@chain305/x-security 0.3.1 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +13 -115
- package/bin/scripts/README.md +1 -1
- package/bin/scripts/x-security-resolve.sh +1 -1
- package/bin/{xsecurity.mjs → x-security.mjs} +12361 -13180
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -1,132 +1,30 @@
|
|
|
1
1
|
# x-security CLI
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
already in the box — authentication, rate limits, request validation,
|
|
5
|
-
ownership/BOLA checks — but turning it on means learning each vendor's config
|
|
6
|
-
DSL, and the rules you write lock you into that vendor and drift out of sync
|
|
7
|
-
with your code.
|
|
8
|
-
|
|
9
|
-
**`x-security` is one security policy per route, written as an extension of the
|
|
10
|
-
OpenAPI spec you already have.** It versions in git, diffs like code, and a
|
|
11
|
-
deterministic CLI compiles it to whichever gateway you run.
|
|
12
|
-
|
|
13
|
-
- **No new DSL** — policy lives in your OpenAPI file, next to the route it protects.
|
|
14
|
-
- **No vendor lock-in** — one spec compiles to Kong, Coraza, BunkerWeb, OpenAppSec, Envoy, or a firewall bundle. Switch gateways without rewriting a line of policy.
|
|
15
|
-
- **No config drift** — the spec is the source of truth; `validate` fails CI when the running gateway drifts from it.
|
|
16
|
-
- **Deterministic** — no LLM calls, no API keys. It compiles exactly what your spec says, and nothing it can't verify.
|
|
17
|
-
|
|
18
|
-
## Install
|
|
19
|
-
|
|
20
|
-
```
|
|
21
|
-
npm i -g @chain305/x-security # installs the `xsecurity` command
|
|
22
|
-
xsecurity --help
|
|
23
|
-
```
|
|
24
|
-
|
|
25
|
-
Or run it without installing:
|
|
3
|
+
Compile, validate, test, and report on `x-security` policies in OpenAPI specs — deterministic, no LLM calls, no API keys.
|
|
26
4
|
|
|
27
5
|
```
|
|
28
6
|
npx @chain305/x-security --help
|
|
29
7
|
```
|
|
30
8
|
|
|
31
|
-
Requires Node 20+. Docker is needed only for `xsecurity test`.
|
|
32
|
-
|
|
33
|
-
## How it works
|
|
34
|
-
|
|
35
|
-
```
|
|
36
|
-
your OpenAPI spec your gateway
|
|
37
|
-
┌──────────────────┐ xsecurity generate ┌──────────────┐
|
|
38
|
-
│ paths: │ ───────────────────► │ Kong / Coraza│
|
|
39
|
-
│ /users/{id}: │ │ Envoy / WAF │
|
|
40
|
-
│ x-security: │ ◄─────────────────── │ …enforced │
|
|
41
|
-
│ … │ xsecurity validate └──────────────┘
|
|
42
|
-
└──────────────────┘ (drift gate)
|
|
43
|
-
```
|
|
44
|
-
|
|
45
|
-
1. **Annotate** — attach an `x-security` block to each route. Write it by hand,
|
|
46
|
-
with the [visual builder](https://usewaf.com/policy-builder.html), or with
|
|
47
|
-
the free AI plugin that reads your code and drafts the policy for you.
|
|
48
|
-
2. **Compile** — `xsecurity generate` turns the annotated spec into native
|
|
49
|
-
config for your gateway. One spec, any supported target.
|
|
50
|
-
3. **Test** — `xsecurity test` spins the gateway up in Docker, sends real
|
|
51
|
-
traffic, and asserts the policy actually blocks what it should.
|
|
52
|
-
4. **Enforce & catch drift** — deploy the config, then run `xsecurity validate`
|
|
53
|
-
in CI so the pipeline fails the moment the gateway and the spec disagree.
|
|
54
|
-
|
|
55
|
-
## Quickstart
|
|
56
|
-
|
|
57
|
-
```bash
|
|
58
|
-
npm i -g @chain305/x-security
|
|
59
|
-
|
|
60
|
-
# 1. scaffold empty x-security blocks on every route that lacks one
|
|
61
|
-
xsecurity init api.yaml
|
|
62
|
-
|
|
63
|
-
# 2. fill them in — by hand, the visual builder, or the plugin —
|
|
64
|
-
# then check your OWASP API Top 10 coverage
|
|
65
|
-
xsecurity report api.yaml
|
|
66
|
-
|
|
67
|
-
# 3. compile to the gateway you run
|
|
68
|
-
xsecurity generate api.yaml --target kong > kong.yaml
|
|
69
|
-
|
|
70
|
-
# 4. prove it blocks the exploit and allows legit traffic (needs Docker)
|
|
71
|
-
xsecurity test api.yaml --target kong
|
|
72
|
-
|
|
73
|
-
# 5. gate CI on drift between the spec and the deployed gateway
|
|
74
|
-
xsecurity validate api.yaml --target kong --gateway http://localhost:8001
|
|
75
|
-
```
|
|
76
|
-
|
|
77
9
|
## Commands
|
|
78
10
|
|
|
79
11
|
| Command | What it does |
|
|
80
12
|
| --- | --- |
|
|
81
|
-
| `
|
|
82
|
-
| `
|
|
83
|
-
| `
|
|
84
|
-
| `
|
|
85
|
-
| `
|
|
86
|
-
| `
|
|
87
|
-
| `
|
|
88
|
-
| `
|
|
89
|
-
|
|
90
|
-
Run `xsecurity <command> --help` for full flags.
|
|
91
|
-
|
|
92
|
-
## Support matrix
|
|
93
|
-
|
|
94
|
-
### Compile & deploy targets
|
|
95
|
-
|
|
96
|
-
`xsecurity generate --target <name>` compiles one annotated spec to any of these. Two are hosted deploys; the rest are self-hosted bundles you drop into your gateway.
|
|
97
|
-
|
|
98
|
-
| Target (`--target`) | What it is | Delivery | Status |
|
|
99
|
-
| --- | --- | --- | --- |
|
|
100
|
-
| `cloudflare` | Cloudflare Ruleset Engine + WAF | hosted deploy | GA |
|
|
101
|
-
| `aws-apigw` | AWS API Gateway + WAFv2 | hosted deploy | beta |
|
|
102
|
-
| `kong` | Kong Gateway (decK plugin config) | self-hosted bundle | beta |
|
|
103
|
-
| `coraza` | Coraza / ModSecurity WAF (SecLang) | self-hosted bundle | beta |
|
|
104
|
-
| `coraza` *(nginx preset)* | NGINX + libcoraza | self-hosted bundle | beta |
|
|
105
|
-
| `bunkerweb` | BunkerWeb (OpenResty WAF) | self-hosted bundle | beta |
|
|
106
|
-
| `openappsec` | Check Point Open AppSec WAF | self-hosted bundle | beta |
|
|
107
|
-
| `envoy` | Envoy (ext_proc / Lua filter) | self-hosted bundle | alpha |
|
|
108
|
-
| `firewall` | Host firewall (iptables) | self-hosted bundle | SSRF egress only¹ |
|
|
109
|
-
|
|
110
|
-
¹ `firewall` is L3/L4 — it enforces only API7 SSRF egress via `domainAllowlist`; it can't introspect HTTP, so it's not on the coverage matrix below.
|
|
111
|
-
|
|
112
|
-
### OWASP API Top 10 coverage per target
|
|
13
|
+
| `x-security generate <spec> --target <t>` | Compile an annotated OpenAPI spec into gateway config (`kong`, `coraza`, `bunkerweb`, `openappsec`, `firewall`, `envoy`) |
|
|
14
|
+
| `x-security validate <spec> --target kong --gateway <url\|file>` | Detect drift between the spec and a running/exported gateway config |
|
|
15
|
+
| `x-security test <spec> --target <t>` | Closed-loop test: generate config, spin up Docker, send traffic, assert |
|
|
16
|
+
| `x-security verify <spec> --target <t> --gateway <addr>` | Read-only post-deploy check that the gateway loaded the emitted artifacts |
|
|
17
|
+
| `x-security report <spec>` | OWASP API Top 10 coverage and annotation reports |
|
|
18
|
+
| `x-security diff <old> <new> --target <t>` | Diff the generated config for two spec versions |
|
|
19
|
+
| `x-security init <spec>` | Add empty `x-security` blocks to operations missing them |
|
|
20
|
+
| `x-security migrate <spec> --from 0.4 --to 0.5` | Rewrite a spec between schema versions |
|
|
113
21
|
|
|
114
|
-
|
|
22
|
+
Run `x-security <command> --help` for full flags.
|
|
115
23
|
|
|
116
|
-
|
|
117
|
-
| --- | :--: | :--: | :--: |
|
|
118
|
-
| API1 · Broken Object Level Auth (BOLA) | 🔴→🟡 | 🔴→🟢 | 🔴 |
|
|
119
|
-
| API2 · Broken Authentication | 🟡 | 🟡 | 🟡 |
|
|
120
|
-
| API3 · Broken Object Property Auth (BOPLA) | 🟡 | 🟡 | 🟡 |
|
|
121
|
-
| API4 · Unrestricted Resource Consumption | 🟢 | 🟡 | 🟡 |
|
|
122
|
-
| API5 · Broken Function Level Auth (BFLA) | 🟡 | 🟡→🟢 | 🟡 |
|
|
123
|
-
| API6 · Unrestricted Access to Business Flows | 🟡 | 🟡 | 🟡 |
|
|
124
|
-
| API7 · Server-Side Request Forgery (SSRF) | 🔴 | 🔴 | 🟢 |
|
|
125
|
-
| API8 · Security Misconfiguration | 🟡 | 🟡 | 🟡 |
|
|
126
|
-
| API9 · Improper Inventory Management | 🔴 | 🔴 | 🟡 |
|
|
127
|
-
| API10 · Unsafe Consumption of APIs | 🟡 | 🟡 | 🟡 |
|
|
24
|
+
## Requirements
|
|
128
25
|
|
|
129
|
-
|
|
26
|
+
- Node 20+
|
|
27
|
+
- Docker (only for `x-security test`)
|
|
130
28
|
|
|
131
29
|
## License
|
|
132
30
|
|
package/bin/scripts/README.md
CHANGED
|
@@ -25,7 +25,7 @@ These scripts complete that flow.
|
|
|
25
25
|
install -m 0755 x-security-resolve.sh /usr/local/sbin/x-security-resolve.sh
|
|
26
26
|
install -m 0755 x-security-refresh.sh /usr/local/sbin/x-security-refresh.sh
|
|
27
27
|
|
|
28
|
-
# 2. Place the rule templates emitted by `
|
|
28
|
+
# 2. Place the rule templates emitted by `x-security generate`.
|
|
29
29
|
install -d /etc/x-security
|
|
30
30
|
install -m 0644 iptables.rules /etc/x-security/rules.template
|
|
31
31
|
install -m 0644 ip6tables.rules /etc/x-security/rules6.template
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# x-security-resolve.sh — deploy-time DNS resolver for XSecurity firewall rules.
|
|
3
3
|
#
|
|
4
4
|
# Reads an iptables-save-format ruleset containing @@X_SECURITY_RESOLVE:<fqdn>@@
|
|
5
|
-
# tokens (produced by `
|
|
5
|
+
# tokens (produced by `x-security generate --target firewall`) and rewrites
|
|
6
6
|
# each token into one or more concrete `-d <addr>` clauses by resolving the
|
|
7
7
|
# FQDN against the host's system resolver.
|
|
8
8
|
#
|