# Security Scanning Configuration for Agent Orchestration Platform
# Advanced security scanning rules and vulnerability detection settings
# ============================================================================
# Bandit Security Configuration (Extended)
# ============================================================================
# Enhanced security scanning rules beyond pyproject.toml
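[bandit]
# NOTE(review): bandit's own TOML loader (`bandit -c <file>.toml`) reads the
# `[tool.bandit]` table, not `[bandit]`; confirm how this file reaches bandit,
# otherwise everything in this section may be silently ignored.
exclude_dirs = [
    "tests",
    "venv",
    ".venv",
    "build",
    "dist",
    ".git",
    "__pycache__",
    ".pytest_cache",
]

# Checks disabled everywhere. A global skip hides every occurrence, including
# new ones; prefer a per-line `# nosec <ID>` with a reason where an exception
# is genuinely needed, so each one stays reviewable.
skips = [
    # assert_used - "tests" is already in exclude_dirs, so this skip only
    # suppresses asserts in non-test code; confirm that is intended
    "B101",
    "B601", # paramiko_calls - Allow paramiko for legitimate SSH
    "B603", # subprocess_without_shell_equals_true - Allow subprocess with validation
]

# Explicit allow-list of checks. When `tests` is set, bandit runs ONLY these
# IDs: any check not listed here (including ones added by newer bandit
# releases) is never run. Consider dropping this list and relying on `skips`
# alone so new checks are picked up automatically.
# B601 is intentionally absent: it is in `skips` above, and a skipped test
# is not run even when listed here (presumably; verify with your bandit version).
tests = [
    "B102", # exec_used
    "B103", # set_bad_file_permissions
    "B104", # hardcoded_bind_all_interfaces
    "B105", # hardcoded_password_string
    "B106", # hardcoded_password_funcarg
    "B107", # hardcoded_password_default
    "B108", # hardcoded_tmp_directory
    "B110", # try_except_pass
    "B112", # try_except_continue
    "B201", # flask_debug_true
    "B301", # pickle
    "B302", # marshal
    "B303", # md5
    "B304", # des
    "B305", # cipher
    "B306", # mktemp_q
    "B307", # eval
    "B308", # mark_safe
    "B309", # httpsconnection
    "B310", # urllib_urlopen
    "B311", # random
    "B312", # telnetlib
    "B313", # xml_bad_cElementTree
    "B314", # xml_bad_ElementTree
    "B315", # xml_bad_expatreader
    "B316", # xml_bad_expatbuilder
    "B317", # xml_bad_sax
    "B318", # xml_bad_minidom
    "B319", # xml_bad_pulldom
    "B320", # xml_bad_etree
    "B321", # ftplib
    "B322", # input
    "B323", # unverified_context
    "B324", # hashlib_new_insecure_functions
    "B325", # tempnam
    "B401", # import_telnetlib
    "B402", # import_ftplib
    "B403", # import_pickle
    "B404", # import_subprocess
    "B405", # import_xml_etree
    "B406", # import_xml_sax
    "B407", # import_xml_expat
    "B408", # import_xml_minidom
    "B409", # import_xml_pulldom
    "B410", # import_lxml
    "B411", # import_xmlrpclib
    "B412", # import_httpoxy
    "B413", # import_pycrypto
    "B501", # request_with_no_cert_validation
    "B502", # ssl_with_bad_version
    "B503", # ssl_with_bad_defaults
    "B504", # ssl_with_no_version
    "B505", # weak_cryptographic_key
    "B506", # yaml_load
    "B507", # ssh_no_host_key_verification
    "B602", # subprocess_popen_with_shell_equals_true
    "B604", # any_other_function_with_shell_equals_true
    "B605", # start_process_with_a_shell
    "B606", # start_process_with_no_shell
    "B607", # start_process_with_partial_path
    "B608", # hardcoded_sql_expressions
    "B609", # linux_commands_wildcard_injection
    "B610", # django_extra_used
    "B611", # django_rawsql_used
    "B701", # jinja2_autoescape_false
    "B702", # use_of_mako_templates
    "B703", # django_mark_safe
]

# Reporting options. These mirror bandit CLI flags; presumably the caller maps
# them onto the command line — verify, since bandit does not read them from a
# config file by itself.
# Confidence levels to include in the report
confidence = ["HIGH", "MEDIUM"]
# Report format and destination
format = "json"
output = "bandit-security-report.json"
# Minimum severity to report; LOW reports every finding
level = "LOW"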
# ============================================================================
# Safety Configuration (Dependency Vulnerability Scanning)
# ============================================================================
[safety]
# Report format and destination
output = "json"
json_report = "safety-vulnerability-report.json"
# Emit the full report rather than a summary
full_report = true
# Scan development dependencies as well as runtime ones
include_dev = true
# Severities that appear in the report
severity = ["critical", "high", "medium"]
# Suppressed advisories. Every entry needs a justification comment naming the
# CVE it corresponds to, as in the example; presumably the ID is the numeric
# advisory ID safety uses rather than the CVE itself — verify before adding.
# Example: "12345", # CVE-2023-12345: False positive for our use case
ignore = []
# ============================================================================
# Semgrep Security Rules Configuration
# ============================================================================
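[semgrep]
# Custom rules for Agent Orchestration Platform security.
# Each entry is a semgrep registry rule id; confirm every id still resolves
# when upgrading semgrep, since a stale id simply contributes no findings.
rules = [
    # Process execution and debug settings
    "python.lang.security.audit.dangerous-subprocess-use",
    "python.lang.security.audit.dangerous-system-call",
    "python.flask.security.audit.app-run-debug-true",
    # Input validation and injection prevention
    "python.lang.security.audit.eval-use",
    "python.lang.security.audit.exec-use",
    "python.lang.security.audit.unquoted-sql-query",
    "python.lang.security.audit.sql-injection",
    # Cryptography and secrets
    "python.cryptography.security.insecure-hash-algorithms",
    "python.lang.security.audit.hardcoded-password",
    "python.secrets.hardcoded-secret",
    # File and path operations
    "python.lang.security.audit.dangerous-file-permissions",
    "python.lang.security.audit.path-traversal",
    "python.lang.security.audit.tarfile-extractall-traversal",
    # Network security: TLS certificate verification must stay enabled
    # (the requests rule was previously listed twice; it lives here only)
    "python.urllib3.security.disabled-cert-validation",
    "python.requests.security.disabled-cert-validation",
    "python.httpx.security.disabled-cert-validation",
]

# Paths excluded from ALL rules above, not just from selected checks. Keep
# these globs test-only so no production module happens to match them.
exclude = [
    "tests/",
    "*_test.py",
    "test_*.py",
    "conftest.py",
]

# Output configuration
output_format = "sarif"
output_file = "semgrep-security.sarif"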
# ============================================================================
# Custom Security Rules for Agent Orchestration Platform
# ============================================================================
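# Each rule is an array-of-tables entry rather than a multi-line inline table:
# TOML 1.0 inline tables must fit on one line and use `key = value`, so the
# `{ "key": value }` form does not parse and a strict loader rejects the whole
# file, leaving none of these rules active. Regex patterns are literal strings
# ('...') so backslashes are written once.

# Agent isolation violations
[[custom_security_rules.agent_isolation_rules]]
rule_id = "AOP001"
description = "Direct file system access without boundary validation"
# Matches every open() call, so expect a high volume of hits to triage
pattern = 'open\(.*\)'
severity = "HIGH"
category = "agent_isolation"

[[custom_security_rules.agent_isolation_rules]]
rule_id = "AOP002"
description = "Process spawning without proper sandboxing"
pattern = 'subprocess\.(run|call|Popen)'
severity = "HIGH"
category = "agent_isolation"

[[custom_security_rules.agent_isolation_rules]]
rule_id = "AOP003"
description = "Network access without authorization check"
pattern = 'requests\.(get|post|put|delete)'
severity = "MEDIUM"
category = "agent_isolation"

# Session security violations
[[custom_security_rules.session_security_rules]]
rule_id = "AOP101"
description = "Session data stored without encryption"
pattern = 'json\.dump.*session'
severity = "HIGH"
category = "session_security"

[[custom_security_rules.session_security_rules]]
rule_id = "AOP102"
description = "Session ID generation without sufficient entropy"
# Flags truncation of a UUID to 8 hex chars (32 bits); other truncations are
# not caught by this exact pattern
pattern = 'uuid\.uuid4\(\)\.hex\[:8\]'
severity = "MEDIUM"
category = "session_security"

# Communication security violations
[[custom_security_rules.communication_rules]]
rule_id = "AOP201"
description = "Message content not properly sanitized"
pattern = 'send_message.*\+.*user_input'
severity = "HIGH"
category = "communication_security"

[[custom_security_rules.communication_rules]]
rule_id = "AOP202"
description = "Agent prompt injection without validation"
pattern = 'prompt.*\+.*user.*input'
severity = "CRITICAL"
category = "communication_security"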
# ============================================================================
# Vulnerability Database Configuration
# ============================================================================
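# Custom vulnerability patterns specific to our architecture.
# Array-of-tables form: the multi-line `{ "key": value }` inline tables used
# before are not valid TOML 1.0, so a strict parser could not load any of
# these patterns. Patterns containing backslashes are literal strings.

# Claude Code interaction vulnerabilities
[[vulnerability_db.patterns]]
pattern = "claude_code.*shell=True"
description = "Shell injection in Claude Code execution"
severity = "CRITICAL"

[[vulnerability_db.patterns]]
pattern = "iterm.*execute.*user_input"
description = "Command injection in iTerm2 automation"
severity = "HIGH"

# MCP protocol vulnerabilities
[[vulnerability_db.patterns]]
pattern = 'mcp.*eval\('
description = "Code execution in MCP message handling"
severity = "CRITICAL"

[[vulnerability_db.patterns]]
pattern = "fastmcp.*__import__"
description = "Dynamic import in FastMCP handler"
severity = "HIGH"

# Agent state vulnerabilities
[[vulnerability_db.patterns]]
pattern = 'agent_state.*pickle\.loads'
description = "Insecure deserialization of agent state"
severity = "CRITICAL"

[[vulnerability_db.patterns]]
# Keyword heuristic only; it matches comments and docstrings as readily as code
pattern = "session.*plain.*text"
description = "Sensitive session data stored in plain text"
severity = "HIGH"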
# ============================================================================
# Security Testing Configuration
# ============================================================================
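# Sub-tables instead of multi-line inline tables: TOML 1.0 requires an inline
# table to fit on one line and use `key = value`, so the previous
# `{ "key": value }` blocks did not parse.

# Penetration testing configuration
[security_testing.pentest_config]
enabled = true
# Endpoints the test harness is pointed at; nothing outside this list is exercised
target_endpoints = [
    "create_agent",
    "delete_agent",
    "send_message_to_agent",
    "create_session",
    "delete_session",
]
attack_vectors = [
    "injection_attacks",
    "path_traversal",
    "privilege_escalation",
    "resource_exhaustion",
    "authentication_bypass",
]
intensity = "medium" # low, medium, high
duration_minutes = 30

# Fuzzing configuration
[security_testing.fuzz_config]
enabled = true
input_types = ["strings", "binary", "structured"]
max_input_size = 10000 # unit not stated (bytes?) — TODO confirm against the fuzzer
iterations = 1000
timeout_seconds = 5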
# ============================================================================
# Compliance and Reporting
# ============================================================================
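[compliance]
# Security standards compliance
standards = [
    "OWASP_TOP_10",
    "CWE_TOP_25",
    "NIST_800_53",
    "ISO_27001",
]

# Reporting configuration (a sub-table: the multi-line `{ "key": value }`
# inline table used before is not valid TOML 1.0)
[compliance.reporting]
formats = ["json", "sarif", "html", "pdf"]
include_metrics = true
include_trends = true
retention_days = 90

# Alert thresholds. The counts are presumably maximum open findings per
# severity (0 = none tolerated) and the score a minimum — verify against the
# consumer that evaluates them.
[compliance.thresholds]
critical_vulnerabilities = 0
high_vulnerabilities = 3
medium_vulnerabilities = 10
security_score_minimum = 85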