Initial commit with core functionality and documentation

Author: bvvard

.github/workflows/security_scan.yml

@@ -0,0 +1,15 @@
+name: Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install Dependencies
+        run: |
+          pip install -r requirements.txt
+      - name: Run Secure Code Scanner
+        run: |
+          python scanner.py --repo "${{ github.repository }}"

config.yaml

@@ -0,0 +1,31 @@
+# config.yaml
+
+rules:
+  - name: "disallow_eval"
+    pattern: "eval"
+    severity: "critical"
+
+  - name: "disallow_exec"
+    pattern: "exec"
+    severity: "critical"
+
+whitelisted_functions:
+  - "safe_eval"
+
+blacklisted_functions:
+  - "exec"
+  - "eval"
+
+dependency_policies:
+  check_outdated: true
+  minimum_security_level: "high"
+  allow_pre_releases: false
+  disallowed_packages:
+    - "pycrypto"
+
+reporting:
+  output_format: "json"
+  verbosity: "high"
+  include_timestamp: true
+  critical_only: false
+  save_path: "./reports"

core/clone_repo.py

@@ -0,0 +1,19 @@
+import git
+import tempfile
+import os
+import shutil
+
+def clone_repository(repo_url):
+    temp_dir = tempfile.mkdtemp()
+    try:
+        git.Repo.clone_from(repo_url, temp_dir)
+        print(f"Repository cloned to {temp_dir}")
+        return temp_dir
+    except Exception as e:
+        print(f"Error cloning repository: {e}")
+        return None
+
+def cleanup_repository(directory):
+    if directory and os.path.exists(directory):
+        shutil.rmtree(directory)
+        print(f"Cleaned up directory: {directory}")

core/dependency_check.py

@@ -0,0 +1,19 @@
+import requests
+import os
+
+def check_dependencies(repo_dir, config):
+    results = []
+    with open(os.path.join(repo_dir, "requirements.txt"), 'r') as file:
+        for line in file:
+            package_name, version = line.strip().split("==")
+            vulnerabilities = check_vulnerabilities(package_name, version)
+            if vulnerabilities:
+                results.append(vulnerabilities)
+    return results
+
+def check_vulnerabilities(package_name, version):
+    url = f"https://api.github.com/advisories/{package_name}/{version}"
+    response = requests.get(url)
+    if response.status_code == 200:
+        return response.json()
+    return []

core/detect_malicious.py

@@ -0,0 +1,15 @@
+import ast
+import re
+
+def detect_malicious_patterns(file_path, config):
+    results = []
+    with open(file_path, 'r') as file:
+        try:
+            tree = ast.parse(file.read(), filename=file_path)
+            for node in ast.walk(tree):
+                if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
+                    if node.func.id in config['blacklisted_functions']:
+                        results.append(f"Suspicious function `{node.func.id}` in {file_path}")
+        except SyntaxError:
+            print(f"Syntax error in {file_path}")
+    return results

core/policy_config.py

@@ -0,0 +1,13 @@
+import yaml
+
+def load_policy(file_path='config.yaml'):
+    try:
+        with open(file_path, 'r') as file:
+            config = yaml.safe_load(file)
+        return config
+    except FileNotFoundError:
+        print("Configuration file not found. Using default settings.")
+        return {}
+    except yaml.YAMLError as e:
+        print(f"Error reading configuration file: {e}")
+        return {}

core/report.py

@@ -0,0 +1,11 @@
+import json
+import os
+from datetime import datetime
+
+def generate_report(results, config):
+    report_path = config['reporting']['save_path']
+    os.makedirs(report_path, exist_ok=True)
+    filename = os.path.join(report_path, f"scan_report_{datetime.now().isoformat()}.json")
+    with open(filename, "w") as file:
+        json.dump(results, file, indent=4)
+    print(f"Report saved to {filename}")

core/scan_insecure.py

@@ -0,0 +1,8 @@
+from bandit.core import manager
+
+def run_bandit_scan(file_path):
+    bandit_manager = manager.BanditManager()
+    bandit_manager.discover_files([file_path])
+    bandit_manager.run_tests()
+    results = [f"{issue.fname}:{issue.lineno} - {issue.text}" for issue in bandit_manager.get_issue_list()]
+    return results

requirements.txt

@@ -0,0 +1,5 @@
+GitPython
+bandit
+click
+requests
+pyyaml

scanner.py

@@ -0,0 +1,43 @@
+import click
+from core import clone_repo, detect_malicious, scan_insecure, dependency_check, policy_config, report
+
+@click.command()
+@click.option("--repo", prompt="GitHub repository URL", help="URL of the GitHub repository")
+def main(repo):
+    """Secure Source Code Scanner CLI."""
+    config = policy_config.load_policy("config.yaml")
+
+    # Clone repository
+    repo_dir = clone_repo.clone_repository(repo)
+    if not repo_dir:
+        click.echo("Failed to clone repository.")
+        return
+
+    # Scan repository for malicious code
+    malicious_results = []
+    insecure_results = []
+    
+    # Perform scans on each .py file
+    for root, _, files in os.walk(repo_dir):
+        for file in files:
+            if file.endswith('.py'):
+                file_path = os.path.join(root, file)
+                malicious_results += detect_malicious.detect_malicious_patterns(file_path, config)
+                insecure_results += scan_insecure.run_bandit_scan(file_path)
+
+    # Check dependencies
+    dependency_results = dependency_check.check_dependencies(repo_dir, config)
+
+    # Generate report
+    results = {
+        "malicious": malicious_results,
+        "insecure": insecure_results,
+        "dependencies": dependency_results
+    }
+    report.generate_report(results, config)
+
+    # Cleanup cloned repository
+    clone_repo.cleanup_repository(repo_dir)
+
+if __name__ == "__main__":
+    main()