6 changes: 6 additions & 0 deletions .claude/rules/development.md
@@ -50,6 +50,12 @@ Argus-Security/
│ ├── agent_personas.py # Phase 3: Multi-agent review
│ ├── sandbox_validator.py # Phase 4: Docker validation
│ ├── remediation_engine.py # Auto-fix generation
│ ├── diff_impact_analyzer.py # Diff-intelligent scanner scoping
│ ├── agent_chain_discovery.py # LLM-powered attack chain discovery
│ ├── autofix_pr_generator.py # AutoFix PR generation + closed loop
│ ├── findings_store.py # SQLite cross-scan findings store
│ ├── app_context_builder.py # Unified application context model
│ ├── sast_dast_validator.py # SAST-to-DAST live validation
│ └── argus # CLI entry point
├── policy/rego/ # Phase 5: OPA policies
├── profiles/ # Config profiles
22 changes: 21 additions & 1 deletion .claude/rules/features.md
@@ -1,6 +1,6 @@
---
description: Advanced feature modules and their configuration toggles
globs: ["scripts/error_classifier.py", "scripts/audit_trail.py", "scripts/phase_gate.py", "scripts/mcp_server.py", "scripts/dast_auth_config.py", "scripts/temporal_orchestrator.py", "scripts/license_risk_scorer.py", "scripts/epss_scorer.py", "scripts/fix_version_tracker.py", "scripts/vex_processor.py", "scripts/vuln_deduplicator.py", "scripts/advanced_suppression.py", "scripts/compliance_mapper.py"]
globs: ["scripts/error_classifier.py", "scripts/audit_trail.py", "scripts/phase_gate.py", "scripts/mcp_server.py", "scripts/dast_auth_config.py", "scripts/temporal_orchestrator.py", "scripts/license_risk_scorer.py", "scripts/epss_scorer.py", "scripts/fix_version_tracker.py", "scripts/vex_processor.py", "scripts/vuln_deduplicator.py", "scripts/advanced_suppression.py", "scripts/compliance_mapper.py", "scripts/diff_impact_analyzer.py", "scripts/agent_chain_discovery.py", "scripts/autofix_pr_generator.py", "scripts/findings_store.py", "scripts/app_context_builder.py", "scripts/sast_dast_validator.py"]
---

# Advanced Features
@@ -43,3 +43,23 @@ Multi-key: {VulnID, PkgName, Version, Path}. Cross-scanner merge. Strategies: au

## Compliance Mapping (`scripts/compliance_mapper.py`)
NIST 800-53, PCI DSS 4.0, OWASP Top 10, SOC 2, CIS K8s, ISO 27001. CWE-based mapping + category fallback. Toggle: `enable_compliance_mapping=True`

# Continuous Security Testing (v3.0)

## Diff-Intelligent Scanner Scoping (`scripts/diff_impact_analyzer.py`)
Classifies changed files by security relevance (skip docs/assets, always scan auth/crypto/config). Expands blast radius via reverse dependency lookup — if auth middleware changed, finds all files importing it. Generates Semgrep `--include` args for scoped scanning. Toggle: `enable_diff_scoping=True`, `diff_expand_impact_radius=True`

## Agent-Driven Chain Discovery (`scripts/agent_chain_discovery.py`)
LLM-powered multi-step attack chain discovery beyond rule-based patterns. Sends findings to LLM to reason about cross-component exploitation paths. Cross-component analyzer detects dangerous finding combinations across architectural boundaries (auth+api, models+api, middleware+routes). Toggle: `enable_agent_chain_discovery=False` (opt-in), `enable_cross_component_analysis=True`

## AutoFix PR Generator (`scripts/autofix_pr_generator.py`)
Generates git branches with applied fixes from RemediationEngine suggestions. Creates conventional-commit-style messages, formatted PR bodies with diff/CWE/testing sections. ClosedLoopOrchestrator wires find→fix→verify into a single flow. Toggle: `enable_autofix_pr=False` (opt-in), `autofix_confidence_threshold="high"`, `autofix_max_prs_per_scan=5`

## Persistent Findings Store (`scripts/findings_store.py`)
SQLite-backed cross-scan intelligence. Tracks findings across scans via content-based fingerprinting. Detects regressions (previously-fixed findings reappearing), computes MTTF, FP rates, severity trending. Injects historical context into LLM enrichment prompts. Toggle: `enable_findings_store=True`, `findings_db_path=".argus/findings.db"`, `inject_historical_context=True`

## Application Context Builder (`scripts/app_context_builder.py`)
Detects framework (Django/Flask/Express/Spring/etc.), language, auth mechanism (JWT/OAuth2/session), cloud provider, IaC files, middleware chain, entry points, and OpenAPI specs. Generates `to_prompt_context()` string for LLM prompt injection. Toggle: `enable_app_context=True`

## SAST-to-DAST Live Validation (`scripts/sast_dast_validator.py`)
Validates SAST findings against live deployment targets. Maps vuln types to HTTP test payloads (SQLi, XSS, SSRF, path traversal, command injection, IDOR). Safety: rejects production targets by default, only allows staging/preview/development. Toggle: `enable_live_validation=False` (opt-in), `live_validation_environment="staging"`
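Review bot: the Application Context Builder entry says `to_prompt_context()` produces a string "for LLM prompt injection"; in a security tool that phrase names an attack class, so reword it to "for inclusion in LLM prompts" and, since the detected values (framework names, entry points, OpenAPI spec paths) come from the scanned repository, state that they are inserted as data rather than instructions. The SAST-to-DAST entry says the validator "rejects production targets by default" but not how a target is classified as production; document the signal it keys on (the `live_validation_environment` string, a URL pattern, or both), because a guard that only compares a configured environment name offers no protection once that value is changed.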
124 changes: 124 additions & 0 deletions .github/workflows/argus-retest.yml
@@ -0,0 +1,124 @@
name: Argus Retest After Fix
on:
pull_request:
types: [closed]

jobs:
retest:
# Only run when an argus/fix- PR is merged
if: >
github.event.pull_request.merged == true &&
startsWith(github.event.pull_request.head.ref, 'argus/fix-')
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'

- name: Install dependencies
run: pip install -r requirements.txt

- name: Extract fix metadata
id: meta
run: |
BRANCH="${{ github.event.pull_request.head.ref }}"
Shell injection via branch ref in workflow

High Severity

${{ github.event.pull_request.head.ref }} is interpolated directly into a shell script. While the if condition ensures the branch starts with argus/fix-, the remainder is attacker-controlled. A branch name containing shell metacharacters like $(cmd) or backticks would execute arbitrary commands during the run step, potentially exfiltrating secrets like ANTHROPIC_API_KEY or GITHUB_TOKEN.

# Extract vuln type and finding ID from branch name: argus/fix-{type}-{id}
VULN_TYPE=$(echo "$BRANCH" | sed 's|argus/fix-||' | sed 's|-[a-f0-9]*$||')
FINDING_ID=$(echo "$BRANCH" | grep -oP '[a-f0-9]{8}$' || echo "unknown")
echo "vuln_type=$VULN_TYPE" >> $GITHUB_OUTPUT
echo "finding_id=$FINDING_ID" >> $GITHUB_OUTPUT
# Get changed files from the PR
CHANGED_FILES=$(gh pr view ${{ github.event.pull_request.number }} --json files -q '.files[].path' || echo "")
echo "changed_files=$CHANGED_FILES" >> $GITHUB_OUTPUT
Comment on lines +32 to +41

Check failure

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection Error

Using variable interpolation ${...} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Run regression tests
id: regression
continue-on-error: true
run: |
python -c "
import sys
sys.path.insert(0, 'scripts')
try:
from regression_tester import RegressionTester
tester = RegressionTester()
results = tester.run('tests/security_regression')
passed = results.get('passed', 0)
failed = results.get('failed', 0)
print(f'Regression tests: {passed} passed, {failed} failed')
sys.exit(1 if failed > 0 else 0)
except Exception as e:
print(f'Regression test error: {e}')
sys.exit(1)
"

- name: Run targeted SAST rescan
id: rescan
continue-on-error: true
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: |
python scripts/run_ai_audit.py \
--project-type auto \
--only-changed \
--review-type security

- name: Update finding status
if: steps.regression.outcome == 'success' && steps.rescan.outcome == 'success'
run: |
python -c "
import sys
sys.path.insert(0, 'scripts')
try:
from findings_store import FindingsStore
store = FindingsStore()
store.record_fix(
finding_id='${{ steps.meta.outputs.finding_id }}',
fix_commit='${{ github.sha }}',
fix_method='autofix',
retest_passed=True,
)
print('Finding marked as fix-verified')
except Exception as e:
print(f'Could not update findings store: {e}')
"

- name: Post retest results
if: always()
uses: actions/github-script@v7
with:
script: |
const regression = '${{ steps.regression.outcome }}';
const rescan = '${{ steps.rescan.outcome }}';
const allPassed = regression === 'success' && rescan === 'success';

const body = `## Argus Retest Results

| Check | Status |
|-------|--------|
| Regression Tests | ${regression === 'success' ? 'Passed' : 'Failed'} |
| SAST Rescan | ${rescan === 'success' ? 'Clean' : 'Issues found'} |
| **Overall** | **${allPassed ? 'Fix Verified' : 'Needs Review'}** |

${allPassed ? 'The fix has been verified. The vulnerability is confirmed resolved.' : 'The retest found issues. Please review the scan results.'}

---
*Argus Security Retest — triggered by merge of \`${{ github.event.pull_request.head.ref }}\`*`;

// Comment on the merged PR
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ github.event.pull_request.number }},
body: body
});
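Review bot: the untrusted `github.event.pull_request.head.ref` reaches two sinks in this hunk, not one. The first is the shell line `BRANCH="${{ github.event.pull_request.head.ref }}"` (the `if:` guard only checks the `argus/fix-` prefix; the rest of the branch name is unconstrained). The second is the `github-script` template literal `*Argus Security Retest — triggered by merge of \`${{ github.event.pull_request.head.ref }}\`*`, where the expression is expanded into JavaScript source before the script runs. Pass the ref through `env:` in both steps (`BRANCH_REF: ${{ github.event.pull_request.head.ref }}`), read `"$BRANCH_REF"` in the shell and `process.env.BRANCH_REF` in the script, and replace `issue_number: ${{ github.event.pull_request.number }}` with `context.payload.pull_request.number`. `finding_id='${{ steps.meta.outputs.finding_id }}'` in the inline Python is bounded to `[a-f0-9]{8}` or `unknown` by the preceding `grep -oP`, so it is safe as written, but `vuln_type` is only `sed`-trimmed and must not be interpolated into a script the same way later. Separately, `store.record_fix(...)` writes to a `FindingsStore` on an ephemeral runner and nothing in this workflow uploads, caches or commits the default `.argus/findings.db`, so the fix-verified record is discarded when the job ends; either persist the database (artifact or cache step) or document that the store must point at external storage for this step to have any effect.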
Comment on lines +100 to +124

Check failure

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection Error

Using variable interpolation ${...} with github context data in an actions/github-script script: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".
102 changes: 102 additions & 0 deletions .github/workflows/post-deploy-scan.yml
@@ -0,0 +1,102 @@
name: Post-Deploy Security Validation
on:
deployment_status:
# Trigger when deployment succeeds
workflow_dispatch:
inputs:
target_url:
description: 'Deployment URL to scan'
required: false
type: string
environment:
description: 'Deployment environment'
required: false
default: 'staging'
type: string

jobs:
post-deploy-scan:
if: >
github.event_name == 'workflow_dispatch' ||
github.event.deployment_status.state == 'success'
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'

- name: Install dependencies
run: pip install -r requirements.txt

- name: Determine deployment context
id: context
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
echo "target_url=${{ inputs.target_url }}" >> $GITHUB_OUTPUT
echo "environment=${{ inputs.environment }}" >> $GITHUB_OUTPUT
else
echo "target_url=${{ github.event.deployment.payload.web_url || '' }}" >> $GITHUB_OUTPUT
echo "environment=${{ github.event.deployment.environment }}" >> $GITHUB_OUTPUT
fi
# Get diff since last successful scan
PREV_SHA=$(git log --format='%H' -2 | tail -1)
echo "prev_sha=$PREV_SHA" >> $GITHUB_OUTPUT
CHANGED=$(git diff --name-only $PREV_SHA HEAD | head -100)
echo "has_changes=$( [ -n "$CHANGED" ] && echo true || echo false )" >> $GITHUB_OUTPUT

Comment on lines +42 to +55

Check failure

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection Error

Using variable interpolation ${...} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".
- name: Run diff-scoped SAST scan
if: steps.context.outputs.has_changes == 'true'
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
ONLY_CHANGED: "true"
run: |
python scripts/run_ai_audit.py \
--project-type auto \
--only-changed \
--review-type security

- name: Run DAST against deployment
if: steps.context.outputs.target_url != ''
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
DAST_TARGET_URL: ${{ steps.context.outputs.target_url }}
run: |
echo "Running DAST scan against $DAST_TARGET_URL"
python -c "
import sys
sys.path.insert(0, 'scripts')
try:
from dast_orchestrator import DASTOrchestrator, OrchestratorConfig
config = OrchestratorConfig(
project_path='.',
enable_nuclei=True,
enable_zap=False,
max_duration=600,
)
orch = DASTOrchestrator(config=config)
results = orch.run('${{ steps.context.outputs.target_url }}')
Script injection via target URL in workflow

High Severity

The ${{ steps.context.outputs.target_url }} is interpolated directly into an inline Python string on line 86. If the URL contains a single quote (e.g., from workflow_dispatch user input or a crafted deployment payload), it breaks out of the Python string literal, enabling arbitrary code execution in the workflow runner. This value originates from ${{ inputs.target_url }} which is directly user-controlled.
print(f'DAST scan complete: {len(results.get(\"findings\", []))} findings')
except ImportError as e:
print(f'DAST not available: {e}')
except Exception as e:
print(f'DAST scan error: {e}')
"

- name: Upload results
if: always()
uses: actions/upload-artifact@v4
with:
name: post-deploy-scan-results
path: |
.argus/
*.sarif
retention-days: 30
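Review bot: the "Determine deployment context" step expands four untrusted values into the shell (`${{ inputs.target_url }}`, `${{ inputs.environment }}`, `${{ github.event.deployment.payload.web_url || '' }}` and `${{ github.event.deployment.environment }}`); `workflow_dispatch` inputs are free text and a deployment payload is authored by whoever created the deployment, so move each into `env:` and write `echo "target_url=$TARGET_URL" >> "$GITHUB_OUTPUT"`. In the DAST step the fix is already half present: the URL is exported as `DAST_TARGET_URL` in `env:`, so `orch.run('${{ steps.context.outputs.target_url }}')` should become `orch.run(os.environ['DAST_TARGET_URL'])` (with `import os` added to the inline script), which removes the single-quote breakout entirely. Two logic points: the `environment` output is written but never read, so the DAST step fires for any deployment whose `deployment_status` is `success`, production included, which contradicts the staging-only default described for live validation; gate the step on `steps.context.outputs.environment` before scanning. And `PREV_SHA=$(git log --format='%H' -2 | tail -1)` is the parent of `HEAD`, not "the last successful scan" as the comment says, so `--only-changed` scopes to a single commit; either correct the comment or derive the base SHA from a recorded value.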
23 changes: 23 additions & 0 deletions CHANGELOG.md
@@ -9,6 +9,29 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).

---

## [6.0.0] - 2026-03-04

### Added — Continuous Security Testing (v3.0)
- **Diff-Intelligent Scanner Scoping** (`scripts/diff_impact_analyzer.py`): Classifies changed files by security relevance, expands blast radius via reverse dependency lookup, generates Semgrep `--include` args for scoped scanning. Toggle: `enable_diff_scoping=True`, `diff_expand_impact_radius=True`
- **Agent-Driven Chain Discovery** (`scripts/agent_chain_discovery.py`): LLM-powered multi-step attack chain discovery beyond rule-based patterns. Cross-component analyzer detects dangerous finding combinations across architectural boundaries (auth+api, models+api, middleware+routes). Toggle: `enable_agent_chain_discovery=False` (opt-in), `enable_cross_component_analysis=True`
- **AutoFix PR Generator** (`scripts/autofix_pr_generator.py`): Generates git branches with applied fixes from RemediationEngine suggestions. Creates conventional-commit-style messages, formatted PR bodies with diff/CWE/testing sections. ClosedLoopOrchestrator wires find-fix-verify into a single flow. Toggle: `enable_autofix_pr=False` (opt-in), `autofix_confidence_threshold="high"`, `autofix_max_prs_per_scan=5`
- **Persistent Findings Store** (`scripts/findings_store.py`): SQLite-backed cross-scan intelligence. Tracks findings across scans via content-based fingerprinting. Detects regressions (previously-fixed findings reappearing), computes MTTF, FP rates, severity trending. Injects historical context into LLM enrichment prompts. Toggle: `enable_findings_store=True`, `findings_db_path=".argus/findings.db"`, `inject_historical_context=True`
- **Application Context Builder** (`scripts/app_context_builder.py`): Detects framework (Django/Flask/Express/Spring/etc.), language, auth mechanism (JWT/OAuth2/session), cloud provider, IaC files, middleware chain, entry points, and OpenAPI specs. Generates `to_prompt_context()` string for LLM prompt injection. Toggle: `enable_app_context=True`
- **SAST-to-DAST Live Validation** (`scripts/sast_dast_validator.py`): Validates SAST findings against live deployment targets. Maps vuln types to HTTP test payloads (SQLi, XSS, SSRF, path traversal, command injection, IDOR). Safety: rejects production targets by default, only allows staging/preview/development. Toggle: `enable_live_validation=False` (opt-in), `live_validation_environment="staging"`
- **Post-Deploy Scan workflow** (`.github/workflows/post-deploy-scan.yml`): Triggers on successful deployments, runs diff-scoped SAST + DAST against deployment URL
- **Retest After Fix workflow** (`.github/workflows/argus-retest.yml`): Triggers when `argus/fix-*` PRs merge, runs regression tests + targeted SAST rescan, updates FindingsStore
- **Continuous Security Testing Guide** (`docs/CONTINUOUS_SECURITY_TESTING_GUIDE.md`): Architecture guide mapping capabilities vs industry-standard autonomous testing
- 13 new config keys added to `config_loader.py` with env var and CLI mappings
- All 7 modules integrated into `hybrid_analyzer.py` with graceful degradation
- 36 new tests (`tests/test_continuous_security.py`) covering all v3.0 modules

### Changed
- Updated README.md with v3.0 feature tables, env vars, and deployment scanning docs
- Updated CLAUDE.md with v3.0 key files and extended documentation references
- Updated `.claude/rules/features.md` and `.claude/rules/development.md` with v3.0 modules

---

## [5.0.0] - 2026-02-16

### Added
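Review bot: the heading is `[6.0.0]` while the section is titled "Continuous Security Testing (v3.0)" and the bullets refer to "v3.0 modules", so a reader cannot tell whether v3.0 is a package version, a feature-set label or a typo; add one clause defining it or drop the parenthetical. The bullet "All 7 modules integrated into `hybrid_analyzer.py`" also does not match the six `scripts/*.py` modules listed above it; confirm the count or name the seventh.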
20 changes: 18 additions & 2 deletions CLAUDE.md
@@ -1,6 +1,6 @@
# CLAUDE.md - Argus Security

> Enterprise-grade AI Security Platform with 6-phase analysis pipeline.
> Enterprise-grade AI Security Platform with 6-phase analysis pipeline and continuous autonomous security testing.

## What This Does

@@ -17,6 +17,15 @@ Phase 6: Reporting → SARIF, JSON, Markdown outputs

**Results:** 60-70% false positive reduction, +15-20% more findings via heuristic-based spontaneous discovery (regex pattern matching, not AI-powered).

**v3.0 Continuous Security:**
- Diff-intelligent scanner scoping with blast radius expansion
- Persistent cross-scan findings store with regression detection
- Application context auto-detection for context-aware scanning
- LLM-powered attack chain discovery + cross-component analysis
- AutoFix PR generation with closed-loop find-fix-verify
- SAST-to-DAST live validation against staging targets
- Deployment-triggered scanning via GitHub Actions workflows

## Quick Start

```bash
@@ -47,10 +56,17 @@ python scripts/run_ai_audit.py --project-type backend-api
| `scripts/agent_personas.py` | Phase 3: multi-agent review |
| `scripts/sandbox_validator.py` | Phase 4: Docker validation |
| `policy/rego/` | Phase 5: OPA policies |
| `scripts/diff_impact_analyzer.py` | v3.0: Diff-intelligent scanner scoping |
| `scripts/findings_store.py` | v3.0: SQLite persistent findings store |
| `scripts/app_context_builder.py` | v3.0: Application context auto-detection |
| `scripts/agent_chain_discovery.py` | v3.0: LLM attack chain discovery |
| `scripts/autofix_pr_generator.py` | v3.0: AutoFix PR generation + closed loop |
| `scripts/sast_dast_validator.py` | v3.0: SAST-to-DAST live validation |

## Extended Documentation

Details moved to scoped rule files (auto-loaded when editing relevant files):
- `.claude/rules/pipeline.md` — 6-phase pipeline architecture
- `.claude/rules/features.md` — Advanced feature modules + config toggles
- `.claude/rules/features.md` — Advanced feature modules + config toggles (incl. v3.0)
- `.claude/rules/development.md` — Docker, GitHub Action, project structure
- `docs/CONTINUOUS_SECURITY_TESTING_GUIDE.md` — v3.0 architecture and gap analysis