Skip to content

Commit 8be16bf

Browse files
committed
Add AI advisory agents and architecture/dataflow analysis
Introduces AI-powered advisory agents for architecture, dataflow, and secret confidence analysis, with opt-in consent and redaction for privacy. Adds new modules for AI engine, agent protocols, and feature-based architecture and dataflow scanning. Updates CLI to support AI features, integrates AI findings into scan results, and improves documentation on ethics and usage. Removes test_secret.py and adds cross-file test cases.
1 parent ee0e72f commit 8be16bf

30 files changed

Lines changed: 912 additions & 10 deletions

File tree

AI_ETHICS.md

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
# 🛡 AI Ethics & Privacy in OpenAuditKit
2+
3+
OpenAuditKit integrates AI capabilities with a "Safety-First" approach. We believe security tools should not compromise the privacy of the code they analyze.
4+
5+
## 1. Opt-In by Default
6+
AI features are **strictly opt-in**.
7+
- You must explicitly pass the `--ai` flag to enable them.
8+
- On the first run, you will be asked to grant consent interactively.
9+
- For CI/CD, you must explicitly enable consent (e.g., via `openaudit consent --grant`).
10+
11+
## 2. Data Redaction
12+
Before any code snippet is sent to an LLM (Large Language Model):
13+
- **Secrets are Redacted**: We use our static analysis engine to detect and mask secrets (API keys, passwords, tokens) with `[REDACTED]`.
14+
- **Anonymization**: We aim to strip PII where possible, though code context is preserved for analysis.
15+
16+
## 3. Advisory Nature
17+
AI is non-deterministic.
18+
- All AI-generated findings are tagged as **Advisory**.
19+
- They should be reviewed by a human.
20+
- They do not block builds by default unless configured otherwise.
21+
22+
## 4. Local vs External
23+
- We support local LLMs (e.g., via Ollama) for users who want zero data egress.
24+
- External providers (e.g., OpenAI, Anthropic) are optional and require your own API keys. We do not proxy your code through our servers.
25+
26+
## 5. Transparency
27+
- We explain *why* an AI finding was generated.
28+
- We show the prompt context (in debug mode) so you know exactly what was sent.

README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ OpenAuditKit is an open-source CLI security audit tool designed to scan your cod
77
- **Config Scanning**: Identifies misconfigurations in deployment files (e.g., .env, Dockerfile).
88
- **Secure**: Secrets are masked in outputs; offline-first design.
99
- **Backend Ready**: Feature-based architecture with Pydantic models for easy integration into dashboards or APIs.
10-
- **Customizable**: Add your own rules! See [Rule Documentation](rules/README.md).
10+
- **Customizable**: Add your own rules! See [Rule Documentation](openopenaudit/rules/README.md).
1111

1212
## 🛡️ Why OpenAuditKit?
1313

@@ -33,7 +33,7 @@ Often, security tools are either too simple (grep) or too complex (enterprise SA
3333
pip install openaudit
3434

3535
# Or from source
36-
git clone https://github.com/StartUp-Agency/OpenAuditKit.git
36+
git clone https://github.com/neuralforgeone/OpenAuditKit.git
3737
cd OpenAuditKit
3838
pip install .
3939
```

build/lib/openaudit/__init__.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
__version__ = "0.1.0"

build/lib/openaudit/main.py

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
from openaudit.interface.cli.app import app
2+
3+
def main():
4+
app()
5+
6+
if __name__ == "__main__":
7+
main()
Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
rules:
2+
# .env Rules
3+
- id: "CONF_DEBUG_ENABLED"
4+
description: "Debug mode enabled in configuration"
5+
regex: "(?i)^\\s*DEBUG\\s*=\\s*(true|1|yes)"
6+
severity: "high"
7+
confidence: "high"
8+
category: "config"
9+
remediation: "Set DEBUG=False in production environments."
10+
11+
- id: "CONF_DATABASE_URL_UNENCRYPTED"
12+
description: "Plaintext database URL detected"
13+
regex: "^\\s*DATABASE_URL\\s*=\\s*(postgres|mysql|mongodb)://"
14+
severity: "high"
15+
confidence: "high"
16+
category: "config"
17+
remediation: "Use encrypted secrets management or mask credentials."
18+
19+
- id: "CONF_ENV_DEV_IN_PROD"
20+
description: "Development environment setting detected"
21+
regex: "(?i)^\\s*ENV\\s*=\\s*(dev|development)"
22+
severity: "medium"
23+
confidence: "high"
24+
category: "config"
25+
remediation: "Ensure this is not a production environment."
26+
27+
# Dockerfile Rules
28+
- id: "DOCKER_USER_ROOT"
29+
description: "Container running as root"
30+
regex: "^\\s*USER\\s+root"
31+
severity: "high"
32+
confidence: "high"
33+
category: "infrastructure"
34+
remediation: "Create and switch to a non-root user."
35+
36+
- id: "DOCKER_EXPOSE_ALL"
37+
description: "Exposing service on all interfaces (0.0.0.0)"
38+
regex: "^\\s*EXPOSE\\s+.*0\\.0\\.0\\.0"
39+
severity: "medium"
40+
confidence: "high"
41+
category: "infrastructure"
42+
remediation: "Bind to specific interfaces if possible."
43+
44+
- id: "DOCKER_ADD_COPY_ALL"
45+
description: "Broad COPY instruction (COPY . /)"
46+
regex: "^\\s*COPY\\s+\\.\\s+/"
47+
severity: "low"
48+
confidence: "medium"
49+
category: "infrastructure"
50+
remediation: "Use .dockerignore and copy only necessary files."
51+
52+
# Docker Compose Rules (Regex approximation for simple detection, can be refined with yaml parsing)
53+
- id: "COMPOSE_RESTART_ALWAYS"
54+
description: "Restart policy set to always"
55+
regex: "restart:\\s*always"
56+
severity: "low"
57+
confidence: "high"
58+
category: "infrastructure"
59+
remediation: "Consider 'on-failure' or specific restart policies."
60+
61+
- id: "COMPOSE_PORT_EXPOSURE"
62+
description: "Port exposed to host (broad range)"
63+
regex: "\\s*-\\s*[\"']?0\\.0\\.0\\.0:"
64+
severity: "medium"
65+
confidence: "high"
66+
category: "infrastructure"
67+
remediation: "Bind ports to localhost (127.0.0.1) if external access is not required."
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
rules:
2+
- id: "AWS_ACCESS_KEY_ID"
3+
description: "AWS Access Key ID"
4+
regex: "(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
5+
entropy_check: false
6+
severity: "critical"
7+
confidence: "high"
8+
category: "secret"
9+
remediation: "Revoke the key immediately and rotate credentials."
10+
11+
- id: "GENERIC_API_KEY"
12+
description: "Potential High Entropy Key"
13+
regex: "api_key['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9_\\-]{32,})"
14+
entropy_check: true
15+
severity: "high"
16+
confidence: "medium"
17+
category: "secret"
18+
remediation: "Verify if this is a real secret and move to environment variables."

openaudit.egg-info/PKG-INFO

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ OpenAuditKit is an open-source CLI security audit tool designed to scan your cod
2626
- **Config Scanning**: Identifies misconfigurations in deployment files (e.g., .env, Dockerfile).
2727
- **Secure**: Secrets are masked in outputs; offline-first design.
2828
- **Backend Ready**: Feature-based architecture with Pydantic models for easy integration into dashboards or APIs.
29-
- **Customizable**: Add your own rules! See [Rule Documentation](rules/README.md).
29+
- **Customizable**: Add your own rules! See [Rule Documentation](openopenaudit/rules/README.md).
3030

3131
## 🛡️ Why OpenAuditKit?
3232

@@ -48,7 +48,13 @@ Often, security tools are either too simple (grep) or too complex (enterprise SA
4848

4949
## Installation
5050
```bash
51-
pip install -r requirements.txt
51+
# From PyPI (Coming Real Soon!)
52+
pip install openaudit
53+
54+
# Or from source
55+
git clone https://github.com/neuralforgeone/OpenAuditKit.git
56+
cd OpenAuditKit
57+
pip install .
5258
```
5359

5460
## Usage

openaudit/ai/__init__.py

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
from .models import PromptContext, AIResult
2+
from .protocol import AgentProtocol
3+
from .ethics import Redactor, ConsentManager
4+
5+
__all__ = ["PromptContext", "AIResult", "AgentProtocol", "Redactor", "ConsentManager"]

openaudit/ai/engine.py

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
from typing import List, Dict
2+
from openaudit.ai.models import PromptContext, AIResult
3+
from openaudit.ai.protocol import AgentProtocol
4+
from openaudit.ai.ethics import ConsentManager
5+
6+
class AIEngine:
7+
"""
8+
Orchestrator for AI Agents.
9+
"""
10+
def __init__(self, offline_only: bool = True):
11+
self.offline_only = offline_only
12+
self.agents: Dict[str, AgentProtocol] = {}
13+
14+
def register_agent(self, agent: AgentProtocol):
15+
"""
16+
Register a new agent capability.
17+
"""
18+
self.agents[agent.name] = agent
19+
20+
def run_agent(self, agent_name: str, context: PromptContext) -> AIResult:
21+
"""
22+
Run a specific agent by name.
23+
"""
24+
if not ConsentManager.has_consented():
25+
raise PermissionError("User has not consented to AI usage.")
26+
27+
if agent_name not in self.agents:
28+
raise ValueError(f"Agent {agent_name} not found.")
29+
30+
return self.agents[agent_name].run(context)

openaudit/ai/ethics.py

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
import re
2+
from typing import List
3+
from pathlib import Path
4+
5+
# Placeholder for consent storage file
6+
CONSENT_FILE = Path(".openaudit_consent")
7+
8+
class Redactor:
9+
"""
10+
Utility to redaction secrets from text before sending to an LLM.
11+
Uses basic patterns to identify potential secrets.
12+
"""
13+
14+
# Simple regex for common secrets (placeholder, ideally reuse SecretScanner patterns)
15+
# This is a safety net; specific scanners should also redact.
16+
SENSITIVE_PATTERNS = [
17+
r"(?i)(api[_-]?key|secret|token|password|passwd|pwd)['\"]?\s*[:=]\s*['\"]?([a-zA-Z0-9_\-]{8,})['\"]?",
18+
r"(?i)private[_-]?key",
19+
]
20+
21+
@classmethod
22+
def redact(cls, text: str) -> str:
23+
"""
24+
Replace sensitive patterns with [REDACTED].
25+
"""
26+
redacted_text = text
27+
for pattern in cls.SENSITIVE_PATTERNS:
28+
redacted_text = re.sub(pattern, lambda m: m.group(0).replace(m.group(2), "[REDACTED]"), redacted_text)
29+
return redacted_text
30+
31+
class ConsentManager:
32+
"""
33+
Manages user consent for AI features.
34+
"""
35+
36+
@staticmethod
37+
def has_consented() -> bool:
38+
"""
39+
Check if the user has explicitly consented to AI usage.
40+
For now, we check for a specific marker file or env var.
41+
"""
42+
# In a real impl, this might check a global config file in user home
43+
return CONSENT_FILE.exists()
44+
45+
@staticmethod
46+
def grant_consent():
47+
"""
48+
Grant consent creates the marker.
49+
"""
50+
CONSENT_FILE.touch()
51+
52+
@staticmethod
53+
def revoke_consent():
54+
"""
55+
Revoke consent removes the marker.
56+
"""
57+
if CONSENT_FILE.exists():
58+
CONSENT_FILE.unlink()

0 commit comments

Comments
 (0)