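#!/bin/bash
# Security Audit Script
# Performs static security checks over the application source tree:
# Bandit, Safety, and a set of grep heuristics (secrets, permissions,
# SQL injection, XSS, environment-variable usage).
#
# Usage: run from the project root (the directory containing src/).
# Env:   AUDIT_STRICT=1  -> exit non-zero when any warning was raised.
#        (Newly introduced, opt-in. Default keeps exit status 0 so existing
#        callers and CI jobs are unaffected.)
#
# Every check here is a heuristic: a "✅" line means "nothing obvious found",
# not "secure". Findings still need human review.

set -euo pipefail

readonly BANNER="============================================================"

# Number of warnings raised so far; reported in the summary and consulted by
# AUDIT_STRICT at the end.
warnings=0

#######################################
# Print a warning line and count it.
# Globals:   warnings (written)
# Arguments: $1 - message
#######################################
warn() {
  printf '⚠️  WARNING: %s\n' "$1"
  warnings=$((warnings + 1))
}

#######################################
# Print a blank line followed by a section title.
# Arguments: $1 - title
#######################################
section() {
  printf '\n%s\n' "$1"
}

#######################################
# Run Bandit (Python static analyser) if installed: a JSON report for
# tooling plus the human-readable run.
# Outputs: bandit_report.json in the current directory
#######################################
check_bandit() {
  if ! command -v bandit >/dev/null 2>&1; then
    echo "ℹ️  Bandit not installed. Install with: pip install bandit"
    return 0
  fi
  section "Running Bandit security linter..."
  # Bandit exits non-zero when it has findings; that is a result, not a
  # failure of this script, so do not let set -e abort the audit.
  bandit -r src/ -f json -o bandit_report.json || true
  bandit -r src/ || true
  echo "✅ Bandit scan complete (see bandit_report.json for details)"
}

#######################################
# Run Safety (dependency vulnerability check) if installed.
#######################################
check_safety() {
  if ! command -v safety >/dev/null 2>&1; then
    echo "ℹ️  Safety not installed. Install with: pip install safety"
    return 0
  fi
  section "Checking dependency vulnerabilities with Safety..."
  # Non-zero exit means findings were reported; keep going.
  safety check --json || true
  safety check || true
  echo "✅ Safety scan complete"
}

#######################################
# Flag assignments of a quoted literal to a secret-looking identifier.
# Case-insensitive so constants such as PASSWORD = "..." are caught too.
# -I skips binary files, whose "Binary file matches" output would otherwise
# count as a hit. [[:space:]] is used instead of GNU-only \s so BSD grep
# (macOS) behaves the same.
# Arguments: $1 - identifier to search for (e.g. password)
#            $2 - plural label for the report line (e.g. passwords)
#######################################
check_secret_assignment() {
  local name=$1 label=$2
  if grep -rIiE --exclude-dir=__pycache__ \
      "${name}[[:space:]]*=[[:space:]]*['\"]" src/; then
    warn "Potential hardcoded ${label} found"
  else
    echo "✅ No obvious hardcoded ${label} found"
  fi
}

#######################################
# Hardcoded-secret heuristics: passwords and API keys assigned as literals.
#######################################
check_secrets() {
  section "Checking for potential hardcoded secrets..."
  check_secret_assignment password passwords
  check_secret_assignment api_key "API keys"
}

#######################################
# Report the mode of the standalone API entry point when it is present.
# 644 and 755 are accepted; anything else (notably group/world-writable
# modes) is flagged.
#######################################
check_file_permissions() {
  local target=flask_api_standalone.py perms
  section "Checking file permissions..."
  [[ -f "$target" ]] || return 0
  # GNU stat first, BSD/macOS stat as fallback. If both fail, the original
  # `perms=$(... || ...)` made set -e abort the whole audit silently; report
  # it instead and carry on.
  perms=$(stat -c '%a' "$target" 2>/dev/null \
    || stat -f '%OLp' "$target" 2>/dev/null) || true
  if [[ -z "$perms" ]]; then
    warn "could not read permissions of ${target}"
    return 0
  fi
  case "$perms" in
    644|755) echo "✅ ${target} permissions OK: ${perms}" ;;
    *) warn "${target} has unusual permissions: ${perms}" ;;
  esac
}

#######################################
# SQL injection heuristic: execute()/executemany() calls whose query text is
# assembled with %s, string concatenation (+), .format() or an f-string.
# Lines carrying the "# SQL injection safe" tag are excluded; the tag is an
# explicit reviewer sign-off, not something the scanner infers.
# Note: the previous BRE pattern `execute.*\+` appears to treat \+ as a GNU
# quantifier rather than a literal plus, which would flag every execute()
# call; ERE with a literal \+ is used here.
#######################################
check_sql_injection() {
  section "Checking for SQL injection patterns..."
  if grep -rIE --include='*.py' \
      "execute[a-z]*\(.*(%s|\+|\.format\(|[[:space:](,]f['\"])" src/ \
      | grep -v '# SQL injection safe'; then
    warn "Potential SQL injection vulnerabilities found"
    echo "   Review SQL queries for proper parameterization"
  else
    echo "✅ No obvious SQL injection patterns found"
  fi
}

#######################################
# XSS heuristic: APIs that bypass template auto-escaping, plus an explicit
# autoescape=False.
#######################################
check_xss() {
  section "Checking for XSS patterns..."
  if grep -rIE --include='*.py' \
      "render_template_string|Markup|SafeString|autoescape[[:space:]]*=[[:space:]]*False" \
      src/; then
    warn "Potential XSS vulnerabilities found"
    echo "   Review template rendering for proper escaping"
  else
    echo "✅ No obvious XSS patterns found"
  fi
}

#######################################
# List environment-variable reads other than the known, reviewed ones
# (HF_TOKEN, LOG_DIR, OMP_NUM_THREADS) as a reminder to validate them.
#######################################
check_env_usage() {
  local -a targets=(src/)
  section "Checking environment variable usage..."
  # The standalone entry point lives outside src/; include it only when it
  # exists, because a missing file makes grep exit 2 even when it found
  # matches, which would hide real results.
  if [[ -f flask_api_standalone.py ]]; then
    targets+=(flask_api_standalone.py)
  fi
  if grep -rIE 'os\.getenv|os\.environ' "${targets[@]}" \
      | grep -Ev 'HF_TOKEN|LOG_DIR|OMP_NUM_THREADS'; then
    echo "ℹ️  Environment variables found - ensure they are properly validated"
  fi
}

#######################################
# Closing banner, warning count and follow-up recommendations.
# Globals: warnings (read)
#######################################
print_summary() {
  printf '\n%s\n' "$BANNER"
  echo "Security Audit Complete"
  echo "$BANNER"
  printf '\nWarnings raised: %d\n\n' "$warnings"
  echo "Recommendations:"
  echo "1. Review bandit_report.json for security issues"
  echo "2. Address vulnerable dependencies reported by: safety check"
  echo "3. Run OWASP ZAP for dynamic security testing"
  echo "4. Perform regular security audits (quarterly recommended)"
  echo "5. Keep dependencies up to date"
}

#######################################
# Entry point: run every check in order, then summarise.
# Returns: 0; 1 when AUDIT_STRICT=1 and warnings were raised;
#          2 when src/ is missing
#######################################
main() {
  echo "$BANNER"
  echo "Security Audit - HonestAI Application"
  echo "$BANNER"

  # Every grep below targets src/. Run from another directory, the old script
  # found nothing, swallowed grep's errors and printed an all-green audit;
  # a false-clean result is worse than no result, so refuse to continue.
  if [[ ! -d src ]]; then
    echo "ERROR: src/ not found - run this script from the project root" >&2
    exit 2
  fi

  check_bandit
  check_safety
  check_secrets
  check_file_permissions
  check_sql_injection
  check_xss
  check_env_usage
  print_summary

  if [[ "${AUDIT_STRICT:-0}" == 1 && "$warnings" -gt 0 ]]; then
    exit 1
  fi
}

main "$@"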