Hugging Face's logo

Spaces:
lablab-ai-amd-developer-hackathon
/
SwarmAudit
Running

App Files Community
SwarmAudit / app /agents /security_agent.py
Pranoy Mukherjee
Add crawler, security agent, API, and Gradio MVP
a3ecd30
raw
history blame contribute delete
2.77 kB
import re
from app.schemas import AgentOutput, CodeChunk, Finding, Severity
from app.services.llm_client import LLMClient
SECURITY_PATTERNS = [
 (
 re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*=\s*['\"][^'\"]{8,}['\"]"),
 "Potential hardcoded secret",
 Severity.high,
 "A credential-like value appears to be hardcoded.",
 "Move secrets into environment variables or a managed secret store.",
 ),
 (
 re.compile(r"(?i)verify\s*=\s*False"),
 "TLS certificate verification disabled",
 Severity.high,
 "Disabling TLS verification can allow man-in-the-middle attacks.",
 "Remove verify=False and use a trusted CA bundle if needed.",
 ),
 (
 re.compile(r"(?i)(eval|exec)\s*\("),
 "Dynamic code execution",
 Severity.medium,
 "Dynamic execution can turn untrusted input into arbitrary code execution.",
 "Replace eval/exec with explicit parsing or a constrained command map.",
 ),
]
class SecurityAgent:
 name = "Security Agent"
def __init__(self, llm_client: LLMClient):
 self.llm_client = llm_client
async def analyze(self, chunks: list[CodeChunk]) -> AgentOutput:
 findings: list[Finding] = []
for chunk in chunks:
 findings.extend(self._scan_chunk(chunk))
await self.llm_client.complete_json(
 "You are a security code review agent. Return JSON findings only.",
 f"Review {len(chunks)} chunks for security issues.",
 )
return AgentOutput(
 agent_name=self.name,
 findings=findings,
 metadata={"chunks_scanned": len(chunks), "mode": "static-rules-plus-llm-interface"},
 )
def _scan_chunk(self, chunk: CodeChunk) -> list[Finding]:
 findings: list[Finding] = []
 lines = chunk.content.splitlines()
for offset, line in enumerate(lines):
 actual_line = chunk.line_start + offset
 for pattern, title, severity, description, fix in SECURITY_PATTERNS:
 if pattern.search(line):
 findings.append(
 Finding(
 title=title,
 severity=severity,
 file_path=chunk.file_path,
 line_start=actual_line,
 line_end=actual_line,
 description=description,
 why_it_matters="Attackers often search repos for exposed credentials and unsafe execution paths.",
 suggested_fix=fix,
 agent_source=self.name,
 )
 )
return findings