|
1 | | -# OpenAuditKit Memory Bank |
2 | | - |
3 | | -## 🧠 Project Context |
4 | | -**OpenAuditKit** is an open-source, CLI-based security audit tool designed to scan codebases for secrets and configuration vulnerabilities. It mimics the functionality of tools like "TruffleHog" or "Gitleaks" but with a modular, Python-native design. |
5 | | - |
6 | | -## 🏗 Architecture |
7 | | -We adopted a **Feature-Based Architecture** to ensure scalability and ease of future backend/dashboard integration. |
8 | | - |
9 | | -### Structure |
10 | | -- **`openaudit.core`**: Contains the domain models (`Finding`, `Rule`, `ScanContext`) and interfaces (`ScannerProtocol`). This layer is pure python, has no CLI dependencies, and is ready for use in a web API. |
11 | | -- **`openaudit.features`**: Contains the business logic, organized by domain (e.g., `secrets`, `config`). |
12 | | - - **`features.secrets`**: Implements regex and entropy-based secret detection. |
13 | | -- **`openaudit.interface.cli`**: The Typer-based CLI application. It orchestrates the core and features. |
14 | | -- **`openaudit.reporters`**: Handles output formatting (currently Rich Console). |
15 | | - |
16 | | -### Key Decisions |
17 | | -1. **Decoupling**: The scanner logic (`SecretScanner`) returns Pydantic models (`Finding`), not printed strings. This allows the same logic to feed a JSON API or a database in the future. |
18 | | -2. **Offline-First**: The tool works entirely locally without external API calls. |
19 | | -3. **Extensible Rules**: Rules are defined in YAML (`rules/secrets.yaml`), making it easy for users to add new patterns without changing code. |
20 | | - |
21 | | -## 🛠 Implemented Features (v0.1.0) |
22 | | -### 1. Core System |
23 | | -- **Rules Engine**: Loads detection rules from YAML files. |
24 | | -- **Domain Models**: Defined `Finding` with fields for file path, line number, and mocked secret. |
25 | | - |
26 | | -### 2. Secret Scanner (`openaudit.features.secrets`) |
27 | | -- **Regex Matching**: Compiles patterns from rules. |
28 | | -- **Entropy Check**: Calculates Shannon entropy to reduce false positives (e.g., detecting random high-entropy strings). |
29 | | -- **Masking**: Automatically masks detected secrets (e.g., `AKIA****************`) to prevent leakage in logs. |
30 | | - |
31 | | -### 3. Config Scanner (`openaudit.features.config`) |
32 | | -- **Infrastructure Code**: specific checks for `.env`, `Dockerfile`, and `docker-compose.yml`. |
33 | | -- **Masking**: Enhanced masking for config values (keeping keys visible). |
34 | | - |
35 | | -### 4. Developer Experience & CLI (DX) |
36 | | -- **Smart Ignores**: Supports `.oaignore` (and `.gitignore` syntax) via `pathspec`. |
37 | | -- **UX**: Progress bars, scan duration, and colored severity legends. |
38 | | -- **Duration**: Timings displayed for performance visibility. |
39 | | - |
40 | | -### 5. Rule System v2 |
41 | | -- **Confidence Scoring**: Rules now have `confidence` (LOW, MEDIUM, HIGH) to better triage findings. |
42 | | -- **Validation**: RulesEngine validates regex and schema on load. |
43 | | -- **Documentation**: Comprehensive `rules/README.md` for contributors. |
44 | | - |
45 | | -### 6. CI/CD & Reporting |
46 | | -- **CI Mode**: `--ci` flag for non-interactive runs with strict exit codes. |
47 | | -- **Formats**: Supports `JSON` and `Rich Console` outputs. |
48 | | -- **GitHub Actions**: Ready-to-use workflow template. |
49 | | - |
50 | | -### 7. Packaging & Distribution |
51 | | -- **PyPI Ready**: Configured with `pyproject.toml` and `setuptools`. |
52 | | -- **Standalone**: Can be installed via `pip install .` and run as `openaudit`. |
53 | | -- **Bundled Rules**: Default security rules are packaged with the library. |
54 | | - |
55 | | -## 📊 Status |
56 | | -- [x] Project Skeleton Created |
57 | | -- [x] Core Domain & Protocols Implemented |
58 | | -- [x] Rules Engine (YAML) Implemented |
59 | | -- [x] Secret Scanner (Regex + Entropy) Implemented |
60 | | -- [x] Config Scanner (.env, Dockerfile, docker-compose) Implemented |
61 | | -- [x] CLI (Typer + Rich) Implemented |
62 | | -- [x] Reporting System (JSON + Console) Implemented |
63 | | -- [x] CI Mode & Exit Codes Implemented |
64 | | -- [x] Manual Verification (Verified CI flags and Exit Codes) |
65 | | -- [x] Test Suite Implemented (Core, Secrets, Config, CI Coverage > 90%) |
66 | | -- [x] Rule System v2 Upgrade (Confidence field, Validation, Community Docs) |
67 | | -- [x] Developer Experience (DX) Improvements (Ignore System, README Polish, CLI UX) |
68 | | -- [x] Release & Distribution (Packaging, pyproject.toml, Entry Points) |
69 | | - |
70 | | -## 🔮 Next Steps |
71 | | -- Implement Inline Comments Support (e.g., `# openaudit:ignore`). |
72 | | -- Plugin System for third-party scanners. |
73 | | -- Dashboard Integration / HTML Report. |
| 1 | +# 🧠 OpenAuditKit Memory Bank |
| 2 | + |
| 3 | +## 📅 Status: Active Development |
| 4 | +**Last Update**: 2025-12-21 |
| 5 | +**Version**: 0.1.1+"Vibe" |
| 6 | + |
| 7 | +## 🚀 Recent Major Changes (The "Vibe" Update) |
| 8 | + |
| 9 | +### 1. VibeGuard (Technical Debt Scanner) |
| 10 | +- **Objective**: Catch "vibecoding" leftovers and non-engineering practices. |
| 11 | +- **Implementation**: `openaudit.features.debt.scanner.TechDebtScanner` |
| 12 | +- **Capabilities**: |
| 13 | + - 🏷️ **Annotations**: Detects `TODO`, `FIXME`, `BUG`, `HACK`. |
| 14 | + - 🐛 **Debug Leftovers**: Detects `print()`, `console.log()`, `debugger`, `pdb`. |
| 15 | + - 🔇 **Silent Failures**: Detects `except: pass`. |
| 16 | + - 🌐 **Hardcoded Values**: Detects IP addresses. |
| 17 | + |
| 18 | +### 2. MCP Server Integration (Model Context Protocol) 🤖 |
| 19 | +- **Objective**: Allow AI Agents (Claude, Cursor, etc.) to use OpenAuditKit as a tool. |
| 20 | +- **Implementation**: `openaudit.mcp.server` using `FastMCP`. |
| 21 | +- **Tools Exposed**: |
| 22 | + - `scan_workspace(path)`: Full security & quality scan. |
| 23 | + - `check_file(path)`: Single file analysis. |
| 24 | +- **Usage**: Run `openaudit mcp` to start the server. |
| 25 | + |
| 26 | +### 3. UI/UX Overhaul 🎨 |
| 27 | +- **Objective**: Make the CLI "fun" and modern. |
| 28 | +- **Implementation**: `openaudit.interface.cli.ui.UI` class. |
| 29 | +- **Features**: |
| 30 | + - ASCII Banner on startup. |
| 31 | + - Animated spinners (Dots, Earth, Weather). |
| 32 | + - Emoji-enriched, table-formatted reports. |
| 33 | + - "Scan Summary" verification panel. |
| 34 | + |
| 35 | +## 🛠️ Known Technical Debt & TODOs |
| 36 | + |
| 37 | +### 1. Windows Encoding Support |
| 38 | +- **Issue**: The new "fun" emojis (🔍, 🚀) cause `UnicodeEncodeError` on Windows (cp1254) terminals. |
| 39 | +- **Priority**: High (UX breaking). |
| 40 | +- **Fix**: Force UTF-8 encoding in `main.py` or strip emojis in legacy terminals. |
| 41 | + |
| 42 | +### 2. Single File Scanning in MCP |
| 43 | +- **Issue**: `check_file` tool currently re-initializes full context or relies on disk presence. |
| 44 | +- **Improvement**: Allow passing file content directly in memory for true "pre-save" checks. |
| 45 | + |
| 46 | +### 3. Project Self-Audit |
| 47 | +- **Status**: The project currently fails the self-audit (`openaudit scan .`). |
| 48 | +- **Issues Found**: 22 Total (1 Critical, 2 High). |
| 49 | +- **Details**: |
| 50 | + - **Tech Debt**: Multiple `TODO` and `Hack` annotations in `server.py` and `scanner.py`. |
| 51 | + - **Security**: Likely `except: pass` usage or similar high severity debt. |
| 52 | +- **Action**: Use VibeGuard to hunt them down in the next sprint. |
| 53 | + |
| 54 | +## 🔮 Future Roadmap |
| 55 | +- [ ] **IDE Extensions**: VSCode extension using the MCP server. |
| 56 | +- [ ] **Git Hooks**: Pre-commit hook to run `openaudit scan --fail-on high`. |
| 57 | +- [ ] **Custom Rules**: Allow users to define custom "Vibe Checks" (rules). |
0 commit comments