Spaces:
Running
Running
File size: 23,646 Bytes
e1e9580 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 | <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Security Auditor - Help Guide</title>
<style>
:root {
--bg: #faf9f6;
--text: #131314;
--accent: #d97757;
--accent-hover: #cc6944;
--gray: #6b7280;
--light-gray: #9ca3af;
--border: #e5e7eb;
--card-bg: #ffffff;
--critical: #dc2626;
--critical-bg: #fef2f2;
--critical-border: #fca5a5;
--high: #ea580c;
--high-bg: #fff7ed;
--high-border: #fdba74;
--medium: #d97706;
--medium-bg: #fffbeb;
--medium-border: #fcd34d;
--low: #0d9488;
--low-bg: #f0fdfa;
--low-border: #5eead4;
--info-color: #6b7280;
--info-bg: #f9fafb;
--info-border: #d1d5db;
}
* { margin: 0; padding: 0; box-sizing: border-box; }
body {
font-family: system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
background: var(--bg);
color: var(--text);
line-height: 1.7;
max-width: 920px;
margin: 0 auto;
padding: 40px 24px 60px;
}
/* Header */
.header {
display: flex;
align-items: center;
gap: 14px;
padding-bottom: 24px;
border-bottom: 1px solid var(--border);
margin-bottom: 32px;
}
.header-icon {
width: 44px;
height: 44px;
background: var(--text);
border-radius: 8px;
display: flex;
align-items: center;
justify-content: center;
flex-shrink: 0;
}
.header-icon svg { width: 24px; height: 24px; stroke: white; fill: none; }
.header-title { font-size: 24px; font-weight: 700; }
.header-subtitle { font-size: 14px; color: var(--gray); margin-top: 2px; }
/* Headings */
h2 {
font-size: 22px;
font-weight: 700;
margin: 48px 0 16px;
padding-bottom: 8px;
border-bottom: 2px solid var(--border);
display: flex;
align-items: center;
gap: 10px;
}
h2 .h-num {
display: inline-flex;
align-items: center;
justify-content: center;
width: 30px;
height: 30px;
background: var(--accent);
color: white;
border-radius: 50%;
font-size: 14px;
font-weight: 700;
flex-shrink: 0;
}
h3 {
font-size: 17px;
font-weight: 600;
margin: 28px 0 12px;
color: var(--text);
}
/* Paragraphs and lists */
p { margin: 0 0 14px; color: var(--text); }
ul, ol { margin: 0 0 16px; padding-left: 24px; }
li { margin: 6px 0; }
/* Links */
a { color: var(--accent); text-decoration: none; }
a:hover { color: var(--accent-hover); text-decoration: underline; }
/* Table of Contents */
.toc {
background: var(--card-bg);
border: 1px solid var(--border);
border-radius: 10px;
padding: 24px 28px;
margin: 0 0 40px;
}
.toc-title {
font-size: 15px;
font-weight: 700;
margin-bottom: 12px;
color: var(--text);
}
.toc ol { padding-left: 20px; margin: 0; }
.toc li { margin: 7px 0; font-size: 15px; }
.toc a { color: var(--accent); font-weight: 500; }
/* Cards */
.card {
background: var(--card-bg);
border: 1px solid var(--border);
border-radius: 10px;
padding: 20px 24px;
margin: 16px 0;
}
.card-label {
font-size: 12px;
font-weight: 600;
text-transform: uppercase;
letter-spacing: 0.05em;
color: var(--gray);
margin-bottom: 6px;
}
/* Steps */
.steps { counter-reset: step; list-style: none; padding-left: 0; }
.steps li {
counter-increment: step;
position: relative;
padding-left: 40px;
margin: 14px 0;
}
.steps li::before {
content: counter(step);
position: absolute;
left: 0;
top: 1px;
width: 26px;
height: 26px;
background: var(--accent);
color: white;
border-radius: 50%;
font-size: 13px;
font-weight: 700;
display: flex;
align-items: center;
justify-content: center;
}
/* Severity badges */
.severity-sample {
display: inline-flex;
align-items: center;
gap: 8px;
padding: 8px 16px;
border-radius: 6px;
font-size: 13px;
font-weight: 600;
border: 2px solid;
margin: 4px 4px 4px 0;
}
/* Severity table */
.severity-table { width: 100%; border-collapse: collapse; margin: 16px 0; }
.severity-table th {
text-align: left;
padding: 12px 16px;
background: var(--bg);
border-bottom: 2px solid var(--border);
font-size: 13px;
font-weight: 600;
color: var(--gray);
text-transform: uppercase;
letter-spacing: 0.05em;
}
.severity-table td {
padding: 14px 16px;
border-bottom: 1px solid var(--border);
vertical-align: top;
font-size: 14px;
}
.severity-table tr:last-child td { border-bottom: none; }
.severity-tag {
display: inline-block;
padding: 3px 10px;
border-radius: 4px;
font-size: 12px;
font-weight: 700;
white-space: nowrap;
}
/* Screenshots */
.screenshot {
display: block;
max-width: 100%;
border: 1px solid var(--border);
border-radius: 10px;
margin: 20px 0;
box-shadow: 0 2px 8px rgba(0, 0, 0, 0.06);
}
.screenshot-caption {
font-size: 13px;
color: var(--gray);
text-align: center;
margin: -10px 0 20px;
font-style: italic;
}
/* Tip / Note boxes */
.tip {
background: var(--high-bg);
border-left: 4px solid var(--accent);
border-radius: 0 8px 8px 0;
padding: 14px 18px;
margin: 16px 0;
font-size: 14px;
}
.tip-label {
font-weight: 700;
color: var(--accent);
margin-bottom: 4px;
}
/* Footer */
.footer {
margin-top: 60px;
padding-top: 24px;
border-top: 1px solid var(--border);
text-align: center;
color: var(--gray);
font-size: 13px;
}
/* Keyboard shortcut styling */
kbd {
background: var(--bg);
border: 1px solid var(--border);
border-radius: 4px;
padding: 2px 6px;
font-size: 13px;
font-family: ui-monospace, 'SF Mono', Monaco, 'Cascadia Code', monospace;
}
/* Print */
@media print {
body { background: white; max-width: 100%; padding: 20px; }
.toc { break-after: page; }
.card, .severity-table tr { break-inside: avoid; }
.screenshot { max-width: 80%; margin: 12px auto; }
a { color: var(--text); }
h2 { break-after: avoid; }
}
/* Responsive */
@media (max-width: 640px) {
body { padding: 20px 16px 40px; }
.header-title { font-size: 20px; }
h2 { font-size: 19px; }
.severity-table th, .severity-table td { padding: 10px 10px; font-size: 13px; }
}
</style>
</head>
<body>
<!-- Header -->
<div class="header">
<div class="header-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<rect x="3" y="11" width="18" height="11" rx="2" ry="2"></rect>
<path d="M7 11V7a5 5 0 0 1 10 0v4"></path>
</svg>
</div>
<div>
<div class="header-title">Security Auditor</div>
<div class="header-subtitle">Help Guide</div>
</div>
</div>
<!-- Table of Contents -->
<nav class="toc">
<div class="toc-title">Contents</div>
<ol>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#local-scan">Scanning a Local Directory</a></li>
<li><a href="#remote-scan">Scanning a Remote URL</a></li>
<li><a href="#understanding-results">Understanding Your Results</a></li>
<li><a href="#nvd-enrichment">National Vulnerability Database (NVD) Enrichment</a> <a href="https://nvd.nist.gov/general/cve-process" target="_blank" rel="noopener noreferrer">NVD CVE Process</a></li>
<li><a href="#severity-guide">Severity Levels Guide</a></li>
</ol>
</nav>
<!-- Section 1: Getting Started -->
<h2 id="getting-started"><span class="h-num">1</span> Getting Started</h2>
<p>
Security Auditor is a combined <strong>Static Application Security Testing (SAST)</strong> and
<strong>Dynamic Application Security Testing (DAST)</strong> platform that identifies security
vulnerabilities in your application code and web deployments. It performs <strong>40+ security checks</strong>
across two scanning modes.
</p>
<p>
The checks this tool performs overlap with the <strong><a href="https://owasp.org/www-project-top-ten/" target="_blank" rel="noopener noreferrer">Open Web Application Security Project (OWASP)</a></strong> Top Ten; many checks map to common OWASP categories such as Injection, Cross-Site Scripting (XSS), Broken Authentication, and Security Misconfiguration.
</p>
<div class="card">
<div class="card-label">Two Scanning Modes</div>
<ul>
<li><strong>Local Directory</strong> — Upload source code files or specify a directory path. The SAST engine scans your code for 28+ vulnerability patterns including SQL injection, XSS, command injection, hardcoded credentials, and more.</li>
<li><strong>Remote URL</strong> — Enter a web application URL. The DAST engine checks HTTP security headers, probes for exposed sensitive paths, verifies HTTPS configuration, and scans response content for information leaks.</li>
</ul>
</div>
<img src="/helpimg/NewGradioScreenshot_landingPage.png"
alt="Security Auditor landing page showing Local Directory mode selected"
class="screenshot" />
<p class="screenshot-caption">The Security Auditor landing page with Local Directory mode selected.</p>
<p>
<strong>Supported file types for local scanning:</strong><br />
<code>.py, .js, .ts, .java, .php, .go, .rb, .c, .cpp, .cs, .swift, .kt, .scala, .rs, .jsx, .tsx</code>
</p>
<!-- Section 2: Local Directory Scan -->
<h2 id="local-scan"><span class="h-num">2</span> Scanning a Local Directory</h2>
<p>Use this mode to scan application source code files for security vulnerabilities using static analysis.</p>
<ol class="steps">
<li>Select <strong>Local Directory</strong> in the Analysis Mode panel on the left sidebar.</li>
<li>Provide your code using one of two methods:
<ul>
<li><strong>Upload files</strong> — Drag and drop or click the upload area (total size maximum 25 MB).</li>
<li><strong>Enter a directory path</strong> — Type the full path to a local directory, e.g. <kbd>C:/Projects/my-application</kbd>.</li>
</ul>
</li>
<li>Optionally toggle <strong>NVD Enriched Scan Results</strong> on or off (see <a href="#nvd-enrichment">Section 5</a>).</li>
<li>Click the <strong>Analyze</strong> button.</li>
<li>Wait for the scan to complete. A progress indicator shows the current status.</li>
</ol>
<div class="tip">
<div class="tip-label">Tip</div>
When uploading files, you can select multiple files at once. The scanner analyses all uploaded files together, detecting cross-file vulnerability patterns.
</div>
<img src="/helpimg/NewGradioScreenshot_LocalAppResult.png"
alt="Local directory scan results showing Analysis Summary and Security Findings"
class="screenshot" />
<p class="screenshot-caption">Results from a local directory scan showing the Analysis Summary, severity badges, and individual finding cards.</p>
<!-- Section 3: Remote URL Scan -->
<h2 id="remote-scan"><span class="h-num">3</span> Scanning a Remote URL</h2>
<p>Use this mode to dynamically test a running web application for security misconfigurations and vulnerabilities.</p>
<ol class="steps">
<li>Select <strong>Remote URL</strong> in the Analysis Mode panel.</li>
<li>Enter the target web application URL in the <strong>Web Application URL</strong> field, e.g. <kbd>https://your-app.example.com</kbd>.</li>
<li>Click the <strong>Analyze</strong> button.</li>
</ol>
<h3>What Gets Checked</h3>
<div class="card">
<ul>
<li><strong>HTTP Security Headers</strong> — Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security, Referrer-Policy, Permissions-Policy.</li>
<li><strong>Sensitive Path Exposure</strong> — Probes for common exposed paths such as <code>/.env</code>, <code>/.git/config</code>, <code>/admin</code>, <code>/phpinfo.php</code>, <code>/swagger.json</code>, and 15+ other paths.</li>
<li><strong>HTTPS Configuration</strong> — Verifies the application uses HTTPS rather than unencrypted HTTP.</li>
<li><strong>Response Content Analysis</strong> — Scans HTML responses for database error messages, stack trace disclosures, debug mode indicators, and sensitive data in comments.</li>
<li><strong>Server Version Disclosure</strong> — Detects if the server reveals its software version in response headers.</li>
</ul>
</div>
<img src="/helpimg/NewGradioScreenshot_RemoteURLResult.png"
alt="Remote URL scan results showing missing security headers and other findings"
class="screenshot" />
<p class="screenshot-caption">Results from a remote URL scan showing missing security headers and insecure HTTP connection findings.</p>
<!-- Section 4: Understanding Results -->
<h2 id="understanding-results"><span class="h-num">4</span> Understanding Your Results</h2>
<h3>Analysis Summary</h3>
<p>
After a scan completes, the <strong>Analysis Summary</strong> section appears at the top of the results. It
displays metadata about the scan and a count of findings grouped by severity level.
</p>
<div class="card">
<ul>
<li><strong>Target</strong> — The directory path or URL that was scanned.</li>
<li><strong>Files Analyzed</strong> — Number of source code files processed (local scans only).</li>
<li><strong>Total Findings</strong> — Total number of security issues detected.</li>
<li><strong>Analysis Type</strong> — Either <em>Local</em> (SAST) or <em>Web</em> (DAST).</li>
</ul>
</div>
<h3>Severity Badges</h3>
<p>
Below the metadata, colour-coded severity badges show how many findings fall into each severity level:
</p>
<p>
<span class="severity-sample" style="background: var(--critical-bg); color: var(--critical); border-color: var(--critical-border);">Critical</span>
<span class="severity-sample" style="background: var(--high-bg); color: var(--high); border-color: var(--high-border);">High</span>
<span class="severity-sample" style="background: var(--medium-bg); color: var(--medium); border-color: var(--medium-border);">Medium</span>
<span class="severity-sample" style="background: var(--low-bg); color: var(--low); border-color: var(--low-border);">Low</span>
<span class="severity-sample" style="background: var(--info-bg); color: var(--info-color); border-color: var(--info-border);">Info</span>
</p>
<h3>Finding Cards</h3>
<p>Each detected vulnerability is displayed as a finding card containing the following information:</p>
<div class="card">
<ul>
<li><strong>Vulnerability Name</strong> — The type of security issue (e.g. "SQL Injection", "Missing Security Header: Content-Security-Policy").</li>
<li><strong>Severity Tag</strong> — A colour-coded badge showing CRITICAL, HIGH, MEDIUM, LOW, or INFO.</li>
<li><strong>Common Weakness Enumeration (CWE) Reference</strong> — The identifier (e.g. CWE-89).</li>
<li><strong>CVE References</strong> — Related Common Vulnerabilities and Exposures entries (when NVD enrichment is enabled).</li>
<li><strong>File Path & Line Number</strong> — Exact location in the source code (local scans) or the target URL (remote scans).</li>
<li><strong>Description</strong> — Explanation of the vulnerability and its potential impact.</li>
<li><strong>Remediation Guidance</strong> — Click the expandable section to view recommended fixes and best practices.</li>
</ul>
</div>
<h3>Exporting Reports</h3>
<p>
At the bottom of the results, two export options are available:
</p>
<ul>
<li><strong>Export JSON Report</strong> — Downloads a structured JSON file containing all scan data, suitable for integration with CI/CD pipelines or other security tools.</li>
<li><strong>Export Markdown Report</strong> — Downloads a Markdown report with findings grouped by severity, including file locations, code snippets, and remediation guidance. Ideal for pasting into vibe-coding platforms (Cursor, Lovable, Bolt, etc.) to fix identified issues.</li>
</ul>
<!-- Section 5: NVD Enrichment -->
<h2 id="nvd-enrichment"><span class="h-num">5</span> NVD Enrichment</h2>
<p>
The <strong>NVD Enriched Scan Results</strong> toggle in the sidebar controls whether scan findings are
enriched with data from the <strong><a href="https://nvd.nist.gov/general/cve-process" target="_blank" rel="noopener noreferrer">NVD</a></strong>, maintained by the <strong><a href="https://www.nist.gov/" target="_blank" rel="noopener noreferrer">National Institute of Standards and Technology (NIST)</a></strong>.
</p>
<div class="card">
<div class="card-label">What NVD Enrichment Adds</div>
<ul>
<li>Related <strong><a href="https://nvd.nist.gov/general/cve-process" target="_blank" rel="noopener noreferrer">Common Vulnerabilities and Exposures (CVE)</a></strong> references for each finding.</li>
</div>
<h3>When to Enable</h3>
<ul>
<li>Comprehensive security audits where you need full CVE context.</li>
<li>Compliance reporting that requires specific vulnerability references.</li>
<li>When you need detailed remediation guidance for each finding.</li>
</ul>
<h3>When to Disable</h3>
<ul>
<li>Quick scans where speed is the priority.</li>
<li>Offline environments without internet access.</li>
<li>When the NVD API is rate-limited or unavailable.</li>
</ul>
<div class="tip">
<div class="tip-label">Note</div>
NVD enrichment adds processing time to the scan. The toggle is enabled by default. You can disable it for faster scans and re-run with enrichment when needed.
</div>
<!-- Section 6: Severity Levels Guide -->
<h2 id="severity-guide"><span class="h-num">6</span> Severity Levels Guide</h2>
<p>
Findings are classified into five severity levels. Use this guide to prioritise remediation efforts.
</p>
<table class="severity-table">
<thead>
<tr>
<th style="width: 120px;">Severity</th>
<th>Description</th>
<th style="width: 200px;">Examples</th>
</tr>
</thead>
<tbody>
<tr>
<td><span class="severity-tag" style="background: var(--critical-bg); color: var(--critical);">CRITICAL</span></td>
<td>Immediate action required. These vulnerabilities can lead to full system compromise, data breaches, or remote code execution.</td>
<td>SQL Injection, Command Injection, Hardcoded Credentials, Insecure Deserialization</td>
</tr>
<tr>
<td><span class="severity-tag" style="background: var(--high-bg); color: var(--high);">HIGH</span></td>
<td>Serious vulnerabilities requiring prompt attention. These can lead to significant data exposure or unauthorized access.</td>
<td>Cross-Site Scripting (XSS), Path Traversal, SSRF, JWT Without Verification</td>
</tr>
<tr>
<td><span class="severity-tag" style="background: var(--medium-bg); color: var(--medium);">MEDIUM</span></td>
<td>Moderate risk requiring investigation. These may enable attacks under certain conditions or weaken security posture.</td>
<td>CORS Misconfiguration, Weak Cryptographic Algorithm, Open Redirect, Missing Content-Security-Policy</td>
</tr>
<tr>
<td><span class="severity-tag" style="background: var(--low-bg); color: var(--low);">LOW</span></td>
<td>Minor issues with lower priority. These represent defence-in-depth concerns or best practice violations.</td>
<td>Debug Mode Enabled, Missing Non-Critical Headers, Verbose Error Messages, Sensitive Data in Logs</td>
</tr>
<tr>
<td><span class="severity-tag" style="background: var(--info-bg); color: var(--info-color);">INFO</span></td>
<td>Informational findings with no direct security risk. These highlight areas for awareness or potential improvement.</td>
<td>Technology Detection, Configuration Notes, Server Version Disclosure</td>
</tr>
</tbody>
</table>
<div class="tip">
<div class="tip-label">Prioritisation Strategy</div>
Address <strong>Critical</strong> and <strong>High</strong> findings first, as they pose the greatest risk. Medium findings should be reviewed and scheduled for remediation. Low and Info findings can be addressed as part of regular maintenance cycles.
</div>
<!-- Footer -->
<div class="footer">
Security Auditor · SAST + DAST Platform<br />
</div>
</body>
</html>
|