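#!/bin/bash
# =============================================================================
# COMPREHENSIVE SECURITY AUDIT SCRIPT
# OWASP Top 10, Authentication, Authorization, Secrets, and more
#
# Usage:    bash scripts/<dir>/security-audit.sh   (no arguments)
# Layout:   PROJECT_ROOT is two levels above this script; Go services live in
#           backend/ (govulncheck runs per backend/functions/*/go.mod), the Vue
#           app in frontend/ (pnpm audit).
# Output:   one report per check in audit-reports/security-audit/*-<timestamp>.txt
# Requires: bash, GNU grep (the patterns use \s and options after operands),
#           optionally govulncheck and pnpm for the dependency scan.
#
# Every check below is a grep heuristic: a hit is a lead, not a confirmed
# finding, and an empty section means "nothing matched these patterns", not
# "the control is present". Treat the reports as input to a manual review.
#
# SECURITY NOTE: the secrets report reproduces any credential it matches.
# The output directory is created mode 0700 and files 0600; do not commit
# audit-reports/ (it is also excluded from the scans so old reports are not
# re-flagged as findings).
# =============================================================================

# -e aborts on unhandled failures. pipefail is deliberately NOT set: grep
# returns 1 on "no match", and that status must be allowed to flow through
# the `scan … | section` pipelines without killing the run.
set -eu

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
OUTPUT_DIR="$PROJECT_ROOT/audit-reports/security-audit"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
readonly SCRIPT_DIR PROJECT_ROOT OUTPUT_DIR TIMESTAMP

# Colors (escape sequences are interpreted by printf '%b')
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Directories never worth grepping: third-party code is covered by the
# dependency scan (13), .git is history, audit-reports is our own output.
readonly -a SKIP_DIRS=(
  --exclude-dir=node_modules
  --exclude-dir=.git
  --exclude-dir=audit-reports
)

# File types where hardcoded credentials typically end up. .env files are
# included on purpose: they are the most common accidentally-committed secret.
readonly -a SECRET_FILES=(
  --include="*.go" --include="*.ts" --include="*.vue"
  --include="*.json" --include="*.yml" --include="*.yaml"
  --include="*.env" --include=".env*"
)

# -----------------------------------------------------------------------------
# Helpers
# -----------------------------------------------------------------------------

# Print a line to the console, interpreting the color escapes.
say() {
  printf '%b\n' "$*"
}

# Console banner for one of the 15 checks.  Arguments: STEP_NUMBER MESSAGE
step() {
  say "${YELLOW}[$1/15] $2${NC}"
}

# Console pointer to a finished report.  Arguments: REPORT_FILE
finished() {
  say "${GREEN}  Output: $1${NC}"
}

# Recursive, line-numbered grep that never aborts the script and always skips
# SKIP_DIRS.  Usage: scan [grep options] PATTERN PATH [--include=...]
# grep's stderr is discarded (missing backend/ or frontend/ dirs simply yield
# an empty result), and its exit status is masked so a "no match" cannot trip
# set -e when scan is the last command of a pipeline.
scan() {
  grep -rn "${SKIP_DIRS[@]}" "$@" 2>/dev/null || true
}

# Start a report file.  Arguments: REPORT_FILE TITLE
start_report() {
  printf '# %s - %s\n' "$2" "$TIMESTAMP" > "$1"
}

# Append one section to a report: a heading, then the results read from
# stdin, or FALLBACK when stdin produced nothing.
# Arguments: REPORT_FILE HEADING FALLBACK   (results on stdin)
#
# Deciding on the captured text instead of the pipeline's exit status is the
# point of this helper: the previous `grep … | head -N >> file || echo …`
# form never wrote its fallback, because `head` masked grep's no-match status.
section() {
  local out=$1 heading=$2 fallback=$3 body
  body=$(cat)
  {
    printf '== %s ==\n' "$heading"
    if [[ -n "$body" ]]; then
      printf '%s\n' "$body"
    else
      printf '%s\n' "$fallback"
    fi
    printf '\n'
  } >> "$out"
}

say "${BLUE}========================================${NC}"
say "${BLUE} COMPREHENSIVE SECURITY AUDIT${NC}"
say "${BLUE}========================================${NC}"
echo ""

# Reports may contain matched secrets: owner-only permissions on the
# directory and on every file created from here on.
umask 077
mkdir -p "$OUTPUT_DIR"
chmod 700 "$OUTPUT_DIR"

# =============================================================================
# 1. SECRET SCANNING (CRITICAL)
# =============================================================================
step 1 "Scanning for hardcoded secrets..."
SECRETS_OUTPUT="$OUTPUT_DIR/secrets-$TIMESTAMP.txt"
start_report "$SECRETS_OUTPUT" "Hardcoded Secrets Scan"
printf 'SEVERITY: CRITICAL\n\n' >> "$SECRETS_OUTPUT"

scan -iE "(api[_-]?key|apikey)\s*[:=]\s*['\"][a-zA-Z0-9]{16,}['\"]" "$PROJECT_ROOT" "${SECRET_FILES[@]}" \
  | section "$SECRETS_OUTPUT" "API Keys" "None found"

scan -iE "(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]" "$PROJECT_ROOT" "${SECRET_FILES[@]}" \
  | section "$SECRETS_OUTPUT" "Passwords" "None found"

scan -E "PRIVATE KEY|-----BEGIN RSA|-----BEGIN EC" "$PROJECT_ROOT" \
    --include="*.go" --include="*.ts" --include="*.pem" --include="*.key" --include="*.env" --include=".env*" \
  | section "$SECRETS_OUTPUT" "Private Keys" "None found"

scan -iE "jwt[_-]?secret\s*[:=]\s*['\"][^'\"]+['\"]" "$PROJECT_ROOT" "${SECRET_FILES[@]}" \
  | section "$SECRETS_OUTPUT" "JWT Secrets" "None found"

# sk_* are secret keys; pk_* are publishable keys and are expected in frontend
# code. Both are listed so a reviewer can confirm no sk_ key sits client-side.
scan -E "sk_live_|sk_test_|pk_live_|pk_test_" "$PROJECT_ROOT" \
    --include="*.go" --include="*.ts" --include="*.vue" --include="*.env" --include=".env*" \
  | section "$SECRETS_OUTPUT" "Stripe Keys" "None found"

# Access key IDs are uppercase by definition; no -i, to avoid random matches.
scan -E "AKIA[0-9A-Z]{16}" "$PROJECT_ROOT" \
  | section "$SECRETS_OUTPUT" "AWS Credentials" "None found"

# Long base64 blobs in code are a weak signal (hashes, test vectors, images)
# so only the first 20 are listed.
scan -oE "['\"][A-Za-z0-9+/]{40,}={0,2}['\"]" "$PROJECT_ROOT" --include="*.go" --include="*.ts" \
  | head -20 \
  | section "$SECRETS_OUTPUT" "Base64 Encoded Secrets" "None found"
finished "$SECRETS_OUTPUT"

# =============================================================================
# 2. AUTHENTICATION AUDIT
# =============================================================================
step 2 "Auditing authentication mechanisms..."
AUTH_OUTPUT="$OUTPUT_DIR/authentication-$TIMESTAMP.txt"
start_report "$AUTH_OUTPUT" "Authentication Audit"

scan -E "jwt|JWT|token" "$PROJECT_ROOT/backend" --include="*.go" \
  | head -50 \
  | section "$AUTH_OUTPUT" "JWT Implementation" "None found"

scan -E "exp|Expir|ttl|TTL" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$AUTH_OUTPUT" "Token Expiration Settings" "None found - POTENTIAL ISSUE"

scan -E "bcrypt|argon2|scrypt|pbkdf2|GenerateFromPassword" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$AUTH_OUTPUT" "Password Hashing" "No password hashing found - CRITICAL"

# Matches imports as well as calls; a hit is only a problem when the digest
# protects passwords or signatures rather than a non-security checksum.
scan -E "md5|sha1|MD5|SHA1" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$AUTH_OUTPUT" "Weak Hashing (MD5, SHA1)" "None found - good"

scan -E "session|cookie|Cookie" "$PROJECT_ROOT" --include="*.go" --include="*.ts" \
  | head -30 \
  | section "$AUTH_OUTPUT" "Session Management" "None found"

scan -E "refresh.*token|refreshToken" "$PROJECT_ROOT" --include="*.go" --include="*.ts" \
  | section "$AUTH_OUTPUT" "Refresh Token Implementation" "No refresh token found - sessions may expire abruptly"
finished "$AUTH_OUTPUT"

# =============================================================================
# 3. AUTHORIZATION AUDIT (RBAC/ABAC)
# =============================================================================
step 3 "Auditing authorization controls..."
AUTHZ_OUTPUT="$OUTPUT_DIR/authorization-$TIMESTAMP.txt"
start_report "$AUTHZ_OUTPUT" "Authorization Audit"

scan -E "role|Role|ROLE|permission|Permission" "$PROJECT_ROOT/backend" --include="*.go" \
  | head -50 \
  | section "$AUTHZ_OUTPUT" "Role Checks" "None found"

scan -E "ADMIN|admin|requireRole.*ADMIN" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$AUTHZ_OUTPUT" "Admin-Only Endpoints" "None found"

# Owner-scoped lookups (WHERE user_id = …, if owner != caller …). Absence of
# such checks next to resource access is the classic IDOR shape.
scan -E "user_id|userID|client_id|owner" "$PROJECT_ROOT/backend" --include="*.go" \
  | grep -iE "where|if|check" \
  | head -30 \
  | section "$AUTHZ_OUTPUT" "Ownership Checks (IDOR Prevention)" "None found - potential IDOR"

scan -E "middleware|Middleware|authMiddleware|requireAuth" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$AUTHZ_OUTPUT" "Middleware Protection" "None found"

# Route registrations whose line mentions none of auth/middleware/protected.
# Heuristic only: a wrapper applied elsewhere (router groups) is not seen here.
scan -E 'http.HandleFunc|HandleFunc' "$PROJECT_ROOT/backend" --include="*.go" \
  | grep -vE "auth|middleware|protected" \
  | section "$AUTHZ_OUTPUT" "Unprotected Routes" "None found"
finished "$AUTHZ_OUTPUT"

# =============================================================================
# 4. INPUT VALIDATION AUDIT
# =============================================================================
step 4 "Auditing input validation..."
INPUT_OUTPUT="$OUTPUT_DIR/input-validation-$TIMESTAMP.txt"
start_report "$INPUT_OUTPUT" "Input Validation Audit"

# -A 5 shows what happens right after decoding: validation should be there.
scan -E "json.Decode|json.Unmarshal" "$PROJECT_ROOT/backend" --include="*.go" -A 5 \
  | head -50 \
  | section "$INPUT_OUTPUT" "JSON Decoding (check for validation after)" "None found"

scan -E "sanitize|Sanitize|escape|Escape|html.EscapeString" "$PROJECT_ROOT" --include="*.go" --include="*.ts" \
  | section "$INPUT_OUTPUT" "Input Sanitization" "No sanitization found - CHECK XSS"

scan -E "regexp|Regexp|regex|pattern" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$INPUT_OUTPUT" "Regex Validation" "None found"

scan -E "len\(|maxLength|minLength|MaxLength|MinLength" "$PROJECT_ROOT" --include="*.go" --include="*.ts" \
  | head -30 \
  | section "$INPUT_OUTPUT" "Length/Size Validation" "None found"
finished "$INPUT_OUTPUT"

# =============================================================================
# 5. XSS VULNERABILITY SCAN
# =============================================================================
step 5 "Scanning for XSS vulnerabilities..."
XSS_OUTPUT="$OUTPUT_DIR/xss-$TIMESTAMP.txt"
start_report "$XSS_OUTPUT" "XSS Vulnerability Scan"

scan "v-html" "$PROJECT_ROOT/frontend" --include="*.vue" \
  | section "$XSS_OUTPUT" "v-html Usage (Vue XSS vector)" "None found"

scan "innerHTML" "$PROJECT_ROOT" --include="*.ts" --include="*.vue" --include="*.go" \
  | section "$XSS_OUTPUT" "innerHTML Usage" "None found"

scan "document.write" "$PROJECT_ROOT/frontend" --include="*.ts" --include="*.vue" \
  | section "$XSS_OUTPUT" "document.write Usage" "None found"

# Interpolations outside class/style bindings; review any that build markup
# or URLs from user-controlled data.
scan -F '${' "$PROJECT_ROOT/frontend" --include="*.vue" \
  | grep -vE "class|style" \
  | head -30 \
  | section "$XSS_OUTPUT" "Template Literal Injection" "None found"
finished "$XSS_OUTPUT"

# =============================================================================
# 6. CSRF PROTECTION AUDIT
# =============================================================================
step 6 "Auditing CSRF protection..."
CSRF_OUTPUT="$OUTPUT_DIR/csrf-$TIMESTAMP.txt"
start_report "$CSRF_OUTPUT" "CSRF Protection Audit"

# Token-based CSRF defence is only needed when authentication rides on
# cookies; a bearer-token API is not exposed, hence "CHECK IF NEEDED".
scan -E "csrf|CSRF|xsrf|XSRF" "$PROJECT_ROOT" --include="*.go" --include="*.ts" \
  | section "$CSRF_OUTPUT" "CSRF Token Implementation" "No CSRF protection found - CHECK IF NEEDED"

scan -E "SameSite|samesite" "$PROJECT_ROOT" --include="*.go" --include="*.ts" \
  | section "$CSRF_OUTPUT" "SameSite Cookie Attribute" "Not found"

# Review for wildcard origins combined with credentials.
scan -E "CORS|cors|Access-Control|AllowOrigin" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --include="*.yml" \
  | section "$CSRF_OUTPUT" "CORS Configuration" "Not found"
finished "$CSRF_OUTPUT"

# =============================================================================
# 7. SECURITY HEADERS AUDIT
# =============================================================================
step 7 "Auditing security headers..."
HEADERS_OUTPUT="$OUTPUT_DIR/security-headers-$TIMESTAMP.txt"
start_report "$HEADERS_OUTPUT" "Security Headers Audit"

scan -E "Content-Security-Policy|CSP" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --include="*.html" \
  | section "$HEADERS_OUTPUT" "Content-Security-Policy" "NOT FOUND - Should implement"

scan -E "X-Content-Type-Options|nosniff" "$PROJECT_ROOT" --include="*.go" \
  | section "$HEADERS_OUTPUT" "X-Content-Type-Options" "NOT FOUND"

# A CSP frame-ancestors directive is the modern equivalent; if CSP above sets
# it, a missing X-Frame-Options is not a clickjacking gap.
scan -E "X-Frame-Options|DENY|SAMEORIGIN" "$PROJECT_ROOT" --include="*.go" \
  | section "$HEADERS_OUTPUT" "X-Frame-Options" "NOT FOUND - Clickjacking risk"

scan -E "Strict-Transport-Security|HSTS" "$PROJECT_ROOT" --include="*.go" --include="*.conf" \
  | section "$HEADERS_OUTPUT" "Strict-Transport-Security" "NOT FOUND"

# X-XSS-Protection is deprecated (the auditor it enabled is removed from
# current browsers and could itself be abused). Absence is the recommended
# state, so it is reported as informational rather than as a gap.
scan "X-XSS-Protection" "$PROJECT_ROOT" --include="*.go" \
  | section "$HEADERS_OUTPUT" "X-XSS-Protection" "NOT FOUND (deprecated header; omitting it, or setting it to 0, is correct)"
finished "$HEADERS_OUTPUT"

# =============================================================================
# 8. RATE LIMITING AUDIT
# =============================================================================
step 8 "Auditing rate limiting..."
RATE_OUTPUT="$OUTPUT_DIR/rate-limiting-$TIMESTAMP.txt"
start_report "$RATE_OUTPUT" "Rate Limiting Audit"

scan -E "rate|Rate|limit|Limit|throttle|Throttle" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$RATE_OUTPUT" "Rate Limiter Implementation" "NO RATE LIMITING FOUND - CRITICAL for auth endpoints"

scan -E "attempt|Attempt|failed.*login|lock.*account" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$RATE_OUTPUT" "Login Attempt Limiting" "No brute force protection found"
finished "$RATE_OUTPUT"

# =============================================================================
# 9. FILE UPLOAD SECURITY
# =============================================================================
step 9 "Auditing file upload security..."
UPLOAD_OUTPUT="$OUTPUT_DIR/file-upload-$TIMESTAMP.txt"
start_report "$UPLOAD_OUTPUT" "File Upload Security Audit"

scan -E "multipart|FormFile|upload|Upload" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$UPLOAD_OUTPUT" "File Upload Handlers" "No file uploads found"

# The client-supplied Content-Type is attacker-controlled; look for content
# sniffing or an allow-list, not just a header read.
scan -E "mime|MIME|ContentType|content-type" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$UPLOAD_OUTPUT" "File Type Validation" "None found"

scan -E 'filepath.Clean|path.Clean|\.\./' "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$UPLOAD_OUTPUT" "Path Traversal Prevention" "None found - check for path traversal"
finished "$UPLOAD_OUTPUT"

# =============================================================================
# 10. CRYPTOGRAPHY AUDIT
# =============================================================================
step 10 "Auditing cryptography usage..."
CRYPTO_OUTPUT="$OUTPUT_DIR/cryptography-$TIMESTAMP.txt"
start_report "$CRYPTO_OUTPUT" "Cryptography Audit"

# math/rand is not suitable for tokens, nonces or session IDs.
scan -E "math/rand|rand.Int|rand.Read" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$CRYPTO_OUTPUT" "Random Number Generation" "None found"

scan "crypto/rand" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$CRYPTO_OUTPUT" "Cryptographically Secure Random" "NOT USING crypto/rand - use for security-sensitive randomness"

scan -E "aes|AES|encrypt|Encrypt|cipher" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$CRYPTO_OUTPUT" "Encryption Usage" "None found"

scan -E "tls|TLS|https|HTTPS|ssl|SSL" "$PROJECT_ROOT" --include="*.go" --include="*.yml" \
  | head -30 \
  | section "$CRYPTO_OUTPUT" "TLS/SSL Configuration" "None found"
finished "$CRYPTO_OUTPUT"

# =============================================================================
# 11. ERROR HANDLING & INFO LEAKAGE
# =============================================================================
step 11 "Auditing error handling for info leakage..."
ERRORS_OUTPUT="$OUTPUT_DIR/error-leakage-$TIMESTAMP.txt"
start_report "$ERRORS_OUTPUT" "Error Handling & Information Leakage"

scan -E "debug.PrintStack|runtime.Stack|panic.*err" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$ERRORS_OUTPUT" "Stack Traces Exposed" "None found"

# Raw err.Error() strings sent to the client often carry paths, SQL or hosts.
scan -E 'http.Error.*err.Error|json.Encode.*error' "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$ERRORS_OUTPUT" "Verbose Error Messages" "None found"

scan -E "sql.*error|database.*error" "$PROJECT_ROOT/backend" --include="*.go" \
  | grep -iE "http|response|json" \
  | section "$ERRORS_OUTPUT" "Database Errors Exposed" "None found"
finished "$ERRORS_OUTPUT"

# =============================================================================
# 12. LOGGING AUDIT
# =============================================================================
step 12 "Auditing logging practices..."
LOGGING_OUTPUT="$OUTPUT_DIR/logging-$TIMESTAMP.txt"
start_report "$LOGGING_OUTPUT" "Logging Audit"

scan -E "log.*password|log.*token|log.*secret|log.*key" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$LOGGING_OUTPUT" "Sensitive Data in Logs" "None found"

scan -E "log.*email|log.*phone|log.*address" "$PROJECT_ROOT/backend" --include="*.go" \
  | section "$LOGGING_OUTPUT" "PII in Logs" "None found"

# Count only; $(( )) normalises the leading whitespace BSD wc emits.
unstructured_calls=$(scan -E "log.Printf|log.Println|fmt.Printf" "$PROJECT_ROOT/backend" --include="*.go" | wc -l)
printf '== Structured Logging ==\n%d unstructured log calls found (consider structured logging)\n' \
  "$((unstructured_calls))" >> "$LOGGING_OUTPUT"
finished "$LOGGING_OUTPUT"

# =============================================================================
# 13. DEPENDENCY VULNERABILITIES
# =============================================================================
step 13 "Scanning dependency vulnerabilities..."
VULN_OUTPUT="$OUTPUT_DIR/vulnerabilities-$TIMESTAMP.txt"
start_report "$VULN_OUTPUT" "Dependency Vulnerability Scan"

echo "== Go Dependencies (govulncheck) ==" >> "$VULN_OUTPUT"
if command -v govulncheck > /dev/null 2>&1; then
  # One module per service directory; a non-zero exit means findings, not a
  # script error, so it is tolerated and the output kept.
  for service_dir in "$PROJECT_ROOT/backend/functions"/*/; do
    if [[ -f "$service_dir/go.mod" ]]; then
      echo "Scanning: $(basename "$service_dir")" >> "$VULN_OUTPUT"
      (cd "$service_dir" && govulncheck ./... 2>&1) >> "$VULN_OUTPUT" || true
      echo "" >> "$VULN_OUTPUT"
    fi
  done
else
  echo "govulncheck not installed" >> "$VULN_OUTPUT"
fi
echo "" >> "$VULN_OUTPUT"

echo "== PNPM Dependencies (pnpm audit) ==" >> "$VULN_OUTPUT"
if [[ -d "$PROJECT_ROOT/frontend" ]]; then
  # Say so explicitly when pnpm is absent; an empty section would otherwise
  # read as "no vulnerable dependencies".
  if command -v pnpm > /dev/null 2>&1; then
    (cd "$PROJECT_ROOT/frontend" && pnpm audit 2>&1) >> "$VULN_OUTPUT" || true
  else
    echo "pnpm not installed - frontend dependencies NOT scanned" >> "$VULN_OUTPUT"
  fi
else
  echo "no frontend/ directory - skipped" >> "$VULN_OUTPUT"
fi
finished "$VULN_OUTPUT"

# =============================================================================
# 14. CONTAINER SECURITY
# =============================================================================
step 14 "Auditing container security..."
CONTAINER_OUTPUT="$OUTPUT_DIR/container-security-$TIMESTAMP.txt"
start_report "$CONTAINER_OUTPUT" "Container Security Audit"

scan -E "USER|user:" "$PROJECT_ROOT" --include="Containerfile" --include="Dockerfile" --include="*.yml" \
  | section "$CONTAINER_OUTPUT" "Running as Root" "No USER directive found - likely running as root"

scan -E "privileged|--privileged" "$PROJECT_ROOT" --include="*.yml" --include="*.yaml" \
  | section "$CONTAINER_OUTPUT" "Privileged Mode" "None found"

scan -E "EXPOSE|ports:" "$PROJECT_ROOT" --include="Containerfile" --include="Dockerfile" --include="*.yml" \
  | section "$CONTAINER_OUTPUT" "Exposed Ports" "None found"

# ARG is checked alongside ENV: build arguments are recorded in image layer
# history, so a secret passed that way ships with the image just the same.
scan -E "(ENV|ARG).*SECRET|(ENV|ARG).*PASSWORD|(ENV|ARG).*KEY" "$PROJECT_ROOT" --include="Containerfile" --include="Dockerfile" \
  | section "$CONTAINER_OUTPUT" "Secrets in Container Build" "None found in build files"
finished "$CONTAINER_OUTPUT"

# =============================================================================
# 15. GIT SECURITY
# =============================================================================
step 15 "Auditing git security..."
GIT_OUTPUT="$OUTPUT_DIR/git-security-$TIMESTAMP.txt"
start_report "$GIT_OUTPUT" "Git Security Audit"

echo "== .gitignore Coverage ==" >> "$GIT_OUTPUT"
if [[ -f "$PROJECT_ROOT/.gitignore" ]]; then
  cat "$PROJECT_ROOT/.gitignore" >> "$GIT_OUTPUT"
else
  echo "NO .gitignore FILE FOUND - CRITICAL" >> "$GIT_OUTPUT"
fi
echo "" >> "$GIT_OUTPUT"

# Left as instructions: a pickaxe search over full history can take minutes
# on a large repository, and a secret found there needs rotation, not just
# removal from HEAD.
{
  echo "== Secrets in Git History =="
  echo "Run: git log -p --all -S 'password' to check history"
  echo "Run: git log -p --all -S 'secret' to check history"
  echo "Run: git log -p --all -S 'api_key' to check history"
  echo ""
} >> "$GIT_OUTPUT"

# Credential-shaped files present in the working tree (whether or not
# .gitignore covers them). node_modules and .git are skipped in find itself.
find "$PROJECT_ROOT" \
    \( -path "*/node_modules/*" -o -path "*/.git/*" \) -prune -o \
    \( -name ".env" -o -name "*.pem" -o -name "*.key" -o -name "credentials*" \) -print 2>/dev/null \
  | section "$GIT_OUTPUT" "Sensitive Files in Repo" "None found"
finished "$GIT_OUTPUT"

# =============================================================================
# SUMMARY
# =============================================================================
echo ""
say "${BLUE}========================================${NC}"
say "${BLUE} SECURITY AUDIT COMPLETE${NC}"
say "${BLUE}========================================${NC}"
echo ""
say "Reports generated in: ${GREEN}$OUTPUT_DIR${NC}"
echo ""
echo "Files generated:"
ls -la "$OUTPUT_DIR"/*"$TIMESTAMP"* 2>/dev/null || echo "No files generated"

# Critical findings summary
echo ""
say "${RED}=== CRITICAL ITEMS TO REVIEW ===${NC}"
echo "1. Check secrets-$TIMESTAMP.txt for hardcoded credentials (and rotate anything found)"
echo "2. Check authentication-$TIMESTAMP.txt for auth weaknesses"
echo "3. Check authorization-$TIMESTAMP.txt for access control gaps"
echo "4. Check vulnerabilities-$TIMESTAMP.txt for CVEs"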