PyPI - agentic-devtools - Versions diffs - 0.2.4__tar.gz → 0.2.5__tar.gz - Mend

agentic-devtools 0.2.4tar.gz → 0.2.5tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (352) hide show

agentic_devtools-0.2.5/.github/agents/security-scan.agent.md ADDED Viewed

@@ -0,0 +1,294 @@
+---
+name: 'Security Scanning Agent'
+description: 'Specialized agent for scanning code vulnerabilities and security issues'
+model: claude-opus-4.5
+temperature: 0.3
+max_tokens: 8192
+tools:
+  - view
+  - grep
+  - glob
+  - bash
+  - web_search
+  - github-mcp-server
+---
+# Security Scanning Agent
+## Role
+You are a specialized security scanning agent with expertise in identifying vulnerabilities, security issues, and potential threats in codebases. Your primary responsibility is to perform comprehensive security analysis and provide actionable recommendations.
+## Core Expertise
+### 1. Security Vulnerability Analysis
+You excel at identifying:
+- **Code Vulnerabilities**: SQL injection, XSS, CSRF, command injection
+- **Authentication/Authorization Issues**: Weak credentials, improper access controls
+- **Data Security**: Sensitive data exposure, insufficient encryption
+- **Dependency Vulnerabilities**: Outdated packages with known CVEs
+- **Configuration Issues**: Insecure defaults, exposed secrets
+- **Input Validation**: Missing or inadequate input sanitization
+- **API Security**: Rate limiting, authentication, authorization issues
+### 2. Security Scanning Tools
+You leverage multiple security scanning tools:
+- **Python Security**: `bandit`, `safety`, `pip-audit`
+- **Dependency Scanning**: Check for known vulnerabilities in dependencies
+- **Secret Detection**: Scan for hardcoded credentials, API keys, tokens
+- **SAST (Static Analysis)**: Identify code-level security issues
+- **Linting**: Security-focused linting rules
+### 3. Security Review Process
+When scanning code for vulnerabilities:
+1. **Scan Dependencies**: Check all dependencies for known vulnerabilities
+2. **Static Analysis**: Run security-focused static analysis tools
+3. **Secret Detection**: Search for exposed credentials and API keys
+4. **Code Review**: Manual review of critical security areas
+5. **Configuration Review**: Check for insecure configurations
+6. **Documentation**: Generate comprehensive security report
+### 4. Risk Assessment
+For each finding, you provide:
+- **Severity Level**: Critical, High, Medium, Low, Informational
+- **Impact Description**: What could go wrong if exploited
+- **Affected Components**: Specific files, functions, or modules
+- **Remediation Steps**: Clear instructions to fix the issue
+- **Priority**: Immediate action required vs. technical debt
+## Scanning Workflow
+When invoked to scan a repository:
+### Step 1: Environment Setup
+```bash
+# Navigate to repository root
+cd /path/to/repository
+# Check Python version and environment
+python --version
+# Install security scanning tools if not available
+pip install bandit safety pip-audit
+```
+### Step 2: Dependency Vulnerability Scan
+```bash
+# Check for known vulnerabilities in installed packages
+pip-audit
+# Check for security issues in dependencies
+safety scan --json
+# Generate dependency report
+pip list --format=json > dependencies.json
+```
+### Step 3: Static Security Analysis
+```bash
+# Run bandit security scanner
+bandit -r . -f json -o bandit-report.json
+# Run with baseline for comparison (if available)
+bandit -r . -f screen
+```
+### Step 4: Secret Detection
+```bash
+# Search for potential secrets using grep patterns
+grep -r -E "(password|secret|api_key|token|credential)" . --include="*.py" --include="*.json" --include="*.yml" --include="*.yaml" --exclude-dir=".git" --exclude-dir="node_modules" --exclude-dir="venv" --exclude-dir=".venv"
+# Check for common secret patterns
+grep -r -E "[0-9a-f]{32,}" . --include="*.py" --exclude-dir=".git" --exclude-dir="venv"
+```
+### Step 5: Manual Code Review
+Focus on:
+- **Authentication/Authorization logic**
+- **Input validation and sanitization**
+- **Database queries and ORM usage**
+- **File operations and path handling**
+- **Encryption and hashing implementations**
+- **API endpoints and request handling**
+- **Configuration files and environment variables**
+### Step 6: Generate Security Report
+Create a comprehensive report including:
+#### Executive Summary
+- Total number of findings
+- Breakdown by severity
+- Critical issues requiring immediate attention
+- Overall security posture assessment
+#### Detailed Findings
+For each vulnerability:
+```markdown
+### [SEVERITY] Vulnerability Title
+**File**: `path/to/file.py:line_number`
+**Description**: Brief description of the vulnerability
+**Impact**: What could happen if this is exploited
+**Remediation**:
+1. Step-by-step fix instructions
+2. Code example if applicable
+3. Additional security best practices
+**References**:
+- CWE ID (if applicable)
+- OWASP reference (if applicable)
+- CVE ID (if applicable)
+```
+#### Recommendations
+- **Immediate Actions**: Critical fixes needed now
+- **Short-term Improvements**: High/Medium priority items
+- **Long-term Enhancements**: Security posture improvements
+- **Security Best Practices**: General recommendations
+## Output Format
+Your security scan report should follow this structure:
+```markdown
+# Security Scan Report
+**Date**: YYYY-MM-DD
+**Repository**: [repository name]
+**Branch**: [branch name]
+**Commit**: [commit SHA]
+## Executive Summary
+- **Total Findings**: X issues detected
+  - Critical: X
+  - High: X
+  - Medium: X
+  - Low: X
+  - Informational: X
+- **Overall Risk Level**: [Critical/High/Medium/Low]
+## Critical Findings (Immediate Action Required)
+[List of critical issues with details]
+## High Priority Findings
+[List of high priority issues]
+## Medium Priority Findings
+[List of medium priority issues]
+## Low Priority & Informational
+[List of low priority and informational findings]
+## Dependency Vulnerabilities
+[Results from pip-audit and safety check]
+## Security Best Practices Recommendations
+[General security recommendations for the codebase]
+## Tool Output Summary
+- **Bandit**: [summary]
+- **pip-audit**: [summary]
+- **Safety**: [summary]
+- **Manual Review**: [summary]
+## Next Steps
+1. Address all critical findings immediately
+2. Create tickets for high priority issues
+3. Schedule reviews for medium priority items
+4. Consider implementing security best practices
+---
+*Automated security scan performed by Security Scanning Agent*
+```
+## Security Scanning Best Practices
+1. **Be Thorough**: Don't skip any critical areas
+2. **Be Accurate**: Minimize false positives with verification
+3. **Be Clear**: Provide actionable remediation steps
+4. **Be Timely**: Complete scans efficiently
+5. **Be Constructive**: Focus on improvement, not blame
+## Common Vulnerability Patterns to Check
+### Python-Specific
+- `eval()` and `exec()` usage
+- `pickle` deserialization without validation
+- SQL string concatenation instead of parameterized queries
+- Insecure random number generation (`random` vs `secrets`)
+- Unsafe YAML loading (`yaml.load` vs `yaml.safe_load`)
+- Command injection via `os.system()`, `subprocess.shell=True`
+- Path traversal in file operations
+- Hardcoded credentials or secrets
+### Dependencies
+- Packages with known CVEs
+- Outdated versions with security patches available
+- Packages from untrusted sources
+- Unnecessary dependencies increasing attack surface
+### Configuration
+- Debug mode enabled in production
+- Exposed error messages with stack traces
+- Insecure default configurations
+- Missing security headers
+- Weak cryptographic settings
+## False Positive Handling
+When a security tool reports a finding:
+1. **Verify**: Is this a real vulnerability or false positive?
+2. **Context**: Consider the specific use case and context
+3. **Risk**: Assess the actual exploitability and impact
+4. **Document**: If it's a false positive, document why
+5. **Suppress**: Add appropriate suppressions with justification
+## Communication Style
+- **Professional**: Technical and precise
+- **Clear**: Easy to understand even for non-security experts
+- **Actionable**: Always provide clear next steps
+- **Prioritized**: Focus on what matters most
+- **Balanced**: Acknowledge both risks and mitigations
+## Remember
+Your goal is to improve security, not to create alarm. Be thorough but pragmatic. Prioritize real risks over theoretical vulnerabilities. Provide context and help the team understand not just what's wrong, but why it matters and how to fix it.
+Every security scan is an opportunity to improve the codebase and strengthen the organization's security posture. Your work directly protects users, data, and systems.

agentic_devtools-0.2.5/.github/workflows/security-scan-on-merge.yml ADDED Viewed

@@ -0,0 +1,326 @@
+name: Security Scan on Main Merge
+on:
+  push:
+    branches:
+      - main
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+jobs:
+  security-scan:
+    name: Run Security Scanning Agent
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Full history for better analysis
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+          # Install security scanning tools
+          pip install bandit safety pip-audit
+      - name: Get Merge Information
+        id: merge-info
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const commitSha = context.sha;
+            console.log(`Current commit SHA: ${commitSha}`);
+            // Get the commit details
+            const { data: commit } = await github.rest.repos.getCommit({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: commitSha
+            });
+            console.log(`Commit message: ${commit.commit.message}`);
+            console.log(`Author: ${commit.commit.author.name}`);
+            // Check if this is a merge commit
+            const isMerge = commit.parents.length > 1;
+            console.log(`Is merge commit: ${isMerge}`);
+            core.setOutput('commit_sha', commitSha);
+            core.setOutput('commit_message', commit.commit.message);
+            core.setOutput('is_merge', isMerge);
+            // Try to find associated PR using GitHub API
+            let prNumber = null;
+            let prTitle = '';
+            let prUrl = '';
+            try {
+              // Use the API to list PRs associated with this commit
+              const { data: prs } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                commit_sha: commitSha
+              });
+              if (prs.length > 0) {
+                // Take the first merged PR
+                const pr = prs.find(p => p.merged_at) || prs[0];
+                prNumber = pr.number;
+                prTitle = pr.title;
+                prUrl = pr.html_url;
+                console.log(`Found associated PR via API: #${prNumber} - ${prTitle}`);
+              }
+            } catch (error) {
+              console.log(`Could not fetch associated PRs via API: ${error.message}`);
+            }
+            // Fallback: try to parse PR number from commit message
+            if (!prNumber && isMerge) {
+              const prMatch = commit.commit.message.match(/#(\d+)/);
+              if (prMatch) {
+                prNumber = parseInt(prMatch[1]);
+                console.log(`Found PR number from commit message: ${prNumber}`);
+                // Get PR details
+                try {
+                  const { data: pr } = await github.rest.pulls.get({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    pull_number: prNumber
+                  });
+                  prTitle = pr.title;
+                  prUrl = pr.html_url;
+                  console.log(`Fetched PR details: #${prNumber} - ${prTitle}`);
+                } catch (error) {
+                  console.log(`Could not fetch PR details: ${error.message}`);
+                }
+              }
+            }
+            if (prNumber) {
+              core.setOutput('pr_number', prNumber);
+              core.setOutput('pr_title', prTitle);
+              core.setOutput('pr_url', prUrl);
+            }
+      - name: Run Dependency Vulnerability Scan
+        id: pip-audit
+        run: |
+          echo "Running pip-audit..."
+          pip-audit --format json > pip-audit-report.json || true
+          # Check if vulnerabilities were actually found by parsing JSON
+          if [ -s pip-audit-report.json ]; then
+            vuln_count=$(python -c "import json; data=json.load(open('pip-audit-report.json')); print(len(data.get('vulnerabilities', [])))" 2>/dev/null || echo "0")
+            if [ "$vuln_count" -gt 0 ]; then
+              echo "Dependency vulnerabilities found: $vuln_count vulnerability(ies)"
+              pip-audit || true
+            else
+              echo "No dependency vulnerabilities found"
+            fi
+          else
+            echo "pip-audit did not produce a report"
+          fi
+        continue-on-error: true
+      - name: Run Bandit Security Scanner
+        id: bandit
+        run: |
+          echo "Running bandit security scanner..."
+          bandit -r agentic_devtools -f json -o bandit-report.json || true
+          # Check if issues were actually found by parsing JSON
+          if [ -s bandit-report.json ]; then
+            issue_count=$(python -c "import json; data=json.load(open('bandit-report.json')); print(len(data.get('results', [])))" 2>/dev/null || echo "0")
+            if [ "$issue_count" -gt 0 ]; then
+              echo "Security issues found: $issue_count issue(s)"
+              bandit -r agentic_devtools -f screen || true
+            else
+              echo "No security issues found by bandit"
+            fi
+          else
+            echo "Bandit did not produce a report"
+          fi
+        continue-on-error: true
+      - name: Run Safety Scan
+        id: safety
+        run: |
+          echo "Running safety scan..."
+          safety scan --json > safety-report.json
+          safety_exit_code=$?
+          # Validate that the report exists and is valid JSON before interpreting results
+          if [ ! -s safety-report.json ]; then
+            echo "Safety scan did not produce a report (exit code: ${safety_exit_code})"
+          elif ! python -c "import json; json.load(open('safety-report.json'))" 2>/dev/null; then
+            echo "Safety scan produced an invalid JSON report (exit code: ${safety_exit_code})"
+          else
+            # At this point, we have a non-empty, parseable JSON report
+            if [ "${safety_exit_code}" -eq 0 ]; then
+              echo "No vulnerabilities found by safety"
+            else
+              echo "Vulnerabilities or issues reported by safety - see safety-report.json"
+              # Run a human-readable summary; ignore its exit code to keep the workflow running
+              safety scan || true
+            fi
+          fi
+        continue-on-error: true
+      - name: Create Security Scan Issue
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const commitSha = '${{ steps.merge-info.outputs.commit_sha }}';
+            const isMerge = '${{ steps.merge-info.outputs.is_merge }}' === 'true';
+            const prNumber = '${{ steps.merge-info.outputs.pr_number }}';
+            const prTitle = ${{ toJson(steps.merge-info.outputs.pr_title) }};
+            const prUrl = ${{ toJson(steps.merge-info.outputs.pr_url) }};
+            // Read scan results
+            let pipAuditResults = 'No vulnerabilities detected';
+            let banditResults = 'No issues detected';
+            let safetyResults = 'No vulnerabilities detected';
+            try {
+              if (fs.existsSync('pip-audit-report.json')) {
+                const pipAudit = JSON.parse(fs.readFileSync('pip-audit-report.json', 'utf8'));
+                if (pipAudit.vulnerabilities && pipAudit.vulnerabilities.length > 0) {
+                  pipAuditResults = `Found ${pipAudit.vulnerabilities.length} vulnerability(ies)`;
+                }
+              }
+            } catch (e) {
+              console.log('Could not read pip-audit results:', e.message);
+            }
+            try {
+              if (fs.existsSync('bandit-report.json')) {
+                const bandit = JSON.parse(fs.readFileSync('bandit-report.json', 'utf8'));
+                if (bandit.results && bandit.results.length > 0) {
+                  const critical = bandit.results.filter(r => r.issue_severity === 'HIGH').length;
+                  const medium = bandit.results.filter(r => r.issue_severity === 'MEDIUM').length;
+                  const low = bandit.results.filter(r => r.issue_severity === 'LOW').length;
+                  banditResults = `Found ${bandit.results.length} issue(s): ${critical} high, ${medium} medium, ${low} low`;
+                }
+              }
+            } catch (e) {
+              console.log('Could not read bandit results:', e.message);
+            }
+            try {
+              if (fs.existsSync('safety-report.json')) {
+                const safety = JSON.parse(fs.readFileSync('safety-report.json', 'utf8'));
+                if (safety.vulnerabilities && safety.vulnerabilities.length > 0) {
+                  safetyResults = `Found ${safety.vulnerabilities.length} vulnerability(ies)`;
+                }
+              }
+            } catch (e) {
+              console.log('Could not read safety results:', e.message);
+            }
+            // Determine if there are any findings
+            const hasFindings =
+              pipAuditResults.includes('Found') ||
+              banditResults.includes('Found') ||
+              safetyResults.includes('Found');
+            // Build issue body
+            let issueBody = [
+              '<!-- security-scan-report -->',
+              '',
+              '# 🔒 Security Scan Report',
+              '',
+              '**Date**: ' + new Date().toISOString().split('T')[0],
+              '**Commit**: ' + commitSha.substring(0, 7),
+              '**Branch**: main',
+              ''
+            ];
+            if (isMerge && prNumber) {
+              issueBody.push(`**Merged PR**: [#${prNumber} - ${prTitle}](${prUrl})`);
+              issueBody.push('');
+            }
+            issueBody.push('## Summary');
+            issueBody.push('');
+            if (hasFindings) {
+              issueBody.push('⚠️ **Security findings detected** - review required.');
+            } else {
+              issueBody.push('✅ **No security issues detected** - all scans passed.');
+            }
+            issueBody.push('');
+            issueBody.push('## Scan Results');
+            issueBody.push('');
+            issueBody.push('### Dependency Vulnerabilities (pip-audit)');
+            issueBody.push('');
+            issueBody.push(pipAuditResults);
+            issueBody.push('');
+            issueBody.push('### Static Security Analysis (bandit)');
+            issueBody.push('');
+            issueBody.push(banditResults);
+            issueBody.push('');
+            issueBody.push('### Dependency Safety Check (safety)');
+            issueBody.push('');
+            issueBody.push(safetyResults);
+            issueBody.push('');
+            issueBody.push('## Next Steps');
+            issueBody.push('');
+            if (hasFindings) {
+              issueBody.push('1. Review the [workflow logs](' + context.payload.repository.html_url + '/actions/runs/' + context.runId + ') for detailed findings');
+              issueBody.push('2. Address critical and high-severity issues immediately');
+              issueBody.push('3. Create tickets for medium-priority items');
+              issueBody.push('4. Tag @copilot for assistance with remediation');
+            } else {
+              issueBody.push('No action required. Continue monitoring for security issues.');
+            }
+            issueBody.push('');
+            issueBody.push('---');
+            issueBody.push('');
+            issueBody.push('*Automated security scan performed by the Security Scanning Agent*');
+            issueBody.push('*View [workflow run](' + context.payload.repository.html_url + '/actions/runs/' + context.runId + ') for full details*');
+            const issueTitle = hasFindings
+              ? '🔒 Security Scan Report - Findings Detected'
+              : '🔒 Security Scan Report - All Clear';
+            // Create the issue
+            const { data: issue } = await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: issueTitle,
+              body: issueBody.join('\n'),
+              labels: hasFindings
+                ? ['security', 'security-scan', 'needs-review']
+                : ['security', 'security-scan', 'all-clear']
+            });
+            console.log(`Created issue #${issue.number}: ${issue.title}`);
+            console.log(`Issue URL: ${issue.html_url}`);
+      - name: Upload Scan Reports
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: security-scan-reports
+          path: |
+            pip-audit-report.json
+            bandit-report.json
+            safety-report.json
+          retention-days: 90

{agentic_devtools-0.2.4 → agentic_devtools-0.2.5}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentic-devtools
-Version: 0.2.4
+Version: 0.2.5
 Summary: AI assistant helper commands for the Dragonfly platform
 Author: Dragonfly Team
 License-Expression: MIT
@@ -800,3 +800,63 @@ The workflow uses labels to manage state:
 - `speckit:processing` - Specification generation in progress
 - `speckit:completed` - Specification created successfully
 - `speckit:failed` - Generation failed (check workflow logs)
+## GitHub Actions: Security Scanning on Main Merge
+The repository includes an automated security scanning workflow that runs whenever
+code is merged to the main branch. This ensures continuous security monitoring and
+helps identify vulnerabilities early.
+### How It Works
+1. Workflow triggers automatically on push to main branch (typically after PR merge)
+2. Installs security scanning tools: `bandit`, `pip-audit`, `safety`
+3. Runs comprehensive security scans:
+   - **pip-audit**: Scans dependencies for known vulnerabilities (CVEs)
+   - **bandit**: Static analysis for common security issues in Python code
+   - **safety**: Checks dependencies against a database of known security issues
+4. Creates a GitHub issue with the security scan report
+5. Attaches scan reports as artifacts for detailed review
+### Security Scan Report
+After each merge to main, an issue is automatically created with:
+- **Summary**: Quick overview of security status
+- **Scan Results**: Findings from each security tool
+- **Severity Breakdown**: Critical, high, medium, low issues
+- **Next Steps**: Recommended actions to address findings
+- **Artifacts**: Detailed JSON reports attached to the workflow run
+### Labels
+The workflow uses labels to categorize scan results:
+- `security` - All security scan reports
+- `security-scan` - Identifies automated scan issues
+- `needs-review` - Findings detected, review required
+- `all-clear` - No security issues detected
+### Responding to Security Findings
+When a security scan detects issues:
+1. Review the created issue for summary of findings
+2. Check workflow logs for detailed information
+3. Download scan report artifacts for in-depth analysis
+4. Address critical and high-severity issues immediately
+5. Tag @copilot in the issue for assistance with remediation
+### Manual Security Scan
+You can manually trigger a security scan by running:
+```bash
+# Install security tools
+pip install bandit safety pip-audit
+# Run scans
+pip-audit
+bandit -r agentic_devtools
+safety scan
+```

agentic-devtools 0.2.4__tar.gz → 0.2.5__tar.gz

agentic-devtools 0.2.4tar.gz → 0.2.5tar.gz