Documentation
¶
Overview ¶
Package audit provides agent surface security auditing for hawk-eco. It scans MCP hooks, permissions, and integration points for security issues.
Index ¶
- Variables
- func DefaultRules() []string
- func ValidateRule(rule string) bool
- type AuditFinding
- type AuditReport
- func (r *AuditReport) AddFinding(f AuditFinding)
- func (r *AuditReport) Count() int
- func (r *AuditReport) FilterByCategory(category string) []AuditFinding
- func (r *AuditReport) FilterBySeverity(severity string) []AuditFinding
- func (r *AuditReport) Findings() []AuditFinding
- func (r *AuditReport) Stats() AuditStats
- func (r *AuditReport) Summary() string
- type AuditScope
- type AuditStats
- type AuditTarget
- type AuditTargetType
- type Category
- type HTTPClient
- type HTTPResponse
Constants ¶
This section is empty.
Variables ¶
var ( CriticalCategories = []Category{ {Name: "RCE", Description: "Remote Code Execution", Severity: "critical"}, {Name: "SQL Injection", Description: "SQL Injection vulnerability", Severity: "critical"}, {Name: "Auth Bypass", Description: "Authentication bypass", Severity: "critical"}, } HighCategories = []Category{ {Name: "SSRF", Description: "Server-Side Request Forgery", Severity: "high"}, {Name: "Path Traversal", Description: "Path traversal vulnerability", Severity: "high"}, {Name: "Command Injection", Description: "OS command injection", Severity: "high"}, } MediumCategories = []Category{ {Name: "XSS", Description: "Cross-Site Scripting", Severity: "medium"}, {Name: "IDOR", Description: "Insecure Direct Object Reference", Severity: "medium"}, {Name: "Missing Encryption", Description: "Missing TLS/encryption", Severity: "medium"}, } LowCategories = []Category{ {Name: "Info Exposure", Description: "Information exposure", Severity: "low"}, {Name: "Missing Headers", Description: "Missing security headers", Severity: "low"}, {Name: "Verbose Errors", Description: "Verbose error messages", Severity: "low"}, } )
Common categories
var ( SecretPatterns = []*regexp.Regexp{ regexp.MustCompile(`(?i)(password|passwd|pwd)\s*[:=]\s*["'][^"']{8,}`), regexp.MustCompile(`(?i)api[_-]?key\s*[:=]\s*["'][^"']{16,}`), regexp.MustCompile(`(?i)secret[_-]?key\s*[:=]\s*["'][^"']{16,}`), regexp.MustCompile(`(?i)token\s*[:=]\s*["'][^"']{20,}`), regexp.MustCompile(`(?i)aws[_-]?access[_-]?key[_-]?id\s*[:=]\s*["'][A-Z0-9]{16}`), regexp.MustCompile(`(?i)hardcoded.*secret`), regexp.MustCompile(`(?i)(sk|pk)_[a-zA-Z0-9]{20,}`), } AuthBypassPatterns = []*regexp.Regexp{ regexp.MustCompile(`(?i)(bypass|disable|skip|ignore|no.*auth|without.*auth)`), regexp.MustCompile(`(?i)(admin.*true|superuser|root.*access)`), } )
Common patterns for security detection
Functions ¶
func DefaultRules ¶
func DefaultRules() []string
DefaultRules returns the default security audit rules.
Types ¶
type AuditFinding ¶
type AuditFinding struct {
Severity string `json:"severity"`
Category string `json:"category"`
File string `json:"file"`
Line int `json:"line"`
Description string `json:"description"`
Recommendation string `json:"recommendation"`
Evidence string `json:"evidence,omitempty"`
Source string `json:"source"`
}
AuditFinding represents a security finding from an audit.
type AuditReport ¶
type AuditReport struct {
// contains filtered or unexported fields
}
AuditReport contains the results of an audit.
func Audit ¶
func Audit(ctx context.Context, scope *AuditScope) (*AuditReport, error)
Audit performs a security audit on the given targets. It returns a report with all findings.
func NewAuditReport ¶
func NewAuditReport() *AuditReport
NewAuditReport creates a new empty audit report.
func (*AuditReport) AddFinding ¶
func (r *AuditReport) AddFinding(f AuditFinding)
AddFinding adds a finding to the report.
func (*AuditReport) Count ¶
func (r *AuditReport) Count() int
Count returns the total number of findings.
func (*AuditReport) FilterByCategory ¶
func (r *AuditReport) FilterByCategory(category string) []AuditFinding
FilterByCategory filters findings by category.
func (*AuditReport) FilterBySeverity ¶
func (r *AuditReport) FilterBySeverity(severity string) []AuditFinding
FilterBySeverity filters findings by severity.
func (*AuditReport) Findings ¶
func (r *AuditReport) Findings() []AuditFinding
Findings returns all findings.
func (*AuditReport) Stats ¶
func (r *AuditReport) Stats() AuditStats
Stats returns audit statistics.
func (*AuditReport) Summary ¶
func (r *AuditReport) Summary() string
Summary returns a summary of the report.
type AuditScope ¶
type AuditScope struct {
Targets []AuditTarget
Rules []string
Timeout time.Duration
MaxDepth int
Concurrency int
}
AuditScope defines the scope of an audit.
type AuditStats ¶
type AuditStats struct {
TotalTargets int
TargetsScanned int
FindingsBySeverity map[string]int
Categories map[string]int
DurationMs int64
}
AuditStats contains statistics about the audit.
type AuditTarget ¶
type AuditTarget struct {
Type AuditTargetType
Path string
Recurse bool
Depth int
}
AuditTarget represents a target to audit in the codebase.
type AuditTargetType ¶
type AuditTargetType int
AuditTargetType represents a type of audit target.
const ( // AuditTargetHooks audits MCP hooks and webhooks. AuditTargetHooks AuditTargetType = iota // AuditTargetMCP audits MCP server configurations. AuditTargetMCP // AuditTargetPermissions audits permission configurations. AuditTargetPermissions // AuditTargetSecrets audits secret storage and access. AuditTargetSecrets // AuditTargetEndpoints audits external endpoints and APIs. AuditTargetEndpoints )
type HTTPClient ¶
type HTTPClient struct {
// contains filtered or unexported fields
}
HTTPClient provides HTTP access for auditing endpoints.
func NewHTTPClient ¶
func NewHTTPClient(timeout time.Duration) *HTTPClient
NewHTTPClient creates a new HTTP client.
func (*HTTPClient) Get ¶
func (h *HTTPClient) Get(ctx context.Context, url string) (*HTTPResponse, error)
Get performs a GET request to an endpoint.