scripts/security_audit.sh

#!/bin/bash
# Security Audit Script
# Performs security checks and vulnerability scanning

set -e

echo "============================================================"
echo "Security Audit - HonestAI Application"
echo "============================================================"

# Check Python security linting with Bandit
if command -v bandit &> /dev/null; then
    echo ""
    echo "Running Bandit security linter..."
    bandit -r src/ -f json -o bandit_report.json || true
    bandit -r src/ || true
    echo "✅ Bandit scan complete (see bandit_report.json for details)"
else
    echo "ℹ️  Bandit not installed. Install with: pip install bandit"
fi

# Check dependency vulnerabilities with Safety
if command -v safety &> /dev/null; then
    echo ""
    echo "Checking dependency vulnerabilities with Safety..."
    safety check --json || true
    safety check || true
    echo "✅ Safety scan complete"
else
    echo "ℹ️  Safety not installed. Install with: pip install safety"
fi

# Check for hardcoded secrets
echo ""
echo "Checking for potential hardcoded secrets..."
if grep -r "password\s*=\s*['\"]" src/ --exclude-dir=__pycache__ 2>/dev/null; then
    echo "⚠️  WARNING: Potential hardcoded passwords found"
else
    echo "✅ No obvious hardcoded passwords found"
fi

if grep -r "api_key\s*=\s*['\"]" src/ --exclude-dir=__pycache__ 2>/dev/null; then
    echo "⚠️  WARNING: Potential hardcoded API keys found"
else
    echo "✅ No obvious hardcoded API keys found"
fi

# Check file permissions
echo ""
echo "Checking file permissions..."
if [ -f "flask_api_standalone.py" ]; then
    perms=$(stat -c "%a" flask_api_standalone.py 2>/dev/null || stat -f "%OLp" flask_api_standalone.py 2>/dev/null)
    if [ "$perms" != "644" ] && [ "$perms" != "755" ]; then
        echo "⚠️  WARNING: flask_api_standalone.py has unusual permissions: $perms"
    else
        echo "✅ flask_api_standalone.py permissions OK: $perms"
    fi
fi

# Check for SQL injection vulnerabilities
echo ""
echo "Checking for SQL injection patterns..."
if grep -r "execute.*%s\|execute.*\+" src/ --include="*.py" 2>/dev/null | grep -v "# SQL injection safe"; then
    echo "⚠️  WARNING: Potential SQL injection vulnerabilities found"
    echo "   Review SQL queries for proper parameterization"
else
    echo "✅ No obvious SQL injection patterns found"
fi

# Check for XSS vulnerabilities
echo ""
echo "Checking for XSS patterns..."
if grep -r "render_template_string\|Markup\|SafeString" src/ --include="*.py" 2>/dev/null; then
    echo "⚠️  WARNING: Potential XSS vulnerabilities found"
    echo "   Review template rendering for proper escaping"
else
    echo "✅ No obvious XSS patterns found"
fi

# Check environment variable usage
echo ""
echo "Checking environment variable usage..."
if grep -r "os.getenv\|os.environ" src/ flask_api_standalone.py 2>/dev/null | grep -v "HF_TOKEN\|LOG_DIR\|OMP_NUM_THREADS"; then
    echo "ℹ️  Environment variables found - ensure they are properly validated"
fi

echo ""
echo "============================================================"
echo "Security Audit Complete"
echo "============================================================"
echo ""
echo "Recommendations:"
echo "1. Review bandit_report.json for security issues"
echo "2. Update dependencies with: safety check"
echo "3. Run OWASP ZAP for dynamic security testing"
echo "4. Perform regular security audits (quarterly recommended)"
echo "5. Keep dependencies up to date"