Merge pull request #35 from devatsecure/claude/add-security-testing-guide-BClsS

Add continuous autonomous security testing framework (v3.0)

Author: devatsecure

.claude/rules/development.md

@@ -50,6 +50,12 @@ Argus-Security/
 │   ├── agent_personas.py         # Phase 3: Multi-agent review
 │   ├── sandbox_validator.py      # Phase 4: Docker validation
 │   ├── remediation_engine.py     # Auto-fix generation
+│   ├── diff_impact_analyzer.py   # Diff-intelligent scanner scoping
+│   ├── agent_chain_discovery.py  # LLM-powered attack chain discovery
+│   ├── autofix_pr_generator.py   # AutoFix PR generation + closed loop
+│   ├── findings_store.py         # SQLite cross-scan findings store
+│   ├── app_context_builder.py    # Unified application context model
+│   ├── sast_dast_validator.py    # SAST-to-DAST live validation
 │   └── argus                     # CLI entry point
 ├── policy/rego/                  # Phase 5: OPA policies
 ├── profiles/                     # Config profiles

.claude/rules/features.md

@@ -1,6 +1,6 @@
 ---
 description: Advanced feature modules and their configuration toggles
-globs: ["scripts/error_classifier.py", "scripts/audit_trail.py", "scripts/phase_gate.py", "scripts/mcp_server.py", "scripts/dast_auth_config.py", "scripts/temporal_orchestrator.py", "scripts/license_risk_scorer.py", "scripts/epss_scorer.py", "scripts/fix_version_tracker.py", "scripts/vex_processor.py", "scripts/vuln_deduplicator.py", "scripts/advanced_suppression.py", "scripts/compliance_mapper.py"]
+globs: ["scripts/error_classifier.py", "scripts/audit_trail.py", "scripts/phase_gate.py", "scripts/mcp_server.py", "scripts/dast_auth_config.py", "scripts/temporal_orchestrator.py", "scripts/license_risk_scorer.py", "scripts/epss_scorer.py", "scripts/fix_version_tracker.py", "scripts/vex_processor.py", "scripts/vuln_deduplicator.py", "scripts/advanced_suppression.py", "scripts/compliance_mapper.py", "scripts/diff_impact_analyzer.py", "scripts/agent_chain_discovery.py", "scripts/autofix_pr_generator.py", "scripts/findings_store.py", "scripts/app_context_builder.py", "scripts/sast_dast_validator.py"]
 ---
 
 # Advanced Features
@@ -43,3 +43,23 @@ Multi-key: {VulnID, PkgName, Version, Path}. Cross-scanner merge. Strategies: au
 
 ## Compliance Mapping (`scripts/compliance_mapper.py`)
 NIST 800-53, PCI DSS 4.0, OWASP Top 10, SOC 2, CIS K8s, ISO 27001. CWE-based mapping + category fallback. Toggle: `enable_compliance_mapping=True`
+
+# Continuous Security Testing (v3.0)
+
+## Diff-Intelligent Scanner Scoping (`scripts/diff_impact_analyzer.py`)
+Classifies changed files by security relevance (skip docs/assets, always scan auth/crypto/config). Expands blast radius via reverse dependency lookup — if auth middleware changed, finds all files importing it. Generates Semgrep `--include` args for scoped scanning. Toggle: `enable_diff_scoping=True`, `diff_expand_impact_radius=True`
+
+## Agent-Driven Chain Discovery (`scripts/agent_chain_discovery.py`)
+LLM-powered multi-step attack chain discovery beyond rule-based patterns. Sends findings to LLM to reason about cross-component exploitation paths. Cross-component analyzer detects dangerous finding combinations across architectural boundaries (auth+api, models+api, middleware+routes). Toggle: `enable_agent_chain_discovery=False` (opt-in), `enable_cross_component_analysis=True`
+
+## AutoFix PR Generator (`scripts/autofix_pr_generator.py`)
+Generates git branches with applied fixes from RemediationEngine suggestions. Creates conventional-commit-style messages, formatted PR bodies with diff/CWE/testing sections. ClosedLoopOrchestrator wires find→fix→verify into a single flow. Toggle: `enable_autofix_pr=False` (opt-in), `autofix_confidence_threshold="high"`, `autofix_max_prs_per_scan=5`
+
+## Persistent Findings Store (`scripts/findings_store.py`)
+SQLite-backed cross-scan intelligence. Tracks findings across scans via content-based fingerprinting. Detects regressions (previously-fixed findings reappearing), computes MTTF, FP rates, severity trending. Injects historical context into LLM enrichment prompts. Toggle: `enable_findings_store=True`, `findings_db_path=".argus/findings.db"`, `inject_historical_context=True`
+
+## Application Context Builder (`scripts/app_context_builder.py`)
+Detects framework (Django/Flask/Express/Spring/etc.), language, auth mechanism (JWT/OAuth2/session), cloud provider, IaC files, middleware chain, entry points, and OpenAPI specs. Generates `to_prompt_context()` string for LLM prompt injection. Toggle: `enable_app_context=True`
+
+## SAST-to-DAST Live Validation (`scripts/sast_dast_validator.py`)
+Validates SAST findings against live deployment targets. Maps vuln types to HTTP test payloads (SQLi, XSS, SSRF, path traversal, command injection, IDOR). Safety: rejects production targets by default, only allows staging/preview/development. Toggle: `enable_live_validation=False` (opt-in), `live_validation_environment="staging"`

.github/workflows/argus-retest.yml

@@ -0,0 +1,124 @@
+name: Argus Retest After Fix
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  retest:
+    # Only run when an argus/fix- PR is merged
+    if: >
+      github.event.pull_request.merged == true &&
+      startsWith(github.event.pull_request.head.ref, 'argus/fix-')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: Extract fix metadata
+        id: meta
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          # Extract vuln type and finding ID from branch name: argus/fix-{type}-{id}
+          VULN_TYPE=$(echo "$BRANCH" | sed 's|argus/fix-||' | sed 's|-[a-f0-9]*$||')
+          FINDING_ID=$(echo "$BRANCH" | grep -oP '[a-f0-9]{8}$' || echo "unknown")
+          echo "vuln_type=$VULN_TYPE" >> $GITHUB_OUTPUT
+          echo "finding_id=$FINDING_ID" >> $GITHUB_OUTPUT
+          # Get changed files from the PR
+          CHANGED_FILES=$(gh pr view ${{ github.event.pull_request.number }} --json files -q '.files[].path' || echo "")
+          echo "changed_files=$CHANGED_FILES" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run regression tests
+        id: regression
+        continue-on-error: true
+        run: |
+          python -c "
+          import sys
+          sys.path.insert(0, 'scripts')
+          try:
+              from regression_tester import RegressionTester
+              tester = RegressionTester()
+              results = tester.run('tests/security_regression')
+              passed = results.get('passed', 0)
+              failed = results.get('failed', 0)
+              print(f'Regression tests: {passed} passed, {failed} failed')
+              sys.exit(1 if failed > 0 else 0)
+          except Exception as e:
+              print(f'Regression test error: {e}')
+              sys.exit(1)
+          "
+
+      - name: Run targeted SAST rescan
+        id: rescan
+        continue-on-error: true
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+        run: |
+          python scripts/run_ai_audit.py \
+            --project-type auto \
+            --only-changed \
+            --review-type security
+
+      - name: Update finding status
+        if: steps.regression.outcome == 'success' && steps.rescan.outcome == 'success'
+        run: |
+          python -c "
+          import sys
+          sys.path.insert(0, 'scripts')
+          try:
+              from findings_store import FindingsStore
+              store = FindingsStore()
+              store.record_fix(
+                  finding_id='${{ steps.meta.outputs.finding_id }}',
+                  fix_commit='${{ github.sha }}',
+                  fix_method='autofix',
+                  retest_passed=True,
+              )
+              print('Finding marked as fix-verified')
+          except Exception as e:
+              print(f'Could not update findings store: {e}')
+          "
+
+      - name: Post retest results
+        if: always()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const regression = '${{ steps.regression.outcome }}';
+            const rescan = '${{ steps.rescan.outcome }}';
+            const allPassed = regression === 'success' && rescan === 'success';
+
+            const body = `## Argus Retest Results
+
+            | Check | Status |
+            |-------|--------|
+            | Regression Tests | ${regression === 'success' ? 'Passed' : 'Failed'} |
+            | SAST Rescan | ${rescan === 'success' ? 'Clean' : 'Issues found'} |
+            | **Overall** | **${allPassed ? 'Fix Verified' : 'Needs Review'}** |
+
+            ${allPassed ? 'The fix has been verified. The vulnerability is confirmed resolved.' : 'The retest found issues. Please review the scan results.'}
+
+            ---
+            *Argus Security Retest — triggered by merge of \`${{ github.event.pull_request.head.ref }}\`*`;
+
+            // Comment on the merged PR
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: ${{ github.event.pull_request.number }},
+              body: body
+            });

.github/workflows/post-deploy-scan.yml

@@ -0,0 +1,102 @@
+name: Post-Deploy Security Validation
+on:
+  deployment_status:
+    # Trigger when deployment succeeds
+  workflow_dispatch:
+    inputs:
+      target_url:
+        description: 'Deployment URL to scan'
+        required: false
+        type: string
+      environment:
+        description: 'Deployment environment'
+        required: false
+        default: 'staging'
+        type: string
+
+jobs:
+  post-deploy-scan:
+    if: >
+      github.event_name == 'workflow_dispatch' ||
+      github.event.deployment_status.state == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: Determine deployment context
+        id: context
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "target_url=${{ inputs.target_url }}" >> $GITHUB_OUTPUT
+            echo "environment=${{ inputs.environment }}" >> $GITHUB_OUTPUT
+          else
+            echo "target_url=${{ github.event.deployment.payload.web_url || '' }}" >> $GITHUB_OUTPUT
+            echo "environment=${{ github.event.deployment.environment }}" >> $GITHUB_OUTPUT
+          fi
+          # Get diff since last successful scan
+          PREV_SHA=$(git log --format='%H' -2 | tail -1)
+          echo "prev_sha=$PREV_SHA" >> $GITHUB_OUTPUT
+          CHANGED=$(git diff --name-only $PREV_SHA HEAD | head -100)
+          echo "has_changes=$( [ -n "$CHANGED" ] && echo true || echo false )" >> $GITHUB_OUTPUT
+
+      - name: Run diff-scoped SAST scan
+        if: steps.context.outputs.has_changes == 'true'
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          ONLY_CHANGED: "true"
+        run: |
+          python scripts/run_ai_audit.py \
+            --project-type auto \
+            --only-changed \
+            --review-type security
+
+      - name: Run DAST against deployment
+        if: steps.context.outputs.target_url != ''
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          DAST_TARGET_URL: ${{ steps.context.outputs.target_url }}
+        run: |
+          echo "Running DAST scan against $DAST_TARGET_URL"
+          python -c "
+          import sys
+          sys.path.insert(0, 'scripts')
+          try:
+              from dast_orchestrator import DASTOrchestrator, OrchestratorConfig
+              config = OrchestratorConfig(
+                  project_path='.',
+                  enable_nuclei=True,
+                  enable_zap=False,
+                  max_duration=600,
+              )
+              orch = DASTOrchestrator(config=config)
+              results = orch.run('${{ steps.context.outputs.target_url }}')
+              print(f'DAST scan complete: {len(results.get(\"findings\", []))} findings')
+          except ImportError as e:
+              print(f'DAST not available: {e}')
+          except Exception as e:
+              print(f'DAST scan error: {e}')
+          "
+
+      - name: Upload results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: post-deploy-scan-results
+          path: |
+            .argus/
+            *.sarif
+          retention-days: 30

CHANGELOG.md

@@ -9,6 +9,29 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ---
 
+## [6.0.0] - 2026-03-04
+
+### Added — Continuous Security Testing (v3.0)
+- **Diff-Intelligent Scanner Scoping** (`scripts/diff_impact_analyzer.py`): Classifies changed files by security relevance, expands blast radius via reverse dependency lookup, generates Semgrep `--include` args for scoped scanning. Toggle: `enable_diff_scoping=True`, `diff_expand_impact_radius=True`
+- **Agent-Driven Chain Discovery** (`scripts/agent_chain_discovery.py`): LLM-powered multi-step attack chain discovery beyond rule-based patterns. Cross-component analyzer detects dangerous finding combinations across architectural boundaries (auth+api, models+api, middleware+routes). Toggle: `enable_agent_chain_discovery=False` (opt-in), `enable_cross_component_analysis=True`
+- **AutoFix PR Generator** (`scripts/autofix_pr_generator.py`): Generates git branches with applied fixes from RemediationEngine suggestions. Creates conventional-commit-style messages, formatted PR bodies with diff/CWE/testing sections. ClosedLoopOrchestrator wires find-fix-verify into a single flow. Toggle: `enable_autofix_pr=False` (opt-in), `autofix_confidence_threshold="high"`, `autofix_max_prs_per_scan=5`
+- **Persistent Findings Store** (`scripts/findings_store.py`): SQLite-backed cross-scan intelligence. Tracks findings across scans via content-based fingerprinting. Detects regressions (previously-fixed findings reappearing), computes MTTF, FP rates, severity trending. Injects historical context into LLM enrichment prompts. Toggle: `enable_findings_store=True`, `findings_db_path=".argus/findings.db"`, `inject_historical_context=True`
+- **Application Context Builder** (`scripts/app_context_builder.py`): Detects framework (Django/Flask/Express/Spring/etc.), language, auth mechanism (JWT/OAuth2/session), cloud provider, IaC files, middleware chain, entry points, and OpenAPI specs. Generates `to_prompt_context()` string for LLM prompt injection. Toggle: `enable_app_context=True`
+- **SAST-to-DAST Live Validation** (`scripts/sast_dast_validator.py`): Validates SAST findings against live deployment targets. Maps vuln types to HTTP test payloads (SQLi, XSS, SSRF, path traversal, command injection, IDOR). Safety: rejects production targets by default, only allows staging/preview/development. Toggle: `enable_live_validation=False` (opt-in), `live_validation_environment="staging"`
+- **Post-Deploy Scan workflow** (`.github/workflows/post-deploy-scan.yml`): Triggers on successful deployments, runs diff-scoped SAST + DAST against deployment URL
+- **Retest After Fix workflow** (`.github/workflows/argus-retest.yml`): Triggers when `argus/fix-*` PRs merge, runs regression tests + targeted SAST rescan, updates FindingsStore
+- **Continuous Security Testing Guide** (`docs/CONTINUOUS_SECURITY_TESTING_GUIDE.md`): Architecture guide mapping capabilities vs industry-standard autonomous testing
+- 13 new config keys added to `config_loader.py` with env var and CLI mappings
+- All 7 modules integrated into `hybrid_analyzer.py` with graceful degradation
+- 36 new tests (`tests/test_continuous_security.py`) covering all v3.0 modules
+
+### Changed
+- Updated README.md with v3.0 feature tables, env vars, and deployment scanning docs
+- Updated CLAUDE.md with v3.0 key files and extended documentation references
+- Updated `.claude/rules/features.md` and `.claude/rules/development.md` with v3.0 modules
+
+---
+
 ## [5.0.0] - 2026-02-16
 
 ### Added

CLAUDE.md

@@ -1,6 +1,6 @@
 # CLAUDE.md - Argus Security
 
-> Enterprise-grade AI Security Platform with 6-phase analysis pipeline.
+> Enterprise-grade AI Security Platform with 6-phase analysis pipeline and continuous autonomous security testing.
 
 ## What This Does
 
@@ -17,6 +17,15 @@ Phase 6: Reporting                → SARIF, JSON, Markdown outputs
 
 **Results:** 60-70% false positive reduction, +15-20% more findings via heuristic-based spontaneous discovery (regex pattern matching, not AI-powered).
 
+**v3.0 Continuous Security:**
+- Diff-intelligent scanner scoping with blast radius expansion
+- Persistent cross-scan findings store with regression detection
+- Application context auto-detection for context-aware scanning
+- LLM-powered attack chain discovery + cross-component analysis
+- AutoFix PR generation with closed-loop find-fix-verify
+- SAST-to-DAST live validation against staging targets
+- Deployment-triggered scanning via GitHub Actions workflows
+
 ## Quick Start
 
 ```bash
@@ -47,10 +56,17 @@ python scripts/run_ai_audit.py --project-type backend-api
 | `scripts/agent_personas.py` | Phase 3: multi-agent review |
 | `scripts/sandbox_validator.py` | Phase 4: Docker validation |
 | `policy/rego/` | Phase 5: OPA policies |
+| `scripts/diff_impact_analyzer.py` | v3.0: Diff-intelligent scanner scoping |
+| `scripts/findings_store.py` | v3.0: SQLite persistent findings store |
+| `scripts/app_context_builder.py` | v3.0: Application context auto-detection |
+| `scripts/agent_chain_discovery.py` | v3.0: LLM attack chain discovery |
+| `scripts/autofix_pr_generator.py` | v3.0: AutoFix PR generation + closed loop |
+| `scripts/sast_dast_validator.py` | v3.0: SAST-to-DAST live validation |
 
 ## Extended Documentation
 
 Details moved to scoped rule files (auto-loaded when editing relevant files):
 - `.claude/rules/pipeline.md` — 6-phase pipeline architecture
-- `.claude/rules/features.md` — Advanced feature modules + config toggles
+- `.claude/rules/features.md` — Advanced feature modules + config toggles (incl. v3.0)
 - `.claude/rules/development.md` — Docker, GitHub Action, project structure
+- `docs/CONTINUOUS_SECURITY_TESTING_GUIDE.md` — v3.0 architecture and gap analysis