabilities (CVEs) + - Detect hardcoded secrets and credentials + - Analyze code for security anti-patterns and vulnerabilities + - Validate compliance against security standards (OWASP, CWE) + - Generate comprehensive security reports with risk scoring + - Create automated remediation PRs for fixable issues + - Set up security monitoring and policy enforcement + +instructions: | + You are a Security Audit & Remediation Pipeline orchestrator that performs comprehensive security analysis across multiple dimensions. + + Your workflow: + 1. Analyze project structure and detect security requirements + 2. Execute parallel security scans (dependencies, secrets, code patterns) + 3. Aggregate findings by severity and risk level + 4. Generate remediation strategies and automated fixes + 5. Create security reports and monitoring setup + + Use sub-recipes for specialized security tasks and coordinate their execution based on project characteristics. + Maintain security context between stages and track vulnerabilities across sessions using memory. + +parameters: + - key: project_path + input_type: string + requirement: required + description: Path to the project directory to audit (supports Node.js, Python, Go, Rust, Java, .NET) + + - key: audit_depth + input_type: string + requirement: optional + default: "comprehensive" + description: Depth of security audit - options are 'quick', 'comprehensive', 'deep', 'compliance' + + - key: risk_threshold + input_type: string + requirement: optional + default: "medium" + description: Minimum risk level to report - options are 'low', 'medium', 'high', 'critical' + + - key: auto_remediate + input_type: string + requirement: optional + default: "false" + description: Whether to create automated fix PRs for known issues (true/false) + + - key: compliance_standard + input_type: string + requirement: optional + default: "owasp-top10" + description: Compliance standard to validate against - options are 'owasp-top10', 'cwe-top25', 'pci-dss', 'sox', 'custom' + + - key: output_format + input_type: string + requirement: optional + default: "markdown" + description: Security report format - options are 'markdown', 'json', 'sarif', 'html' + + - key: exclude_patterns + input_type: string + requirement: optional + default: "" + description: Comma-separated patterns to exclude from scanning (e.g., "node_modules,*.min.js,dist/") + +sub_recipes: + - name: "vulnerability_scanner" + path: "./subrecipes/vulnerability-scanner.yaml" + values: + scan_depth: "{{ audit_depth }}" + risk_threshold: "{{ risk_threshold }}" + + - name: "secret_detector" + path: "./subrecipes/secret-detector.yaml" + values: + scan_patterns: "comprehensive" + exclude_patterns: "{{ exclude_patterns }}" + + - name: "code_security_analyzer" + path: "./subrecipes/code-security-analyzer.yaml" + values: + analysis_depth: "{{ audit_depth }}" + compliance_standard: "{{ compliance_standard }}" + + - name: "compliance_checker" + path: "./subrecipes/compliance-checker.yaml" + values: + standard: "{{ compliance_standard }}" + output_format: "{{ output_format }}" + +extensions: + - type: builtin + name: developer + display_name: Developer + timeout: 600 + bundled: true + description: For file operations, dependency scanning, and script execution + + - type: builtin + name: memory + display_name: Memory + timeout: 300 + bundled: true + description: For storing security findings and tracking vulnerabilities across sessions + + - type: stdio + name: filesystem + cmd: npx + args: + - -y + - "@modelcontextprotocol/server-filesystem" + - "{{ project_path }}" + timeout: 300 + description: Enhanced filesystem operations for managing security reports and scan results + + - type: stdio + name: github + cmd: npx + args: + - -y + - "@modelcontextprotocol/server-github" + timeout: 300 + description: GitHub integration for creating security fix PRs and managing security policies + +prompt: | + Perform comprehensive security audit on {{ project_path }} with {{ audit_depth }} depth and {{ risk_threshold }} risk threshold. + + CRITICAL: Handle file paths correctly for all operating systems. + - Detect the operating system (Windows/Linux/Mac) + - Use appropriate path separators (/ for Unix, \\ for Windows) + - Be careful to avoid escaping of slash or backslash characters + - Use os.path.join() or pathlib.Path for cross-platform paths + - Create security report directories if they don't exist + + Workflow: + 1. Project Analysis: Detect project type and security requirements + - Identify programming language and framework + - Determine dependency management system + - Check for existing security configurations + - Store project context in memory + + 2. Conditional Security Scanning: Run only the relevant sub-recipes + - Always run: + - vulnerability_scanner (dependency CVEs) + - secret_detector (hardcoded credentials) + - Run code_security_analyzer ONLY if the detected language is supported (Node.js, Python, Go, Rust, Java, .NET) + - Run compliance_checker ONLY when: + - audit_depth == "compliance" + OR + - compliance_standard != "owasp-top10" + - Capture each sub-recipe's returned output and write it to files under {{ project_path }}/security-reports/: + * vulns.{{ output_format }}, secrets.{{ output_format }}, code.{{ output_format }}, compliance.{{ output_format }} + - Do not rely on sub-recipe memory (it is isolated); aggregate from the written files. + + 3. Risk Assessment: Aggregate and prioritize findings + - Calculate risk scores based on severity and exploitability + - Group findings by category and impact + - Identify false positives and validate critical issues + - Store risk assessment in memory + + {% if auto_remediate == "true" %} + 4. Automated Remediation: Create fix branches and PRs + - Generate fix strategies for known vulnerabilities + - Create security fix branches + - Implement automated patches where possible + - Create pull requests with security fix descriptions + - Link PRs to security findings in memory + {% endif %} + + 5. Report Generation: Create comprehensive security report + - Generate {{ output_format }} security report + - Include executive summary and detailed findings + - Provide remediation recommendations + - Save to {{ project_path }}/security-reports/ + + 6. Security Monitoring Setup: Configure ongoing security + - Create security policy files + - Set up dependency scanning in CI/CD + - Configure secret scanning alerts + - Document security procedures + + Error Recovery: + - If a sub-recipe fails, continue with remaining scans + - Log security scan errors clearly with context + - Provide partial security assessment if complete audit fails + - Always prioritize critical security findings + + Security Context Management: + - Use memory extension to track vulnerabilities across sessions + - Store project security baseline for future comparisons + - Maintain security policy compliance status + - Track remediation progress over time + + Depth hints: + - quick: focus high/critical only; shallow scans + - comprehensive: full scans; include medium+ + - deep: full scans plus slower checks + - compliance: emphasize standard mapping/attestation; include roll-up in report + + Always verify paths work on the current OS before file operations. + Prioritize findings that could lead to data breaches or system compromise. diff --git a/documentation/src/pages/recipes/data/recipes/subrecipes/code-security-analyzer.yaml b/documentation/src/pages/recipes/data/recipes/subrecipes/code-security-analyzer.yaml new file mode 100644 index 00000000000..268ee535ae1 --- /dev/null +++ b/documentation/src/pages/recipes/data/recipes/subrecipes/code-security-analyzer.yaml @@ -0,0 +1,194 @@ +version: 1.0.0 +title: Code Security Analyzer +description: Analyzes source code for security vulnerabilities, anti-patterns, and insecure coding practices using static analysis techniques with language-specific security rules +author: + contact: Shreyanshsingh23 + +activities: + - Perform static code analysis for security vulnerabilities + - Detect insecure coding patterns and anti-patterns + - Identify authentication and authorization flaws + - Analyze input validation and sanitization + - Check for injection vulnerabilities and XSS risks + - Validate secure coding practices and standards + +instructions: | + You are a Code Security Analyzer specialized in identifying security vulnerabilities and insecure coding practices in source code. + + Your capabilities: + 1. Static analysis for common vulnerability patterns + 2. Language-specific security rule enforcement + 3. Authentication and authorization flaw detection + 4. Input validation and sanitization analysis + 5. Injection vulnerability detection + 6. Secure coding practice validation + + Focus on: + - OWASP Top 10 vulnerabilities + - CWE (Common Weakness Enumeration) patterns + - Language-specific security issues + - Authentication and session management flaws + - Input validation and output encoding issues + +parameters: + - key: project_path + input_type: string + requirement: required + description: Path to the project directory to analyze + + - key: analysis_depth + input_type: string + requirement: optional + default: "comprehensive" + description: Analysis depth - options are 'quick', 'comprehensive', 'deep' + + - key: compliance_standard + input_type: string + requirement: optional + default: "owasp-top10" + description: Compliance standard - options are 'owasp-top10', 'cwe-top25', 'pci-dss', 'custom' + + - key: language_focus + input_type: string + requirement: optional + default: "auto" + description: Programming language focus - options are 'auto', 'javascript', 'python', 'java', 'go', 'rust', 'csharp', 'php' + + - key: include_tests + input_type: string + requirement: optional + default: "false" + description: Whether to include test files in analysis (true/false) + +extensions: + - type: builtin + name: developer + display_name: Developer + timeout: 300 + bundled: true + description: For code analysis and pattern matching + + - type: builtin + name: memory + display_name: Memory + timeout: 300 + bundled: true + description: For storing security findings and tracking code quality trends + +prompt: | + Analyze {{ project_path }} for security vulnerabilities with {{ analysis_depth }} depth and {{ compliance_standard }} compliance standard. + + Workflow: + 1. Language Detection + - Identify primary programming languages used + - Detect frameworks and libraries + - Determine analysis rules based on {{ language_focus }} + - Exclude test files unless {{ include_tests }} == "true" + + 2. Static Analysis + - Scan for common vulnerability patterns: + * Injection vulnerabilities (SQL, NoSQL, LDAP, OS command) + * Cross-Site Scripting (XSS) - stored, reflected, DOM-based + * Cross-Site Request Forgery (CSRF) + * Insecure Direct Object References + * Security Misconfiguration + * Sensitive Data Exposure + * Missing Function Level Access Control + * Cross-Site Scripting (XSS) + * Using Components with Known Vulnerabilities + * Underprotected APIs + + 3. Authentication & Authorization Analysis + - Check for weak authentication mechanisms + - Identify missing or weak session management + - Detect privilege escalation vulnerabilities + - Analyze access control implementations + - Check for hardcoded credentials or tokens + + 4. Input Validation Analysis + - Identify missing input validation + - Check for proper output encoding + - Detect buffer overflow risks + - Analyze file upload security + - Check for path traversal vulnerabilities + + 5. Data Protection Analysis + - Check for sensitive data exposure + - Identify weak encryption implementations + - Detect insecure data storage + - Analyze data transmission security + - Check for proper key management + + 6. Framework-Specific Analysis + {% if language_focus == "javascript" or language_focus == "auto" %} + - Node.js/Express security issues + - React/Vue/Angular XSS vulnerabilities + - NPM package security + - Client-side security issues + {% endif %} + {% if language_focus == "python" or language_focus == "auto" %} + - Django/Flask security patterns + - Python-specific vulnerabilities + - WSGI security issues + - Package security analysis + {% endif %} + {% if language_focus == "java" or language_focus == "auto" %} + - Spring Security configurations + - Java-specific vulnerabilities + - Servlet security issues + - Maven/Gradle dependency security + {% endif %} + {% if language_focus == "go" or language_focus == "auto" %} + - Go-specific security patterns + - Goroutine security issues + - Package security analysis + - Memory safety issues + {% endif %} + {% if language_focus == "rust" or language_focus == "auto" %} + - Rust memory safety analysis + - Unsafe code usage + - Cargo dependency security + - Concurrency security issues + {% endif %} + + 7. Report Generation + - Create detailed security analysis report + - Include: + * Vulnerability type and severity + * File path and line numbers + * Code snippets and context + * Risk assessment and impact + * Remediation recommendations + * Compliance mapping + + 8. Memory Storage + - Store security findings in memory + - Track code quality trends over time + - Compare with previous analyses + + Security Patterns to Detect: + - SQL Injection: Dynamic queries, string concatenation + - XSS: Unescaped output, innerHTML usage + - CSRF: Missing tokens, unsafe methods + - Authentication: Weak passwords, session fixation + - Authorization: Missing checks, privilege escalation + - Input Validation: Missing sanitization, type confusion + - Cryptography: Weak algorithms, hardcoded keys + - Error Handling: Information disclosure, stack traces + + Remediation Recommendations: + - Use parameterized queries for database access + - Implement proper output encoding + - Add CSRF protection tokens + - Implement strong authentication mechanisms + - Add proper access control checks + - Validate and sanitize all inputs + - Use strong cryptographic algorithms + - Implement secure error handling + + Focus on: + - Critical vulnerabilities that could lead to data breaches + - Authentication and authorization flaws + - Input validation issues + - Framework-specific security misconfigurations + - Dependencies with known vulnerabilities diff --git a/documentation/src/pages/recipes/data/recipes/subrecipes/compliance-checker.yaml b/documentation/src/pages/recipes/data/recipes/subrecipes/compliance-checker.yaml new file mode 100644 index 00000000000..6776ba58228 --- /dev/null +++ b/documentation/src/pages/recipes/data/recipes/subrecipes/compliance-checker.yaml @@ -0,0 +1,223 @@ +version: 1.0.0 +title: Compliance Checker +description: Validates project compliance against security standards and frameworks (OWASP, CWE, PCI-DSS, SOX) with detailed gap analysis and remediation roadmaps +author: + contact: Shreyanshsingh23 + +activities: + - Validate compliance against security standards + - Perform gap analysis for missing controls + - Generate compliance reports and scorecards + - Create remediation roadmaps for non-compliance + - Track compliance progress over time + - Provide audit-ready documentation + +instructions: | + You are a Compliance Checker specialized in validating project compliance against security standards and frameworks. + + Your capabilities: + 1. Multi-standard compliance validation (OWASP, CWE, PCI-DSS, SOX) + 2. Gap analysis and control mapping + 3. Compliance scoring and trending + 4. Remediation roadmap generation + 5. Audit documentation preparation + + Focus on: + - OWASP Top 10 and ASVS (Application Security Verification Standard) + - CWE Top 25 Most Dangerous Software Errors + - PCI-DSS requirements for payment processing + - SOX compliance for financial reporting + - Industry-specific security frameworks + +parameters: + - key: project_path + input_type: string + requirement: required + description: Path to the project directory to validate + + - key: standard + input_type: string + requirement: optional + default: "owasp-top10" + description: Compliance standard - options are 'owasp-top10', 'owasp-asvs', 'cwe-top25', 'pci-dss', 'sox', 'custom' + + - key: output_format + input_type: string + requirement: optional + default: "markdown" + description: Compliance report format - options are 'markdown', 'json', 'sarif', 'html', 'pdf' + + - key: compliance_level + input_type: string + requirement: optional + default: "level2" + description: Compliance level for ASVS - options are 'level1', 'level2', 'level3' + + - key: include_remediation + input_type: string + requirement: optional + default: "true" + description: Whether to include remediation recommendations (true/false) + + - key: audit_mode + input_type: string + requirement: optional + default: "false" + description: Whether to generate audit-ready documentation (true/false) + +extensions: + - type: builtin + name: developer + display_name: Developer + timeout: 300 + bundled: true + description: For compliance analysis and documentation generation + + - type: builtin + name: memory + display_name: Memory + timeout: 300 + bundled: true + description: For storing compliance findings and tracking progress over time + +prompt: | + Validate {{ project_path }} compliance against {{ standard }} standard with {{ output_format }} output format. + + Workflow: + 1. Standard Selection and Mapping + {% if standard == "owasp-top10" %} + - Map findings against OWASP Top 10 categories: + * A01: Broken Access Control + * A02: Cryptographic Failures + * A03: Injection + * A04: Insecure Design + * A05: Security Misconfiguration + * A06: Vulnerable and Outdated Components + * A07: Identification and Authentication Failures + * A08: Software and Data Integrity Failures + * A09: Security Logging and Monitoring Failures + * A10: Server-Side Request Forgery (SSRF) + {% elif standard == "owasp-asvs" %} + - Map findings against OWASP ASVS {{ compliance_level }}: + * V1: Architecture, Design and Threat Modeling + * V2: Authentication + * V3: Session Management + * V4: Access Control + * V5: Malicious Input Handling + * V6: Cryptography + * V7: Error Handling and Logging + * V8: Data Protection + * V9: Communications + * V10: Malicious Controls + * V11: Business Logic + * V12: Files and Resources + * V13: API + * V14: Configuration + {% elif standard == "cwe-top25" %} + - Map findings against CWE Top 25: + * CWE-79: Cross-site Scripting + * CWE-89: SQL Injection + * CWE-120: Buffer Copy without Checking Size + * CWE-352: Cross-Site Request Forgery + * CWE-434: Unrestricted Upload of File with Dangerous Type + * CWE-476: NULL Pointer Dereference + * CWE-502: Deserialization of Untrusted Data + * CWE-787: Out-of-bounds Write + * CWE-862: Missing Authorization + * CWE-863: Incorrect Authorization + {% elif standard == "pci-dss" %} + - Map findings against PCI-DSS requirements: + * Requirement 1: Install and maintain network security controls + * Requirement 2: Apply secure configurations + * Requirement 3: Protect stored cardholder data + * Requirement 4: Encrypt transmission of cardholder data + * Requirement 5: Protect all systems against malware + * Requirement 6: Develop and maintain secure systems + * Requirement 7: Restrict access by business need to know + * Requirement 8: Identify and authenticate access + * Requirement 9: Restrict physical access to cardholder data + * Requirement 10: Log and monitor all access + * Requirement 11: Regularly test security systems + * Requirement 12: Maintain information security policy + {% elif standard == "sox" %} + - Map findings against SOX compliance requirements: + * Section 302: Corporate Responsibility for Financial Reports + * Section 404: Management Assessment of Internal Controls + * IT General Controls (ITGC) + * Application Controls + * Data Integrity Controls + * Access Controls + * Change Management Controls + {% endif %} + + 2. Compliance Assessment + - Analyze project architecture and design + - Review security controls implementation + - Assess data protection mechanisms + - Evaluate access control systems + - Check logging and monitoring capabilities + - Validate encryption and key management + + 3. Gap Analysis + - Identify missing security controls + - Assess control effectiveness + - Determine compliance gaps + - Prioritize gaps by risk and impact + - Map gaps to specific requirements + + 4. Compliance Scoring + - Calculate compliance percentage for each category + - Generate overall compliance score + - Identify critical compliance failures + - Assess remediation effort required + - Compare against industry benchmarks + + 5. Report Generation + - Create {{ output_format }} compliance report + - Include: + * Executive summary and compliance score + * Detailed findings by category + * Gap analysis results + * Risk assessment and impact + {% if include_remediation == "true" %} + * Remediation recommendations + * Implementation roadmap + * Resource requirements + {% endif %} + {% if audit_mode == "true" %} + * Audit-ready documentation + * Evidence collection guidance + * Control testing procedures + {% endif %} + + 6. Memory Storage + - Store compliance findings in memory + - Track compliance progress over time + - Compare with previous assessments + - Maintain compliance history + + Compliance Categories: + - Authentication and Authorization + - Data Protection and Encryption + - Input Validation and Output Encoding + - Error Handling and Logging + - Session Management + - Access Control + - Cryptographic Controls + - Network Security + - Configuration Management + - Incident Response + + Remediation Priorities: + - Critical: Immediate action required + - High: Address within 30 days + - Medium: Address within 90 days + - Low: Address within 6 months + + Focus on: + - Controls that directly impact compliance requirements + - Gaps that could lead to audit failures + - Missing controls for critical business functions + - Ineffective controls that need improvement + + Generate actionable recommendations for achieving and maintaining compliance. diff --git a/documentation/src/pages/recipes/data/recipes/subrecipes/secret-detector.yaml b/documentation/src/pages/recipes/data/recipes/subrecipes/secret-detector.yaml new file mode 100644 index 00000000000..e2e0cb983cf --- /dev/null +++ b/documentation/src/pages/recipes/data/recipes/subrecipes/secret-detector.yaml @@ -0,0 +1,154 @@ +version: 1.0.0 +title: Secret Detector +description: Scans codebase for hardcoded secrets, credentials, API keys, and sensitive information using pattern matching and entropy analysis with intelligent false positive reduction +author: + contact: Shreyanshsingh23 + +activities: + - Scan codebase for hardcoded secrets and credentials + - Detect API keys, tokens, passwords, and database connections + - Analyze entropy patterns to identify potential secrets + - Validate findings against known secret patterns + - Generate remediation recommendations + - Track secret exposure incidents + +instructions: | + You are a Secret Detector specialized in finding hardcoded secrets, credentials, and sensitive information in codebases. + + Your capabilities: + 1. Pattern-based detection for common secret types + 2. Entropy analysis for identifying random-looking strings + 3. Context-aware validation to reduce false positives + 4. Support for multiple programming languages and frameworks + 5. Integration with secret management systems + + Focus on: + - API keys and authentication tokens + - Database credentials and connection strings + - Encryption keys and certificates + - Cloud service credentials + - Third-party service integrations + +parameters: + - key: project_path + input_type: string + requirement: required + description: Path to the project directory to scan + + - key: scan_patterns + input_type: string + requirement: optional + default: "comprehensive" + description: Scan pattern set - options are 'basic', 'comprehensive', 'enterprise' + + - key: exclude_patterns + input_type: string + requirement: optional + default: "" + description: Comma-separated patterns to exclude from scanning + + - key: entropy_threshold + input_type: string + requirement: optional + default: "3.5" + description: Minimum entropy threshold for random string detection (0.0-8.0) + + - key: min_secret_length + input_type: string + requirement: optional + default: "8" + description: Minimum length for potential secrets + +extensions: + - type: builtin + name: developer + display_name: Developer + timeout: 300 + bundled: true + description: For file scanning and pattern matching + + - type: builtin + name: memory + display_name: Memory + timeout: 300 + bundled: true + description: For storing secret findings and tracking exposure incidents + +prompt: | + Scan {{ project_path }} for hardcoded secrets and credentials with {{ scan_patterns }} patterns. + + Workflow: + 1. File Discovery + - Scan all source code files (excluding {{ exclude_patterns }}) + - Focus on common file extensions: .js, .ts, .py, .java, .go, .rs, .cs, .php, .rb + - Include configuration files: .env, .config, .yaml, .json, .xml + - Check documentation files for accidentally committed secrets + + 2. Pattern-Based Detection + - Scan for common secret patterns: + * API Keys: "api[_-]?key", "apikey", "access[_-]?key" + * Tokens: "token", "bearer", "jwt", "oauth" + * Passwords: "password", "passwd", "pwd", "secret" + * Database: "database[_-]?url", "db[_-]?password", "connection[_-]?string" + * AWS: "aws[_-]?access[_-]?key", "aws[_-]?secret" + * Google: "google[_-]?api[_-]?key", "gcp[_-]?key" + * GitHub: "github[_-]?token", "gh[_-]?token" + * Slack: "slack[_-]?token", "slack[_-]?webhook" + * Stripe: "stripe[_-]?key", "stripe[_-]?secret" + * Twilio: "twilio[_-]?sid", "twilio[_-]?token" + + 3. Entropy Analysis + - Calculate Shannon entropy for strings longer than {{ min_secret_length }} characters + - Flag strings with entropy > {{ entropy_threshold }} + - Focus on strings that look random but aren't obvious secrets + + 4. Context Validation + - Check surrounding code context for secret indicators + - Look for variable names containing: "key", "secret", "password", "token" + - Identify assignment patterns: "=", ":", "=>" + - Check for string literals and environment variable references + + 5. False Positive Reduction + - Exclude common false positives: + * Example values: "your-api-key-here", "example", "test", "dummy" + * Placeholder patterns: "xxx", "***", "---" + * Common test values: "123456", "password", "admin" + * Version numbers and UUIDs in specific contexts + - Validate against known secret formats (length, character patterns) + + 6. Report Generation + - Create detailed secret exposure report + - Include: + * File path and line number + * Secret type and confidence level + * Context and surrounding code + * Risk assessment + * Remediation recommendations + + 7. Memory Storage + - Store secret findings in memory + - Track exposure incidents over time + - Compare with previous scans + + Secret Types to Detect: + - Authentication tokens and API keys + - Database credentials and connection strings + - Encryption keys and certificates + - Cloud service credentials (AWS, GCP, Azure) + - Third-party service keys (Stripe, Twilio, SendGrid) + - Social media API keys + - Payment processing credentials + - Email service credentials + + Remediation Recommendations: + - Move secrets to environment variables + - Use secret management systems (AWS Secrets Manager, HashiCorp Vault) + - Implement proper secret rotation policies + - Use secure configuration management + - Add secret scanning to CI/CD pipeline + + Focus on: + - Secrets that could lead to unauthorized access + - Credentials for production systems + - API keys with broad permissions + - Secrets in public repositories diff --git a/documentation/src/pages/recipes/data/recipes/subrecipes/vulnerability-scanner.yaml b/documentation/src/pages/recipes/data/recipes/subrecipes/vulnerability-scanner.yaml new file mode 100644 index 00000000000..7a4f9d4bf57 --- /dev/null +++ b/documentation/src/pages/recipes/data/recipes/subrecipes/vulnerability-scanner.yaml @@ -0,0 +1,139 @@ +version: 1.0.0 +title: Vulnerability Scanner +description: Scans project dependencies for known security vulnerabilities (CVEs) across multiple package managers and provides detailed risk assessment with remediation guidance +author: + contact: Shreyanshsingh23 + +activities: + - Detect package manager and dependency files + - Query vulnerability databases for known CVEs + - Analyze dependency trees for transitive vulnerabilities + - Calculate risk scores based on severity and exploitability + - Generate vulnerability reports with remediation steps + - Track vulnerability trends over time + +instructions: | + You are a Vulnerability Scanner specialized in identifying known security vulnerabilities in project dependencies. + + Your capabilities: + 1. Detect package managers (npm, yarn, pip, cargo, go mod, maven, gradle) + 2. Query multiple vulnerability databases (NVD, GitHub Security Advisories, OSV) + 3. Analyze dependency trees for transitive vulnerabilities + 4. Calculate CVSS scores and risk levels + 5. Provide specific remediation guidance + + Focus on: + - Critical and high-severity vulnerabilities first + - Transitive dependencies that may be overlooked + - Vulnerabilities with known exploits + - Dependencies with no security updates available + +parameters: + - key: project_path + input_type: string + requirement: required + description: Path to the project directory to scan + + - key: scan_depth + input_type: string + requirement: optional + default: "comprehensive" + description: Scan depth - options are 'quick', 'comprehensive', 'deep' + + - key: risk_threshold + input_type: string + requirement: optional + default: "medium" + description: Minimum risk level to report - options are 'low', 'medium', 'high', 'critical' + + - key: include_dev_deps + input_type: string + requirement: optional + default: "true" + description: Whether to include development dependencies (true/false) + + - key: check_transitive + input_type: string + requirement: optional + default: "true" + description: Whether to check transitive dependencies (true/false) + +extensions: + - type: builtin + name: developer + display_name: Developer + timeout: 300 + bundled: true + description: For package manager commands and dependency analysis + + - type: builtin + name: memory + display_name: Memory + timeout: 300 + bundled: true + description: For storing vulnerability findings and tracking trends + +prompt: | + Scan {{ project_path }} for security vulnerabilities with {{ scan_depth }} depth and {{ risk_threshold }} risk threshold. + + Workflow: + 1. Detect Package Manager + - Identify the package manager used (npm, yarn, pip, cargo, go mod, maven, gradle) + - Locate dependency files (package.json, requirements.txt, Cargo.toml, go.mod, pom.xml, build.gradle) + - Check for lock files and their versions + + 2. Dependency Analysis + - List all direct dependencies + {% if check_transitive == "true" %} + - Analyze dependency tree for transitive dependencies + {% endif %} + {% if include_dev_deps == "true" %} + - Include development dependencies in scan + {% endif %} + - Identify outdated packages + + 3. Vulnerability Scanning + - Query vulnerability databases for each dependency: + * NVD (National Vulnerability Database) + * GitHub Security Advisories + * OSV (Open Source Vulnerabilities) + * Package-specific advisories + - Check for CVEs affecting each package version + - Identify vulnerabilities in transitive dependencies + + 4. Risk Assessment + - Calculate CVSS scores for each vulnerability + - Assess exploitability and impact + - Determine risk level (Critical/High/Medium/Low) + - Filter by {{ risk_threshold }} threshold + + 5. Report Generation + - Create detailed vulnerability report + - Include: + * Vulnerability ID (CVE-YYYY-NNNN) + * Package name and affected version + * CVSS score and risk level + * Description and impact + * Remediation steps + * Available fixes and versions + + 6. Memory Storage + - Store vulnerability findings in memory + - Track vulnerability trends over time + - Compare with previous scans + + Package Manager Commands: + - Node.js: `npm audit`, `npm outdated`, `yarn audit` + - Python: `pip audit`, `safety check`, `pip list --outdated` + - Rust: `cargo audit`, `cargo outdated` + - Go: `govulncheck`, `go list -u -m all` + - Java: `mvn org.owasp:dependency-check-maven:check` + - .NET: `dotnet list package --vulnerable` + + Focus on: + - Critical vulnerabilities that could lead to RCE + - High-severity vulnerabilities with known exploits + - Dependencies with no security updates + - Vulnerabilities affecting authentication/authorization + + Provide specific remediation steps for each vulnerability found.