secator 0.10.1a11__py3-none-any.whl → 0.11.0__py3-none-any.whl

secator/tasks/gitleaks.py

@@ -0,0 +1,76 @@
+import click
+import os
+import yaml
+
+from secator.config import CONFIG
+from secator.decorators import task
+from secator.runners import Command
+from secator.definitions import (OUTPUT_PATH)
+from secator.utils import caml_to_snake
+from secator.output_types import Tag, Info, Error
+
+
+@task()
+class gitleaks(Command):
+	"""Tool for detecting secrets like passwords, API keys, and tokens in git repos, files, and stdin."""
+	cmd = 'gitleaks'
+	input_flag = None
+	json_flag = '-f json'
+	opt_prefix = '--'
+	opts = {
+		'ignore_path': {'type': str, 'help': 'Path to .gitleaksignore file or folder containing one'},
+		'mode': {'type': click.Choice(['git', 'dir']), 'default': 'dir', 'help': 'Gitleaks mode', 'internal': True, 'display': True},  # noqa: E501
+		'config': {'type': str, 'short': 'config', 'help': 'Gitleaks config file path'}
+	}
+	opt_key_map = {
+		"ignore_path": "gitleaks-ignore-path"
+	}
+	input_type = "folder"
+	output_types = [Tag]
+	output_map = {
+		Tag: {
+			'name': 'RuleID',
+			'match': lambda x: f'{x["File"]}:{x["StartLine"]}:{x["StartColumn"]}',
+			'extra_data': lambda x: {caml_to_snake(k): v for k, v in x.items() if k not in ['RuleID', 'File']}
+		}
+	}
+	install_pre = {'*': ['git', 'make']}
+	install_cmd = (
+		f'git clone https://github.com/gitleaks/gitleaks.git {CONFIG.dirs.share}/gitleaks || true &&'
+		f'cd {CONFIG.dirs.share}/gitleaks && make build &&'
+		f'mv {CONFIG.dirs.share}/gitleaks/gitleaks {CONFIG.dirs.bin}'
+	)
+	install_github_handle = 'gitleaks/gitleaks'
+
+	@staticmethod
+	def on_cmd(self):
+		# replace fake -mode opt by subcommand
+		mode = self.get_opt_value('mode')
+		self.cmd = self.cmd.replace(f'{gitleaks.cmd} ', f'{gitleaks.cmd} {mode} ')
+
+		# add output path
+		output_path = self.get_opt_value(OUTPUT_PATH)
+		if not output_path:
+			output_path = f'{self.reports_folder}/.outputs/{self.unique_name}.json'
+		self.output_path = output_path
+		self.cmd += f' -r {self.output_path}'
+		self.cmd += ' --exit-code 0'
+
+	@staticmethod
+	def on_cmd_done(self):
+		if not os.path.exists(self.output_path):
+			yield Error(message=f'Could not find JSON results in {self.output_path}')
+			return
+
+		yield Info(message=f'JSON results saved to {self.output_path}')
+		with open(self.output_path, 'r') as f:
+			results = yaml.safe_load(f.read())
+		for result in results:
+			yield Tag(
+				name=result['RuleID'],
+				match='{File}:{StartLine}:{StartColumn}'.format(**result),
+				extra_data={
+					caml_to_snake(k): v for k, v in result.items()
+					if k not in ['RuleID', 'File']
+				}
+			)

secator/tasks/mapcidr.py

@@ -10,7 +10,7 @@ from secator.tasks._categories import ReconIp
 @task()
 class mapcidr(ReconIp):
 	"""Utility program to perform multiple operations for a given subnet/cidr ranges."""
-	cmd = 'mapcidr -silent'
+	cmd = 'mapcidr'
 	input_flag = '-cidr'
 	file_flag = '-cl'
 	install_pre = {

secator/tasks/naabu.py

@@ -10,7 +10,7 @@ from secator.tasks._categories import ReconPort
 @task()
 class naabu(ReconPort):
 	"""Port scanning tool written in Go."""
-	cmd = 'naabu -Pn -silent'
+	cmd = 'naabu -Pn'
 	input_flag = '-host'
 	file_flag = '-list'
 	json_flag = '-json'
@@ -62,6 +62,12 @@ class naabu(ReconPort):
 			if input == 'localhost':
 				self.inputs[ix] = '127.0.0.1'
 
+	@staticmethod
+	def on_cmd(self):
+		scan_type = self.get_opt_value('scan_type')
+		if scan_type == 's':
+			self.requires_sudo = True
+
 	@staticmethod
 	def on_item(self, item):
 		if item.host == '127.0.0.1':

secator/tasks/nmap.py

@@ -36,7 +36,7 @@ class nmap(VulnMulti):
 
 		# Script scanning
 		SCRIPT: {'type': str, 'default': None, 'help': 'NSE scripts'},
-		'script_args': {'type': str, 'default': None, 'help': 'NSE script arguments (n1=v1,n2=v2,...)'},
+		'script_args': {'type': str, 'short': 'sargs', 'default': None, 'help': 'NSE script arguments (n1=v1,n2=v2,...)'},
 
 		# Host discovery
 		'skip_host_discovery': {'is_flag': True, 'short': 'Pn', 'default': False, 'help': 'Skip host discovery (no ping)'},
@@ -44,42 +44,45 @@ class nmap(VulnMulti):
 		# Service and version detection
 		'version_detection': {'is_flag': True, 'short': 'sV', 'default': False, 'help': 'Enable version detection (slow)'},
 		'detect_all': {'is_flag': True, 'short': 'A', 'default': False, 'help': 'Enable OS detection, version detection, script scanning, and traceroute on open ports'},  # noqa: E501
-		'detect_os': {'is_flag': True, 'short': 'O', 'default': False, 'help': 'Enable OS detection'},
+		'detect_os': {'is_flag': True, 'short': 'O', 'default': False, 'help': 'Enable OS detection', 'requires_sudo': True},
 
 		# Scan techniques
-		'tcp_syn_stealth': {'is_flag': True, 'short': 'sS', 'default': False, 'help': 'TCP SYN Stealth'},
+		'tcp_syn_stealth': {'is_flag': True, 'short': 'sS', 'default': False, 'help': 'TCP SYN Stealth', 'requires_sudo': True},  # noqa: E501
 		'tcp_connect': {'is_flag': True, 'short': 'sT', 'default': False, 'help': 'TCP Connect scan'},
-		'udp_scan': {'is_flag': True, 'short': 'sU', 'default': False, 'help': 'UDP scan'},
-		'tcp_null_scan': {'is_flag': True, 'short': 'sN', 'default': False, 'help': 'TCP Null scan'},
-		'tcp_fin_scan': {'is_flag': True, 'short': 'sF', 'default': False, 'help': 'TCP FIN scan'},
-		'tcp_xmas_scan': {'is_flag': True, 'short': 'sX', 'default': False, 'help': 'TCP Xmas scan'},
-		'tcp_ack_scan': {'is_flag': True, 'short': 'sA', 'default': False, 'help': 'TCP ACK scan'},
-		'tcp_window_scan': {'is_flag': True, 'short': 'sW', 'default': False, 'help': 'TCP Window scan'},
-		'tcp_maimon_scan': {'is_flag': True, 'short': 'sM', 'default': False, 'help': 'TCP Maimon scan'},
-		'sctp_init_scan': {'is_flag': True, 'short': 'sY', 'default': False, 'help': 'SCTP Init scan'},
-		'sctp_cookie_echo_scan': {'is_flag': True, 'short': 'sZ', 'default': False, 'help': 'SCTP Cookie Echo scan'},
+		'udp_scan': {'is_flag': True, 'short': 'sU', 'default': False, 'help': 'UDP scan', 'requires_sudo': True},
+		'tcp_null_scan': {'is_flag': True, 'short': 'sN', 'default': False, 'help': 'TCP Null scan', 'requires_sudo': True},
+		'tcp_fin_scan': {'is_flag': True, 'short': 'sF', 'default': False, 'help': 'TCP FIN scan', 'requires_sudo': True},
+		'tcp_xmas_scan': {'is_flag': True, 'short': 'sX', 'default': False, 'help': 'TCP Xmas scan', 'requires_sudo': True},
+		'tcp_ack_scan': {'is_flag': True, 'short': 'sA', 'default': False, 'help': 'TCP ACK scan', 'requires_sudo': True},
+		'tcp_window_scan': {'is_flag': True, 'short': 'sW', 'default': False, 'help': 'TCP Window scan', 'requires_sudo': True},  # noqa: E501
+		'tcp_maimon_scan': {'is_flag': True, 'short': 'sM', 'default': False, 'help': 'TCP Maimon scan', 'requires_sudo': True},  # noqa: E501
+		'sctp_init_scan': {'is_flag': True, 'short': 'sY', 'default': False, 'help': 'SCTP Init scan', 'requires_sudo': True},
+		'sctp_cookie_echo_scan': {'is_flag': True, 'short': 'sZ', 'default': False, 'help': 'SCTP Cookie Echo scan', 'requires_sudo': True},  # noqa: E501
 		'ping_scan': {'is_flag': True, 'short': 'sn', 'default': False, 'help': 'Ping scan (disable port scan)'},
-		'ip_protocol_scan': {'type': str, 'short': 'sO', 'default': None, 'help': 'IP protocol scan'},
+		'ip_protocol_scan': {'type': str, 'short': 'sO', 'default': None, 'help': 'IP protocol scan', 'requires_sudo': True},
 		'script_scan': {'is_flag': True, 'short': 'sC', 'default': False, 'help': 'Enable default scanning'},
-		'zombie_host': {'type': str, 'short': 'sI', 'default': None, 'help': 'Use a zombie host for idle scan'},
+		'zombie_host': {'type': str, 'short': 'sI', 'default': None, 'help': 'Use a zombie host for idle scan', 'requires_sudo': True},  # noqa: E501
 		'ftp_relay_host': {'type': str, 'short': 'sB', 'default': None, 'help': 'FTP bounce scan relay host'},
 
 		# Firewall / IDS evasion and spoofing
 		'spoof_source_port': {'type': int, 'short': 'g', 'default': None, 'help': 'Send packets from a specific port'},
 		'spoof_source_ip': {'type': str, 'short': 'S', 'default': None, 'help': 'Spoof source IP address'},
 		'spoof_source_mac': {'type': str, 'short': 'spoofmac', 'default': None, 'help': 'Spoof MAC address'},
-		'fragment': {'is_flag': True, 'short': 'fragment', 'default': False, 'help': 'Fragment packets'},
-		'mtu': {'type': int, 'short': 'mtu', 'default': None, 'help': 'Fragment packets with given MTU'},
-		'ttl': {'type': int, 'short': 'ttl', 'default': None, 'help': 'Set TTL'},
-		'badsum': {'is_flag': True, 'short': 'badsum', 'default': False, 'help': 'Create a bad checksum in the TCP header'},
+		'fragment': {'is_flag': True, 'short': 'fragment', 'default': False, 'help': 'Fragment packets', 'requires_sudo': True},  # noqa: E501
+		'mtu': {'type': int, 'short': 'mtu', 'default': None, 'help': 'Fragment packets with given MTU', 'requires_sudo': True},  # noqa: E501
+		'ttl': {'type': int, 'short': 'ttl', 'default': None, 'help': 'Set TTL', 'requires_sudo': True},
+		'badsum': {'is_flag': True, 'short': 'badsum', 'default': False, 'help': 'Create a bad checksum in the TCP header', 'requires_sudo': True},  # noqa: E501
 		'ipv6': {'is_flag': True, 'short': 'ipv6', 'default': False, 'help': 'Enable IPv6 scanning'},
 
 		# Host discovery
-		'traceroute': {'is_flag': True, 'short': 'traceroute', 'default': False, 'help': 'Traceroute'},
-		'disable_arp_ping': {'is_flag': True, 'short': 'disable-arp-ping', 'default': False, 'help': 'Disable ARP ping'},
+		'traceroute': {'is_flag': True, 'short': 'traceroute', 'default': False, 'help': 'Traceroute', 'requires_sudo': True},
+		'disable_arp_ping': {'is_flag': True, 'short': 'dap', 'default': False, 'help': 'Disable ARP ping'},
 
 		# Misc
-		'output_path': {'type': str, 'short': 'oX', 'default': None, 'help': 'Output XML file path'},
+		'output_path': {'type': str, 'short': 'oX', 'default': None, 'help': 'Output XML file path', 'internal': True, 'display': False},  # noqa: E501
+		'debug': {'is_flag': True, 'short': 'd', 'default': False, 'help': 'Enable debug mode'},
+		'verbose': {'is_flag': True, 'short': 'v', 'default': False, 'help': 'Enable verbose mode'},
+		'timing': {'type': int, 'short': 'T', 'default': None, 'help': 'Timing template (0: paranoid, 1: sneaky, 2: polite, 3: normal, 4: aggressive, 5: insane)'},  # noqa: E501
 	}
 	opt_key_map = {
 		HEADER: OPT_NOT_SUPPORTED,
@@ -117,7 +120,7 @@ class nmap(VulnMulti):
 		'spoof_source_port': '-g',
 		'spoof_source_ip': '-S',
 		'spoof_source_mac': '--spoof-mac',
-		'fragmentation': '-f',
+		'fragment': '-f',
 		'mtu': '--mtu',
 		'ttl': '--ttl',
 		'badsum': '--badsum',
@@ -144,20 +147,17 @@ class nmap(VulnMulti):
 	profile = 'io'
 
 	@staticmethod
-	def on_init(self):
+	def on_cmd(self):
 		output_path = self.get_opt_value(OUTPUT_PATH)
 		if not output_path:
 			output_path = f'{self.reports_folder}/.outputs/{self.unique_name}.xml'
 		self.output_path = output_path
 		self.cmd += f' -oX {self.output_path}'
-		tcp_syn_stealth = self.get_opt_value('tcp_syn_stealth')
-		tcp_connect = self.get_opt_value('tcp_connect')
-		udp_scan = self.get_opt_value('udp_scan')
-		if tcp_syn_stealth or udp_scan:
-			self.cmd = f'sudo {self.cmd}'
+		tcp_syn_stealth = self.cmd_options.get('tcp_syn_stealth')
+		tcp_connect = self.cmd_options.get('tcp_connect')
 		if tcp_connect and tcp_syn_stealth:
 			self._print(
-				'Options -sT (SYN stealth scan) and -sS (CONNECT scan) are conflicting. Keeping only -sT.',
+				'Options -sT (SYN stealth scan) and -sS (CONNECT scan) are conflicting. Keeping only -sS.',
 				'bold gold3')
 			self.cmd = self.cmd.replace('-sT ', '')
 

secator/tasks/subfinder.py

@@ -9,7 +9,7 @@ from secator.tasks._categories import ReconDns
 @task()
 class subfinder(ReconDns):
 	"""Fast passive subdomain enumeration tool."""
-	cmd = 'subfinder -silent -cs'
+	cmd = 'subfinder -cs'
 	file_flag = '-dL'
 	input_flag = '-d'
 	json_flag = '-json'

secator/tasks/testssl.py

@@ -0,0 +1,274 @@
+import json
+import os
+from datetime import datetime
+
+from secator.config import CONFIG
+from secator.decorators import task
+from secator.output_types import Vulnerability, Certificate, Error, Info, Ip, Tag
+from secator.definitions import (PROXY, HOST, USER_AGENT, HEADER, OUTPUT_PATH,
+                                CERTIFICATE_STATUS_UNKNOWN, CERTIFICATE_STATUS_TRUSTED, CERTIFICATE_STATUS_REVOKED,
+                                TIMEOUT)
+from secator.tasks._categories import Command, OPTS
+
+
+@task()
+class testssl(Command):
+    """SSL/TLS security scanner, including ciphers, protocols and cryptographic flaws."""
+    cmd = 'testssl.sh'
+    input_type = HOST
+    input_flag = None
+    file_flag = '-iL'
+    file_eof_newline = True
+    version_flag = ''
+    opt_prefix = '--'
+    opts = {
+        'verbose': {'is_flag': True, 'default': False, 'internal': True, 'display': True, 'help': 'Record all SSL/TLS info, not only critical info'},  # noqa: E501
+        'parallel': {'is_flag': True, 'default': False, 'help': 'Test multiple hosts in parallel'},
+        'warnings': {'type': str, 'default': None, 'help': 'Set to "batch" to stop on errors, and "off" to skip errors and continue'},  # noqa: E501
+        'ids_friendly': {'is_flag': True, 'default': False, 'help': 'Avoid IDS blocking by skipping a few vulnerability checks'},  # noqa: E501
+        'hints': {'is_flag': True, 'default': False, 'help': 'Additional hints to findings'},
+        'server_defaults': {'is_flag': True, 'default': False, 'help': 'Displays the server default picks and certificate info'},  # noqa: E501
+    }
+    meta_opts = {
+        PROXY: OPTS[PROXY],
+        USER_AGENT: OPTS[USER_AGENT],
+        HEADER: OPTS[HEADER],
+        TIMEOUT: OPTS[TIMEOUT],
+    }
+    opt_key_map = {
+        PROXY: 'proxy',
+        USER_AGENT: 'user-agent',
+        HEADER: 'reqheader',
+        TIMEOUT: 'connect-timeout',
+        'ipv6': '-6',
+    }
+    output_types = [Certificate, Vulnerability, Ip, Tag]
+    proxy_http = True
+    proxychains = False
+    proxy_socks5 = False
+    profile = 'io'
+    install_pre = {
+        'apk': ['hexdump'],
+        'pacman': ['util-linux'],
+        '*': ['bsdmainutils']
+    }
+    install_cmd = (
+        f'git clone --depth 1 https://github.com/drwetter/testssl.sh.git {CONFIG.dirs.share}/testssl.sh || true && '
+        f'ln -sf {CONFIG.dirs.share}/testssl.sh/testssl.sh {CONFIG.dirs.bin}'
+    )
+
+    @staticmethod
+    def on_cmd(self):
+        output_path = self.get_opt_value(OUTPUT_PATH)
+        if not output_path:
+            output_path = f'{self.reports_folder}/.outputs/{self.unique_name}.json'
+        self.output_path = output_path
+        self.cmd += f' --jsonfile {self.output_path}'
+
+        # Hack because target needs to be the last argument in testssl.sh
+        if len(self.inputs) == 1:
+            target = self.inputs[0]
+            self.cmd = self.cmd.replace(f' {target}', '')
+            self.cmd += f' {target}'
+
+    @staticmethod
+    def on_cmd_done(self):
+        if not os.path.exists(self.output_path):
+            yield Error(message=f'Could not find JSON results in {self.output_path}')
+            return
+        yield Info(message=f'JSON results saved to {self.output_path}')
+
+        verbose = self.get_opt_value('verbose')
+        with open(self.output_path, 'r') as f:
+            data = json.load(f)
+            bad_cyphers = {}
+            retrieved_certificates = {}
+            ignored_item_ids = ["scanTime", "overall_grade", "DNS_CAArecord"]
+            ip_addresses = []
+            host_to_ips = {}
+
+            for item in data:
+                host, ip = tuple(item['ip'].split('/'))
+                id = item['id']
+                # port = item['port']
+                finding = item['finding']
+                severity = item['severity'].lower()
+                cwe = item.get('cwe')
+                vuln_tags = ['ssl', 'tls']
+                if cwe:
+                    vuln_tags.append(cwe)
+
+                # Skip ignored items
+                if id.startswith(tuple(ignored_item_ids)):
+                    continue
+
+                # Add IP to address pool
+                host_to_ips.setdefault(host, []).append(ip)
+                if ip not in ip_addresses:
+                    ip_addresses.append(ip)
+                    yield Ip(
+                        host=host,
+                        ip=ip,
+                        alive=True
+                    )
+
+                # Process errors
+                if id.startswith("scanProblem"):
+                    yield Error(message=finding)
+
+                # Process bad ciphers
+                elif id.startswith('cipher-'):
+                    splited_item = item["finding"].split(" ")
+                    concerned_protocol = splited_item[0]
+                    bad_cypher = splited_item[-1]
+                    bad_cyphers.setdefault(ip, {}).setdefault(concerned_protocol, []).append(bad_cypher)  # noqa: E501
+
+                # Process certificates
+                elif id.startswith('cert_') or id.startswith('cert '):
+                    retrieved_certificates.setdefault(ip, []).append(item)
+
+                # Process intermediate certificates
+                elif id.startswith('intermediate_cert_'):
+                    # TODO: implement this
+                    pass
+
+                # If info or ok, create a tag only if 'verbose' option is set
+                elif severity in ['info', 'ok']:
+                    if not verbose:
+                        continue
+                    yield Tag(
+                        name=f'SSL/TLS [{id}]',
+                        match=host,
+                        extra_data={
+                            'type': id,
+                            'finding': finding,
+                        }
+                    )
+
+                # Create vulnerability
+                else:
+                    if id in ['TLS1', 'TLS1_1']:
+                        human_name = f'SSL/TLS deprecated protocol offered: {id}'
+                    else:
+                        human_name = f'SSL/TLS {id}: {finding}'
+                    yield Vulnerability(
+                        name=human_name,
+                        matched_at=host,
+                        ip=ip,
+                        tags=vuln_tags,
+                        severity=severity,
+                        confidence='high',
+                        extra_data={
+                            'id': id,
+                            'finding': finding
+                        }
+                    )
+
+            # Creating vulnerability for the deprecated ciphers
+            for ip, protocols in bad_cyphers.items():
+                for protocol, cyphers in protocols.items():
+                    yield Vulnerability(
+                        name=f'SSL/TLS vulnerability ciphers for {protocol} deprecated',
+                        matched_at=ip,
+                        ip=ip,
+                        confidence='high',
+                        severity='low',
+                        extra_data={
+                            'cyphers': cyphers
+                        }
+                    )
+
+            # Creating certificates for each founded target
+            host_to_ips = {k: set(v) for k, v in host_to_ips.items()}
+            for ip, certs in retrieved_certificates.items():
+                host = [k for k, v in host_to_ips.items() if ip in v][0]
+                cert_data = {
+                    'host': host,
+                    'ip': ip,
+                    'fingerprint_sha256': None,
+                    'subject_cn': None,
+                    'subject_an': None,
+                    'not_before': None,
+                    'not_after': None,
+                    'issuer_cn': None,
+                    'self_signed': None,
+                    'trusted': None,
+                    'status': None,
+                    'keysize': None,
+                    'serial_number': None,
+                }
+                for cert in certs:
+                    host = [k for k, v in host_to_ips.items() if ip in v][0]
+                    id = cert['id']
+                    finding = cert['finding']
+
+                    if id.startswith('cert_crlDistributionPoints') and finding != '--':
+                        # TODO not implemented, need to find a certificate that is revoked by CRL
+                        cert_data['status'] = CERTIFICATE_STATUS_UNKNOWN
+
+                    if id.startswith('cert_ocspRevoked'):
+                        if finding.startswith('not revoked'):
+                            cert_data['status'] = CERTIFICATE_STATUS_TRUSTED
+                        else:
+                            cert_data['status'] = CERTIFICATE_STATUS_REVOKED
+
+                    if id.startswith('cert_fingerprintSHA256'):
+                        cert_data['fingerprint_sha256'] = finding
+
+                    if id.startswith('cert_commonName'):
+                        cert_data['subject_cn'] = finding
+
+                    if id.startswith('cert_subjectAltName'):
+                        cert_data['subject_an'] = finding.split(" ")
+
+                    if id.startswith('cert_notBefore'):
+                        cert_data['not_before'] = datetime.strptime(finding, "%Y-%m-%d %H:%M")
+
+                    if id.startswith('cert_notAfter'):
+                        cert_data['not_after'] = datetime.strptime(finding, "%Y-%m-%d %H:%M")
+
+                    if id.startswith('cert_caIssuers'):
+                        cert_data['issuer_cn'] = finding
+
+                    if id.startswith('cert_chain_of_trust'):
+                        cert_data['self_signed'] = 'self signed' in finding
+
+                    if id.startswith('cert_chain_of_trust'):
+                        cert_data['trusted'] = finding.startswith('passed')
+
+                    if id.startswith('cert_keySize'):
+                        cert_data['keysize'] = int(finding.split(" ")[1])
+
+                    if id.startswith('cert_serialNumber'):
+                        cert_data['serial_number'] = finding
+
+                    if id.startswith('cert ') and finding.startswith('-----BEGIN CERTIFICATE-----'):
+                        cert_data['raw_value'] = finding
+
+                # For the following attributes commented, it's because at the time of writting it
+                # I did not found the value inside the result of testssl
+                cert = Certificate(
+                    **cert_data
+                    # issuer_dn='',
+                    # issuer='',
+                    # TODO: delete the ciphers attribute from certificate outputType
+                    # ciphers=None,
+                    # TODO: need to find a way to retrieve the parent certificate,
+                    # parent_certificate=None,
+                )
+                yield cert
+                if cert.is_expired():
+                    yield Vulnerability(
+                        name='SSL certificate expired',
+                        provider='testssl',
+                        description='The SSL certificate is expired. This can easily lead to domain takeovers',
+                        matched_at=host,
+                        ip=ip,
+                        tags=['ssl', 'tls'],
+                        severity='medium',
+                        confidence='high',
+                        extra_data={
+                            'id': id,
+                            'expiration_date': Certificate.format_date(cert.not_after)
+                        }
+                    )

secator/tasks/trivy.py

@@ -0,0 +1,95 @@
+import click
+import os
+import yaml
+
+from secator.config import CONFIG
+from secator.decorators import task
+from secator.definitions import (THREADS, OUTPUT_PATH, OPT_NOT_SUPPORTED, HEADER, DELAY, FOLLOW_REDIRECT,
+								PROXY, RATE_LIMIT, RETRIES, TIMEOUT, USER_AGENT)
+from secator.tasks._categories import Vuln
+from secator.output_types import Vulnerability, Tag, Info, Error
+
+
+@task()
+class trivy(Vuln):
+	"""Comprehensive and versatile security scanner."""
+	cmd = 'trivy'
+	input_flag = None
+	json_flag = '-f json'
+	opts = {
+		"mode": {"type": click.Choice(['image', 'fs', 'repo']), 'default': 'image', 'help': 'Trivy mode', 'required': True}  # noqa: E501
+	}
+	opt_key_map = {
+		THREADS: OPT_NOT_SUPPORTED,
+		HEADER: OPT_NOT_SUPPORTED,
+		DELAY: OPT_NOT_SUPPORTED,
+		FOLLOW_REDIRECT: OPT_NOT_SUPPORTED,
+		PROXY: OPT_NOT_SUPPORTED,
+		RATE_LIMIT: OPT_NOT_SUPPORTED,
+		RETRIES: OPT_NOT_SUPPORTED,
+		TIMEOUT: OPT_NOT_SUPPORTED,
+		USER_AGENT: OPT_NOT_SUPPORTED
+	}
+	output_types = [Tag, Vulnerability]
+	install_cmd = (
+		'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh |'
+		f'sudo sh -s -- -b {CONFIG.dirs.bin} v0.61.1'
+	)
+	install_github_handle = 'aquasecurity/trivy'
+	install_github_handle = 'aquasecurity/trivy'
+
+	@staticmethod
+	def on_cmd(self):
+		mode = self.get_opt_value('mode')
+		output_path = self.get_opt_value(OUTPUT_PATH)
+		if not output_path:
+			output_path = f'{self.reports_folder}/.outputs/{self.unique_name}.json'
+		self.output_path = output_path
+		self.cmd = self.cmd.replace(f' -mode {mode}', '').replace('trivy', f'trivy {mode}')
+		self.cmd += f' -o {self.output_path}'
+
+	@staticmethod
+	def on_cmd_done(self):
+		if not os.path.exists(self.output_path):
+			yield Error(message=f'Could not find JSON results in {self.output_path}')
+			return
+
+		yield Info(message=f'JSON results saved to {self.output_path}')
+		with open(self.output_path, 'r') as f:
+			results = yaml.safe_load(f.read()).get('Results', [])
+		for item in results:
+			for vuln in item.get('Vulnerabilities', []):
+				vuln_id = vuln['VulnerabilityID']
+				extra_data = {}
+				if 'PkgName' in vuln:
+					extra_data['product'] = vuln['PkgName']
+				if 'InstalledVersion' in vuln:
+					extra_data['version'] = vuln['InstalledVersion']
+				cvss = vuln.get('CVSS', {})
+				cvss_score = -1
+				for _, cvss_data in cvss.items():
+					cvss_score = cvss_data.get('V3Score', -1) or cvss_data.get('V2Score', -1)
+				data = {
+					'name': vuln_id,
+					'id': vuln_id,
+					'provider': vuln.get('DataSource', {}).get('ID', ''),
+					'description': vuln.get('Description'),
+					'matched_at': self.inputs[0],
+					'confidence': 'high',
+					'severity': vuln['Severity'].lower(),
+					'cvss_score': cvss_score,
+					'reference': vuln.get('PrimaryURL', ''),
+					'references': vuln.get('References', []),
+					'extra_data': extra_data
+				}
+				if vuln_id.startswith('CVE'):
+					remote_data = Vuln.lookup_cve(vuln_id)
+					if remote_data:
+						data.update(remote_data)
+				yield Vulnerability(**data)
+			for secret in item.get('Secrets', []):
+				yield Tag(
+					name=secret['RuleID'],
+					match=secret['Match'],
+					extra_data={k: v for k, v in secret.items() if k not in ['RuleID', 'Match']}
+				)