argus-appsec 0.1.0__tar.gz

Files changed (86) hide show
  1. argus_appsec-0.1.0/.dockerignore +21 -0
  2. argus_appsec-0.1.0/.env.example +15 -0
  3. argus_appsec-0.1.0/.gitattributes +9 -0
  4. argus_appsec-0.1.0/.github/CODEOWNERS +8 -0
  5. argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/bug_report.yml +58 -0
  6. argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/config.yml +8 -0
  7. argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/feature_request.yml +38 -0
  8. argus_appsec-0.1.0/.github/PULL_REQUEST_TEMPLATE.md +27 -0
  9. argus_appsec-0.1.0/.github/workflows/argus-scan.yml +45 -0
  10. argus_appsec-0.1.0/.github/workflows/ci.yml +49 -0
  11. argus_appsec-0.1.0/.github/workflows/publish.yml +48 -0
  12. argus_appsec-0.1.0/.gitignore +34 -0
  13. argus_appsec-0.1.0/CODE_OF_CONDUCT.md +42 -0
  14. argus_appsec-0.1.0/CONTRIBUTING.md +67 -0
  15. argus_appsec-0.1.0/Dockerfile +36 -0
  16. argus_appsec-0.1.0/LICENSE +19 -0
  17. argus_appsec-0.1.0/Makefile +29 -0
  18. argus_appsec-0.1.0/PKG-INFO +246 -0
  19. argus_appsec-0.1.0/README.md +208 -0
  20. argus_appsec-0.1.0/RELEASING.md +89 -0
  21. argus_appsec-0.1.0/SECURITY.md +29 -0
  22. argus_appsec-0.1.0/docs/README.md +11 -0
  23. argus_appsec-0.1.0/docs/architecture.md +97 -0
  24. argus_appsec-0.1.0/docs/attack-simulation.md +69 -0
  25. argus_appsec-0.1.0/docs/ci-cd.md +66 -0
  26. argus_appsec-0.1.0/docs/configuration.md +111 -0
  27. argus_appsec-0.1.0/docs/fixing.md +88 -0
  28. argus_appsec-0.1.0/docs/plugins.md +146 -0
  29. argus_appsec-0.1.0/examples/vulnerable-app/Dockerfile +11 -0
  30. argus_appsec-0.1.0/examples/vulnerable-app/app.py +55 -0
  31. argus_appsec-0.1.0/examples/vulnerable-app/requirements.txt +4 -0
  32. argus_appsec-0.1.0/pyproject.toml +97 -0
  33. argus_appsec-0.1.0/src/argus/__init__.py +28 -0
  34. argus_appsec-0.1.0/src/argus/__main__.py +6 -0
  35. argus_appsec-0.1.0/src/argus/agents/__init__.py +21 -0
  36. argus_appsec-0.1.0/src/argus/agents/base.py +37 -0
  37. argus_appsec-0.1.0/src/argus/agents/enrichment.py +111 -0
  38. argus_appsec-0.1.0/src/argus/agents/exploit.py +173 -0
  39. argus_appsec-0.1.0/src/argus/agents/patch.py +82 -0
  40. argus_appsec-0.1.0/src/argus/ai/__init__.py +16 -0
  41. argus_appsec-0.1.0/src/argus/ai/anthropic_provider.py +47 -0
  42. argus_appsec-0.1.0/src/argus/ai/base.py +62 -0
  43. argus_appsec-0.1.0/src/argus/ai/factory.py +47 -0
  44. argus_appsec-0.1.0/src/argus/ai/heuristic.py +99 -0
  45. argus_appsec-0.1.0/src/argus/ai/ollama_provider.py +51 -0
  46. argus_appsec-0.1.0/src/argus/ai/openai_provider.py +43 -0
  47. argus_appsec-0.1.0/src/argus/analysis/__init__.py +5 -0
  48. argus_appsec-0.1.0/src/argus/analysis/languages.py +54 -0
  49. argus_appsec-0.1.0/src/argus/analysis/repository.py +217 -0
  50. argus_appsec-0.1.0/src/argus/cli/__init__.py +5 -0
  51. argus_appsec-0.1.0/src/argus/cli/main.py +441 -0
  52. argus_appsec-0.1.0/src/argus/core/__init__.py +1 -0
  53. argus_appsec-0.1.0/src/argus/core/config.py +101 -0
  54. argus_appsec-0.1.0/src/argus/core/engine.py +131 -0
  55. argus_appsec-0.1.0/src/argus/core/models.py +231 -0
  56. argus_appsec-0.1.0/src/argus/core/plugin.py +180 -0
  57. argus_appsec-0.1.0/src/argus/core/project.py +157 -0
  58. argus_appsec-0.1.0/src/argus/plugins.py +27 -0
  59. argus_appsec-0.1.0/src/argus/py.typed +0 -0
  60. argus_appsec-0.1.0/src/argus/remediation/__init__.py +10 -0
  61. argus_appsec-0.1.0/src/argus/remediation/applier.py +140 -0
  62. argus_appsec-0.1.0/src/argus/remediation/git_ops.py +131 -0
  63. argus_appsec-0.1.0/src/argus/remediation/hosting.py +140 -0
  64. argus_appsec-0.1.0/src/argus/remediation/pullrequest.py +213 -0
  65. argus_appsec-0.1.0/src/argus/remediation/rewrites.py +82 -0
  66. argus_appsec-0.1.0/src/argus/reporting/__init__.py +10 -0
  67. argus_appsec-0.1.0/src/argus/reporting/html.py +224 -0
  68. argus_appsec-0.1.0/src/argus/reporting/json_reporter.py +59 -0
  69. argus_appsec-0.1.0/src/argus/reporting/markdown.py +146 -0
  70. argus_appsec-0.1.0/src/argus/reporting/sarif.py +122 -0
  71. argus_appsec-0.1.0/src/argus/scanners/__init__.py +10 -0
  72. argus_appsec-0.1.0/src/argus/scanners/data/__init__.py +1 -0
  73. argus_appsec-0.1.0/src/argus/scanners/data/advisories.json +77 -0
  74. argus_appsec-0.1.0/src/argus/scanners/dependencies.py +169 -0
  75. argus_appsec-0.1.0/src/argus/scanners/iac.py +213 -0
  76. argus_appsec-0.1.0/src/argus/scanners/patterns.py +291 -0
  77. argus_appsec-0.1.0/src/argus/scanners/secrets.py +170 -0
  78. argus_appsec-0.1.0/src/argus/targets.py +122 -0
  79. argus_appsec-0.1.0/tests/__init__.py +0 -0
  80. argus_appsec-0.1.0/tests/conftest.py +58 -0
  81. argus_appsec-0.1.0/tests/test_analysis_and_plugins.py +59 -0
  82. argus_appsec-0.1.0/tests/test_engine_and_agents.py +80 -0
  83. argus_appsec-0.1.0/tests/test_models.py +84 -0
  84. argus_appsec-0.1.0/tests/test_remediation.py +169 -0
  85. argus_appsec-0.1.0/tests/test_reporters.py +65 -0
  86. argus_appsec-0.1.0/tests/test_scanners.py +74 -0
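--- a/argus_appsec-0.1.0/.dockerignore
+++ b/argus_appsec-0.1.0/.dockerignore
@@ -0,0 +1,21 @@
+.git
+.github
+.venv
+venv
+env
+__pycache__
+*.pyc
+.pytest_cache
+.mypy_cache
+.ruff_cache
+.coverage
+htmlcov
+dist
+build
+*.egg-info
+examples/reports
+docs
+tests
+.env
+.env.*
+!.env.example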
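--- a/argus_appsec-0.1.0/.env.example
+++ b/argus_appsec-0.1.0/.env.example
@@ -0,0 +1,15 @@
+# Copy to .env and fill in the providers you intend to use.
+# Argus runs without any of these using the built-in heuristic provider.
+
+# --- Cloud AI providers ---
+ANTHROPIC_API_KEY=
+OPENAI_API_KEY=
+
+# --- Local AI provider (Ollama) ---
+# Default endpoint; change if Ollama runs elsewhere.
+OLLAMA_HOST=http://localhost:11434
+
+# --- Git hosting integrations (for remote targets / PR creation) ---
+GITHUB_TOKEN=
+GITLAB_TOKEN=
+BITBUCKET_TOKEN=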
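Review bot: The git-hosting section at the end of the file says what the three tokens are for but nothing about how they should be scoped, and the same tokens are the ones the PR-creation path will use to push branches and open pull requests. A one-line comment above `GITHUB_TOKEN=` would steer users away from classic all-scope personal tokens: `# Prefer fine-grained / project-scoped tokens limited to the repositories Argus will push to.` The file itself carries no values, so the only thing at stake is what users put into their copied .env.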
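--- a/argus_appsec-0.1.0/.gitattributes
+++ b/argus_appsec-0.1.0/.gitattributes
@@ -0,0 +1,9 @@
+# Normalize line endings: text files use LF in the repository.
+* text=auto eol=lf
+
+# Binary/asset types git should not touch.
+*.png binary
+*.jpg binary
+*.gif binary
+*.ico binary
+*.pdf binary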
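--- a/argus_appsec-0.1.0/.github/CODEOWNERS
+++ b/argus_appsec-0.1.0/.github/CODEOWNERS
@@ -0,0 +1,8 @@
+# Code owners are automatically requested for review on pull requests.
+# The owner reviews and merges everything by default. Add more owners for
+# specific paths as the project grows, e.g.:
+# /src/argus/scanners/ @some-trusted-contributor
+#
+# Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+* @hasipfaruk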
@@ -0,0 +1,58 @@
1
+ name: Bug report
2
+ description: Report something that isn't working as expected in Argus.
3
+ labels: ["bug"]
4
+ body:
5
+ - type: markdown
6
+ attributes:
7
+ value: |
8
+ Thanks for taking the time to file a bug. Please fill in the sections below.
9
+ For a security vulnerability *in Argus itself*, do not open a public issue —
10
+ see SECURITY.md.
11
+ - type: textarea
12
+ id: what-happened
13
+ attributes:
14
+ label: What happened?
15
+ description: A clear description of the bug, and what you expected instead.
16
+ placeholder: When I run `argus scan ...`, I expected X but got Y.
17
+ validations:
18
+ required: true
19
+ - type: textarea
20
+ id: repro
21
+ attributes:
22
+ label: Steps to reproduce
23
+ description: The exact command(s) and, if possible, a minimal example.
24
+ placeholder: |
25
+ 1. argus scan ./my-project -s secrets
26
+ 2. ...
27
+ validations:
28
+ required: true
29
+ - type: textarea
30
+ id: logs
31
+ attributes:
32
+ label: Output / error
33
+ description: Paste the relevant output. This is automatically formatted as code.
34
+ render: shell
35
+ - type: input
36
+ id: version
37
+ attributes:
38
+ label: Argus version
39
+ description: Output of `argus version`.
40
+ placeholder: Argus v0.1.0
41
+ validations:
42
+ required: true
43
+ - type: dropdown
44
+ id: os
45
+ attributes:
46
+ label: Operating system
47
+ options:
48
+ - Linux
49
+ - macOS
50
+ - Windows
51
+ - Other
52
+ validations:
53
+ required: true
54
+ - type: input
55
+ id: python
56
+ attributes:
57
+ label: Python version
58
+ placeholder: "3.11"
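Review bot: The `logs` textarea in the middle of the form asks reporters to paste raw scanner output, but Argus ships a secrets scanner (the repro placeholder itself suggests `argus scan ./my-project -s secrets`), so that output can contain the matched credential values. The description should tell reporters to redact first, e.g. `description: Paste the relevant output, redacting any secret values the scan surfaced. This is automatically formatted as code.` The YAML nesting is not recoverable from the rendered page, so the placement of each `validations` block under its item is taken on trust.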
@@ -0,0 +1,8 @@
1
+ blank_issues_enabled: true
2
+ contact_links:
3
+ - name: Report a security vulnerability in Argus (private)
4
+ url: https://github.com/hasipfaruk/Argus/security/advisories/new
5
+ about: Please report security issues privately, not as a public issue. See SECURITY.md.
6
+ - name: Questions & discussion
7
+ url: https://github.com/hasipfaruk/Argus/discussions
8
+ about: Ask questions and discuss ideas here (enable Discussions in repo settings).
@@ -0,0 +1,38 @@
1
+ name: Feature request
2
+ description: Suggest a new scanner, rule, report format, or capability.
3
+ labels: ["enhancement"]
4
+ body:
5
+ - type: textarea
6
+ id: problem
7
+ attributes:
8
+ label: What problem does this solve?
9
+ description: Describe the use case or the gap you're hitting.
10
+ validations:
11
+ required: true
12
+ - type: textarea
13
+ id: proposal
14
+ attributes:
15
+ label: Proposed solution
16
+ description: What you'd like Argus to do. If it's a new scanner/rule, note the
17
+ language and the vulnerability class (and a CWE if you know it).
18
+ validations:
19
+ required: true
20
+ - type: dropdown
21
+ id: area
22
+ attributes:
23
+ label: Area
24
+ options:
25
+ - New scanner or rule
26
+ - New language support
27
+ - New report format
28
+ - AI provider
29
+ - CLI / usability
30
+ - Fix / pull-request workflow
31
+ - Other
32
+ validations:
33
+ required: true
34
+ - type: textarea
35
+ id: alternatives
36
+ attributes:
37
+ label: Alternatives considered
38
+ description: Other approaches you thought about, or how you work around this today.
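--- a/argus_appsec-0.1.0/.github/PULL_REQUEST_TEMPLATE.md
+++ b/argus_appsec-0.1.0/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,27 @@
+<!-- Thanks for contributing to Argus! Fill this in so review is quick. -->
+
+## What does this change?
+
+<!-- A short description of the change and why it's needed. Link any related issue. -->
+
+Closes #
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New scanner / rule
+- [ ] New reporter or AI provider
+- [ ] Documentation
+- [ ] Other (describe below)
+
+## Checklist
+
+- [ ] I ran `pytest` and all tests pass
+- [ ] I ran `ruff check .` with no errors
+- [ ] I added or updated tests for my change
+- [ ] I updated docs if behavior or usage changed
+- [ ] New findings (if any) include a CWE/OWASP mapping and remediation
+
+## Notes for the reviewer
+
+<!-- Anything that will help review: trade-offs, things you're unsure about, etc. -->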
@@ -0,0 +1,45 @@
1
+ # Example: run Argus on every push/PR and upload results to GitHub Code Scanning.
2
+ #
3
+ # Copy this into your own repository's .github/workflows/ to get Argus findings
4
+ # as annotations on pull requests and in the Security tab. The SARIF upload maps
5
+ # Argus severities onto GitHub's alert levels.
6
+ name: Argus Security Scan
7
+
8
+ on:
9
+ push:
10
+ branches: [main]
11
+ pull_request:
12
+
13
+ permissions:
14
+ contents: read
15
+ security-events: write # required to upload SARIF
16
+
17
+ jobs:
18
+ argus:
19
+ runs-on: ubuntu-latest
20
+ steps:
21
+ - uses: actions/checkout@v4
22
+
23
+ - uses: actions/setup-python@v5
24
+ with:
25
+ python-version: "3.12"
26
+
27
+ - name: Install Argus
28
+ # This repo installs Argus from its own source. In your own project,
29
+ # replace this with `pip install argus-appsec` once Argus is on PyPI.
30
+ run: pip install .
31
+
32
+ - name: Run Argus
33
+ # Do not fail the job here; let the SARIF upload surface findings.
34
+ # Set --fail-on high to block merges on High+ instead.
35
+ run: argus scan src -f sarif -o argus.sarif --quiet
36
+ env:
37
+ # Optional: use a cloud model for richer analysis. Omit to run offline.
38
+ ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
39
+
40
+ - name: Upload SARIF to Code Scanning
41
+ uses: github/codeql-action/upload-sarif@v3
42
+ if: always()
43
+ with:
44
+ sarif_file: argus.sarif
45
+ category: argus
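Review bot: The third-party actions in the steps — `actions/checkout@v4`, `actions/setup-python@v5` and `github/codeql-action/upload-sarif@v3` — are pinned to mutable major-version tags, so a retargeted or compromised tag silently changes what runs in a workflow that holds `security-events: write`; pin each to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`. The same applies to the action refs in ci.yml and to `pypa/gh-action-pypi-publish@release/v1` in publish.yml, where the ref is a branch rather than a tag. Separately, `if: always()` on the upload step runs it even when the scan step failed before writing argus.sarif, which turns one failure into two; `if: ${{ hashFiles('argus.sarif') != '' }}` uploads only when a report exists.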
@@ -0,0 +1,49 @@
1
+ name: CI
2
+
3
+ on:
4
+ push:
5
+ branches: [main]
6
+ pull_request:
7
+
8
+ permissions:
9
+ contents: read
10
+
11
+ jobs:
12
+ test:
13
+ name: Test (Python ${{ matrix.python-version }})
14
+ runs-on: ubuntu-latest
15
+ strategy:
16
+ fail-fast: false
17
+ matrix:
18
+ python-version: ["3.10", "3.11", "3.12"]
19
+ steps:
20
+ - uses: actions/checkout@v4
21
+
22
+ - name: Set up Python
23
+ uses: actions/setup-python@v5
24
+ with:
25
+ python-version: ${{ matrix.python-version }}
26
+ cache: pip
27
+
28
+ - name: Install
29
+ run: pip install -e ".[dev]"
30
+
31
+ - name: Lint
32
+ run: ruff check .
33
+
34
+ - name: Type check
35
+ run: mypy || true # advisory during alpha
36
+
37
+ - name: Test
38
+ run: pytest -q --cov=argus --cov-report=term-missing
39
+
40
+ build-image:
41
+ name: Build Docker image
42
+ runs-on: ubuntu-latest
43
+ needs: test
44
+ steps:
45
+ - uses: actions/checkout@v4
46
+ - name: Build
47
+ run: docker build -t argus:ci .
48
+ - name: Smoke test the image
49
+ run: docker run --rm -v "$PWD/examples/vulnerable-app:/work" argus:ci scan /work --min-severity high
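Review bot: The `Smoke test the image` step at the end scans the bundled vulnerable app with `--min-severity high` but asserts nothing about the result, so it only proves the container starts; if the scanner's exit status reflects findings (argus-scan.yml's comment mentions a `--fail-on` option), the step may fail precisely when the scanner works, and if it does not, a scanner that finds nothing still passes. Having the step write a report to the runner (the `-f`/`-o` flags argus-scan.yml uses, if the json reporter accepts them) and then checking the file with `test -s` would make the smoke test meaningful. Also `mypy || true` in the Type check step hides regressions entirely; `continue-on-error: true` on the step keeps the failure visible in the UI while still not blocking, which matches the "advisory" intent in the comment.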
@@ -0,0 +1,48 @@
1
+ # Publish Argus to PyPI when a GitHub Release is published.
2
+ #
3
+ # Uses PyPI Trusted Publishing (OIDC) — no API token or secret is stored in the
4
+ # repo. You configure the trust relationship once on PyPI (see RELEASING.md).
5
+ name: Publish to PyPI
6
+
7
+ on:
8
+ release:
9
+ types: [published]
10
+
11
+ permissions:
12
+ contents: read
13
+
14
+ jobs:
15
+ build:
16
+ name: Build distributions
17
+ runs-on: ubuntu-latest
18
+ steps:
19
+ - uses: actions/checkout@v4
20
+ - uses: actions/setup-python@v5
21
+ with:
22
+ python-version: "3.12"
23
+ - name: Build sdist and wheel
24
+ run: |
25
+ python -m pip install --upgrade build twine
26
+ python -m build
27
+ python -m twine check dist/*
28
+ - uses: actions/upload-artifact@v4
29
+ with:
30
+ name: dist
31
+ path: dist/
32
+
33
+ publish:
34
+ name: Publish to PyPI
35
+ needs: build
36
+ runs-on: ubuntu-latest
37
+ environment:
38
+ name: pypi
39
+ url: https://pypi.org/project/argus-appsec/
40
+ permissions:
41
+ id-token: write # required for trusted publishing (OIDC)
42
+ steps:
43
+ - uses: actions/download-artifact@v4
44
+ with:
45
+ name: dist
46
+ path: dist/
47
+ - name: Publish
48
+ uses: pypa/gh-action-pypi-publish@release/v1
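Review bot: Nothing in the `publish` job ties what is uploaded to the release that triggered it: the artifact is whatever `python -m build` produced at the release ref, and there is no check that the version inside `dist/` matches `github.event.release.tag_name`, so a tag cut on the wrong commit publishes a mismatched version under the OIDC identity, and that version number can never be re-uploaded. A step in `build` that compares the tag against the built filenames (for example failing when no `dist/argus_appsec-<tag-version>*` exists) closes that gap before anything leaves the runner. The `release/v1` ref on `pypa/gh-action-pypi-publish` is a branch; pinning it to a commit SHA is the same point raised on argus-scan.yml.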
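--- a/argus_appsec-0.1.0/.gitignore
+++ b/argus_appsec-0.1.0/.gitignore
@@ -0,0 +1,34 @@
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.eggs/
+build/
+dist/
+.venv/
+venv/
+env/
+
+# Tooling
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+coverage.xml
+
+# Argus output
+.argus/
+argus-report.*
+*.sarif
+
+# Environment / secrets
+.env
+.env.*
+!.env.example
+
+# Editors / OS
+.idea/
+.vscode/
+.DS_Store
+Thumbs.db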
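--- a/argus_appsec-0.1.0/CODE_OF_CONDUCT.md
+++ b/argus_appsec-0.1.0/CODE_OF_CONDUCT.md
@@ -0,0 +1,42 @@
+# Contributor Code of Conduct
+
+## Our pledge
+
+We as members, contributors, and maintainers pledge to make participation in the
+Argus community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Being respectful of differing opinions, viewpoints, and experiences.
+- Giving and gracefully accepting constructive feedback.
+- Focusing on what is best for the community and the project.
+- Showing empathy toward other community members.
+
+Examples of unacceptable behavior:
+
+- Harassment, insults, or derogatory comments, and personal or political attacks.
+- Publishing others' private information without explicit permission.
+- Trolling or deliberately disruptive behavior.
+- Other conduct which could reasonably be considered inappropriate in a
+professional setting.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project maintainer. All complaints will be reviewed and
+investigated promptly and fairly. The maintainer is obligated to respect the
+privacy and security of the reporter of any incident.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
+
+[homepage]: https://www.contributor-covenant.org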
@@ -0,0 +1,67 @@
1
+ # Contributing to Argus
2
+
3
+ Thanks for considering a contribution. Argus is designed so that most
4
+ additions — new scanners, languages, compliance rules, report formats — land as
5
+ plugins and never touch the core. That keeps the barrier low and the core stable.
6
+
7
+ ## Getting set up
8
+
9
+ ```bash
10
+ git clone https://github.com/hasipfaruk/Argus
11
+ cd argus
12
+ python -m venv .venv && . .venv/bin/activate # Windows: .venv\Scripts\activate
13
+ pip install -e ".[dev]"
14
+ ```
15
+
16
+ Run the checks:
17
+
18
+ ```bash
19
+ pytest # tests
20
+ ruff check . # lint
21
+ mypy # type check (advisory during alpha)
22
+ ```
23
+
24
+ All three run in CI on every pull request; please make sure they pass locally
25
+ first.
26
+
27
+ ## What makes a good contribution
28
+
29
+ - **New scanners and rules.** The highest-value contributions. See
30
+ [docs/plugins.md](docs/plugins.md). New rules for the built-in `patterns` and
31
+ `iac` scanners are just entries in a list.
32
+ - **Language support.** Extend `argus/analysis/languages.py` and add
33
+ language-specific rules or a dedicated scanner.
34
+ - **Report formats.** Subclass `Reporter`.
35
+ - **AI providers.** Wrap another model backend behind `AIProvider`.
36
+
37
+ ## Standards
38
+
39
+ - **Tests are required** for new behavior. Put fixtures in `tests/conftest.py` and
40
+ keep tests deterministic — the default offline provider makes this easy.
41
+ - **Every finding must carry a CWE and OWASP mapping** and, ideally, the reasoning
42
+ fields so it is useful without a model.
43
+ - **Keep the core dependency-light.** New heavy dependencies belong behind an
44
+ optional extra (`pip install argus-appsec[...]`), like the cloud providers.
45
+ - **Match the house style.** Ruff enforces formatting and imports; follow the
46
+ patterns in the existing scanners.
47
+
48
+ ## Security rules of the road
49
+
50
+ Argus is a security tool; contributions should reflect that.
51
+
52
+ - The Attack Simulation feature is **educational and non-executing** by design. Do
53
+ not add anything that runs generated exploits or sends traffic to live targets
54
+ without an explicit, opt-in, sandboxed design discussed in an issue first.
55
+ - If you find a vulnerability *in Argus itself*, please report it privately (see
56
+ [SECURITY.md](SECURITY.md)) rather than opening a public issue.
57
+
58
+ ## Pull request process
59
+
60
+ 1. Open an issue for anything non-trivial so we can agree on the approach.
61
+ 2. Branch from `main`, keep the change focused.
62
+ 3. Add tests and docs.
63
+ 4. Ensure `pytest`, `ruff check .`, and `mypy` pass.
64
+ 5. Describe the change and its motivation in the PR.
65
+
66
+ By contributing you agree that your contributions are licensed under the project's
67
+ Apache-2.0 license.
@@ -0,0 +1,36 @@
1
+ # Argus container image.
2
+ #
3
+ # Multi-stage build: install into a venv in the builder, copy the venv into a
4
+ # slim runtime. Includes git so remote repository targets can be cloned.
5
+ FROM python:3.12-slim AS builder
6
+
7
+ ENV PIP_NO_CACHE_DIR=1 \
8
+ PIP_DISABLE_PIP_VERSION_CHECK=1
9
+
10
+ WORKDIR /src
11
+ COPY pyproject.toml README.md ./
12
+ COPY src ./src
13
+
14
+ RUN python -m venv /opt/venv
15
+ ENV PATH="/opt/venv/bin:$PATH"
16
+ RUN pip install .
17
+
18
+ # --- runtime ---------------------------------------------------------------
19
+ FROM python:3.12-slim AS runtime
20
+
21
+ # git is needed to scan remote repositories.
22
+ RUN apt-get update \
23
+ && apt-get install -y --no-install-recommends git \
24
+ && rm -rf /var/lib/apt/lists/*
25
+
26
+ COPY --from=builder /opt/venv /opt/venv
27
+ ENV PATH="/opt/venv/bin:$PATH"
28
+
29
+ # Run as a non-root user.
30
+ RUN useradd --create-home --uid 10001 argus
31
+ USER argus
32
+ WORKDIR /work
33
+
34
+ # Mount the project to scan at /work.
35
+ ENTRYPOINT ["argus"]
36
+ CMD ["--help"]
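Review bot: Both `FROM python:3.12-slim` lines pin a floating tag, so the builder and runtime stages can resolve to different images on different days while the venv built in one is copied into the other; pin the tag to a digest, `FROM python:3.12-slim@sha256:<digest> AS builder` (and the same digest for `runtime`), and bump it deliberately. The non-root `USER argus` and `--no-install-recommends` are good. One thing to confirm: with uid 10001 inside the container and a project bind-mounted at /work owned by the host user, recent git refuses to operate on a repository owned by a different uid unless `safe.directory` is set, so remediation features that run git on the mounted checkout (the package ships remediation/git_ops.py) may need `git config --global --add safe.directory /work` in the image or a note on the run command in the docs.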
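--- a/argus_appsec-0.1.0/LICENSE
+++ b/argus_appsec-0.1.0/LICENSE
@@ -0,0 +1,19 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+Copyright 2026 Argus contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+The full text of the Apache License 2.0 is available at the URL above.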
@@ -0,0 +1,29 @@
1
+ # Developer convenience targets. See CONTRIBUTING.md.
2
+ .PHONY: install test lint typecheck fmt scan-example docker clean
3
+
4
+ install:
5
+ pip install -e ".[dev]"
6
+
7
+ test:
8
+ pytest -q
9
+
10
+ lint:
11
+ ruff check .
12
+
13
+ typecheck:
14
+ mypy
15
+
16
+ fmt:
17
+ ruff check . --fix
18
+
19
+ # Run a full scan on the bundled vulnerable example with all features on.
20
+ scan-example:
21
+ argus scan examples/vulnerable-app --attack-sim --patches
22
+
23
+ docker:
24
+ docker build -t argus:local .
25
+
26
+ clean:
27
+ rm -rf .pytest_cache .ruff_cache .mypy_cache htmlcov .coverage \
28
+ dist build src/*.egg-info examples/reports
29
+ find . -type d -name __pycache__ -prune -exec rm -rf {} +
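Review bot: The `fmt` target runs `ruff check . --fix`, which applies lint autofixes but does not reformat code, while CONTRIBUTING.md in this same release says Ruff enforces formatting; a target named `fmt` should run `ruff format .` (optionally followed by `ruff check . --fix` for the import-sorting fixes), otherwise contributors will assume their files are formatted when they are not. A smaller point: `scan-example` runs with `--attack-sim --patches` and `clean` deletes `examples/reports`, so a comment on `scan-example` saying where its report lands would tie the two targets together; I cannot tell from this file whether the CLI writes to `examples/reports` by default.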