MugdhaV
Deploy Security Auditor to HF Spaces
dbf9094
metadata
title: Security Auditor
emoji: 🔒
colorFrom: red
colorTo: yellow
sdk: docker
pinned: false
license: mit
app_port: 7860

🔒 Security Auditor

Comprehensive SAST Platform for Vulnerability Detection

Scan your application code for security vulnerabilities with AI-powered analysis and NIST NVD integration.

✨ Features

πŸ” Detection Capabilities

  • 28+ Vulnerability Types - SQL Injection, XSS, Command Injection, and more
  • 15+ Programming Languages - Python, JavaScript, Java, PHP, Go, Ruby, C/C++, and more
  • NIST NVD Integration - Enrich findings with real-world CVE data
  • Multiple Scan Modes - Local files, remote URLs, GitHub repositories

🎯 Analysis Types

  1. Local Directory Scan - Upload source code files for comprehensive analysis
  2. Remote URL Scan - Test live web applications for security misconfigurations
  3. GitHub Repository Scan - Analyze public or private GitHub repositories

📊 Vulnerability Categories

  • Injection Flaws - SQL, Command, LDAP, XXE, Path Traversal
  • Authentication Issues - Hardcoded credentials, weak hashing, JWT validation
  • Cryptographic Flaws - Weak algorithms, insecure random, hardcoded keys
  • Deserialization - Pickle, YAML, ObjectInputStream vulnerabilities
  • Security Misconfigurations - CORS, SSL/TLS, missing headers
  • Information Disclosure - Debug mode, sensitive logs, stack traces

🚀 How to Use

1. Upload Code (Local Scan)

  • Upload source code files (.py, .js, .java, .php, etc.)
  • Multiple files and folders supported
  • Detects vulnerabilities in real time

2. Scan Repository (GitHub)

  • Enter GitHub repository URL
  • Supports public repositories (private repositories with an access token)
  • Automatically clones and analyzes code

3. Test Web App (Remote URL)

  • Enter live application URL
  • Checks security headers
  • Scans for exposed sensitive files
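The "checks security headers" step above is the part of a remote scan that can be shown end to end without touching a network. The block below is an added example, not the Space's own code: it audits one captured response header set for the misconfigurations the README lists (missing security headers, CWE-693, and a CORS wildcard, CWE-942). The header list, the one-year HSTS threshold and the severities are this example's assumptions; the two response dictionaries are constructed samples.

```python
import re
from dataclasses import dataclass

# Headers this example expects on a live HTTPS response. The README only says
# the remote-URL scan "checks security headers"; the exact set and the
# severities below are assumptions of this example, not the Space's rule set.
REQUIRED_HEADERS = {
    "strict-transport-security": "browsers are not told to insist on HTTPS",
    "content-security-policy": "no browser-side restriction on script and resource origins",
    "x-content-type-options": "browsers may MIME-sniff responses into scripts",
    "x-frame-options": "page can be framed by other sites (clickjacking)",
    "referrer-policy": "full URLs may leak to third parties via the Referer header",
}
ONE_YEAR = 31536000  # HSTS max-age floor used by this example (assumption)


@dataclass(frozen=True)
class Finding:
    cwe: str
    severity: str
    header: str
    detail: str


def audit_headers(headers: dict) -> list:
    """Return misconfiguration findings for one captured HTTP response header set."""
    # HTTP header names are case-insensitive, so normalise before comparing.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    for name, detail in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(Finding("CWE-693", "Low", name, "missing: " + detail))

    # A present but short-lived HSTS policy still leaves a downgrade window.
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(Finding("CWE-693", "Low", "strict-transport-security",
                                    "max-age missing or shorter than one year"))

    # Only the literal value 'nosniff' disables MIME sniffing.
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append(Finding("CWE-693", "Low", "x-content-type-options",
                                "value is not 'nosniff'"))

    # CORS wildcard: any origin may read the response; worse if credentials are allowed.
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        findings.append(Finding("CWE-942", "Medium", "access-control-allow-origin",
                                "wildcard origin" + (" combined with credentials" if creds else "")))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "nginx",
    "Access-Control-Allow-Origin": "*",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Access-Control-Allow-Origin": "https://app.example.com",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, [(f.severity, f.cwe, f.header) for f in audit_headers(resp)])
```

Running the block reports six findings for the weak response (four missing headers, a short HSTS max-age and the CORS wildcard) and none for the hardened one; plugging a real `requests` response's `.headers` into `audit_headers` is the only change needed to use it against a site you are authorised to test.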

πŸ” Privacy & Security

  • ✅ Temporary Storage Only - All files deleted after 1 hour
  • ✅ No Permanent Storage - Code is never saved
  • ✅ Isolated Sessions - Each scan is completely isolated
  • ✅ No Logging - Source code content is not logged

📋 Report Formats

  • Interactive HTML - Visual dashboard with severity breakdown
  • JSON Export - Machine-readable format for CI/CD integration
  • Text Report - Console-friendly output

⚠️ Usage Guidelines

Only scan code and applications that:

  • You own or created
  • You have explicit permission to test
  • Are part of authorized security assessments

Do not:

  • Scan third-party applications without permission
  • Use for unauthorized security testing
  • Scan production systems without approval

πŸ› οΈ Technology Stack

  • Static Analysis - Pattern-based SAST engine with 28+ detection rules
  • NVD Integration - Real-time CVE enrichment from the NIST NVD database
  • Web Scanning - HTTP security analysis and exposed file detection
  • UI Framework - Modern Gradio interface with custom theme

📚 Detected Vulnerabilities

Critical Severity

  • SQL Injection (CWE-89)
  • Command Injection (CWE-78)
  • Insecure Deserialization (CWE-502)

High Severity

  • Cross-Site Scripting (CWE-79)
  • Hardcoded Credentials (CWE-798)
  • Weak Cryptography (CWE-327)

Medium Severity

  • Path Traversal (CWE-22)
  • LDAP Injection (CWE-90)
  • CORS Wildcard (CWE-942)

Low Severity

  • Debug Mode Enabled (CWE-215)
  • Sensitive Data in Logs (CWE-532)
  • Missing Security Headers (CWE-693)
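The severity and CWE table above, together with the "pattern-based SAST engine" mentioned under Technology Stack and the JSON export listed under Report Formats, describes a pipeline that is easy to see in miniature. The block below is an added example and not the Space's code: it defines one regex rule per listed category (the Space's 28 rules are not reproduced, and these patterns are this example's own, kept narrow to limit false positives), scans a constructed Python source file line by line, orders findings by severity and serialises them in the JSON shape a CI job could consume.

```python
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    cwe: str
    severity: str
    pattern: re.Pattern


# One rule per category from the severity table. Patterns are this example's
# assumptions about what each category looks like in Python source.
RULES = [
    Rule("SQL Injection", "CWE-89", "Critical",          # query string built by f-string, %, + or .format
         re.compile(r"""\.execute\(\s*(?:f["']|["'].*?["']\s*(?:%|\+|\.format\())""")),
    Rule("Command Injection", "CWE-78", "Critical",
         re.compile(r"os\.system\(|subprocess\.\w+\(.*shell\s*=\s*True")),
    Rule("Insecure Deserialization", "CWE-502", "Critical",
         re.compile(r"pickle\.loads?\(|yaml\.load\((?!.*SafeLoader)")),
    Rule("Hardcoded Credentials", "CWE-798", "High",
         re.compile(r"""(?i)\b(?:password|passwd|secret|api_key|token)\s*=\s*["'][^"']{4,}["']""")),
    Rule("Weak Cryptography", "CWE-327", "High",
         re.compile(r"hashlib\.(?:md5|sha1)\(|\b(?:DES|RC4)\b")),
    Rule("Path Traversal", "CWE-22", "Medium",           # file opened from request-controlled input
         re.compile(r"open\([^)]*\b(?:request|argv|input)\b")),
    Rule("Debug Mode Enabled", "CWE-215", "Low",
         re.compile(r"debug\s*=\s*True")),
]
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def scan_source(filename: str, source: str) -> list:
    """Run every rule over every non-comment line; return findings sorted by severity, then line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append({"file": filename, "line": lineno, "rule": rule.name,
                                 "cwe": rule.cwe, "severity": rule.severity,
                                 "snippet": line.strip()})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["line"]))
    return findings


def to_json(findings: list) -> str:
    """Machine-readable report, the shape a CI/CD step would parse."""
    return json.dumps({"total": len(findings), "findings": findings}, indent=2)


# Constructed sample: a deliberately bad handler plus one correctly parameterised query on the last line.
SAMPLE = """\
import hashlib, os, pickle
API_KEY = "sk-constructed-example-key"
def handler(request, uid, blob):
    cursor.execute("SELECT * FROM users WHERE id = %s" % uid)
    os.system("convert " + request.args["file"])
    data = open(os.path.join(UPLOADS, request.args["name"])).read()
    obj = pickle.loads(blob)
    digest = hashlib.md5(blob).hexdigest()
    app.run(debug=True)
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
"""

if __name__ == "__main__":
    print(to_json(scan_source("app.py", SAMPLE)))
```

On the sample the scanner reports seven findings, three Critical first, and stays silent on the parameterised `execute` call on the last line, which is the distinction a pattern rule has to make to be useful in code review rather than just noisy.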

🎓 Educational Purpose

This tool is designed for:

  • Security education and training
  • DevSecOps integration
  • Code review assistance
  • Vulnerability awareness
  • Secure coding practices

📖 Documentation

API Reference

Remediation Resources

  • Each finding includes detailed remediation guidance
  • Code examples for secure implementations
  • Framework-specific security best practices

💡 Pro Tips

  1. Enable NVD Enrichment for CVE correlation (slower but more detailed)
  2. Scan early and often - integrate scanning into your development workflow
  3. Review remediation guidance - learn from each finding
  4. Export reports for documentation and tracking
  5. Use GitHub mode for repository-wide analysis

🤝 Support

  • Report issues: GitHub Issues
  • Contribute: Pull requests welcome
  • Documentation: Full guide in repository

📄 License

MIT License - See LICENSE file for details

⚑ Performance

  • Scan Speed - ~1-2 seconds per 1000 files
  • Language Support - 15+ programming languages
  • Detection Rules - 28+ vulnerability patterns
  • Max Upload - 100MB per session

🔄 Updates

Regular updates include:

  • New vulnerability detection rules
  • Enhanced false positive reduction
  • Additional language support
  • Performance improvements

πŸ›‘οΈ Secure your code, protect your users.

Built with ❤️ for the security community.