argus-appsec 0.1.0__tar.gz
- argus_appsec-0.1.0/.dockerignore +21 -0
- argus_appsec-0.1.0/.env.example +15 -0
- argus_appsec-0.1.0/.gitattributes +9 -0
- argus_appsec-0.1.0/.github/CODEOWNERS +8 -0
- argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/bug_report.yml +58 -0
- argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/config.yml +8 -0
- argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/feature_request.yml +38 -0
- argus_appsec-0.1.0/.github/PULL_REQUEST_TEMPLATE.md +27 -0
- argus_appsec-0.1.0/.github/workflows/argus-scan.yml +45 -0
- argus_appsec-0.1.0/.github/workflows/ci.yml +49 -0
- argus_appsec-0.1.0/.github/workflows/publish.yml +48 -0
- argus_appsec-0.1.0/.gitignore +34 -0
- argus_appsec-0.1.0/CODE_OF_CONDUCT.md +42 -0
- argus_appsec-0.1.0/CONTRIBUTING.md +67 -0
- argus_appsec-0.1.0/Dockerfile +36 -0
- argus_appsec-0.1.0/LICENSE +19 -0
- argus_appsec-0.1.0/Makefile +29 -0
- argus_appsec-0.1.0/PKG-INFO +246 -0
- argus_appsec-0.1.0/README.md +208 -0
- argus_appsec-0.1.0/RELEASING.md +89 -0
- argus_appsec-0.1.0/SECURITY.md +29 -0
- argus_appsec-0.1.0/docs/README.md +11 -0
- argus_appsec-0.1.0/docs/architecture.md +97 -0
- argus_appsec-0.1.0/docs/attack-simulation.md +69 -0
- argus_appsec-0.1.0/docs/ci-cd.md +66 -0
- argus_appsec-0.1.0/docs/configuration.md +111 -0
- argus_appsec-0.1.0/docs/fixing.md +88 -0
- argus_appsec-0.1.0/docs/plugins.md +146 -0
- argus_appsec-0.1.0/examples/vulnerable-app/Dockerfile +11 -0
- argus_appsec-0.1.0/examples/vulnerable-app/app.py +55 -0
- argus_appsec-0.1.0/examples/vulnerable-app/requirements.txt +4 -0
- argus_appsec-0.1.0/pyproject.toml +97 -0
- argus_appsec-0.1.0/src/argus/__init__.py +28 -0
- argus_appsec-0.1.0/src/argus/__main__.py +6 -0
- argus_appsec-0.1.0/src/argus/agents/__init__.py +21 -0
- argus_appsec-0.1.0/src/argus/agents/base.py +37 -0
- argus_appsec-0.1.0/src/argus/agents/enrichment.py +111 -0
- argus_appsec-0.1.0/src/argus/agents/exploit.py +173 -0
- argus_appsec-0.1.0/src/argus/agents/patch.py +82 -0
- argus_appsec-0.1.0/src/argus/ai/__init__.py +16 -0
- argus_appsec-0.1.0/src/argus/ai/anthropic_provider.py +47 -0
- argus_appsec-0.1.0/src/argus/ai/base.py +62 -0
- argus_appsec-0.1.0/src/argus/ai/factory.py +47 -0
- argus_appsec-0.1.0/src/argus/ai/heuristic.py +99 -0
- argus_appsec-0.1.0/src/argus/ai/ollama_provider.py +51 -0
- argus_appsec-0.1.0/src/argus/ai/openai_provider.py +43 -0
- argus_appsec-0.1.0/src/argus/analysis/__init__.py +5 -0
- argus_appsec-0.1.0/src/argus/analysis/languages.py +54 -0
- argus_appsec-0.1.0/src/argus/analysis/repository.py +217 -0
- argus_appsec-0.1.0/src/argus/cli/__init__.py +5 -0
- argus_appsec-0.1.0/src/argus/cli/main.py +441 -0
- argus_appsec-0.1.0/src/argus/core/__init__.py +1 -0
- argus_appsec-0.1.0/src/argus/core/config.py +101 -0
- argus_appsec-0.1.0/src/argus/core/engine.py +131 -0
- argus_appsec-0.1.0/src/argus/core/models.py +231 -0
- argus_appsec-0.1.0/src/argus/core/plugin.py +180 -0
- argus_appsec-0.1.0/src/argus/core/project.py +157 -0
- argus_appsec-0.1.0/src/argus/plugins.py +27 -0
- argus_appsec-0.1.0/src/argus/py.typed +0 -0
- argus_appsec-0.1.0/src/argus/remediation/__init__.py +10 -0
- argus_appsec-0.1.0/src/argus/remediation/applier.py +140 -0
- argus_appsec-0.1.0/src/argus/remediation/git_ops.py +131 -0
- argus_appsec-0.1.0/src/argus/remediation/hosting.py +140 -0
- argus_appsec-0.1.0/src/argus/remediation/pullrequest.py +213 -0
- argus_appsec-0.1.0/src/argus/remediation/rewrites.py +82 -0
- argus_appsec-0.1.0/src/argus/reporting/__init__.py +10 -0
- argus_appsec-0.1.0/src/argus/reporting/html.py +224 -0
- argus_appsec-0.1.0/src/argus/reporting/json_reporter.py +59 -0
- argus_appsec-0.1.0/src/argus/reporting/markdown.py +146 -0
- argus_appsec-0.1.0/src/argus/reporting/sarif.py +122 -0
- argus_appsec-0.1.0/src/argus/scanners/__init__.py +10 -0
- argus_appsec-0.1.0/src/argus/scanners/data/__init__.py +1 -0
- argus_appsec-0.1.0/src/argus/scanners/data/advisories.json +77 -0
- argus_appsec-0.1.0/src/argus/scanners/dependencies.py +169 -0
- argus_appsec-0.1.0/src/argus/scanners/iac.py +213 -0
- argus_appsec-0.1.0/src/argus/scanners/patterns.py +291 -0
- argus_appsec-0.1.0/src/argus/scanners/secrets.py +170 -0
- argus_appsec-0.1.0/src/argus/targets.py +122 -0
- argus_appsec-0.1.0/tests/__init__.py +0 -0
- argus_appsec-0.1.0/tests/conftest.py +58 -0
- argus_appsec-0.1.0/tests/test_analysis_and_plugins.py +59 -0
- argus_appsec-0.1.0/tests/test_engine_and_agents.py +80 -0
- argus_appsec-0.1.0/tests/test_models.py +84 -0
- argus_appsec-0.1.0/tests/test_remediation.py +169 -0
- argus_appsec-0.1.0/tests/test_reporters.py +65 -0
- argus_appsec-0.1.0/tests/test_scanners.py +74 -0
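--- a/argus_appsec-0.1.0/.env.example
+++ b/argus_appsec-0.1.0/.env.example
@@ -0,0 +1,15 @@
+# Copy to .env and fill in the providers you intend to use.
+# Argus runs without any of these using the built-in heuristic provider.
+
+# --- Cloud AI providers ---
+ANTHROPIC_API_KEY=
+OPENAI_API_KEY=
+
+# --- Local AI provider (Ollama) ---
+# Default endpoint; change if Ollama runs elsewhere.
+OLLAMA_HOST=http://localhost:11434
+
+# --- Git hosting integrations (for remote targets / PR creation) ---
+GITHUB_TOKEN=
+GITLAB_TOKEN=
+BITBUCKET_TOKEN=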
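Review bot: The three hosting tokens at the end of the hunk (GITHUB_TOKEN, GITLAB_TOKEN, BITBUCKET_TOKEN) are described only as "for remote targets / PR creation", so the natural thing for a user to paste is a broad personal token. A one-line scope hint under the section header keeps the blast radius of a leaked `.env` small, e.g. `# Use a token scoped to the repositories Argus should read and open PRs on (contents + pull requests); avoid org-wide or admin tokens.` The `.gitignore` in this release already excludes `.env`, so the remaining risk is the token's own privileges.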
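--- a/argus_appsec-0.1.0/.github/CODEOWNERS
+++ b/argus_appsec-0.1.0/.github/CODEOWNERS
@@ -0,0 +1,8 @@
+# Code owners are automatically requested for review on pull requests.
+# The owner reviews and merges everything by default. Add more owners for
+# specific paths as the project grows, e.g.:
+# /src/argus/scanners/ @some-trusted-contributor
+#
+# Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+* @hasipfaruk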
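--- a/argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,58 @@
+name: Bug report
+description: Report something that isn't working as expected in Argus.
+labels: ["bug"]
+body:
+- type: markdown
+attributes:
+value: |
+Thanks for taking the time to file a bug. Please fill in the sections below.
+For a security vulnerability *in Argus itself*, do not open a public issue —
+see SECURITY.md.
+- type: textarea
+id: what-happened
+attributes:
+label: What happened?
+description: A clear description of the bug, and what you expected instead.
+placeholder: When I run `argus scan ...`, I expected X but got Y.
+validations:
+required: true
+- type: textarea
+id: repro
+attributes:
+label: Steps to reproduce
+description: The exact command(s) and, if possible, a minimal example.
+placeholder: |
+1. argus scan ./my-project -s secrets
+2. ...
+validations:
+required: true
+- type: textarea
+id: logs
+attributes:
+label: Output / error
+description: Paste the relevant output. This is automatically formatted as code.
+render: shell
+- type: input
+id: version
+attributes:
+label: Argus version
+description: Output of `argus version`.
+placeholder: Argus v0.1.0
+validations:
+required: true
+- type: dropdown
+id: os
+attributes:
+label: Operating system
+options:
+- Linux
+- macOS
+- Windows
+- Other
+validations:
+required: true
+- type: input
+id: python
+attributes:
+label: Python version
+placeholder: "3.11"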
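Review bot: The "Output / error" textarea (lines 29–34) asks reporters to paste raw scan output into a public issue, but this package ships a secrets scanner (the repro placeholder on line 25 even uses `-s secrets`), so that output can contain the very credential values the scan flagged. Add a redaction hint to the field, e.g. `description: Paste the relevant output, with any detected secret values or tokens redacted. This is automatically formatted as code.` Whether findings print the matched value or only its location is not visible from this hunk, so the hint is worth having either way.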
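--- a/argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/config.yml
+++ b/argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+- name: Report a security vulnerability in Argus (private)
+url: https://github.com/hasipfaruk/Argus/security/advisories/new
+about: Please report security issues privately, not as a public issue. See SECURITY.md.
+- name: Questions & discussion
+url: https://github.com/hasipfaruk/Argus/discussions
+about: Ask questions and discuss ideas here (enable Discussions in repo settings).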
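--- a/argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/argus_appsec-0.1.0/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,38 @@
+name: Feature request
+description: Suggest a new scanner, rule, report format, or capability.
+labels: ["enhancement"]
+body:
+- type: textarea
+id: problem
+attributes:
+label: What problem does this solve?
+description: Describe the use case or the gap you're hitting.
+validations:
+required: true
+- type: textarea
+id: proposal
+attributes:
+label: Proposed solution
+description: What you'd like Argus to do. If it's a new scanner/rule, note the
+language and the vulnerability class (and a CWE if you know it).
+validations:
+required: true
+- type: dropdown
+id: area
+attributes:
+label: Area
+options:
+- New scanner or rule
+- New language support
+- New report format
+- AI provider
+- CLI / usability
+- Fix / pull-request workflow
+- Other
+validations:
+required: true
+- type: textarea
+id: alternatives
+attributes:
+label: Alternatives considered
+description: Other approaches you thought about, or how you work around this today.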
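--- a/argus_appsec-0.1.0/.github/PULL_REQUEST_TEMPLATE.md
+++ b/argus_appsec-0.1.0/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,27 @@
+<!-- Thanks for contributing to Argus! Fill this in so review is quick. -->
+
+## What does this change?
+
+<!-- A short description of the change and why it's needed. Link any related issue. -->
+
+Closes #
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New scanner / rule
+- [ ] New reporter or AI provider
+- [ ] Documentation
+- [ ] Other (describe below)
+
+## Checklist
+
+- [ ] I ran `pytest` and all tests pass
+- [ ] I ran `ruff check .` with no errors
+- [ ] I added or updated tests for my change
+- [ ] I updated docs if behavior or usage changed
+- [ ] New findings (if any) include a CWE/OWASP mapping and remediation
+
+## Notes for the reviewer
+
+<!-- Anything that will help review: trade-offs, things you're unsure about, etc. -->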
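--- a/argus_appsec-0.1.0/.github/workflows/argus-scan.yml
+++ b/argus_appsec-0.1.0/.github/workflows/argus-scan.yml
@@ -0,0 +1,45 @@
+# Example: run Argus on every push/PR and upload results to GitHub Code Scanning.
+#
+# Copy this into your own repository's .github/workflows/ to get Argus findings
+# as annotations on pull requests and in the Security tab. The SARIF upload maps
+# Argus severities onto GitHub's alert levels.
+name: Argus Security Scan
+
+on:
+push:
+branches: [main]
+pull_request:
+
+permissions:
+contents: read
+security-events: write # required to upload SARIF
+
+jobs:
+argus:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+
+- uses: actions/setup-python@v5
+with:
+python-version: "3.12"
+
+- name: Install Argus
+# This repo installs Argus from its own source. In your own project,
+# replace this with `pip install argus-appsec` once Argus is on PyPI.
+run: pip install .
+
+- name: Run Argus
+# Do not fail the job here; let the SARIF upload surface findings.
+# Set --fail-on high to block merges on High+ instead.
+run: argus scan src -f sarif -o argus.sarif --quiet
+env:
+# Optional: use a cloud model for richer analysis. Omit to run offline.
+ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+
+- name: Upload SARIF to Code Scanning
+uses: github/codeql-action/upload-sarif@v3
+if: always()
+with:
+sarif_file: argus.sarif
+category: argus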
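Review bot: Every third-party action in this workflow is referenced by a mutable tag (`actions/checkout@v4` on line 21, `actions/setup-python@v5` on line 23, `github/codeql-action/upload-sarif@v3` on line 41), so a moved tag changes what runs in a job that holds `security-events: write`. Pin each to a full commit SHA with the version kept as a trailing comment, e.g. `- uses: actions/checkout@<commit-sha>  # v4`, and let a dependency bot bump them; the same applies to the action references in ci.yml and publish.yml, where the publish job additionally holds `id-token: write`. Separately, the scan step runs on `pull_request` with `ANTHROPIC_API_KEY` in its environment; presumably the cloud provider receives code excerpts, which is worth stating in the comment on line 37 so adopters know PR-contributed code leaves the runner when the key is set.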
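--- a/argus_appsec-0.1.0/.github/workflows/ci.yml
+++ b/argus_appsec-0.1.0/.github/workflows/ci.yml
@@ -0,0 +1,49 @@
+name: CI
+
+on:
+push:
+branches: [main]
+pull_request:
+
+permissions:
+contents: read
+
+jobs:
+test:
+name: Test (Python ${{ matrix.python-version }})
+runs-on: ubuntu-latest
+strategy:
+fail-fast: false
+matrix:
+python-version: ["3.10", "3.11", "3.12"]
+steps:
+- uses: actions/checkout@v4
+
+- name: Set up Python
+uses: actions/setup-python@v5
+with:
+python-version: ${{ matrix.python-version }}
+cache: pip
+
+- name: Install
+run: pip install -e ".[dev]"
+
+- name: Lint
+run: ruff check .
+
+- name: Type check
+run: mypy || true # advisory during alpha
+
+- name: Test
+run: pytest -q --cov=argus --cov-report=term-missing
+
+build-image:
+name: Build Docker image
+runs-on: ubuntu-latest
+needs: test
+steps:
+- uses: actions/checkout@v4
+- name: Build
+run: docker build -t argus:ci .
+- name: Smoke test the image
+run: docker run --rm -v "$PWD/examples/vulnerable-app:/work" argus:ci scan /work --min-severity high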
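--- a/argus_appsec-0.1.0/.github/workflows/publish.yml
+++ b/argus_appsec-0.1.0/.github/workflows/publish.yml
@@ -0,0 +1,48 @@
+# Publish Argus to PyPI when a GitHub Release is published.
+#
+# Uses PyPI Trusted Publishing (OIDC) — no API token or secret is stored in the
+# repo. You configure the trust relationship once on PyPI (see RELEASING.md).
+name: Publish to PyPI
+
+on:
+release:
+types: [published]
+
+permissions:
+contents: read
+
+jobs:
+build:
+name: Build distributions
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- uses: actions/setup-python@v5
+with:
+python-version: "3.12"
+- name: Build sdist and wheel
+run: |
+python -m pip install --upgrade build twine
+python -m build
+python -m twine check dist/*
+- uses: actions/upload-artifact@v4
+with:
+name: dist
+path: dist/
+
+publish:
+name: Publish to PyPI
+needs: build
+runs-on: ubuntu-latest
+environment:
+name: pypi
+url: https://pypi.org/project/argus-appsec/
+permissions:
+id-token: write # required for trusted publishing (OIDC)
+steps:
+- uses: actions/download-artifact@v4
+with:
+name: dist
+path: dist/
+- name: Publish
+uses: pypa/gh-action-pypi-publish@release/v1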
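Review bot: The `pypi` environment on lines 37–39 is what gates the OIDC token granted by `id-token: write` on line 41, yet nothing in the workflow limits which refs may deploy to it, so a release published from any tag or branch reaches the publish job and mints a token. Configure the environment in repository settings with a deployment tag/branch rule (and ideally a required reviewer) and say so in the header comment, e.g. `# The 'pypi' environment must restrict deployments to release tags and is configured in repo settings, not here.` The build job also installs `build` and `twine` unpinned on line 25; pinning them (`==` or a constraints file) makes the published artifact reproducible from the tag.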
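--- a/argus_appsec-0.1.0/.gitignore
+++ b/argus_appsec-0.1.0/.gitignore
@@ -0,0 +1,34 @@
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.eggs/
+build/
+dist/
+.venv/
+venv/
+env/
+
+# Tooling
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+coverage.xml
+
+# Argus output
+.argus/
+argus-report.*
+*.sarif
+
+# Environment / secrets
+.env
+.env.*
+!.env.example
+
+# Editors / OS
+.idea/
+.vscode/
+.DS_Store
+Thumbs.db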
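--- a/argus_appsec-0.1.0/CODE_OF_CONDUCT.md
+++ b/argus_appsec-0.1.0/CODE_OF_CONDUCT.md
@@ -0,0 +1,42 @@
+# Contributor Code of Conduct
+
+## Our pledge
+
+We as members, contributors, and maintainers pledge to make participation in the
+Argus community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Being respectful of differing opinions, viewpoints, and experiences.
+- Giving and gracefully accepting constructive feedback.
+- Focusing on what is best for the community and the project.
+- Showing empathy toward other community members.
+
+Examples of unacceptable behavior:
+
+- Harassment, insults, or derogatory comments, and personal or political attacks.
+- Publishing others' private information without explicit permission.
+- Trolling or deliberately disruptive behavior.
+- Other conduct which could reasonably be considered inappropriate in a
+professional setting.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project maintainer. All complaints will be reviewed and
+investigated promptly and fairly. The maintainer is obligated to respect the
+privacy and security of the reporter of any incident.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
+
+[homepage]: https://www.contributor-covenant.org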
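--- a/argus_appsec-0.1.0/CONTRIBUTING.md
+++ b/argus_appsec-0.1.0/CONTRIBUTING.md
@@ -0,0 +1,67 @@
+# Contributing to Argus
+
+Thanks for considering a contribution. Argus is designed so that most
+additions — new scanners, languages, compliance rules, report formats — land as
+plugins and never touch the core. That keeps the barrier low and the core stable.
+
+## Getting set up
+
+```bash
+git clone https://github.com/hasipfaruk/Argus
+cd argus
+python -m venv .venv && . .venv/bin/activate # Windows: .venv\Scripts\activate
+pip install -e ".[dev]"
+```
+
+Run the checks:
+
+```bash
+pytest # tests
+ruff check . # lint
+mypy # type check (advisory during alpha)
+```
+
+All three run in CI on every pull request; please make sure they pass locally
+first.
+
+## What makes a good contribution
+
+- **New scanners and rules.** The highest-value contributions. See
+[docs/plugins.md](docs/plugins.md). New rules for the built-in `patterns` and
+`iac` scanners are just entries in a list.
+- **Language support.** Extend `argus/analysis/languages.py` and add
+language-specific rules or a dedicated scanner.
+- **Report formats.** Subclass `Reporter`.
+- **AI providers.** Wrap another model backend behind `AIProvider`.
+
+## Standards
+
+- **Tests are required** for new behavior. Put fixtures in `tests/conftest.py` and
+keep tests deterministic — the default offline provider makes this easy.
+- **Every finding must carry a CWE and OWASP mapping** and, ideally, the reasoning
+fields so it is useful without a model.
+- **Keep the core dependency-light.** New heavy dependencies belong behind an
+optional extra (`pip install argus-appsec[...]`), like the cloud providers.
+- **Match the house style.** Ruff enforces formatting and imports; follow the
+patterns in the existing scanners.
+
+## Security rules of the road
+
+Argus is a security tool; contributions should reflect that.
+
+- The Attack Simulation feature is **educational and non-executing** by design. Do
+not add anything that runs generated exploits or sends traffic to live targets
+without an explicit, opt-in, sandboxed design discussed in an issue first.
+- If you find a vulnerability *in Argus itself*, please report it privately (see
+[SECURITY.md](SECURITY.md)) rather than opening a public issue.
+
+## Pull request process
+
+1. Open an issue for anything non-trivial so we can agree on the approach.
+2. Branch from `main`, keep the change focused.
+3. Add tests and docs.
+4. Ensure `pytest`, `ruff check .`, and `mypy` pass.
+5. Describe the change and its motivation in the PR.
+
+By contributing you agree that your contributions are licensed under the project's
+Apache-2.0 license.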
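--- a/argus_appsec-0.1.0/Dockerfile
+++ b/argus_appsec-0.1.0/Dockerfile
@@ -0,0 +1,36 @@
+# Argus container image.
+#
+# Multi-stage build: install into a venv in the builder, copy the venv into a
+# slim runtime. Includes git so remote repository targets can be cloned.
+FROM python:3.12-slim AS builder
+
+ENV PIP_NO_CACHE_DIR=1 \
+PIP_DISABLE_PIP_VERSION_CHECK=1
+
+WORKDIR /src
+COPY pyproject.toml README.md ./
+COPY src ./src
+
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+RUN pip install .
+
+# --- runtime ---------------------------------------------------------------
+FROM python:3.12-slim AS runtime
+
+# git is needed to scan remote repositories.
+RUN apt-get update \
+&& apt-get install -y --no-install-recommends git \
+&& rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /opt/venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+# Run as a non-root user.
+RUN useradd --create-home --uid 10001 argus
+USER argus
+WORKDIR /work
+
+# Mount the project to scan at /work.
+ENTRYPOINT ["argus"]
+CMD ["--help"]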
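Review bot: Both stages pull `python:3.12-slim` by mutable tag (lines 5 and 19), so the image base can change silently between the CI build and a later release build of the same commit. Pin by digest, `FROM python:3.12-slim@sha256:<base-image-digest> AS runtime` (and likewise for the builder), and bump it deliberately. Also, `WORKDIR /work` on line 32 comes after `USER argus`; I believe the directory is still created root-owned, so writing a report into an unmounted `/work` (e.g. `-o argus.sarif`) would fail for the unprivileged user — either `RUN mkdir -p /work && chown argus:argus /work` before switching user, or state in the comment on line 34 that `/work` is expected to be a bind mount and output goes there.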
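--- a/argus_appsec-0.1.0/LICENSE
+++ b/argus_appsec-0.1.0/LICENSE
@@ -0,0 +1,19 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+Copyright 2026 Argus contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+The full text of the Apache License 2.0 is available at the URL above.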
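--- a/argus_appsec-0.1.0/Makefile
+++ b/argus_appsec-0.1.0/Makefile
@@ -0,0 +1,29 @@
+# Developer convenience targets. See CONTRIBUTING.md.
+.PHONY: install test lint typecheck fmt scan-example docker clean
+
+install:
+pip install -e ".[dev]"
+
+test:
+pytest -q
+
+lint:
+ruff check .
+
+typecheck:
+mypy
+
+fmt:
+ruff check . --fix
+
+# Run a full scan on the bundled vulnerable example with all features on.
+scan-example:
+argus scan examples/vulnerable-app --attack-sim --patches
+
+docker:
+docker build -t argus:local .
+
+clean:
+rm -rf .pytest_cache .ruff_cache .mypy_cache htmlcov .coverage \
+dist build src/*.egg-info examples/reports
+find . -type d -name __pycache__ -prune -exec rm -rf {} +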