CalvinBackup/fuzzforge_ai
1
0
Fork 0
mirror of https://github.com/FuzzingLabs/fuzzforge_ai.git synced 2026-05-26 22:42:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add secret detection workflows and comprehensive benchmarking (#15)

Browse Source 
Add three production-ready secret detection workflows with full benchmarking infrastructure:

**New Workflows:**
- gitleaks_detection: Pattern-based secret scanning (13/32 benchmark secrets)
- trufflehog_detection: Entropy-based detection with verification (1/32 benchmark secrets)
- llm_secret_detection: AI-powered semantic analysis (32/32 benchmark secrets - 100% recall)

**Benchmarking Infrastructure:**
- Ground truth dataset with 32 documented secrets (12 Easy, 10 Medium, 10 Hard)
- Automated comparison tools for precision/recall testing
- SARIF output format for all workflows
- Performance metrics and tool comparison reports

**Fixes:**
- Set gitleaks default to no_git=True for uploaded directories
- Update documentation with correct secret counts and workflow names
- Temporarily deactivate AI agent command
- Clean up deprecated test files and GitGuardian workflow

**Testing:**
All workflows verified on secret_detection_benchmark and vulnerable_app test projects.
Workers healthy and system fully functional.
This commit is contained in:
tduhamel42
2025-10-16 11:21:24 +02:00
committed by GitHub
parent c3ce03e216
commit 2da986ebb0
28 changed files with 2505 additions and 648 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/toolbox/modules/secret_detection/__init__.py
+2
View File
@@ -7,6 +7,8 @@ in codebases and repositories.
Available modules:
- TruffleHog: Comprehensive secret detection with verification
- Gitleaks: Git-specific secret scanning and leak detection
- GitGuardian: Enterprise secret detection using GitGuardian API
- LLM Secret Detector: AI-powered semantic secret detection
"""
# Copyright (c) 2025 FuzzingLabs
#
backend/toolbox/modules/secret_detection/gitleaks.py
+3 -1
View File
@@ -248,7 +248,8 @@ class GitleaksModule(BaseModule):
rule_id = result.get("RuleID", "unknown")
description = result.get("Description", "")
file_path = result.get("File", "")
line_number = result.get("LineNumber", 0)
line_number = result.get("StartLine", 0) # Gitleaks outputs "StartLine", not "LineNumber"
line_end = result.get("EndLine", 0)
secret = result.get("Secret", "")
match_text = result.get("Match", "")
@@ -278,6 +279,7 @@ class GitleaksModule(BaseModule):
category="secret_leak",
file_path=file_path if file_path else None,
line_start=line_number if line_number > 0 else None,
line_end=line_end if line_end > 0 else None,
code_snippet=match_text if match_text else secret,
recommendation=self._get_leak_recommendation(rule_id),
metadata={
backend/toolbox/modules/secret_detection/llm_secret_detector.py
+397
View File
@@ -0,0 +1,397 @@
"""
LLM Secret Detection Module
This module uses an LLM to detect secrets and sensitive information via semantic understanding.
"""
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
import logging
from pathlib import Path
from typing import Dict, Any, List
from ..base import BaseModule, ModuleMetadata, ModuleFinding, ModuleResult
from . import register_module
logger = logging.getLogger(__name__)
@register_module
class LLMSecretDetectorModule(BaseModule):
"""
LLM-based secret detection module using AI semantic analysis.
Uses an LLM agent to identify secrets through natural language understanding,
potentially catching secrets that pattern-based tools miss.
"""
def get_metadata(self) -> ModuleMetadata:
"""Get module metadata"""
return ModuleMetadata(
name="llm_secret_detector",
version="1.0.0",
description="AI-powered secret detection using LLM semantic analysis",
author="FuzzForge Team",
category="secret_detection",
tags=["secrets", "llm", "ai", "semantic"],
input_schema={
"type": "object",
"properties": {
"agent_url": {
"type": "string",
"default": "http://fuzzforge-task-agent:8000/a2a/litellm_agent",
"description": "A2A agent endpoint URL"
},
"llm_model": {
"type": "string",
"default": "gpt-4o-mini",
"description": "LLM model to use"
},
"llm_provider": {
"type": "string",
"default": "openai",
"description": "LLM provider (openai, anthropic, etc.)"
},
"file_patterns": {
"type": "array",
"items": {"type": "string"},
"default": ["*.py", "*.js", "*.ts", "*.java", "*.go", "*.env", "*.yaml", "*.yml", "*.json", "*.xml", "*.ini", "*.sql", "*.properties", "*.sh", "*.bat", "*.config", "*.conf", "*.toml", "*id_rsa*"],
"description": "File patterns to analyze"
},
"max_files": {
"type": "integer",
"default": 20,
"description": "Maximum number of files to analyze"
},
"max_file_size": {
"type": "integer",
"default": 30000,
"description": "Maximum file size in bytes (30KB default)"
},
"timeout": {
"type": "integer",
"default": 45,
"description": "Timeout per file in seconds"
}
},
"required": []
},
output_schema={
"type": "object",
"properties": {
"findings": {
"type": "array",
"description": "Secrets identified by LLM"
}
}
}
)
def validate_config(self, config: Dict[str, Any]) -> bool:
"""Validate module configuration"""
# Lazy import to avoid Temporal sandbox restrictions
try:
from fuzzforge_ai.a2a_wrapper import send_agent_task # noqa: F401
except ImportError:
raise RuntimeError(
"A2A wrapper not available. Ensure fuzzforge_ai module is accessible."
)
agent_url = config.get("agent_url")
if not agent_url or not isinstance(agent_url, str):
raise ValueError("agent_url must be a valid URL string")
max_files = config.get("max_files", 20)
if not isinstance(max_files, int) or max_files <= 0:
raise ValueError("max_files must be a positive integer")
return True
async def execute(self, config: Dict[str, Any], workspace: Path) -> ModuleResult:
"""
Execute LLM-based secret detection.
Args:
config: Module configuration
workspace: Path to the workspace containing code to analyze
Returns:
ModuleResult with secrets detected by LLM
"""
self.start_timer()
logger.info(f"Starting LLM secret detection in workspace: {workspace}")
# Extract configuration
agent_url = config.get("agent_url", "http://fuzzforge-task-agent:8000/a2a/litellm_agent")
llm_model = config.get("llm_model", "gpt-4o-mini")
llm_provider = config.get("llm_provider", "openai")
file_patterns = config.get("file_patterns", ["*.py", "*.js", "*.ts", "*.java", "*.go", "*.env", "*.yaml", "*.yml", "*.json", "*.xml", "*.ini", "*.sql", "*.properties", "*.sh", "*.bat", "*.config", "*.conf", "*.toml", "*id_rsa*", "*.txt"])
max_files = config.get("max_files", 20)
max_file_size = config.get("max_file_size", 30000)
timeout = config.get("timeout", 30) # Reduced from 45s
# Find files to analyze
# Skip files that are unlikely to contain secrets
skip_patterns = ['*.sarif', '*.md', '*.html', '*.css', '*.db', '*.sqlite']
files_to_analyze = []
for pattern in file_patterns:
for file_path in workspace.rglob(pattern):
if file_path.is_file():
try:
# Skip unlikely files
if any(file_path.match(skip) for skip in skip_patterns):
logger.debug(f"Skipping {file_path.name} (unlikely to have secrets)")
continue
# Check file size
if file_path.stat().st_size > max_file_size:
logger.debug(f"Skipping {file_path} (too large)")
continue
files_to_analyze.append(file_path)
if len(files_to_analyze) >= max_files:
break
except Exception as e:
logger.warning(f"Error checking file {file_path}: {e}")
continue
if len(files_to_analyze) >= max_files:
break
logger.info(f"Found {len(files_to_analyze)} files to analyze for secrets")
# Analyze each file with LLM
all_findings = []
for file_path in files_to_analyze:
logger.info(f"Analyzing: {file_path.relative_to(workspace)}")
try:
findings = await self._analyze_file_for_secrets(
file_path=file_path,
workspace=workspace,
agent_url=agent_url,
llm_model=llm_model,
llm_provider=llm_provider,
timeout=timeout
)
all_findings.extend(findings)
except Exception as e:
logger.error(f"Error analyzing {file_path}: {e}")
# Continue with next file
continue
logger.info(f"LLM secret detection complete. Found {len(all_findings)} potential secrets.")
# Create result
return self.create_result(
findings=all_findings,
status="success",
summary={
"files_analyzed": len(files_to_analyze),
"total_secrets": len(all_findings),
"agent_url": agent_url,
"model": f"{llm_provider}/{llm_model}"
}
)
async def _analyze_file_for_secrets(
self,
file_path: Path,
workspace: Path,
agent_url: str,
llm_model: str,
llm_provider: str,
timeout: int
) -> List[ModuleFinding]:
"""Analyze a single file for secrets using LLM"""
# Read file content
try:
with open(file_path, 'r', encoding='utf-8') as f:
code_content = f.read()
except Exception as e:
logger.error(f"Failed to read {file_path}: {e}")
return []
# Build specialized prompt for secret detection
system_prompt = (
"You are a security expert specialized in detecting secrets and credentials in code. "
"Your job is to find REAL secrets that could be exploited. Be thorough and aggressive.\n\n"
"For each secret found, respond in this exact format:\n"
"SECRET_FOUND: [type like 'AWS Key', 'GitHub Token', 'Database Password']\n"
"SEVERITY: [critical/high/medium/low]\n"
"LINE: [exact line number]\n"
"CONFIDENCE: [high/medium/low]\n"
"DESCRIPTION: [brief explanation]\n\n"
"EXAMPLES of secrets to find:\n"
"1. API Keys: 'AKIA...', 'ghp_...', 'sk_live_...', 'SG.'\n"
"2. Tokens: Bearer tokens, OAuth tokens, JWT secrets\n"
"3. Passwords: Database passwords, admin passwords in configs\n"
"4. Connection Strings: mongodb://, postgres://, redis:// with credentials\n"
"5. Private Keys: -----BEGIN PRIVATE KEY-----, -----BEGIN RSA PRIVATE KEY-----\n"
"6. Cloud Credentials: AWS keys, GCP keys, Azure keys\n"
"7. Encryption Keys: AES keys, secret keys in config\n"
"8. Webhook URLs: URLs with tokens like hooks.slack.com/services/...\n\n"
"FIND EVERYTHING that looks like a real credential, password, key, or token.\n"
"DO NOT be overly cautious. Report anything suspicious.\n\n"
"If absolutely no secrets exist, respond with 'NO_SECRETS_FOUND'."
)
user_message = (
f"Analyze this code for secrets and credentials:\n\n"
f"File: {file_path.relative_to(workspace)}\n\n"
f"```\n{code_content}\n```"
)
# Call LLM via A2A wrapper
try:
from fuzzforge_ai.a2a_wrapper import send_agent_task
result = await send_agent_task(
url=agent_url,
model=llm_model,
provider=llm_provider,
prompt=system_prompt,
message=user_message,
context=f"secret_detection_{file_path.stem}",
timeout=float(timeout)
)
llm_response = result.text
# Debug: Log LLM response
logger.debug(f"LLM response for {file_path.name}: {llm_response[:200]}...")
except Exception as e:
logger.error(f"A2A call failed for {file_path}: {e}")
return []
# Parse LLM response into findings
findings = self._parse_llm_response(
llm_response=llm_response,
file_path=file_path,
workspace=workspace
)
if findings:
logger.info(f"Found {len(findings)} secrets in {file_path.name}")
else:
logger.debug(f"No secrets found in {file_path.name}. Response: {llm_response[:500]}")
return findings
def _parse_llm_response(
self,
llm_response: str,
file_path: Path,
workspace: Path
) -> List[ModuleFinding]:
"""Parse LLM response into structured findings"""
if "NO_SECRETS_FOUND" in llm_response:
return []
findings = []
relative_path = str(file_path.relative_to(workspace))
# Simple parser for the expected format
lines = llm_response.split('\n')
current_secret = {}
for line in lines:
line = line.strip()
if line.startswith("SECRET_FOUND:"):
# Save previous secret if exists
if current_secret:
findings.append(self._create_secret_finding(current_secret, relative_path))
current_secret = {"type": line.replace("SECRET_FOUND:", "").strip()}
elif line.startswith("SEVERITY:"):
severity = line.replace("SEVERITY:", "").strip().lower()
current_secret["severity"] = severity
elif line.startswith("LINE:"):
line_num = line.replace("LINE:", "").strip()
try:
current_secret["line"] = int(line_num)
except ValueError:
current_secret["line"] = None
elif line.startswith("CONFIDENCE:"):
confidence = line.replace("CONFIDENCE:", "").strip().lower()
current_secret["confidence"] = confidence
elif line.startswith("DESCRIPTION:"):
current_secret["description"] = line.replace("DESCRIPTION:", "").strip()
# Save last secret
if current_secret:
findings.append(self._create_secret_finding(current_secret, relative_path))
return findings
def _create_secret_finding(self, secret: Dict[str, Any], file_path: str) -> ModuleFinding:
"""Create a ModuleFinding from parsed secret"""
severity_map = {
"critical": "critical",
"high": "high",
"medium": "medium",
"low": "low"
}
severity = severity_map.get(secret.get("severity", "medium"), "medium")
confidence = secret.get("confidence", "medium")
# Adjust severity based on confidence
if confidence == "low" and severity == "critical":
severity = "high"
elif confidence == "low" and severity == "high":
severity = "medium"
# Create finding
title = f"LLM detected secret: {secret.get('type', 'Unknown secret')}"
description = secret.get("description", "An LLM identified this as a potential secret.")
description += f"\n\nConfidence: {confidence}"
return self.create_finding(
title=title,
description=description,
severity=severity,
category="secret_detection",
file_path=file_path,
line_start=secret.get("line"),
recommendation=self._get_secret_recommendation(secret.get("type", "")),
metadata={
"tool": "llm-secret-detector",
"secret_type": secret.get("type", "unknown"),
"confidence": confidence,
"detection_method": "semantic-analysis"
}
)
def _get_secret_recommendation(self, secret_type: str) -> str:
"""Get remediation recommendation for detected secret"""
return (
f"A potential {secret_type} was detected by AI analysis. "
f"Verify whether this is a real secret or a false positive. "
f"If real: (1) Revoke the credential immediately, "
f"(2) Remove from codebase and Git history, "
f"(3) Rotate to a new secret, "
f"(4) Use secret management tools for storage. "
f"Implement pre-commit hooks to prevent future leaks."
)
backend/toolbox/modules/secret_detection/trufflehog.py
+3 -13
View File
@@ -61,11 +61,6 @@ class TruffleHogModule(BaseModule):
"items": {"type": "string"},
"description": "Specific detectors to exclude"
},
"max_depth": {
"type": "integer",
"default": 10,
"description": "Maximum directory depth to scan"
},
"concurrency": {
"type": "integer",
"default": 10,
@@ -100,11 +95,6 @@ class TruffleHogModule(BaseModule):
if not isinstance(concurrency, int) or concurrency < 1 or concurrency > 50:
raise ValueError("Concurrency must be between 1 and 50")
# Check max_depth bounds
max_depth = config.get("max_depth", 10)
if not isinstance(max_depth, int) or max_depth < 1 or max_depth > 20:
raise ValueError("Max depth must be between 1 and 20")
return True
async def execute(self, config: Dict[str, Any], workspace: Path) -> ModuleResult:
@@ -124,6 +114,9 @@ class TruffleHogModule(BaseModule):
# Add verification flag
if config.get("verify", False):
cmd.append("--verify")
else:
# Explicitly disable verification to get all unverified secrets
cmd.append("--no-verification")
# Add JSON output
cmd.extend(["--json", "--no-update"])
@@ -131,9 +124,6 @@ class TruffleHogModule(BaseModule):
# Add concurrency
cmd.extend(["--concurrency", str(config.get("concurrency", 10))])
# Add max depth
cmd.extend(["--max-depth", str(config.get("max_depth", 10))])
# Add include/exclude detectors
if config.get("include_detectors"):
cmd.extend(["--include-detectors", ",".join(config["include_detectors"])])
backend/toolbox/workflows/gitleaks_detection/__init__.py
+19
View File
@@ -0,0 +1,19 @@
"""
Gitleaks Detection Workflow
"""
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
from .workflow import GitleaksDetectionWorkflow
from .activities import scan_with_gitleaks
__all__ = ["GitleaksDetectionWorkflow", "scan_with_gitleaks"]
backend/toolbox/workflows/gitleaks_detection/activities.py
+166
View File
@@ -0,0 +1,166 @@
"""
Gitleaks Detection Workflow Activities
"""
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
import logging
from pathlib import Path
from typing import Dict, Any
from temporalio import activity
try:
from toolbox.modules.secret_detection.gitleaks import GitleaksModule
except ImportError:
try:
from modules.secret_detection.gitleaks import GitleaksModule
except ImportError:
from src.toolbox.modules.secret_detection.gitleaks import GitleaksModule
logger = logging.getLogger(__name__)
@activity.defn(name="scan_with_gitleaks")
async def scan_with_gitleaks(target_path: str, config: Dict[str, Any]) -> Dict[str, Any]:
"""
Scan code using Gitleaks.
Args:
target_path: Path to the workspace containing code
config: Gitleaks configuration
Returns:
Dictionary containing findings and summary
"""
activity.logger.info(f"Starting Gitleaks scan: {target_path}")
activity.logger.info(f"Config: {config}")
workspace = Path(target_path)
if not workspace.exists():
raise FileNotFoundError(f"Workspace not found: {target_path}")
# Create and execute Gitleaks module
gitleaks = GitleaksModule()
# Validate configuration
gitleaks.validate_config(config)
# Execute scan
result = await gitleaks.execute(config, workspace)
if result.status == "failed":
raise RuntimeError(f"Gitleaks scan failed: {result.error or 'Unknown error'}")
activity.logger.info(
f"Gitleaks scan completed: {len(result.findings)} findings from "
f"{result.summary.get('files_scanned', 0)} files"
)
# Convert ModuleFinding objects to dicts for serialization
findings_dicts = [finding.model_dump() for finding in result.findings]
return {
"findings": findings_dicts,
"summary": result.summary
}
@activity.defn(name="gitleaks_generate_sarif")
async def gitleaks_generate_sarif(findings: list, metadata: Dict[str, Any]) -> Dict[str, Any]:
"""
Generate SARIF report from Gitleaks findings.
Args:
findings: List of finding dictionaries
metadata: Metadata including tool_name, tool_version, run_id
Returns:
SARIF report dictionary
"""
activity.logger.info(f"Generating SARIF report from {len(findings)} findings")
# Debug: Check if first finding has line_start
if findings:
first_finding = findings[0]
activity.logger.info(f"First finding keys: {list(first_finding.keys())}")
activity.logger.info(f"line_start value: {first_finding.get('line_start')}")
# Basic SARIF 2.1.0 structure
sarif_report = {
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": metadata.get("tool_name", "gitleaks"),
"version": metadata.get("tool_version", "8.18.0"),
"informationUri": "https://github.com/gitleaks/gitleaks"
}
},
"results": []
}
]
}
# Convert findings to SARIF results
for finding in findings:
sarif_result = {
"ruleId": finding.get("metadata", {}).get("rule_id", "unknown"),
"level": _severity_to_sarif_level(finding.get("severity", "warning")),
"message": {
"text": finding.get("title", "Secret leak detected")
},
"locations": []
}
# Add description if present
if finding.get("description"):
sarif_result["message"]["markdown"] = finding["description"]
# Add location if file path is present
if finding.get("file_path"):
location = {
"physicalLocation": {
"artifactLocation": {
"uri": finding["file_path"]
}
}
}
# Add region if line number is present
if finding.get("line_start"):
location["physicalLocation"]["region"] = {
"startLine": finding["line_start"]
}
sarif_result["locations"].append(location)
sarif_report["runs"][0]["results"].append(sarif_result)
activity.logger.info(f"Generated SARIF report with {len(sarif_report['runs'][0]['results'])} results")
return sarif_report
def _severity_to_sarif_level(severity: str) -> str:
"""Convert severity to SARIF level"""
severity_map = {
"critical": "error",
"high": "error",
"medium": "warning",
"low": "note",
"info": "note"
}
return severity_map.get(severity.lower(), "warning")
backend/toolbox/workflows/gitleaks_detection/metadata.yaml
+42
View File
@@ -0,0 +1,42 @@
name: gitleaks_detection
version: "1.0.0"
vertical: secrets
description: "Detect secrets and credentials using Gitleaks"
author: "FuzzForge Team"
tags:
- "secrets"
- "gitleaks"
- "git"
- "leak-detection"
workspace_isolation: "shared"
parameters:
type: object
properties:
scan_mode:
type: string
enum: ["detect", "protect"]
default: "detect"
description: "Scan mode: detect (entire repo history) or protect (staged changes)"
redact:
type: boolean
default: true
description: "Redact secrets in output"
no_git:
type: boolean
default: false
description: "Scan files without Git context"
default_parameters:
scan_mode: "detect"
redact: true
no_git: false
required_modules:
- "gitleaks"
supported_volume_modes:
- "ro"
backend/toolbox/workflows/gitleaks_detection/workflow.py
+187
View File
@@ -0,0 +1,187 @@
"""
Gitleaks Detection Workflow - Temporal Version
Scans code for secrets and credentials using Gitleaks.
"""
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
from datetime import timedelta
from typing import Dict, Any, Optional
from temporalio import workflow
from temporalio.common import RetryPolicy
# Import for type hints (will be executed by worker)
with workflow.unsafe.imports_passed_through():
import logging
logger = logging.getLogger(__name__)
@workflow.defn
class GitleaksDetectionWorkflow:
"""
Scan code for secrets using Gitleaks.
User workflow:
1. User runs: ff workflow run gitleaks_detection .
2. CLI uploads project to MinIO
3. Worker downloads project
4. Worker runs Gitleaks
5. Secrets reported as findings in SARIF format
"""
@workflow.run
async def run(
self,
target_id: str, # MinIO UUID of uploaded user code
scan_mode: str = "detect",
redact: bool = True,
no_git: bool = True
) -> Dict[str, Any]:
"""
Main workflow execution.
Args:
target_id: UUID of the uploaded target in MinIO
scan_mode: Scan mode ('detect' or 'protect')
redact: Redact secrets in output
no_git: Scan files without Git context
Returns:
Dictionary containing findings and summary
"""
workflow_id = workflow.info().workflow_id
workflow.logger.info(
f"Starting GitleaksDetectionWorkflow "
f"(workflow_id={workflow_id}, target_id={target_id}, scan_mode={scan_mode})"
)
results = {
"workflow_id": workflow_id,
"target_id": target_id,
"status": "running",
"steps": [],
"findings": []
}
try:
# Get run ID for workspace isolation
run_id = workflow.info().run_id
# Step 1: Download user's project from MinIO
workflow.logger.info("Step 1: Downloading user code from MinIO")
target_path = await workflow.execute_activity(
"get_target",
args=[target_id, run_id, "shared"],
start_to_close_timeout=timedelta(minutes=5),
retry_policy=RetryPolicy(
initial_interval=timedelta(seconds=1),
maximum_interval=timedelta(seconds=30),
maximum_attempts=3
)
)
results["steps"].append({
"step": "download",
"status": "success",
"target_path": target_path
})
workflow.logger.info(f"✓ Target downloaded to: {target_path}")
# Step 2: Run Gitleaks
workflow.logger.info("Step 2: Scanning with Gitleaks")
scan_config = {
"scan_mode": scan_mode,
"redact": redact,
"no_git": no_git
}
scan_results = await workflow.execute_activity(
"scan_with_gitleaks",
args=[target_path, scan_config],
start_to_close_timeout=timedelta(minutes=10),
retry_policy=RetryPolicy(
initial_interval=timedelta(seconds=2),
maximum_interval=timedelta(seconds=60),
maximum_attempts=2
)
)
results["steps"].append({
"step": "gitleaks_scan",
"status": "success",
"leaks_found": scan_results.get("summary", {}).get("total_leaks", 0)
})
workflow.logger.info(
f"✓ Gitleaks scan completed: "
f"{scan_results.get('summary', {}).get('total_leaks', 0)} leaks found"
)
# Step 3: Generate SARIF report
workflow.logger.info("Step 3: Generating SARIF report")
sarif_report = await workflow.execute_activity(
"gitleaks_generate_sarif",
args=[scan_results.get("findings", []), {"tool_name": "gitleaks", "tool_version": "8.18.0"}],
start_to_close_timeout=timedelta(minutes=2)
)
# Step 4: Upload results to MinIO
workflow.logger.info("Step 4: Uploading results")
try:
results_url = await workflow.execute_activity(
"upload_results",
args=[workflow_id, scan_results, "json"],
start_to_close_timeout=timedelta(minutes=2)
)
results["results_url"] = results_url
workflow.logger.info(f"✓ Results uploaded to: {results_url}")
except Exception as e:
workflow.logger.warning(f"Failed to upload results: {e}")
results["results_url"] = None
# Step 5: Cleanup cache
workflow.logger.info("Step 5: Cleaning up cache")
try:
await workflow.execute_activity(
"cleanup_cache",
args=[target_path, "shared"],
start_to_close_timeout=timedelta(minutes=1)
)
workflow.logger.info("✓ Cache cleaned up")
except Exception as e:
workflow.logger.warning(f"Cache cleanup failed: {e}")
# Mark workflow as successful
results["status"] = "success"
results["findings"] = scan_results.get("findings", [])
results["summary"] = scan_results.get("summary", {})
results["sarif"] = sarif_report or {}
workflow.logger.info(
f"✓ Workflow completed successfully: {workflow_id} "
f"({results['summary'].get('total_leaks', 0)} leaks found)"
)
return results
except Exception as e:
workflow.logger.error(f"Workflow failed: {e}")
results["status"] = "error"
results["error"] = str(e)
results["steps"].append({
"step": "error",
"status": "failed",
"error": str(e)
})
raise
backend/toolbox/workflows/llm_secret_detection/__init__.py
+6
View File
@@ -0,0 +1,6 @@
"""LLM Secret Detection Workflow"""
from .workflow import LlmSecretDetectionWorkflow
from .activities import scan_with_llm
__all__ = ["LlmSecretDetectionWorkflow", "scan_with_llm"]
backend/toolbox/workflows/llm_secret_detection/activities.py
+112
View File
@@ -0,0 +1,112 @@
"""LLM Secret Detection Workflow Activities"""
from pathlib import Path
from typing import Dict, Any
from temporalio import activity
try:
from toolbox.modules.secret_detection.llm_secret_detector import LLMSecretDetectorModule
except ImportError:
from modules.secret_detection.llm_secret_detector import LLMSecretDetectorModule
@activity.defn(name="scan_with_llm")
async def scan_with_llm(target_path: str, config: Dict[str, Any]) -> Dict[str, Any]:
"""Scan code using LLM."""
activity.logger.info(f"Starting LLM secret detection: {target_path}")
workspace = Path(target_path)
llm_detector = LLMSecretDetectorModule()
llm_detector.validate_config(config)
result = await llm_detector.execute(config, workspace)
if result.status == "failed":
raise RuntimeError(f"LLM detection failed: {result.error}")
findings_dicts = [finding.model_dump() for finding in result.findings]
return {"findings": findings_dicts, "summary": result.summary}
@activity.defn(name="llm_secret_generate_sarif")
async def llm_secret_generate_sarif(findings: list, metadata: Dict[str, Any]) -> Dict[str, Any]:
"""
Generate SARIF report from LLM secret detection findings.
Args:
findings: List of finding dictionaries from LLM secret detector
metadata: Metadata including tool_name, tool_version
Returns:
SARIF 2.1.0 report dictionary
"""
activity.logger.info(f"Generating SARIF report from {len(findings)} findings")
# Basic SARIF 2.1.0 structure
sarif_report = {
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": metadata.get("tool_name", "llm-secret-detector"),
"version": metadata.get("tool_version", "1.0.0"),
"informationUri": "https://github.com/FuzzingLabs/fuzzforge_ai"
}
},
"results": []
}
]
}
# Convert findings to SARIF results
for finding in findings:
sarif_result = {
"ruleId": finding.get("id", finding.get("metadata", {}).get("secret_type", "unknown-secret")),
"level": _severity_to_sarif_level(finding.get("severity", "warning")),
"message": {
"text": finding.get("title", "Secret detected by LLM")
},
"locations": []
}
# Add description if present
if finding.get("description"):
sarif_result["message"]["markdown"] = finding["description"]
# Add location if file path is present
if finding.get("file_path"):
location = {
"physicalLocation": {
"artifactLocation": {
"uri": finding["file_path"]
}
}
}
# Add region if line number is present
if finding.get("line_start"):
location["physicalLocation"]["region"] = {
"startLine": finding["line_start"]
}
if finding.get("line_end"):
location["physicalLocation"]["region"]["endLine"] = finding["line_end"]
sarif_result["locations"].append(location)
sarif_report["runs"][0]["results"].append(sarif_result)
activity.logger.info(f"Generated SARIF report with {len(sarif_report['runs'][0]['results'])} results")
return sarif_report
def _severity_to_sarif_level(severity: str) -> str:
"""Convert severity to SARIF level"""
severity_map = {
"critical": "error",
"high": "error",
"medium": "warning",
"low": "note",
"info": "note"
}
return severity_map.get(severity.lower(), "warning")
backend/toolbox/workflows/llm_secret_detection/metadata.yaml
+43
View File
@@ -0,0 +1,43 @@
name: llm_secret_detection
version: "1.0.0"
vertical: secrets
description: "AI-powered secret detection using LLM semantic analysis"
author: "FuzzForge Team"
tags:
- "secrets"
- "llm"
- "ai"
- "semantic"
workspace_isolation: "shared"
parameters:
type: object
properties:
agent_url:
type: string
default: "http://fuzzforge-task-agent:8000/a2a/litellm_agent"
llm_model:
type: string
default: "gpt-4o-mini"
llm_provider:
type: string
default: "openai"
max_files:
type: integer
default: 20
default_parameters:
agent_url: "http://fuzzforge-task-agent:8000/a2a/litellm_agent"
llm_model: "gpt-4o-mini"
llm_provider: "openai"
max_files: 20
required_modules:
- "llm_secret_detector"
supported_volume_modes:
- "ro"
backend/toolbox/workflows/llm_secret_detection/workflow.py
+156
View File
@@ -0,0 +1,156 @@
"""LLM Secret Detection Workflow"""
from datetime import timedelta
from typing import Dict, Any, Optional
from temporalio import workflow
from temporalio.common import RetryPolicy
@workflow.defn
class LlmSecretDetectionWorkflow:
"""Scan code for secrets using LLM AI."""
@workflow.run
async def run(
self,
target_id: str,
agent_url: Optional[str] = None,
llm_model: Optional[str] = None,
llm_provider: Optional[str] = None,
max_files: Optional[int] = None,
timeout: Optional[int] = None,
file_patterns: Optional[list] = None
) -> Dict[str, Any]:
workflow_id = workflow.info().workflow_id
run_id = workflow.info().run_id
workflow.logger.info(
f"Starting LLM Secret Detection Workflow "
f"(workflow_id={workflow_id}, target_id={target_id}, model={llm_model})"
)
results = {
"workflow_id": workflow_id,
"target_id": target_id,
"status": "running",
"steps": [],
"findings": []
}
try:
# Step 1: Download target from MinIO
workflow.logger.info("Step 1: Downloading target from MinIO")
target_path = await workflow.execute_activity(
"get_target",
args=[target_id, run_id, "shared"],
start_to_close_timeout=timedelta(minutes=5),
retry_policy=RetryPolicy(
initial_interval=timedelta(seconds=1),
maximum_interval=timedelta(seconds=30),
maximum_attempts=3
)
)
results["steps"].append({
"step": "download",
"status": "success",
"target_path": target_path
})
workflow.logger.info(f"✓ Target downloaded to: {target_path}")
# Step 2: Scan with LLM
workflow.logger.info("Step 2: Scanning with LLM")
config = {}
if agent_url:
config["agent_url"] = agent_url
if llm_model:
config["llm_model"] = llm_model
if llm_provider:
config["llm_provider"] = llm_provider
if max_files:
config["max_files"] = max_files
if timeout:
config["timeout"] = timeout
if file_patterns:
config["file_patterns"] = file_patterns
scan_results = await workflow.execute_activity(
"scan_with_llm",
args=[target_path, config],
start_to_close_timeout=timedelta(minutes=30),
retry_policy=RetryPolicy(
initial_interval=timedelta(seconds=2),
maximum_interval=timedelta(seconds=60),
maximum_attempts=2
)
)
findings_count = len(scan_results.get("findings", []))
results["steps"].append({
"step": "llm_scan",
"status": "success",
"secrets_found": findings_count
})
workflow.logger.info(f"✓ LLM scan completed: {findings_count} secrets found")
# Step 3: Generate SARIF report
workflow.logger.info("Step 3: Generating SARIF report")
sarif_report = await workflow.execute_activity(
"llm_generate_sarif", # Use shared LLM SARIF activity
args=[
scan_results.get("findings", []),
{
"tool_name": f"llm-secret-detector ({llm_model or 'gpt-4o-mini'})",
"tool_version": "1.0.0"
}
],
start_to_close_timeout=timedelta(minutes=2)
)
workflow.logger.info("✓ SARIF report generated")
# Step 4: Upload results to MinIO
workflow.logger.info("Step 4: Uploading results")
try:
results_url = await workflow.execute_activity(
"upload_results",
args=[workflow_id, scan_results, "json"],
start_to_close_timeout=timedelta(minutes=2)
)
results["results_url"] = results_url
workflow.logger.info(f"✓ Results uploaded to: {results_url}")
except Exception as e:
workflow.logger.warning(f"Failed to upload results: {e}")
results["results_url"] = None
# Step 5: Cleanup cache
workflow.logger.info("Step 5: Cleaning up cache")
try:
await workflow.execute_activity(
"cleanup_cache",
args=[target_path, "shared"],
start_to_close_timeout=timedelta(minutes=1)
)
workflow.logger.info("✓ Cache cleaned up")
except Exception as e:
workflow.logger.warning(f"Cache cleanup failed: {e}")
# Mark workflow as successful
results["status"] = "success"
results["findings"] = scan_results.get("findings", [])
results["summary"] = scan_results.get("summary", {})
results["sarif"] = sarif_report or {}
workflow.logger.info(
f"✓ Workflow completed successfully: {workflow_id} "
f"({findings_count} secrets found)"
)
return results
except Exception as e:
workflow.logger.error(f"Workflow failed: {e}")
results["status"] = "error"
results["error"] = str(e)
results["steps"].append({
"step": "error",
"status": "failed",
"error": str(e)
})
raise
backend/toolbox/workflows/trufflehog_detection/__init__.py
+13
View File
@@ -0,0 +1,13 @@
"""
TruffleHog Detection Workflow
"""
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
from .workflow import TrufflehogDetectionWorkflow
from .activities import scan_with_trufflehog, trufflehog_generate_sarif
__all__ = ["TrufflehogDetectionWorkflow", "scan_with_trufflehog", "trufflehog_generate_sarif"]
backend/toolbox/workflows/trufflehog_detection/activities.py
+111
View File
@@ -0,0 +1,111 @@
"""TruffleHog Detection Workflow Activities"""
import logging
from pathlib import Path
from typing import Dict, Any
from temporalio import activity
try:
from toolbox.modules.secret_detection.trufflehog import TruffleHogModule
except ImportError:
from modules.secret_detection.trufflehog import TruffleHogModule
@activity.defn(name="scan_with_trufflehog")
async def scan_with_trufflehog(target_path: str, config: Dict[str, Any]) -> Dict[str, Any]:
"""Scan code using TruffleHog."""
activity.logger.info(f"Starting TruffleHog scan: {target_path}")
workspace = Path(target_path)
trufflehog = TruffleHogModule()
trufflehog.validate_config(config)
result = await trufflehog.execute(config, workspace)
if result.status == "failed":
raise RuntimeError(f"TruffleHog scan failed: {result.error}")
findings_dicts = [finding.model_dump() for finding in result.findings]
return {"findings": findings_dicts, "summary": result.summary}
@activity.defn(name="trufflehog_generate_sarif")
async def trufflehog_generate_sarif(findings: list, metadata: Dict[str, Any]) -> Dict[str, Any]:
"""
Generate SARIF report from TruffleHog findings.
Args:
findings: List of finding dictionaries
metadata: Metadata including tool_name, tool_version
Returns:
SARIF report dictionary
"""
activity.logger.info(f"Generating SARIF report from {len(findings)} findings")
# Basic SARIF 2.1.0 structure
sarif_report = {
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": metadata.get("tool_name", "trufflehog"),
"version": metadata.get("tool_version", "3.63.2"),
"informationUri": "https://github.com/trufflesecurity/trufflehog"
}
},
"results": []
}
]
}
# Convert findings to SARIF results
for finding in findings:
sarif_result = {
"ruleId": finding.get("metadata", {}).get("detector", "unknown"),
"level": _severity_to_sarif_level(finding.get("severity", "warning")),
"message": {
"text": finding.get("title", "Secret detected")
},
"locations": []
}
# Add description if present
if finding.get("description"):
sarif_result["message"]["markdown"] = finding["description"]
# Add location if file path is present
if finding.get("file_path"):
location = {
"physicalLocation": {
"artifactLocation": {
"uri": finding["file_path"]
}
}
}
# Add region if line number is present
if finding.get("line_start"):
location["physicalLocation"]["region"] = {
"startLine": finding["line_start"]
}
sarif_result["locations"].append(location)
sarif_report["runs"][0]["results"].append(sarif_result)
activity.logger.info(f"Generated SARIF report with {len(sarif_report['runs'][0]['results'])} results")
return sarif_report
def _severity_to_sarif_level(severity: str) -> str:
"""Convert severity to SARIF level"""
severity_map = {
"critical": "error",
"high": "error",
"medium": "warning",
"low": "note",
"info": "note"
}
return severity_map.get(severity.lower(), "warning")
backend/toolbox/workflows/trufflehog_detection/metadata.yaml
+34
View File
@@ -0,0 +1,34 @@
name: trufflehog_detection
version: "1.0.0"
vertical: secrets
description: "Detect secrets with verification using TruffleHog"
author: "FuzzForge Team"
tags:
- "secrets"
- "trufflehog"
- "verification"
workspace_isolation: "shared"
parameters:
type: object
properties:
verify:
type: boolean
default: true
description: "Verify discovered secrets"
max_depth:
type: integer
default: 10
description: "Maximum directory depth to scan"
default_parameters:
verify: true
max_depth: 10
required_modules:
- "trufflehog"
supported_volume_modes:
- "ro"
backend/toolbox/workflows/trufflehog_detection/workflow.py
+104
View File
@@ -0,0 +1,104 @@
"""TruffleHog Detection Workflow"""
from datetime import timedelta
from typing import Dict, Any
from temporalio import workflow
from temporalio.common import RetryPolicy
@workflow.defn
class TrufflehogDetectionWorkflow:
"""Scan code for secrets using TruffleHog."""
@workflow.run
async def run(self, target_id: str, verify: bool = False, concurrency: int = 10) -> Dict[str, Any]:
workflow_id = workflow.info().workflow_id
run_id = workflow.info().run_id
workflow.logger.info(
f"Starting TrufflehogDetectionWorkflow "
f"(workflow_id={workflow_id}, target_id={target_id}, verify={verify})"
)
results = {"workflow_id": workflow_id, "status": "running", "findings": []}
try:
# Step 1: Download target
workflow.logger.info("Step 1: Downloading target from MinIO")
target_path = await workflow.execute_activity(
"get_target", args=[target_id, run_id, "shared"],
start_to_close_timeout=timedelta(minutes=5),
retry_policy=RetryPolicy(
initial_interval=timedelta(seconds=1),
maximum_interval=timedelta(seconds=30),
maximum_attempts=3
)
)
workflow.logger.info(f"✓ Target downloaded to: {target_path}")
# Step 2: Scan with TruffleHog
workflow.logger.info("Step 2: Scanning with TruffleHog")
scan_results = await workflow.execute_activity(
"scan_with_trufflehog",
args=[target_path, {"verify": verify, "concurrency": concurrency}],
start_to_close_timeout=timedelta(minutes=15),
retry_policy=RetryPolicy(
initial_interval=timedelta(seconds=2),
maximum_interval=timedelta(seconds=60),
maximum_attempts=2
)
)
workflow.logger.info(
f"✓ TruffleHog scan completed: "
f"{scan_results.get('summary', {}).get('total_secrets', 0)} secrets found"
)
# Step 3: Generate SARIF report
workflow.logger.info("Step 3: Generating SARIF report")
sarif_report = await workflow.execute_activity(
"trufflehog_generate_sarif",
args=[scan_results.get("findings", []), {"tool_name": "trufflehog", "tool_version": "3.63.2"}],
start_to_close_timeout=timedelta(minutes=2)
)
# Step 4: Upload results to MinIO
workflow.logger.info("Step 4: Uploading results")
try:
results_url = await workflow.execute_activity(
"upload_results",
args=[workflow_id, scan_results, "json"],
start_to_close_timeout=timedelta(minutes=2)
)
results["results_url"] = results_url
workflow.logger.info(f"✓ Results uploaded to: {results_url}")
except Exception as e:
workflow.logger.warning(f"Failed to upload results: {e}")
results["results_url"] = None
# Step 5: Cleanup
workflow.logger.info("Step 5: Cleaning up cache")
try:
await workflow.execute_activity(
"cleanup_cache", args=[target_path, "shared"],
start_to_close_timeout=timedelta(minutes=1)
)
workflow.logger.info("✓ Cache cleaned up")
except Exception as e:
workflow.logger.warning(f"Cache cleanup failed: {e}")
# Mark workflow as successful
results["status"] = "success"
results["findings"] = scan_results.get("findings", [])
results["summary"] = scan_results.get("summary", {})
results["sarif"] = sarif_report or {}
workflow.logger.info(
f"✓ Workflow completed successfully: {workflow_id} "
f"({results['summary'].get('total_secrets', 0)} secrets found)"
)
return results
except Exception as e:
workflow.logger.error(f"Workflow failed: {e}")
results["status"] = "error"
results["error"] = str(e)
raise