remote_sources_local.yaml
# SPDX-FileCopyrightText: GitHub, Inc.
# SPDX-License-Identifier: MIT

seclab-taskflow-agent:
  filetype: taskflow
  version: "1.0"

model_config: seclab_taskflows.configs.model_config

globals:
  repo:

# Taskflow to analyze the existing information
taskflow:
  - task:
      must_complete: true
      headless: true
      model: general_tasks
      agents:
        - seclab_taskflow_agent.personalities.assistant
      user_prompt: |
        Clear the memory cache and clear the codeql_sqlite database for repo {{ globals.repo }}.
      toolboxes:
        - seclab_taskflow_agent.toolboxes.memcache
        - seclab_taskflows.toolboxes.codeql_python
  - task:
      model: general_tasks
      must_complete: true
      headless: true
      agents:
        - seclab_taskflow_agent.personalities.assistant
      user_prompt: |
        For the repo {{ globals.repo }} fetch the Python CodeQL database and find all remote flow sources using CodeQL.
      toolboxes:
        - seclab_taskflows.toolboxes.gh_code_scanning
        - seclab_taskflows.toolboxes.codeql_python
  - task:
      must_complete: true
      exclude_from_context: true
      model: general_tasks
      agents:
        - seclab_taskflow_agent.personalities.assistant
      user_prompt: |
        Fetch the zipball of the repository {{ globals.repo }}.
      toolboxes:
        - seclab_taskflows.toolboxes.local_gh_resources
  - task:
      must_complete: true
      exclude_from_context: true
      model: general_tasks
      agents:
        - seclab_taskflow_agent.personalities.assistant
      user_prompt: |
        Fetch the sources from the repo {{ globals.repo }}.
      toolboxes:
        - seclab_taskflows.toolboxes.codeql_python
  - task:
      model: code_analysis
      must_complete: false
      repeat_prompt: true
      max_steps: 100
      name: source analysis
      description: Identify actions that untrusted users are allowed to perform on the source.
      agents:
        - seclab_taskflows.personalities.auditor
      user_prompt: |
        The source is a {{ result.source_type }} in {{ result.repo }} in the location {{ result.source_location }} on line {{ result.line }}.
        If the source is in a folder relating to tests or demo code, skip the analysis and update the source entry in the codeql_sqlite database indicating it is not relevant.
        Analyze what the source endpoint is used for.
        If it is a web endpoint, identify the routing path that reaches this source, HTTP method,
        any middlewares used, which roles are allowed to call it.
        Note which kind of authentication is required for that endpoint.
        It is possible that the source does not require any authentication.
        If authorization is required, note the details.
        Update the source entry in the codeql_sqlite database with your findings.
        ## IMPORTANT: General Guidance that ALWAYS applies
        1. Do NOT ask the user for permission to perform next steps, continue your
        analysis autonomously until it is complete.
        2. Do NOT use 'fetch_sources' or 'remote_sources' tools.
        3. Do NOT speculate. If you do not have access to the information you need, respond with
        the error you encountered.
      toolboxes:
        - seclab_taskflows.toolboxes.codeql_python
        - seclab_taskflows.toolboxes.local_file_viewer
  - task:
      must_complete: true
      agents:
        - seclab_taskflows.personalities.auditor
      model: code_analysis
      user_prompt: |
        Fetch the sources of the repo {{ globals.repo }} and give a summary of the notes.
      toolboxes:
        - seclab_taskflows.toolboxes.codeql_python