pwnguard 0.2.4__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- pwnguard-0.2.4/.github/workflows/publish.yml +44 -0
- pwnguard-0.2.4/.gitignore +44 -0
- pwnguard-0.2.4/.gitlab-ci.example.yml +44 -0
- pwnguard-0.2.4/.pwnguard.env.example +46 -0
- pwnguard-0.2.4/LICENSE +34 -0
- pwnguard-0.2.4/PKG-INFO +692 -0
- pwnguard-0.2.4/README.md +633 -0
- pwnguard-0.2.4/SECURITY.md +19 -0
- pwnguard-0.2.4/audit.py +77 -0
- pwnguard-0.2.4/demo/fixed.php +75 -0
- pwnguard-0.2.4/demo/hard_test.diff +139 -0
- pwnguard-0.2.4/demo/vulnerable.php +56 -0
- pwnguard-0.2.4/demo/vulnerable_lab.py +160 -0
- pwnguard-0.2.4/docs/architecture.md +59 -0
- pwnguard-0.2.4/docs/development.md +50 -0
- pwnguard-0.2.4/docs/monitor-mode.md +161 -0
- pwnguard-0.2.4/docs/ollama-guide.md +90 -0
- pwnguard-0.2.4/docs/review-tui.md +31 -0
- pwnguard-0.2.4/install-hook.py +23 -0
- pwnguard-0.2.4/pwnguard/__init__.py +8 -0
- pwnguard-0.2.4/pwnguard/__main__.py +4 -0
- pwnguard-0.2.4/pwnguard/anchors.py +192 -0
- pwnguard-0.2.4/pwnguard/backends/__init__.py +73 -0
- pwnguard-0.2.4/pwnguard/backends/claude_api.py +74 -0
- pwnguard-0.2.4/pwnguard/backends/claude_code.py +73 -0
- pwnguard-0.2.4/pwnguard/backends/ollama.py +201 -0
- pwnguard-0.2.4/pwnguard/backends/openai_compat.py +343 -0
- pwnguard-0.2.4/pwnguard/cli.py +543 -0
- pwnguard-0.2.4/pwnguard/config.py +147 -0
- pwnguard-0.2.4/pwnguard/constants.py +109 -0
- pwnguard-0.2.4/pwnguard/data/__init__.py +0 -0
- pwnguard-0.2.4/pwnguard/data/pre-commit +65 -0
- pwnguard-0.2.4/pwnguard/diff.py +366 -0
- pwnguard-0.2.4/pwnguard/fetchers.py +413 -0
- pwnguard-0.2.4/pwnguard/installer.py +136 -0
- pwnguard-0.2.4/pwnguard/models.py +100 -0
- pwnguard-0.2.4/pwnguard/monitor.py +1086 -0
- pwnguard-0.2.4/pwnguard/parser.py +271 -0
- pwnguard-0.2.4/pwnguard/prompts.py +252 -0
- pwnguard-0.2.4/pwnguard/render.py +720 -0
- pwnguard-0.2.4/pwnguard/report.py +195 -0
- pwnguard-0.2.4/pwnguard/review.py +260 -0
- pwnguard-0.2.4/pwnguard/runtime.py +61 -0
- pwnguard-0.2.4/pwnguard/scan.py +404 -0
- pwnguard-0.2.4/pwnguard/security.py +44 -0
- pwnguard-0.2.4/pwnguard/tui.py +239 -0
- pwnguard-0.2.4/pwnguard/ui.py +523 -0
- pwnguard-0.2.4/pwnguard.yaml +96 -0
- pwnguard-0.2.4/pyproject.toml +42 -0
- pwnguard-0.2.4/tests/__init__.py +0 -0
- pwnguard-0.2.4/tests/conftest.py +64 -0
- pwnguard-0.2.4/tests/test_anchors.py +324 -0
- pwnguard-0.2.4/tests/test_audit_result.py +130 -0
- pwnguard-0.2.4/tests/test_diff_helpers.py +265 -0
- pwnguard-0.2.4/tests/test_fetch_url.py +241 -0
- pwnguard-0.2.4/tests/test_list_commits.py +197 -0
- pwnguard-0.2.4/tests/test_monitor_cycle.py +501 -0
- pwnguard-0.2.4/tests/test_monitor_state.py +181 -0
- pwnguard-0.2.4/tests/test_parse_response.py +244 -0
- pwnguard-0.2.4/tests/test_rendering.py +134 -0
- pwnguard-0.2.4/tests/test_security.py +98 -0
- pwnguard-0.2.4/tests/test_tui.py +193 -0
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
name: Publish to PyPI
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
push:
|
|
5
|
+
tags:
|
|
6
|
+
- "v*"
|
|
7
|
+
|
|
8
|
+
jobs:
|
|
9
|
+
build-and-publish:
|
|
10
|
+
name: Build and publish PwnGuard to PyPI
|
|
11
|
+
runs-on: ubuntu-latest
|
|
12
|
+
environment:
|
|
13
|
+
name: pypi
|
|
14
|
+
url: https://pypi.org/p/pwnguard
|
|
15
|
+
permissions:
|
|
16
|
+
id-token: write
|
|
17
|
+
|
|
18
|
+
steps:
|
|
19
|
+
- name: Checkout
|
|
20
|
+
uses: actions/checkout@v4
|
|
21
|
+
|
|
22
|
+
- name: Set up Python
|
|
23
|
+
uses: actions/setup-python@v5
|
|
24
|
+
with:
|
|
25
|
+
python-version: "3.12"
|
|
26
|
+
|
|
27
|
+
- name: Install build tooling
|
|
28
|
+
run: python -m pip install --upgrade build
|
|
29
|
+
|
|
30
|
+
- name: Verify tag matches package version
|
|
31
|
+
run: |
|
|
32
|
+
TAG="${GITHUB_REF_NAME#v}"
|
|
33
|
+
PKG_VERSION=$(grep -E '^__version__' pwnguard/__init__.py | cut -d'"' -f2)
|
|
34
|
+
if [ "$TAG" != "$PKG_VERSION" ]; then
|
|
35
|
+
echo "::error::Tag $TAG does not match pwnguard/__init__.py version $PKG_VERSION"
|
|
36
|
+
exit 1
|
|
37
|
+
fi
|
|
38
|
+
echo "Tag and package version both at $TAG"
|
|
39
|
+
|
|
40
|
+
- name: Build wheel + sdist
|
|
41
|
+
run: python -m build
|
|
42
|
+
|
|
43
|
+
- name: Publish to PyPI via Trusted Publishing
|
|
44
|
+
uses: pypa/gh-action-pypi-publish@release/v1
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# Secrets / local config
|
|
2
|
+
.env
|
|
3
|
+
.env.*
|
|
4
|
+
.pwnguard.env
|
|
5
|
+
!.env.example
|
|
6
|
+
!.pwnguard.env.example
|
|
7
|
+
pwnguard.local.yaml
|
|
8
|
+
.pwnguard.local.yaml
|
|
9
|
+
*.pem
|
|
10
|
+
*.key
|
|
11
|
+
credentials*
|
|
12
|
+
.netrc
|
|
13
|
+
|
|
14
|
+
# Python
|
|
15
|
+
__pycache__/
|
|
16
|
+
*.py[cod]
|
|
17
|
+
*$py.class
|
|
18
|
+
.venv/
|
|
19
|
+
venv/
|
|
20
|
+
env/
|
|
21
|
+
.pytest_cache/
|
|
22
|
+
.mypy_cache/
|
|
23
|
+
.ruff_cache/
|
|
24
|
+
*.egg-info/
|
|
25
|
+
build/
|
|
26
|
+
dist/
|
|
27
|
+
|
|
28
|
+
# Editors / OS
|
|
29
|
+
.DS_Store
|
|
30
|
+
.idea/
|
|
31
|
+
.vscode/
|
|
32
|
+
*.swp
|
|
33
|
+
*.swo
|
|
34
|
+
|
|
35
|
+
# Tool output
|
|
36
|
+
audit-report.*
|
|
37
|
+
*.log
|
|
38
|
+
|
|
39
|
+
# Monitor mode cache (per-cwd state file, never to be committed)
|
|
40
|
+
.pwnguard-monitor.json
|
|
41
|
+
|
|
42
|
+
# TUI export files (timestamped findings dumps from --review / --monitor)
|
|
43
|
+
pwnguard-findings-*.md
|
|
44
|
+
pwnguard-monitor-findings-*.md
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# .gitlab-ci.yml (add this stage to your existing pipeline)
|
|
2
|
+
#
|
|
3
|
+
# Option A: Ollama on self-hosted runner (no API key needed)
|
|
4
|
+
# Option B: Claude API (requires ANTHROPIC_API_KEY CI/CD variable)
|
|
5
|
+
#
|
|
6
|
+
# For MR comments, set GITLAB_TOKEN (personal access token, api scope)
|
|
7
|
+
# in Settings > CI/CD > Variables (masked, protected)
|
|
8
|
+
|
|
9
|
+
stages:
|
|
10
|
+
# ... your existing stages ...
|
|
11
|
+
- security
|
|
12
|
+
|
|
13
|
+
# --- Option A: Self-hosted runner with Ollama (recommended) ---
|
|
14
|
+
pwnguard:
|
|
15
|
+
stage: security
|
|
16
|
+
tags:
|
|
17
|
+
- security-runner # your self-hosted runner tag
|
|
18
|
+
rules:
|
|
19
|
+
- if: $CI_MERGE_REQUEST_IID
|
|
20
|
+
before_script:
|
|
21
|
+
- pip install pwnguard --quiet
|
|
22
|
+
# Ensure Ollama is running on the runner
|
|
23
|
+
- ollama list || echo "Warning: Ollama not available"
|
|
24
|
+
script:
|
|
25
|
+
- pwnguard --mode ci --mr-diff --backend ollama
|
|
26
|
+
allow_failure: false
|
|
27
|
+
|
|
28
|
+
# --- Option B: Claude API (if org has API access) ---
|
|
29
|
+
# pwnguard:
|
|
30
|
+
# stage: security
|
|
31
|
+
# image: python:3.12-slim
|
|
32
|
+
# rules:
|
|
33
|
+
# - if: $CI_MERGE_REQUEST_IID
|
|
34
|
+
# variables:
|
|
35
|
+
# PIP_CACHE_DIR: "$CI_PROJECT_DIR/.pip-cache"
|
|
36
|
+
# cache:
|
|
37
|
+
# key: pwnguard-pip
|
|
38
|
+
# paths:
|
|
39
|
+
# - .pip-cache/
|
|
40
|
+
# before_script:
|
|
41
|
+
# - pip install "pwnguard[claude-api]" --quiet
|
|
42
|
+
# script:
|
|
43
|
+
# - pwnguard --mode ci --mr-diff --backend claude-api
|
|
44
|
+
# allow_failure: false
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
# PwnGuard environment file (example)
|
|
2
|
+
#
|
|
3
|
+
# Copy this file to .pwnguard.env in the same directory and fill in the
|
|
4
|
+
# values you need. PwnGuard auto-loads .pwnguard.env (and .env) from
|
|
5
|
+
# the current working directory at startup. Process env vars exported
|
|
6
|
+
# in your shell always take precedence over what's loaded from a file.
|
|
7
|
+
#
|
|
8
|
+
# IMPORTANT: never commit a populated .pwnguard.env to git - it's
|
|
9
|
+
# already in .gitignore for this repo. Only this *.example file
|
|
10
|
+
# should ever be in version control.
|
|
11
|
+
|
|
12
|
+
# --- Backend tokens -------------------------------------------------------
|
|
13
|
+
|
|
14
|
+
# Required for --backend claude-api. Get one from the Anthropic console:
|
|
15
|
+
# https://console.anthropic.com/settings/keys
|
|
16
|
+
ANTHROPIC_API_KEY=
|
|
17
|
+
|
|
18
|
+
# Required for --backend openai-compat. Bearer token sent to any
|
|
19
|
+
# OpenAI-compatible Chat Completions endpoint (LiteLLM, vLLM, OpenRouter,
|
|
20
|
+
# Groq, Together, Fireworks, llama.cpp server, LM Studio, etc.). The
|
|
21
|
+
# env var name can be overridden via openai.api_key_env in pwnguard.yaml.
|
|
22
|
+
OPENAI_API_KEY=
|
|
23
|
+
|
|
24
|
+
# --- Remote diff fetching --------------------------------------------------
|
|
25
|
+
|
|
26
|
+
# Required for --from-url against GitLab MRs / commits.
|
|
27
|
+
# Personal Access Token with the `read_api` scope is enough.
|
|
28
|
+
# https://gitlab.com/-/user_settings/personal_access_tokens
|
|
29
|
+
GITLAB_TOKEN=
|
|
30
|
+
|
|
31
|
+
# Optional for --from-url against GitHub PRs / commits on public repos
|
|
32
|
+
# (lifts the anonymous rate limit). Required for private repos.
|
|
33
|
+
# https://github.com/settings/tokens
|
|
34
|
+
GITHUB_TOKEN=
|
|
35
|
+
|
|
36
|
+
# --- Behaviour toggles -----------------------------------------------------
|
|
37
|
+
|
|
38
|
+
# Set to 1 to bypass PwnGuard for a single commit without skipping all
|
|
39
|
+
# git hooks. Usually set inline at the commit ("PWNGUARD_SKIP=1 git commit")
|
|
40
|
+
# rather than persisted here, but the option exists.
|
|
41
|
+
# PWNGUARD_SKIP=
|
|
42
|
+
|
|
43
|
+
# Set to 1 to suppress the "large prompt" confirmation that --backend
|
|
44
|
+
# claude-api shows when a scan would exceed ~50k tokens. Useful for
|
|
45
|
+
# automated/scripted runs.
|
|
46
|
+
# PWNGUARD_NO_PROMPT=
|
pwnguard-0.2.4/LICENSE
ADDED
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
PwnGuard License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Power to Logic. All rights reserved.
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
|
6
|
+
this software and associated documentation files (the "Software"), to use the
|
|
7
|
+
Software for personal, educational, and internal business purposes.
|
|
8
|
+
|
|
9
|
+
The following conditions apply:
|
|
10
|
+
|
|
11
|
+
1. Redistribution of the Software, in whole or in part, in original or modified
|
|
12
|
+
form, requires prior written consent from the copyright holder.
|
|
13
|
+
|
|
14
|
+
2. Where redistribution is authorized, the following attribution must be
|
|
15
|
+
included in all copies or substantial portions of the Software and in any
|
|
16
|
+
accompanying documentation or distribution materials:
|
|
17
|
+
|
|
18
|
+
"PwnGuard by Power to Logic (https://powertologic.com)"
|
|
19
|
+
|
|
20
|
+
3. The Software may not be sold, sublicensed, or offered as a paid product or
|
|
21
|
+
service without prior written consent from the copyright holder.
|
|
22
|
+
|
|
23
|
+
4. Contributions submitted to the official repository (via pull requests,
|
|
24
|
+
patches, or other means) are granted to the copyright holder under the same
|
|
25
|
+
terms as this license, unless otherwise agreed in writing.
|
|
26
|
+
|
|
27
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
28
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
|
29
|
+
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
|
30
|
+
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
|
31
|
+
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
|
32
|
+
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
33
|
+
|
|
34
|
+
For redistribution inquiries, contact: privacy@powertologic.com
|