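#!/bin/bash
# =============================================================================
# MASTER AUDIT RUNNER
# Orchestrates all audit scripts and generates a consolidated report
#
# Usage: <this script> [-h] [-a] [-g] [-f] [-d] [-s] [-i] [--live]
#        (run with -h for the option list)
#
# The audit scripts are expected next to this file (01-go-audit.sh ...) and
# every report is written below <project root>/audit-reports/.
# =============================================================================

# -e: abort on an unhandled orchestration error. Audit scripts signalling
# findings through a non-zero exit are handled explicitly (see run_audit and
# main) so they never abort the run. -u is deliberately not enabled: iterating
# an empty associative array trips it on older bash versions.
set -eo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
MASTER_OUTPUT_DIR="$PROJECT_ROOT/audit-reports"
CONSOLIDATED_REPORT="$MASTER_OUTPUT_DIR/consolidated-report-$TIMESTAMP.md"
readonly SCRIPT_DIR PROJECT_ROOT TIMESTAMP MASTER_OUTPUT_DIR CONSOLIDATED_REPORT

# Colors (ANSI escapes; every use goes through `echo -e`)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly MAGENTA='\033[0;35m'
readonly CYAN='\033[0;36m'
readonly NC='\033[0m'
readonly BOLD='\033[1m'

# Track results, keyed by audit name (script file name without ".sh").
# AUDIT_RESULTS values: SUCCESS | COMPLETED_WITH_FINDINGS | NOT_FOUND
# AUDIT_TIMES values:   wall-clock seconds; absent for NOT_FOUND
declare -A AUDIT_RESULTS=()
declare -A AUDIT_TIMES=()
TOTAL_START_TIME=$(date +%s)
readonly TOTAL_START_TIME

# =============================================================================
# FUNCTIONS
# =============================================================================

#######################################
# Seconds elapsed since an epoch timestamp.
# Arguments: $1 - start time (seconds since epoch)
# Outputs:   elapsed whole seconds to stdout
#######################################
elapsed_since() {
  local start="$1"
  local now
  now=$(date +%s)
  echo $((now - start))
}

#######################################
# Audit names in a stable order, one per line, so the report table and the
# terminal summary do not depend on associative-array iteration order.
# Globals:   AUDIT_RESULTS (read)
# Outputs:   sorted audit names to stdout; nothing when no audit was run
#######################################
sorted_audit_names() {
  if [ "${#AUDIT_RESULTS[@]}" -eq 0 ]; then
    return 0
  fi
  printf '%s\n' "${!AUDIT_RESULTS[@]}" | LC_ALL=C sort
}

#######################################
# Markdown status marker for an audit result value.
# Arguments: $1 - one of the AUDIT_RESULTS values
# Outputs:   the marker to stdout
#######################################
status_marker() {
  case "$1" in
    SUCCESS) echo "✅" ;;
    COMPLETED_WITH_FINDINGS) echo "⚠️" ;;
    NOT_FOUND) echo "❌" ;;
    *) echo "❓" ;;
  esac
}

#######################################
# Duration cell for the report table.
# Arguments: $1 - audit name
# Outputs:   "<n>s", or "N/A" when no time was recorded (script not found)
#######################################
duration_cell() {
  local seconds="${AUDIT_TIMES[$1]:-}"
  if [ -n "$seconds" ]; then
    echo "${seconds}s"
  else
    echo "N/A"
  fi
}

#######################################
# Print the suite banner, start time and output directory.
# Globals:   MASTER_OUTPUT_DIR (read)
#######################################
print_banner() {
  echo ""
  echo -e "${MAGENTA}╔══════════════════════════════════════════════════════════════════╗${NC}"
  echo -e "${MAGENTA}║ ║${NC}"
  echo -e "${MAGENTA}║${BOLD} COPPERTONE.TECH COMPREHENSIVE AUDIT SUITE ${NC}${MAGENTA}║${NC}"
  echo -e "${MAGENTA}║ ║${NC}"
  echo -e "${MAGENTA}║${NC} ${CYAN}No Stone Unturned • No Feelings Spared • Maximum Critique${NC} ${MAGENTA}║${NC}"
  echo -e "${MAGENTA}║ ║${NC}"
  echo -e "${MAGENTA}╚══════════════════════════════════════════════════════════════════╝${NC}"
  echo ""
  echo -e "${YELLOW}Started: $(date)${NC}"
  echo -e "${YELLOW}Output Directory: $MASTER_OUTPUT_DIR${NC}"
  echo ""
}

#######################################
# Run one audit script and record its outcome and duration.
# Globals:   SCRIPT_DIR (read); AUDIT_RESULTS, AUDIT_TIMES (written)
# Arguments: $1 - script file name, relative to SCRIPT_DIR
# Returns:   0 when the script ran (with or without findings),
#            1 when the script does not exist (recorded as NOT_FOUND)
#######################################
run_audit() {
  local script_name="$1"
  local script_path="$SCRIPT_DIR/$script_name"
  local audit_name="${script_name%.sh}"

  if [ ! -f "$script_path" ]; then
    echo -e "${RED}[SKIP] $script_name not found${NC}"
    AUDIT_RESULTS["$audit_name"]="NOT_FOUND"
    return 1
  fi

  # A script checked out without its execute bit is made runnable, not skipped.
  if [ ! -x "$script_path" ]; then
    chmod +x -- "$script_path"
  fi

  echo ""
  echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
  echo -e "${BOLD}Running: $script_name${NC}"
  echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"

  # Declaration and assignment are separate so `local` cannot mask a failure.
  local start_time
  start_time=$(date +%s)

  # A non-zero exit from an audit script means "findings"; the `if` keeps that
  # from being treated as an error by set -e.
  if "$script_path" 2>&1; then
    AUDIT_RESULTS["$audit_name"]="SUCCESS"
    echo -e "${GREEN}[✓] $script_name completed successfully${NC}"
  else
    AUDIT_RESULTS["$audit_name"]="COMPLETED_WITH_FINDINGS"
    echo -e "${YELLOW}[!] $script_name completed with findings${NC}"
  fi

  local duration
  duration=$(elapsed_since "$start_time")
  AUDIT_TIMES["$audit_name"]="$duration"
  echo -e "${CYAN}Duration: ${duration}s${NC}"
}

#######################################
# Write the consolidated markdown report.
# Globals:   CONSOLIDATED_REPORT, MASTER_OUTPUT_DIR, TIMESTAMP,
#            TOTAL_START_TIME, AUDIT_RESULTS, AUDIT_TIMES (read)
# Outputs:   progress messages to stdout; the report to CONSOLIDATED_REPORT
#######################################
generate_consolidated_report() {
  echo ""
  echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
  echo -e "${BOLD}Generating Consolidated Report${NC}"
  echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"

  cat > "$CONSOLIDATED_REPORT" << EOF
# Coppertone.tech Comprehensive Audit Report

**Generated:** $(date)
**Audit ID:** $TIMESTAMP

---

## Executive Summary

This report consolidates findings from all automated audit scripts run against the coppertone.tech codebase and infrastructure.

### Audit Execution Summary

| Audit | Status | Duration |
|-------|--------|----------|
EOF

  local -a audits=()
  mapfile -t audits < <(sorted_audit_names)

  local audit status
  for audit in "${audits[@]}"; do
    status="${AUDIT_RESULTS[$audit]}"
    echo "| $audit | $(status_marker "$status") $status | $(duration_cell "$audit") |" \
      >> "$CONSOLIDATED_REPORT"
  done

  local total_duration
  total_duration=$(elapsed_since "$TOTAL_START_TIME")

  cat >> "$CONSOLIDATED_REPORT" << EOF

**Total Audit Duration:** ${total_duration} seconds

---

## Detailed Reports

The following detailed reports have been generated:

### Go Backend Audit
Location: \`audit-reports/go-audit/\`
- Static analysis (go vet, staticcheck)
- Security scanning (gosec, govulncheck)
- Code complexity analysis
- Dead code detection
- Error handling patterns
- Hardcoded secrets scan
- Test coverage

### TypeScript/Vue Frontend Audit
Location: \`audit-reports/frontend-audit/\`
- TypeScript type checking (strict mode)
- ESLint comprehensive analysis
- Vue anti-pattern detection
- Security audit (XSS, secrets, localStorage)
- Dependency analysis
- Bundle size analysis
- Accessibility audit
- Performance patterns
- Code duplication
- Test coverage
- Dead code detection

### SQL/Database Audit
Location: \`audit-reports/database-audit/\`
- Migration file analysis
- SQL injection vulnerability scan
- Schema design review
- Query performance patterns
- Connection management
- Data integrity checks
- Sensitive data handling
- Error handling in queries

### Security Audit
Location: \`audit-reports/security-audit/\`
- Hardcoded secrets (comprehensive)
- Authentication implementation
- Authorization (RBAC) review
- Input validation
- XSS/CSRF protection
- Security headers
- Rate limiting
- File upload security
- Cryptographic practices
- Error information leakage
- Logging and audit trails
- Known vulnerabilities
- Container security
- Git security

### Infrastructure Audit
Location: \`audit-reports/infrastructure-audit/\`
- Container configurations
- Compose file analysis
- CI/CD pipeline review
- Configuration management
- Network security
- Secrets management
- Logging and monitoring
- Backup and disaster recovery
- Resource management
- Dependency management
- Documentation completeness

---

## Critical Items Checklist

Review the individual reports for detailed findings. Priority items to check:

### 🔴 Critical (Fix Immediately)
- [ ] Any hardcoded secrets or credentials
- [ ] SQL injection vulnerabilities
- [ ] Authentication bypass possibilities
- [ ] Exposed sensitive data
- [ ] Known CVEs in dependencies

### 🟠 High (Fix Before Production)
- [ ] Authorization gaps (RBAC enforcement)
- [ ] Missing input validation
- [ ] XSS vulnerabilities
- [ ] Insecure direct object references
- [ ] Missing rate limiting

### 🟡 Medium (Address Soon)
- [ ] Excessive code complexity
- [ ] Missing error handling
- [ ] Dead code
- [ ] Accessibility issues
- [ ] Performance anti-patterns

### 🟢 Low (Track for Improvement)
- [ ] Code style inconsistencies
- [ ] Missing tests
- [ ] Documentation gaps
- [ ] TODO/FIXME comments
- [ ] Outdated dependencies (non-security)

---

## Recommendations

1. **Immediate Actions:**
   - Review all CRITICAL findings in each audit report
   - Rotate any exposed secrets immediately
   - Patch any known vulnerabilities

2. **Short-term (1-2 weeks):**
   - Address all HIGH severity findings
   - Implement missing authorization checks
   - Add input validation where missing

3. **Medium-term (1 month):**
   - Reduce code complexity in flagged functions
   - Increase test coverage
   - Address accessibility issues

4. **Ongoing:**
   - Integrate these audits into CI/CD pipeline
   - Run security scans on every PR
   - Regular dependency updates

---

## Report Locations

All detailed reports are stored in:
\`\`\`
$MASTER_OUTPUT_DIR/
├── go-audit/
├── frontend-audit/
├── database-audit/
├── security-audit/
├── infrastructure-audit/
└── consolidated-report-$TIMESTAMP.md
\`\`\`

---

*Generated by Coppertone.tech Audit Suite*
*No stone unturned. No feelings spared.*
EOF

  echo -e "${GREEN}Consolidated report generated: $CONSOLIDATED_REPORT${NC}"
}

#######################################
# Print the terminal summary of all recorded audits.
# Globals:   TOTAL_START_TIME, AUDIT_RESULTS, AUDIT_TIMES,
#            MASTER_OUTPUT_DIR, CONSOLIDATED_REPORT (read)
#######################################
print_summary() {
  echo ""
  echo -e "${MAGENTA}╔══════════════════════════════════════════════════════════════════╗${NC}"
  echo -e "${MAGENTA}║${BOLD} AUDIT COMPLETE ${NC}${MAGENTA}║${NC}"
  echo -e "${MAGENTA}╚══════════════════════════════════════════════════════════════════╝${NC}"
  echo ""

  local total_duration
  total_duration=$(elapsed_since "$TOTAL_START_TIME")
  echo -e "${CYAN}Total Duration: ${total_duration} seconds${NC}"
  echo ""

  echo -e "${BOLD}Results Summary:${NC}"

  local -a audits=()
  mapfile -t audits < <(sorted_audit_names)

  local audit status duration
  for audit in "${audits[@]}"; do
    status="${AUDIT_RESULTS[$audit]}"
    duration="${AUDIT_TIMES[$audit]:-N/A}"
    case "$status" in
      SUCCESS)
        echo -e " ${GREEN}✓${NC} $audit (${duration}s)"
        ;;
      COMPLETED_WITH_FINDINGS)
        echo -e " ${YELLOW}!${NC} $audit (${duration}s) - has findings"
        ;;
      NOT_FOUND)
        echo -e " ${RED}✗${NC} $audit - script not found"
        ;;
      *)
        echo -e " ${RED}?${NC} $audit - unknown status"
        ;;
    esac
  done

  echo ""
  echo -e "${BOLD}Reports Location:${NC} $MASTER_OUTPUT_DIR"
  echo -e "${BOLD}Consolidated Report:${NC} $CONSOLIDATED_REPORT"
  echo ""
  echo -e "${YELLOW}Review all reports carefully. Address CRITICAL and HIGH severity issues first.${NC}"
  echo ""
}

#######################################
# Print command-line usage to stdout.
#######################################
show_help() {
  echo "Usage: $0 [OPTIONS]"
  echo ""
  echo "Options:"
  echo " -h, --help Show this help message"
  echo " -a, --all Run all audits (default)"
  echo " -g, --go Run only Go backend audit"
  echo " -f, --frontend Run only TypeScript/Vue frontend audit"
  echo " -d, --database Run only SQL/Database audit"
  echo " -s, --security Run only Security audit"
  echo " -i, --infrastructure Run only Infrastructure audit"
  echo " --live Include live system checks (requires running services)"
  echo ""
  echo "Examples:"
  echo " $0 Run all audits"
  echo " $0 -g -f Run Go and Frontend audits only"
  echo " $0 --security Run security audit only"
  echo " $0 --all --live Run all audits including live system checks"
}

# =============================================================================
# MAIN
# =============================================================================

#######################################
# Parse options, run the selected audits, write the report, print the summary.
# Arguments: the script's command line
# Globals:   exports INCLUDE_LIVE_CHECKS=true for the audit scripts when
#            --live is given
# Returns:   0 on a completed run; 1 on an unknown option
#######################################
main() {
  local run_go=false run_frontend=false run_database=false
  local run_security=false run_infrastructure=false
  local run_all=false
  # Becomes true once any audit-selecting flag is seen; a command line with no
  # such flag (nothing at all, or only --live) falls back to running everything,
  # which is what the help text documents as the default.
  local selected=false

  while [[ $# -gt 0 ]]; do
    case "$1" in
      -h|--help)
        show_help
        exit 0
        ;;
      -a|--all)
        run_all=true
        selected=true
        ;;
      -g|--go)
        run_go=true
        selected=true
        ;;
      -f|--frontend)
        run_frontend=true
        selected=true
        ;;
      -d|--database)
        run_database=true
        selected=true
        ;;
      -s|--security)
        run_security=true
        selected=true
        ;;
      -i|--infrastructure)
        run_infrastructure=true
        selected=true
        ;;
      --live)
        # Consumed by the individual audit scripts, not by this runner.
        export INCLUDE_LIVE_CHECKS=true
        ;;
      *)
        echo -e "${RED}Unknown option: $1${NC}" >&2
        show_help
        exit 1
        ;;
    esac
    shift
  done

  if [ "$run_all" = true ] || [ "$selected" = false ]; then
    run_go=true
    run_frontend=true
    run_database=true
    run_security=true
    run_infrastructure=true
  fi

  # Selected audits in their fixed numbered order.
  local -a queue=()
  if [ "$run_go" = true ]; then queue+=("01-go-audit.sh"); fi
  if [ "$run_frontend" = true ]; then queue+=("02-typescript-vue-audit.sh"); fi
  if [ "$run_database" = true ]; then queue+=("03-sql-database-audit.sh"); fi
  if [ "$run_security" = true ]; then queue+=("04-security-audit.sh"); fi
  if [ "$run_infrastructure" = true ]; then queue+=("05-infrastructure-audit.sh"); fi

  mkdir -p "$MASTER_OUTPUT_DIR"

  print_banner

  local script
  for script in "${queue[@]}"; do
    # run_audit returns 1 for a missing script; that outcome is already
    # recorded as NOT_FOUND and must not let set -e abort the remaining
    # audits or the report generation.
    run_audit "$script" || true
  done

  generate_consolidated_report
  print_summary
}

main "$@"

# The exit status reports orchestration only: findings are in the report, so a
# pipeline that must fail on findings has to inspect the report itself.
exit 0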