Purpose: Security validation, access control, and threat detection for the GNN processing pipeline
Pipeline Step: Step 18: Security validation (18_security.py)
Category: Security / Access Control
Status: ✅ Production Ready
Version: 1.6.0
Last Updated: 2026-04-16
- Security validation of GNN models and pipeline components
- Access control and authorization management
- Threat detection and vulnerability assessment
- Secure data handling and encryption
- Security policy enforcement
- Audit logging and compliance reporting
- Model security validation and risk assessment
- Access control for sensitive operations
- Threat detection and mitigation
- Data encryption and secure storage
- Security policy configuration
- Audit trail maintenance
- Compliance reporting
process_security(target_dir: Path, output_dir: Path, verbose: bool = False, logger: Optional[logging.Logger] = None, **kwargs) -> bool
Description: Main security processing function called by orchestrator (18_security.py). Validates security, assesses vulnerabilities, and checks compliance.
Parameters:
target_dir(Path): Directory containing files to validateoutput_dir(Path): Output directory for security reportsverbose(bool): Enable verbose logging (default: False)logger(Optional[logging.Logger]): Logger instance (default: None)security_level(str, optional): Security validation level ("basic", "standard", "strict") (default: "standard")check_vulnerabilities(bool, optional): Enable vulnerability scanning (default: True)check_compliance(bool, optional): Enable compliance checking (default: True)compliance_standards(List[str], optional): Standards to check against (default: ["OWASP Top 10"])**kwargs: Additional security options
Returns: bool - True if security validation passed, False otherwise
Example:
from security import process_security
from pathlib import Path
import logging
logger = logging.getLogger(__name__)
success = process_security(
target_dir=Path("input/gnn_files"),
output_dir=Path("output/18_security_output"),
logger=logger,
verbose=True,
security_level="strict",
compliance_standards=["OWASP Top 10", "CWE"]
)Description: Perform comprehensive security check on a file (AST analysis for Python, pattern scanning for all files).
Parameters:
file_path(Path): Path to file to checkverbose(bool): Enable verbose logging
Returns: Dict[str, Any] - Security check results with:
file(str): File path checkedvulnerabilities(List[Dict]): Detected vulnerabilitiessecurity_score(float): Security score (0.0–1.0)recommendations(List[Dict]): Security improvement recommendations
Description: Scan a file for security vulnerabilities using pattern matching and Python AST analysis.
Parameters:
file_path(Path): Path to file to scanverbose(bool): Enable verbose logging
Returns: List[Dict[str, Any]] - List of detected vulnerability dicts
Description: Generate security improvement recommendations for a file.
Description: Calculate overall security score (0.0–1.0) based on vulnerability severity weights.
cryptography- Encryption and hashingpathlib- Path manipulationjson- Data serialization
PyYAML- Configuration file parsingrequests- External security service integration
utils.pipeline_template- Pipeline utilities
SECURITY_LEVELS = {
'basic': {
'validate_file_integrity': True,
'check_basic_permissions': True,
'log_access': True
},
'standard': {
'validate_file_integrity': True,
'check_basic_permissions': True,
'log_access': True,
'scan_for_malicious_content': True,
'validate_model_structure': True
},
'strict': {
'validate_file_integrity': True,
'check_basic_permissions': True,
'log_access': True,
'scan_for_malicious_content': True,
'validate_model_structure': True,
'encrypt_sensitive_data': True,
'require_authorization': True
}
}SECURITY_POLICIES = {
'allowed_file_types': ['.md', '.json', '.yaml'],
'max_file_size_mb': 100,
'require_encryption': False,
'audit_all_operations': True,
'block_suspicious_content': True
}from security.processor import process_security
success = process_security(
target_dir="input/gnn_files",
output_dir="output/18_security_output",
security_level="standard"
)from security.processor import perform_security_check
security_result = perform_security_check(
file_path=Path("models/sensitive_model.md"),
verbose=True
)
if security_result["security_score"] > 0.8:
print("Security check passed")
else:
print("Security issues found:")
for vuln in security_result["vulnerabilities"]:
print(f" - {vuln['description']}")from security.processor import check_vulnerabilities
vulns = check_vulnerabilities(Path("output/11_render_output/model_pymdp.py"))
for vuln in vulns:
print(f" [{vuln['severity']}] {vuln['description']}")security_validation_report.json- Comprehensive security reportaccess_control_log.json- Access control audit logthreat_detection_report.json- Threat detection resultssecurity_summary.md- Human-readable security summary
output/18_security_output/
├── security_validation_report.json
├── access_control_log.json
├── threat_detection_report.json
├── security_summary.md
└── security_audit_trail/
├── 2025-10-01_access_log.json
└── threat_indicators.json
- Duration: ~1-3 seconds per model
- Memory: ~20-50MB
- Status: ✅ Production Ready
- Basic Validation: < 1 second
- Standard Validation: 1-2 seconds
- Strict Validation: 2-5 seconds
- Threat Detection: Variable based on content
- Malicious Content Detection: Pattern-based threat detection
- Suspicious Script Detection: Script injection detection
- Data Exfiltration Detection: Unauthorized data access patterns
- Cryptographic Validation: Digital signature verification
- File Permission Validation: OS-level permission checks
- Operation Authorization: Role-based access control
- Audit Logging: Comprehensive operation logging
- Security Context: Security-aware operation context
- Encryption Support: Sensitive data encryption
- Secure Storage: Protected data storage
- Key Management: Encryption key lifecycle management
- Data Sanitization: Secure data cleanup
- Access Denied: Insufficient permissions
- Threat Detected: Malicious content found
- Validation Failed: Security requirements not met
- Encryption Error: Cryptographic operation failure
- Access Issues: Request elevated permissions
- Threats: Isolate and report suspicious content
- Validation: Provide remediation guidance
- Encryption: Use alternative encryption methods
- Script:
18_security.py(Step 18) - Function:
process_security()
utils.pipeline_template- Pipeline utilities
- All pipeline steps requiring security validation
tests.test_security_*- Security tests
File Input → Security Validation → Threat Detection → Access Control → Security Report → Pipeline Continuation
src/tests/security/test_security_overall.py- Module-level testssrc/tests/security/test_security_functional.py- Functional tests
Measure on demand:
uv run --extra dev python -m pytest src/tests/test_security*.py \
--cov=src/security --cov-report=term-missing- Security validation with various threat types
- Access control enforcement
- Encryption and data protection
- Audit logging functionality
- Error handling and recovery
security.validate_model- Perform security check on a model filesecurity.scan_file- Scan file for vulnerabilitiessecurity.get_report- Get security reportsecurity.list_checks- List available security checks
@mcp_tool("security.validate_model")
def validate_model_security_tool(file_path, security_level="standard"):
"""Validate security aspects of a GNN model"""
# Implementationsrc/security/mcp.py- MCP tool registrations
Symptom: Valid models reported as having vulnerabilities
Cause: Security rules too strict or outdated
Solution:
- Use
--security-level basicfor lenient validation - Review security rules and update if needed
- Check compliance standards are appropriate
- Use
--verboseflag for detailed validation logs
Symptom: Valid operations blocked by access control
Cause: Permission configuration incorrect or overly restrictive
Solution:
- Verify file permissions are correct
- Check access control configuration
- Review security policy settings
- Ensure user has required permissions
Features:
- Security validation
- Access control
- Threat detection
- Vulnerability assessment
- Compliance reporting
Known Issues:
- None currently
- Next Version: Enhanced threat detection
- Future: Real-time security monitoring
Last Updated: 2026-04-16 Maintainer: GNN Pipeline Team Status: ✅ Production Ready Version: 1.6.0 Architecture Compliance: ✅ 100% Thin Orchestrator Pattern