websec-validator 0.2.7__tar.gz → 0.2.8__tar.gz

{websec_validator-0.2.7/src/websec_validator.egg-info → websec_validator-0.2.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.7
+Version: 0.2.8
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.7 → websec_validator-0.2.8}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "websec-validator"
-version = "0.2.7"
+version = "0.2.8"
 description = "Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app."
 readme = "README.md"
 requires-python = ">=3.11"

{websec_validator-0.2.7 → websec_validator-0.2.8}/src/websec_validator/scanners.py

@@ -217,6 +217,27 @@ def _generic_secret(rule: str) -> bool:
     return r in _GENERIC_SECRET_RULES or "generic" in r or "entropy" in r
 
 
+# Secrets matched in DOCUMENTATION / EXAMPLE files are overwhelmingly placeholders, not live
+# credentials — e.g. `curl -H "Authorization: Bearer <token>"` in a README/API doc, or a
+# value in `.env.example`. Tier those to LOW + a verify note (still visible — a real key CAN be
+# pasted into docs by mistake). Dogfooding flagged 4 HIGH curl-auth-header FPs across an API's
+# README + docs/*.md (bug below).
+_DOC_EXT = (".md", ".mdx", ".markdown", ".rst", ".txt", ".adoc")
+_DOC_DIR_MARKERS = ("/docs/", "/doc/", "/examples/", "/example/", "/samples/", "/sample/", "/.github/")
+_DOC_NAME_PREFIX = ("readme", "changelog", "contributing", "license", "authors", "history", "notice")
+_EXAMPLE_SUFFIX = (".example", ".sample", ".dist", ".template", ".tmpl")
+_DOC_NOTE = "in a documentation/example file — almost always a placeholder, verify before treating as real"
+
+
+def _is_doc_or_example(path: str) -> bool:
+    p = (path or "").replace("\\", "/").lower()
+    base = p.rsplit("/", 1)[-1]
+    return (p.endswith(_DOC_EXT)
+            or any(m in p for m in _DOC_DIR_MARKERS)
+            or any(base.startswith(m) for m in _DOC_NAME_PREFIX)
+            or any(s in base for s in _EXAMPLE_SUFFIX))
+
+
 def _norm_trivy(data: dict) -> list:
     out = []
     for res in (data.get("Results") or []):
@@ -231,6 +252,8 @@ def _norm_trivy(data: dict) -> list:
             sev, note = _aws_secret_tier(s.get("Match", ""), s.get("Code", "") or "")
             if not sev and _generic_secret(rid):
                 sev, note = "MEDIUM", _GENERIC_NOTE
+            if _is_doc_or_example(tgt):
+                sev, note = "LOW", (note + "; " if note else "") + _DOC_NOTE
             title = f"secret: {s.get('Title') or rid}" + (f" — {note}" if note else "")
             out.append({"tool": "trivy", "category": "secret", "severity": sev or _sev(s.get("Severity") or "HIGH"),
                         "key": rid, "file": tgt, "line": s.get("StartLine", 0),
@@ -250,6 +273,8 @@ def _norm_gitleaks(data) -> list:
         sev, note = _aws_secret_tier(x.get("Secret", ""), x.get("Match", ""))
         if not sev and _generic_secret(rule):
             sev, note = "MEDIUM", _GENERIC_NOTE
+        if _is_doc_or_example(f):
+            sev, note = "LOW", (note + "; " if note else "") + _DOC_NOTE
         title = f"secret: {(x.get('Description') or rule)[:80]}" + (f" — {note}" if note else "")
         out.append({"tool": "gitleaks", "category": "secret", "severity": sev or "HIGH",
                     "key": rule, "file": f, "line": x.get("StartLine", 0),

{websec_validator-0.2.7 → websec_validator-0.2.8/src/websec_validator.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.7
+Version: 0.2.8
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.7 → websec_validator-0.2.8}/tests/test_hardening.py

@@ -171,6 +171,34 @@ class SecretPrecisionTests(unittest.TestCase):
         self.assertEqual(hit["confidence"], "MEDIUM")
 
 
+class DocExampleSecretTests(unittest.TestCase):
+    """0.2.8: secrets in documentation/example files (curl examples in a README, .env.example
+    placeholders) tier to LOW + a verify note. Real code files are untouched."""
+
+    def test_is_doc_or_example(self):
+        self.assertTrue(scanners._is_doc_or_example("README.md"))
+        self.assertTrue(scanners._is_doc_or_example("docs/API-REFERENCE.md"))
+        self.assertTrue(scanners._is_doc_or_example(".env.example"))
+        self.assertTrue(scanners._is_doc_or_example("config/settings.sample.json"))
+        self.assertFalse(scanners._is_doc_or_example("src/app/route.ts"))
+
+    def test_gitleaks_doc_secret_to_low_code_stays_high(self):
+        rows = [
+            {"File": "README.md", "RuleID": "curl-auth-header", "Secret": "x" * 30, "Match": "Authorization: Bearer x", "StartLine": 1},
+            {"File": "src/server.ts", "RuleID": "private-key", "Secret": "-----BEGIN", "Match": "-----BEGIN", "StartLine": 1},
+        ]
+        by = {r["file"]: r for r in scanners._norm_gitleaks(rows)}
+        self.assertEqual(by["README.md"]["severity"], "LOW")
+        self.assertIn("documentation/example", by["README.md"]["title"])
+        self.assertEqual(by["src/server.ts"]["severity"], "HIGH")  # real code file untouched
+
+    def test_trivy_doc_secret_to_low(self):
+        data = {"Results": [{"Target": "docs/SECURITY.md", "Secrets": [
+            {"RuleID": "curl-auth-header", "Title": "Auth header", "Match": "Bearer x", "StartLine": 1}]}]}
+        secs = [f for f in scanners._norm_trivy(data) if f["category"] == "secret"]
+        self.assertEqual(secs[0]["severity"], "LOW")
+
+
 class CookieCoverageTests(unittest.TestCase):
     """0.2.7: extract auth cookie names so the forged-token engine covers cookie-ONLY apps."""