Share
## https://sploitus.com/exploit?id=78946AD8-B049-559F-B793-515B005E2842
# AppSec-Sentinel

AI-powered security scanner with **cross-file vulnerability analysis** and **automated remediation**. Supports 10+ languages with OpenAI, Claude, and AWS Bedrock.

> ๐Ÿ“– **Open Source** - Licensed under the MIT License. Free for personal and commercial use.

## Features

- **Multi-Scanner Engine** - Semgrep (SAST), Gitleaks (secrets), Trivy (dependencies) + code quality linters
- **Threat Modeling** - Automated STRIDE analysis, architecture mapping, and attack surface assessment
- **Code Quality Scanning** - ESLint, Pylint, Checkstyle, golangci-lint, RuboCop with bundled configs (no project setup needed)
- **Zero Configuration Required** - Works on any repo out-of-the-box with sensible defaults
- **Auto-Remediation** - Creates GitHub PRs with AI-generated code fixes (deterministic by default)
- **Cross-File Analysis** - Traces attack chains across multiple files and languages
- **Flexible AI Providers** - OpenAI (default), Claude, or AWS Bedrock
- **10+ Languages** - JavaScript, TypeScript, Python, Java, Go, Ruby, Rust, C#, PHP, Swift, Kotlin
- **3 Deployment Modes** - Web UI, CLI, and GitHub Actions CI/CD
- **MCP Server** - Model Context Protocol integration for Claude Desktop
- **Compliance** - Automatic SBOM generation (CycloneDX & SPDX)

## Quick Start

### What You Get Out-of-the-Box โœ…

**Security scanning works immediately** - no extra installations needed:
- โœ… Semgrep (SAST) - included
- โœ… Gitleaks (secrets) - auto-detects
- โœ… Trivy (dependencies) - bundled

**Code quality scanning is optional** - install what you need:
- ESLint (JavaScript/TypeScript) - `npm install -g eslint`
- Pylint (Python) - auto-installs if missing
- Checkstyle, golangci-lint, RuboCop, Clippy, PHPStan - install as needed

> ๐Ÿ’ก **Skip code quality?** Just ignore the "โš ๏ธ not installed" warnings - security scanning still works perfectly!

### Prerequisites

Configure AI provider in `.env` (only needed for AI auto-remediation):
```bash
cp env.example .env
# Edit .env and set:
# AI_PROVIDER=openai
# OPENAI_API_KEY=sk-...
# AI_MODEL=gpt-5-mini
```

> ๐Ÿ’ก **Alternative providers**: Also supports `AI_PROVIDER=claude` or `AI_PROVIDER=aws_bedrock` (see env.example for all options)

### Web Interface

```bash
./start_web.sh
# โ†’ Opens http://localhost:8000
```

**Features:**
- โœ… Tool selection via checkboxes (Semgrep, Trivy, Gitleaks, Code Quality, SBOM)
- ๐Ÿ“Š Visual reports with executive summaries
- ๐Ÿ“ฅ Download SBOM files (CycloneDX & SPDX)

### CLI Mode

```bash
./start_cli.sh
# โ†’ Interactive menu with tool selection, severity levels, and auto-fix options
```

**Features:**
- ๐Ÿ”ง Choose which tools to run (SAST, secrets, dependencies, code quality, SBOM)
- ๐ŸŽฏ Select scan level (critical-high or all)
- ๐Ÿค– Configure auto-remediation mode

### CI/CD Integration
```bash
# Copy workflow template
cp projects/security-scan.yml .github/workflows/

# Add GitHub secret:
#   - OPENAI_API_KEY (or CLAUDE_API_KEY, or AWS credentials)

git add .github/workflows/security-scan.yml
git commit -m "Add AppSec-Sentinel security scanning"
git push
```

## How It Works

1. **Scan** - Runs 3 scanners in parallel (SAST, secrets, dependencies)
2. **Analyze** - Cross-file analysis identifies attack chains across files
3. **Threat Model** - STRIDE analysis maps vulnerabilities to architectural threats
4. **Remediate** - AI generates fixes and creates separate PRs for code vs dependencies
5. **Report** - HTML reports + SBOM files + threat models (CycloneDX & SPDX)

## MCP Integration

Turn Claude Desktop into a conversational security expert - scan, analyze, and auto-remediate through natural language.

**Setup:** Add to Claude Desktop config:
- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
- Windows: `%APPDATA%/Claude/claude_desktop_config.json`

```json
{
  "mcpServers": {
    "appsec-sentinel": {
      "command": "/path/to/appsec-sentinel/.venv/bin/python",
      "args": ["/path/to/appsec-sentinel/mcp/appsec_mcp_server.py"],
      "cwd": "/path/to/appsec-sentinel",
      "env": {
        "PATH": "/usr/local/bin:/usr/bin:/bin:/opt/homebrew/bin",
        "PYTHONPATH": "/path/to/appsec-sentinel/src"
      }
    }
  }
}
```

> ๐Ÿ’ก Credentials in `mcp/mcp_env` - no secrets in config! Install gitleaks/trivy first.

**15 MCP Tools Available:**
- **Core:** `scan_repository` โ€ข `auto_remediate` โ€ข `get_report` โ€ข `view_report_html` โ€ข `health_check`
- **Analysis:** `cross_file_analysis` โ€ข `assess_business_impact` โ€ข `generate_sbom` โ€ข `generate_threat_model`
- **API Tools:** `get_scan_findings` โ€ข `get_semgrep_findings` โ€ข `get_trivy_findings` โ€ข `get_gitleaks_findings` โ€ข `get_code_quality_findings` โ€ข `get_sbom_data`

**Usage:** "Scan nodejs-goof for vulnerabilities" โ†’ detailed findings with file paths, line numbers, remediation

[Full MCP setup guide โ†’](mcp/README.md)

## Auto-Fix Modes
- **Mode 1**: SAST + secrets (1 PR)
- **Mode 2**: Dependencies only (1 PR)
- **Mode 3**: Both (2 separate PRs) โญ Recommended
- **Mode 4**: Scan only (no PRs)

## Cross-File Analysis

Traces attack paths across multiple files and languages:

- **Multi-Language AST** - Real code understanding (not regex)
- **Data Flow Tracing** - Entry points โ†’ attack paths โ†’ sensitive sinks
- **Framework-Aware** - Express, Spring, Django, Rails, Laravel, ASP.NET


## Architecture

```
Repository โ†’ [Semgrep + Gitleaks + Trivy] โ†’ Cross-File Analysis โ†’ AI (OpenAI/Claude/Bedrock) โ†’ PRs + Reports
```

## Code Quality Scanning

AppSec-Sentinel includes code quality scanning that works on any repository without configuration.

**Supported Languages:**
- โœ… **JavaScript/TypeScript** - ESLint (auto-detects v8 vs v9, uses bundled config)
- โœ… **Python** - Pylint (auto-installs to virtualenv)
- โœ… **Java** - Checkstyle (fully integrated in all modes)
- โœ… **Go** - golangci-lint (fully integrated in all modes)
- โœ… **Ruby** - RuboCop (fully integrated in all modes)
- โœ… **Rust** - Clippy (official Rust linter, 600+ checks)
- โœ… **PHP** - PHPStan (static analysis without running code)
- ๐Ÿ”œ **C#** - Coming soon (Roslyn Analyzers)
- ๐Ÿ”œ **Swift** - Coming soon (SwiftLint for iOS/macOS)
- ๐Ÿ”œ **Kotlin** - Coming soon (ktlint/detekt for Android/JVM)

**How It Works:**
1. Auto-detects languages by scanning file extensions
2. Checks for repo config (.eslintrc.json, etc.) - uses it if found
3. Falls back to bundled config if repo has none
4. Runs in parallel with security scanners (no performance penalty)

**Example:**
```bash
๐Ÿ“Š Detected languages: javascript, python
๐Ÿ” Starting scan (3 security + 2 code quality scanners)...
๐Ÿ“‹ No ESLint config in repo - using default config
โœ… ESLint (Code Quality): 106 code quality issues
โœ… Pylint (Code Quality): 23 code quality issues
๐ŸŽฏ Scan complete: 119 security issues + 129 code quality issues
```

**Zero configuration needed.** AppSec-Sentinel provides sensible defaults that work everywhere.

---

## Optional: Install Code Quality Linters

**Want code quality scanning?** Install the linters for your languages:

```bash
# JavaScript/TypeScript
npm install -g eslint

# Python (auto-installs if missing)
pip install pylint

# Java
brew install checkstyle  # macOS
# or download from https://checkstyle.org/

# Go
brew install golangci-lint  # macOS
# or: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh

# Ruby
gem install rubocop

# Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh  # Includes clippy

# PHP
composer global require phpstan/phpstan
```

**Don't want code quality?** Set `APPSEC_CODE_QUALITY=false` in `.env` to skip entirely.

---

## Configuration

Edit `.env` file:
```bash
# Tool Selection (CLI/Web only - CI/CD always runs all)
APPSEC_TOOLS=all                    # 'all' or comma-separated: semgrep,trivy,gitleaks,code_quality,sbom
                                    # Examples:
                                    #   all - Run all tools (default)
                                    #   semgrep,gitleaks - Only SAST + secrets
                                    #   trivy - Only dependency scanning

# Code quality scanning (enabled by default, gracefully skips if linters not installed)
APPSEC_CODE_QUALITY=true

# Scan level (only affects security findings)
APPSEC_SCAN_LEVEL=critical-high  # or 'all'

# AI determinism
APPSEC_AI_TEMPERATURE=0.0

# Auto-fix settings
APPSEC_AUTO_FIX=true
APPSEC_AUTO_FIX_MODE=3  # 1=SAST, 2=deps, 3=both, 4=scan only
```

**Bundled Configs** (project repos don't need these):
- `configs/eslint.config.js` / `eslintrc.v8.json` - JavaScript/TypeScript
- `configs/checkstyle.xml` - Java
- `configs/golangci.yml` - Go
- `configs/rubocop.yml` - Ruby
- `configs/clippy.toml` - Rust
- `configs/phpstan.neon` - PHP
- `configs/.gitleaks.toml` - Secrets

## Documentation

- **[Threat Modeling](THREAT_MODELING.md)** - Automated threat analysis using STRIDE framework
- **[MCP Setup](mcp/README.md)** - Model Context Protocol integration
- **[Project Setup](projects/SETUP.md)** - Project onboarding guide
- **[Architecture](ARCHITECTURE.md)** - System architecture and design patterns

## FAQ

**Q: Is AI-generated code safe to merge?**

A: All fixes require manual review via PR. We use deterministic AI (temperature=0.0) and only fix proven patterns (SQL injection, XSS, hardcoded secrets). Your existing tests validate changes. Separate PRs for code vs dependencies minimize risk. ~80% of fixes are production-ready after quick review.

**Q: What data gets sent to AI providers?**

A: Only vulnerability metadata (file path, line number, vulnerability type, code snippet). **Never** your full codebase. Secrets are flagged locally and **never** sent to AI. You control which findings trigger AI analysis.

**Q: Which mode should I use?**

- **GitHub Actions** - Automated security in CI/CD (scans every PR)
- **Web UI** - Visual reports for teams and management
- **CLI** - Deep-dive analysis for security consultants
- **MCP** - Conversational security with Claude Desktop

All modes use the same scanning engine. Choose based on your workflow.

**Q: Do I need to install linters for code quality?**

A: No - security scanning works without any linters. Code quality is **optional** and gracefully skips if tools aren't installed. Install linters (ESLint, Pylint, etc.) only if you want code smell detection. Set `APPSEC_CODE_QUALITY=false` to disable entirely.

**Q: How is this different from other security scanners?**

A: **Cross-file attack chain detection** - we trace vulnerabilities across multiple files and languages using AST analysis, not just single-file pattern matching. Plus automated threat modeling (STRIDE), AI-powered fixes, and zero-config SBOM generation.

**Q: What does automated threat modeling do?**

A: Generates STRIDE threat analysis, architecture diagrams, and attack surface assessment. **What it does:** Extracts real routes (GET /api/users), detects database types (PostgreSQL, MongoDB), maps components with file paths, color-codes vulnerabilities by severity, identifies trust boundaries. **What it can't do:** Doesn't replace manual threat modeling by security architects. Framework support varies - full route extraction for Express, Flask, Django, Spring, Laravel, FastAPI. Partial support for Rails, Go, Rust (generic endpoints only). No C#/Kotlin support yet. See [THREAT_MODELING.md](THREAT_MODELING.md) for details.

## Development

```bash
# Run tests
pytest tests/test_appsec.py -v
```

## Troubleshooting

```bash
# Permission issues
chmod +x start_web.sh start_cli.sh

# Dependency conflicts
rm -rf .venv && python -m venv .venv
source .venv/bin/activate && pip install -r requirements.txt

# Enable debug logging
export APPSEC_DEBUG=true
export APPSEC_LOG_LEVEL=DEBUG
```

## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.