#!/bin/bash # Security Audit Script # Performs security checks and vulnerability scanning set -e echo "============================================================" echo "Security Audit - HonestAI Application" echo "============================================================" # Check Python security linting with Bandit if command -v bandit &> /dev/null; then echo "" echo "Running Bandit security linter..." bandit -r src/ -f json -o bandit_report.json || true bandit -r src/ || true echo "✅ Bandit scan complete (see bandit_report.json for details)" else echo "ℹ️ Bandit not installed. Install with: pip install bandit" fi # Check dependency vulnerabilities with Safety if command -v safety &> /dev/null; then echo "" echo "Checking dependency vulnerabilities with Safety..." safety check --json || true safety check || true echo "✅ Safety scan complete" else echo "ℹ️ Safety not installed. Install with: pip install safety" fi # Check for hardcoded secrets echo "" echo "Checking for potential hardcoded secrets..." if grep -r "password\s*=\s*['\"]" src/ --exclude-dir=__pycache__ 2>/dev/null; then echo "⚠️ WARNING: Potential hardcoded passwords found" else echo "✅ No obvious hardcoded passwords found" fi if grep -r "api_key\s*=\s*['\"]" src/ --exclude-dir=__pycache__ 2>/dev/null; then echo "⚠️ WARNING: Potential hardcoded API keys found" else echo "✅ No obvious hardcoded API keys found" fi # Check file permissions echo "" echo "Checking file permissions..." if [ -f "flask_api_standalone.py" ]; then perms=$(stat -c "%a" flask_api_standalone.py 2>/dev/null || stat -f "%OLp" flask_api_standalone.py 2>/dev/null) if [ "$perms" != "644" ] && [ "$perms" != "755" ]; then echo "⚠️ WARNING: flask_api_standalone.py has unusual permissions: $perms" else echo "✅ flask_api_standalone.py permissions OK: $perms" fi fi # Check for SQL injection vulnerabilities echo "" echo "Checking for SQL injection patterns..." if grep -r "execute.*%s\|execute.*\+" src/ --include="*.py" 2>/dev/null | grep -v "# SQL injection safe"; then echo "⚠️ WARNING: Potential SQL injection vulnerabilities found" echo " Review SQL queries for proper parameterization" else echo "✅ No obvious SQL injection patterns found" fi # Check for XSS vulnerabilities echo "" echo "Checking for XSS patterns..." if grep -r "render_template_string\|Markup\|SafeString" src/ --include="*.py" 2>/dev/null; then echo "⚠️ WARNING: Potential XSS vulnerabilities found" echo " Review template rendering for proper escaping" else echo "✅ No obvious XSS patterns found" fi # Check environment variable usage echo "" echo "Checking environment variable usage..." if grep -r "os.getenv\|os.environ" src/ flask_api_standalone.py 2>/dev/null | grep -v "HF_TOKEN\|LOG_DIR\|OMP_NUM_THREADS"; then echo "ℹ️ Environment variables found - ensure they are properly validated" fi echo "" echo "============================================================" echo "Security Audit Complete" echo "============================================================" echo "" echo "Recommendations:" echo "1. Review bandit_report.json for security issues" echo "2. Update dependencies with: safety check" echo "3. Run OWASP ZAP for dynamic security testing" echo "4. Perform regular security audits (quarterly recommended)" echo "5. Keep dependencies up to date"