zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
skills/appsec/sast-bandit/assets/.gitkeep Normal file
View File

@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.

211
skills/appsec/sast-bandit/assets/bandit_config.yaml Normal file
View File

@@ -0,0 +1,211 @@
# Bandit Configuration File
# Production-ready configuration for Python security scanning
# Directories to exclude from scanning
exclude_dirs:
# Python environments
- /venv/
- /.venv/
- /env/
- /.env/
- /virtualenv/
- /.virtualenv/
- /site-packages/
- /dist-packages/
# Testing and build artifacts
- /tests/
- /test/
- /.pytest_cache/
- /.tox/
- /build/
- /dist/
- /.eggs/
- /*.egg-info/
# Version control and IDE
- /.git/
- /.svn/
- /.hg/
- /.idea/
- /.vscode/
- /__pycache__/
# Node modules and other language dependencies
- /node_modules/
- /vendor/
# Documentation and examples
- /docs/
- /examples/
# Tests to skip (use sparingly and document reasons)
skips:
# B101: Test for use of assert
# Commonly safe in test files and development code
# Consider keeping this enabled for production code
# - B101
# B311: Standard pseudo-random generators
# Only skip if using for non-security purposes (e.g., data generation)
# NEVER skip for security tokens, session IDs, or cryptographic operations
# - B311
# B404-B412: Import checks
# Skip only if you've reviewed and whitelisted specific imports
# - B404 # subprocess import
# - B405 # xml.etree.cElementTree import
# - B406 # xml.etree.ElementTree import
# - B407 # xml.expat import
# - B408 # xml.dom.minidom import
# - B409 # xml.dom.pulldom import
# - B410 # lxml import
# - B411 # xml.sax import
# - B412 # httpoxy
# Specific tests to run (comment out to run all tests)
# Use this to focus on specific security checks
# tests:
# - B201 # Flask app run with debug=True
# - B301 # Pickle usage
# - B302 # Use of insecure MD2, MD4, MD5, or SHA1 hash
# - B303 # Use of insecure MD2, MD4, MD5, or SHA1 hash
# - B304 # Use of insecure cipher mode
# - B305 # Use of insecure cipher mode
# - B306 # Use of mktemp
# - B307 # Use of eval
# - B308 # Use of mark_safe
# - B310 # Audit URL open for permitted schemes
# - B311 # Standard pseudo-random generators
# - B313 # XML bad element tree
# - B314 # XML bad element tree (lxml)
# - B315 # XML bad element tree (expat)
# - B316 # XML bad element tree (sax)
# - B317 # XML bad element tree (expatreader)
# - B318 # XML bad element tree (expatbuilder)
# - B319 # XML bad element tree (xmlrpc)
# - B320 # XML bad element tree (pulldom)
# - B321 # FTP-related functions
# - B323 # Unverified context
# - B324 # Use of insecure hash functions
# - B601 # Paramiko call with shell=True
# - B602 # subprocess call with shell=True
# - B603 # subprocess without shell equals true
# - B604 # Function call with shell=True
# - B605 # Starting a process with a shell
# - B606 # Starting a process without shell
# - B607 # Starting a process with a partial path
# - B608 # Possible SQL injection
# - B609 # Use of wildcard injection
# - B610 # SQL injection via Django raw SQL
# - B611 # SQL injection via Django extra
# - B701 # jinja2 autoescape false
# - B702 # Test for use of mako templates
# - B703 # Django autoescape false
# Plugin configuration
# Customize individual plugin behaviors
# Shell injection plugin configuration
shell_injection:
# Additional commands to check for shell injection
# Default: ['os.system', 'subprocess.call', 'subprocess.Popen']
no_shell:
- os.system
- subprocess.call
- subprocess.Popen
- subprocess.run
# Hard-coded password plugin configuration
hardcoded_tmp_directory:
# Directories considered safe for temporary files
# tmp_dirs:
# - /tmp
# - /var/tmp
# Output configuration (for reference - set via CLI)
# These are applied at runtime, not in config file
# output_format: json
# output_file: bandit-report.json
# verbose: true
# level: LOW # Report severity: LOW, MEDIUM, HIGH
# confidence: LOW # Report confidence: LOW, MEDIUM, HIGH
# Severity and confidence thresholds
# LOW: Report all issues (default)
# MEDIUM: Report MEDIUM and HIGH severity issues only
# HIGH: Report only HIGH severity issues
# Example usage commands:
#
# Basic scan:
# bandit -r . -c .bandit.yaml
#
# Scan with MEDIUM and HIGH severity only:
# bandit -r . -c .bandit.yaml -ll
#
# Scan with HIGH confidence only:
# bandit -r . -c .bandit.yaml -i
#
# Generate JSON report:
# bandit -r . -c .bandit.yaml -f json -o bandit-report.json
#
# Scan with enhanced analyzer script:
# python scripts/bandit_analyzer.py . --config .bandit.yaml --html report.html
# Progressive security hardening approach:
#
# Phase 1 - Baseline scan (all findings):
# bandit -r . -c .bandit.yaml
#
# Phase 2 - Block CRITICAL (HIGH severity + HIGH confidence):
# bandit -r . -c .bandit.yaml -ll -i
#
# Phase 3 - Block HIGH severity:
# bandit -r . -c .bandit.yaml -ll
#
# Phase 4 - Block MEDIUM and above:
# bandit -r . -c .bandit.yaml -l
#
# Phase 5 - Report all findings:
# bandit -r . -c .bandit.yaml
# Integration with CI/CD:
#
# GitHub Actions:
# - name: Run Bandit
# run: |
# pip install bandit
# bandit -r . -c .bandit.yaml -ll -f json -o bandit-report.json
# bandit -r . -c .bandit.yaml -ll || exit 1
#
# GitLab CI:
# bandit:
# image: python:3.11
# script:
# - pip install bandit
# - bandit -r . -c .bandit.yaml -ll
# allow_failure: false
#
# Jenkins:
# stage('Security Scan') {
# steps {
# sh 'pip install bandit'
# sh 'bandit -r . -c .bandit.yaml -ll -f json -o bandit-report.json'
# }
# }
# False positive handling:
#
# Inline suppression (use sparingly and document):
# import pickle # nosec B403 - Internal use only, not exposed to user input
#
# Line-specific suppression:
# result = eval(safe_expression) # nosec B307
#
# Block suppression:
# # nosec
# import xml.etree.ElementTree as ET
#
# NOTE: Always document WHY you're suppressing a finding
# Security team should review all nosec comments during code review

217
skills/appsec/sast-bandit/assets/pre-commit-config.yaml Normal file
View File

@@ -0,0 +1,217 @@
# Pre-commit Hook Configuration for Bandit
#
# This configuration integrates Bandit security scanning into your git workflow,
# preventing commits that introduce HIGH severity security vulnerabilities.
#
# Installation:
# 1. Install pre-commit: pip install pre-commit
# 2. Copy this file to .pre-commit-config.yaml in your repository root
# 3. Install hooks: pre-commit install
# 4. (Optional) Run on all files: pre-commit run --all-files
#
# Usage:
# - Hooks run automatically on 'git commit'
# - Bypass hooks temporarily: git commit --no-verify (use sparingly!)
# - Update hooks: pre-commit autoupdate
# - Test hooks: pre-commit run --all-files
repos:
# Python code formatting and linting
- repo: https://github.com/psf/black
rev: 23.12.1
hooks:
- id: black
language_version: python3.11
- repo: https://github.com/pycqa/isort
rev: 5.13.2
hooks:
- id: isort
args: ["--profile", "black"]
- repo: https://github.com/pycqa/flake8
rev: 7.0.0
hooks:
- id: flake8
args: ['--max-line-length=100', '--extend-ignore=E203,W503']
# Security scanning with Bandit
- repo: https://github.com/PyCQA/bandit
rev: '1.7.5'
hooks:
- id: bandit
name: Bandit Security Scan
args:
# Block HIGH and MEDIUM severity issues
- '-ll'
# Recursive scan
- '--recursive'
# Use custom config if present
- '--configfile'
- '.bandit.yaml'
# Skip low-priority tests to reduce false positives
# Uncomment to skip specific tests:
# - '-s'
# - 'B101,B601'
# Only scan Python files
files: \.py$
# Exclude test files (adjust pattern as needed)
exclude: |
(?x)^(
tests/.*|
test_.*\.py|
.*_test\.py
)$
# Alternative Bandit configuration with stricter settings
# Uncomment to use this instead of the above
# - repo: https://github.com/PyCQA/bandit
# rev: '1.7.5'
# hooks:
# - id: bandit
# name: Bandit Security Scan (Strict)
# args:
# # Block only HIGH severity with HIGH confidence (Critical findings)
# - '-ll'
# - '-i'
# - '--recursive'
# - '--configfile'
# - '.bandit.yaml'
# files: \.py$
# Alternative: Run Bandit with custom script for enhanced reporting
# Uncomment to use enhanced analyzer
# - repo: local
# hooks:
# - id: bandit-enhanced
# name: Bandit Enhanced Security Scan
# entry: python scripts/bandit_analyzer.py
# args:
# - '.'
# - '--config'
# - '.bandit.yaml'
# - '--min-priority'
# - '4' # HIGH priority
# language: python
# files: \.py$
# pass_filenames: false
# Additional security and quality checks
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
# Prevent commits to main/master
- id: no-commit-to-branch
args: ['--branch', 'main', '--branch', 'master']
# Check for merge conflicts
- id: check-merge-conflict
# Detect private keys
- id: detect-private-key
# Check for large files (>500KB)
- id: check-added-large-files
args: ['--maxkb=500']
# Check YAML syntax
- id: check-yaml
args: ['--safe']
# Check JSON syntax
- id: check-json
# Check for files that would conflict on case-insensitive filesystems
- id: check-case-conflict
# Ensure files end with newline
- id: end-of-file-fixer
# Trim trailing whitespace
- id: trailing-whitespace
# Check for debugger imports
- id: debug-statements
# Dependency security scanning
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
rev: v1.3.3
hooks:
- id: python-safety-dependencies-check
files: requirements.*\.txt$
# Secret detection
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
hooks:
- id: detect-secrets
args: ['--baseline', '.secrets.baseline']
exclude: package.lock.json
# Configuration for progressive security hardening
#
# Phase 1: Start with warnings only (for legacy codebases)
# Set bandit args to ['-r', '.', '--configfile', '.bandit.yaml', '--exit-zero']
# This runs Bandit but doesn't block commits
#
# Phase 2: Block HIGH severity only
# Set bandit args to ['-lll', '--recursive', '--configfile', '.bandit.yaml']
#
# Phase 3: Block MEDIUM and HIGH severity
# Set bandit args to ['-ll', '--recursive', '--configfile', '.bandit.yaml']
#
# Phase 4: Block all findings (strictest)
# Set bandit args to ['-l', '--recursive', '--configfile', '.bandit.yaml']
# Bypassing hooks (use judiciously)
#
# Skip all hooks for a single commit:
# git commit --no-verify -m "Emergency hotfix"
#
# Skip specific hook:
# SKIP=bandit git commit -m "Commit message"
#
# Note: All bypasses should be documented and reviewed in code review
# Troubleshooting
#
# Hook fails with "command not found":
# - Ensure pre-commit is installed: pip install pre-commit
# - Reinstall hooks: pre-commit install
#
# Hook fails with import errors:
# - Install dependencies: pip install -r requirements.txt
# - Update hooks: pre-commit autoupdate
#
# Too many false positives:
# - Adjust exclude patterns in .bandit.yaml
# - Use inline # nosec comments with justification
# - Adjust severity threshold in args (-l, -ll, -lll)
#
# Performance issues:
# - Exclude virtual environments in .bandit.yaml
# - Use 'files' and 'exclude' patterns to limit scope
# - Consider running stricter checks only on CI/CD
# CI/CD Integration
#
# Run pre-commit checks in CI/CD:
#
# GitHub Actions:
# - name: Pre-commit checks
# uses: pre-commit/action@v3.0.0
#
# GitLab CI:
# pre-commit:
# image: python:3.11
# script:
# - pip install pre-commit
# - pre-commit run --all-files
#
# Jenkins:
# stage('Pre-commit') {
# steps {
# sh 'pip install pre-commit'
# sh 'pre-commit run --all-files'
# }
# }