406 lines
23 KiB
Bash
Executable File
406 lines
23 KiB
Bash
Executable File
#!/bin/bash
|
|
# =============================================================================
|
|
# COMPREHENSIVE SECURITY AUDIT SCRIPT
|
|
# OWASP Top 10, Authentication, Authorization, Secrets, and more
|
|
# =============================================================================
|
|
|
|
set -e
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
|
|
OUTPUT_DIR="$PROJECT_ROOT/audit-reports/security-audit"
|
|
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
|
|
|
|
# Colors
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m'
|
|
|
|
echo -e "${BLUE}========================================${NC}"
|
|
echo -e "${BLUE} COMPREHENSIVE SECURITY AUDIT${NC}"
|
|
echo -e "${BLUE}========================================${NC}"
|
|
echo ""
|
|
|
|
mkdir -p "$OUTPUT_DIR"
|
|
|
|
# =============================================================================
|
|
# 1. SECRET SCANNING (CRITICAL)
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[1/15] Scanning for hardcoded secrets...${NC}"
|
|
SECRETS_OUTPUT="$OUTPUT_DIR/secrets-$TIMESTAMP.txt"
|
|
echo "# Hardcoded Secrets Scan - $TIMESTAMP" > "$SECRETS_OUTPUT"
|
|
echo "SEVERITY: CRITICAL" >> "$SECRETS_OUTPUT"
|
|
echo "" >> "$SECRETS_OUTPUT"
|
|
|
|
echo "== API Keys ==" >> "$SECRETS_OUTPUT"
|
|
grep -rniE "(api[_-]?key|apikey)\s*[:=]\s*['\"][a-zA-Z0-9]{16,}['\"]" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --include="*.vue" --include="*.json" --include="*.yml" --include="*.yaml" --exclude-dir=node_modules --exclude-dir=.git 2>/dev/null >> "$SECRETS_OUTPUT" || echo "None found" >> "$SECRETS_OUTPUT"
|
|
echo "" >> "$SECRETS_OUTPUT"
|
|
|
|
echo "== Passwords ==" >> "$SECRETS_OUTPUT"
|
|
grep -rniE "(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --include="*.vue" --include="*.json" --include="*.yml" --exclude-dir=node_modules --exclude-dir=.git 2>/dev/null >> "$SECRETS_OUTPUT" || echo "None found" >> "$SECRETS_OUTPUT"
|
|
echo "" >> "$SECRETS_OUTPUT"
|
|
|
|
echo "== Private Keys ==" >> "$SECRETS_OUTPUT"
|
|
grep -rn "PRIVATE KEY\|-----BEGIN RSA\|-----BEGIN EC" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --include="*.pem" --include="*.key" --exclude-dir=node_modules --exclude-dir=.git 2>/dev/null >> "$SECRETS_OUTPUT" || echo "None found" >> "$SECRETS_OUTPUT"
|
|
echo "" >> "$SECRETS_OUTPUT"
|
|
|
|
echo "== JWT Secrets ==" >> "$SECRETS_OUTPUT"
|
|
grep -rniE "jwt[_-]?secret\s*[:=]\s*['\"][^'\"]+['\"]" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --include="*.yml" --exclude-dir=node_modules --exclude-dir=.git 2>/dev/null >> "$SECRETS_OUTPUT" || echo "None found" >> "$SECRETS_OUTPUT"
|
|
echo "" >> "$SECRETS_OUTPUT"
|
|
|
|
echo "== Stripe Keys ==" >> "$SECRETS_OUTPUT"
|
|
grep -rn "sk_live_\|sk_test_\|pk_live_\|pk_test_" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --include="*.vue" --exclude-dir=node_modules --exclude-dir=.git 2>/dev/null >> "$SECRETS_OUTPUT" || echo "None found" >> "$SECRETS_OUTPUT"
|
|
echo "" >> "$SECRETS_OUTPUT"
|
|
|
|
echo "== AWS Credentials ==" >> "$SECRETS_OUTPUT"
|
|
grep -rniE "AKIA[0-9A-Z]{16}" "$PROJECT_ROOT" --exclude-dir=node_modules --exclude-dir=.git 2>/dev/null >> "$SECRETS_OUTPUT" || echo "None found" >> "$SECRETS_OUTPUT"
|
|
echo "" >> "$SECRETS_OUTPUT"
|
|
|
|
echo "== Base64 Encoded Secrets ==" >> "$SECRETS_OUTPUT"
|
|
grep -rnoE "['\"][A-Za-z0-9+/]{40,}={0,2}['\"]" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --exclude-dir=node_modules --exclude-dir=.git 2>/dev/null | head -20 >> "$SECRETS_OUTPUT" || echo "None found" >> "$SECRETS_OUTPUT"
|
|
echo -e "${GREEN} Output: $SECRETS_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 2. AUTHENTICATION AUDIT
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[2/15] Auditing authentication mechanisms...${NC}"
|
|
AUTH_OUTPUT="$OUTPUT_DIR/authentication-$TIMESTAMP.txt"
|
|
echo "# Authentication Audit - $TIMESTAMP" > "$AUTH_OUTPUT"
|
|
|
|
echo "== JWT Implementation ==" >> "$AUTH_OUTPUT"
|
|
grep -rn "jwt\|JWT\|token" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null | head -50 >> "$AUTH_OUTPUT" || echo "None found" >> "$AUTH_OUTPUT"
|
|
echo "" >> "$AUTH_OUTPUT"
|
|
|
|
echo "== Token Expiration Settings ==" >> "$AUTH_OUTPUT"
|
|
grep -rn "exp\|Expir\|ttl\|TTL" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$AUTH_OUTPUT" || echo "None found - POTENTIAL ISSUE" >> "$AUTH_OUTPUT"
|
|
echo "" >> "$AUTH_OUTPUT"
|
|
|
|
echo "== Password Hashing ==" >> "$AUTH_OUTPUT"
|
|
grep -rn "bcrypt\|argon2\|scrypt\|pbkdf2\|GenerateFromPassword" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$AUTH_OUTPUT" || echo "No password hashing found - CRITICAL" >> "$AUTH_OUTPUT"
|
|
echo "" >> "$AUTH_OUTPUT"
|
|
|
|
echo "== Weak Hashing (MD5, SHA1) ==" >> "$AUTH_OUTPUT"
|
|
grep -rn "md5\|sha1\|MD5\|SHA1" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$AUTH_OUTPUT" || echo "None found - good" >> "$AUTH_OUTPUT"
|
|
echo "" >> "$AUTH_OUTPUT"
|
|
|
|
echo "== Session Management ==" >> "$AUTH_OUTPUT"
|
|
grep -rn "session\|cookie\|Cookie" "$PROJECT_ROOT" --include="*.go" --include="*.ts" 2>/dev/null | head -30 >> "$AUTH_OUTPUT" || echo "None found" >> "$AUTH_OUTPUT"
|
|
echo "" >> "$AUTH_OUTPUT"
|
|
|
|
echo "== Refresh Token Implementation ==" >> "$AUTH_OUTPUT"
|
|
grep -rn "refresh.*token\|refreshToken" "$PROJECT_ROOT" --include="*.go" --include="*.ts" 2>/dev/null >> "$AUTH_OUTPUT" || echo "No refresh token found - sessions may expire abruptly" >> "$AUTH_OUTPUT"
|
|
echo -e "${GREEN} Output: $AUTH_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 3. AUTHORIZATION AUDIT (RBAC/ABAC)
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[3/15] Auditing authorization controls...${NC}"
|
|
AUTHZ_OUTPUT="$OUTPUT_DIR/authorization-$TIMESTAMP.txt"
|
|
echo "# Authorization Audit - $TIMESTAMP" > "$AUTHZ_OUTPUT"
|
|
|
|
echo "== Role Checks ==" >> "$AUTHZ_OUTPUT"
|
|
grep -rn "role\|Role\|ROLE\|permission\|Permission" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null | head -50 >> "$AUTHZ_OUTPUT" || echo "None found" >> "$AUTHZ_OUTPUT"
|
|
echo "" >> "$AUTHZ_OUTPUT"
|
|
|
|
echo "== Admin-Only Endpoints ==" >> "$AUTHZ_OUTPUT"
|
|
grep -rn "ADMIN\|admin\|requireRole.*ADMIN" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$AUTHZ_OUTPUT" || echo "None found" >> "$AUTHZ_OUTPUT"
|
|
echo "" >> "$AUTHZ_OUTPUT"
|
|
|
|
echo "== Ownership Checks (IDOR Prevention) ==" >> "$AUTHZ_OUTPUT"
|
|
grep -rn "user_id\|userID\|client_id\|owner" "$PROJECT_ROOT/backend" --include="*.go" | grep -i "where\|if\|check" | head -30 >> "$AUTHZ_OUTPUT" || echo "None found - potential IDOR" >> "$AUTHZ_OUTPUT"
|
|
echo "" >> "$AUTHZ_OUTPUT"
|
|
|
|
echo "== Middleware Protection ==" >> "$AUTHZ_OUTPUT"
|
|
grep -rn "middleware\|Middleware\|authMiddleware\|requireAuth" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$AUTHZ_OUTPUT" || echo "None found" >> "$AUTHZ_OUTPUT"
|
|
echo "" >> "$AUTHZ_OUTPUT"
|
|
|
|
echo "== Unprotected Routes ==" >> "$AUTHZ_OUTPUT"
|
|
grep -rn 'http.HandleFunc\|HandleFunc' "$PROJECT_ROOT/backend" --include="*.go" | grep -v "auth\|middleware\|protected" >> "$AUTHZ_OUTPUT" || echo "None found" >> "$AUTHZ_OUTPUT"
|
|
echo -e "${GREEN} Output: $AUTHZ_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 4. INPUT VALIDATION AUDIT
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[4/15] Auditing input validation...${NC}"
|
|
INPUT_OUTPUT="$OUTPUT_DIR/input-validation-$TIMESTAMP.txt"
|
|
echo "# Input Validation Audit - $TIMESTAMP" > "$INPUT_OUTPUT"
|
|
|
|
echo "== JSON Decoding (check for validation after) ==" >> "$INPUT_OUTPUT"
|
|
grep -rn "json.Decode\|json.Unmarshal" "$PROJECT_ROOT/backend" --include="*.go" -A 5 2>/dev/null | head -50 >> "$INPUT_OUTPUT" || echo "None found" >> "$INPUT_OUTPUT"
|
|
echo "" >> "$INPUT_OUTPUT"
|
|
|
|
echo "== Input Sanitization ==" >> "$INPUT_OUTPUT"
|
|
grep -rn "sanitize\|Sanitize\|escape\|Escape\|html.EscapeString" "$PROJECT_ROOT" --include="*.go" --include="*.ts" 2>/dev/null >> "$INPUT_OUTPUT" || echo "No sanitization found - CHECK XSS" >> "$INPUT_OUTPUT"
|
|
echo "" >> "$INPUT_OUTPUT"
|
|
|
|
echo "== Regex Validation ==" >> "$INPUT_OUTPUT"
|
|
grep -rn "regexp\|Regexp\|regex\|pattern" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$INPUT_OUTPUT" || echo "None found" >> "$INPUT_OUTPUT"
|
|
echo "" >> "$INPUT_OUTPUT"
|
|
|
|
echo "== Length/Size Validation ==" >> "$INPUT_OUTPUT"
|
|
grep -rn "len(\|maxLength\|minLength\|MaxLength\|MinLength" "$PROJECT_ROOT" --include="*.go" --include="*.ts" 2>/dev/null | head -30 >> "$INPUT_OUTPUT" || echo "None found" >> "$INPUT_OUTPUT"
|
|
echo -e "${GREEN} Output: $INPUT_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 5. XSS VULNERABILITY SCAN
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[5/15] Scanning for XSS vulnerabilities...${NC}"
|
|
XSS_OUTPUT="$OUTPUT_DIR/xss-$TIMESTAMP.txt"
|
|
echo "# XSS Vulnerability Scan - $TIMESTAMP" > "$XSS_OUTPUT"
|
|
|
|
echo "== v-html Usage (Vue XSS vector) ==" >> "$XSS_OUTPUT"
|
|
grep -rn "v-html" "$PROJECT_ROOT/frontend" --include="*.vue" 2>/dev/null >> "$XSS_OUTPUT" || echo "None found" >> "$XSS_OUTPUT"
|
|
echo "" >> "$XSS_OUTPUT"
|
|
|
|
echo "== innerHTML Usage ==" >> "$XSS_OUTPUT"
|
|
grep -rn "innerHTML" "$PROJECT_ROOT" --include="*.ts" --include="*.vue" --include="*.go" 2>/dev/null >> "$XSS_OUTPUT" || echo "None found" >> "$XSS_OUTPUT"
|
|
echo "" >> "$XSS_OUTPUT"
|
|
|
|
echo "== document.write Usage ==" >> "$XSS_OUTPUT"
|
|
grep -rn "document.write" "$PROJECT_ROOT/frontend" --include="*.ts" --include="*.vue" 2>/dev/null >> "$XSS_OUTPUT" || echo "None found" >> "$XSS_OUTPUT"
|
|
echo "" >> "$XSS_OUTPUT"
|
|
|
|
echo "== Template Literal Injection ==" >> "$XSS_OUTPUT"
|
|
grep -rn '\${' "$PROJECT_ROOT/frontend" --include="*.vue" | grep -v "class\|style" | head -30 >> "$XSS_OUTPUT" || echo "None found" >> "$XSS_OUTPUT"
|
|
echo -e "${GREEN} Output: $XSS_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 6. CSRF PROTECTION AUDIT
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[6/15] Auditing CSRF protection...${NC}"
|
|
CSRF_OUTPUT="$OUTPUT_DIR/csrf-$TIMESTAMP.txt"
|
|
echo "# CSRF Protection Audit - $TIMESTAMP" > "$CSRF_OUTPUT"
|
|
|
|
echo "== CSRF Token Implementation ==" >> "$CSRF_OUTPUT"
|
|
grep -rn "csrf\|CSRF\|xsrf\|XSRF" "$PROJECT_ROOT" --include="*.go" --include="*.ts" 2>/dev/null >> "$CSRF_OUTPUT" || echo "No CSRF protection found - CHECK IF NEEDED" >> "$CSRF_OUTPUT"
|
|
echo "" >> "$CSRF_OUTPUT"
|
|
|
|
echo "== SameSite Cookie Attribute ==" >> "$CSRF_OUTPUT"
|
|
grep -rn "SameSite\|samesite" "$PROJECT_ROOT" --include="*.go" --include="*.ts" 2>/dev/null >> "$CSRF_OUTPUT" || echo "Not found" >> "$CSRF_OUTPUT"
|
|
echo "" >> "$CSRF_OUTPUT"
|
|
|
|
echo "== CORS Configuration ==" >> "$CSRF_OUTPUT"
|
|
grep -rn "CORS\|cors\|Access-Control\|AllowOrigin" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --include="*.yml" 2>/dev/null >> "$CSRF_OUTPUT" || echo "Not found" >> "$CSRF_OUTPUT"
|
|
echo -e "${GREEN} Output: $CSRF_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 7. SECURITY HEADERS AUDIT
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[7/15] Auditing security headers...${NC}"
|
|
HEADERS_OUTPUT="$OUTPUT_DIR/security-headers-$TIMESTAMP.txt"
|
|
echo "# Security Headers Audit - $TIMESTAMP" > "$HEADERS_OUTPUT"
|
|
|
|
echo "== Content-Security-Policy ==" >> "$HEADERS_OUTPUT"
|
|
grep -rn "Content-Security-Policy\|CSP" "$PROJECT_ROOT" --include="*.go" --include="*.ts" --include="*.html" 2>/dev/null >> "$HEADERS_OUTPUT" || echo "NOT FOUND - Should implement" >> "$HEADERS_OUTPUT"
|
|
echo "" >> "$HEADERS_OUTPUT"
|
|
|
|
echo "== X-Content-Type-Options ==" >> "$HEADERS_OUTPUT"
|
|
grep -rn "X-Content-Type-Options\|nosniff" "$PROJECT_ROOT" --include="*.go" 2>/dev/null >> "$HEADERS_OUTPUT" || echo "NOT FOUND" >> "$HEADERS_OUTPUT"
|
|
echo "" >> "$HEADERS_OUTPUT"
|
|
|
|
echo "== X-Frame-Options ==" >> "$HEADERS_OUTPUT"
|
|
grep -rn "X-Frame-Options\|DENY\|SAMEORIGIN" "$PROJECT_ROOT" --include="*.go" 2>/dev/null >> "$HEADERS_OUTPUT" || echo "NOT FOUND - Clickjacking risk" >> "$HEADERS_OUTPUT"
|
|
echo "" >> "$HEADERS_OUTPUT"
|
|
|
|
echo "== Strict-Transport-Security ==" >> "$HEADERS_OUTPUT"
|
|
grep -rn "Strict-Transport-Security\|HSTS" "$PROJECT_ROOT" --include="*.go" --include="*.conf" 2>/dev/null >> "$HEADERS_OUTPUT" || echo "NOT FOUND" >> "$HEADERS_OUTPUT"
|
|
echo "" >> "$HEADERS_OUTPUT"
|
|
|
|
echo "== X-XSS-Protection ==" >> "$HEADERS_OUTPUT"
|
|
grep -rn "X-XSS-Protection" "$PROJECT_ROOT" --include="*.go" 2>/dev/null >> "$HEADERS_OUTPUT" || echo "NOT FOUND" >> "$HEADERS_OUTPUT"
|
|
echo -e "${GREEN} Output: $HEADERS_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 8. RATE LIMITING AUDIT
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[8/15] Auditing rate limiting...${NC}"
|
|
RATE_OUTPUT="$OUTPUT_DIR/rate-limiting-$TIMESTAMP.txt"
|
|
echo "# Rate Limiting Audit - $TIMESTAMP" > "$RATE_OUTPUT"
|
|
|
|
echo "== Rate Limiter Implementation ==" >> "$RATE_OUTPUT"
|
|
grep -rn "rate\|Rate\|limit\|Limit\|throttle\|Throttle" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$RATE_OUTPUT" || echo "NO RATE LIMITING FOUND - CRITICAL for auth endpoints" >> "$RATE_OUTPUT"
|
|
echo "" >> "$RATE_OUTPUT"
|
|
|
|
echo "== Login Attempt Limiting ==" >> "$RATE_OUTPUT"
|
|
grep -rn "attempt\|Attempt\|failed.*login\|lock.*account" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$RATE_OUTPUT" || echo "No brute force protection found" >> "$RATE_OUTPUT"
|
|
echo -e "${GREEN} Output: $RATE_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 9. FILE UPLOAD SECURITY
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[9/15] Auditing file upload security...${NC}"
|
|
UPLOAD_OUTPUT="$OUTPUT_DIR/file-upload-$TIMESTAMP.txt"
|
|
echo "# File Upload Security Audit - $TIMESTAMP" > "$UPLOAD_OUTPUT"
|
|
|
|
echo "== File Upload Handlers ==" >> "$UPLOAD_OUTPUT"
|
|
grep -rn "multipart\|FormFile\|upload\|Upload" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$UPLOAD_OUTPUT" || echo "No file uploads found" >> "$UPLOAD_OUTPUT"
|
|
echo "" >> "$UPLOAD_OUTPUT"
|
|
|
|
echo "== File Type Validation ==" >> "$UPLOAD_OUTPUT"
|
|
grep -rn "mime\|MIME\|ContentType\|content-type" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$UPLOAD_OUTPUT" || echo "None found" >> "$UPLOAD_OUTPUT"
|
|
echo "" >> "$UPLOAD_OUTPUT"
|
|
|
|
echo "== Path Traversal Prevention ==" >> "$UPLOAD_OUTPUT"
|
|
grep -rn "filepath.Clean\|path.Clean\|\.\.\/" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$UPLOAD_OUTPUT" || echo "None found - check for path traversal" >> "$UPLOAD_OUTPUT"
|
|
echo -e "${GREEN} Output: $UPLOAD_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 10. CRYPTOGRAPHY AUDIT
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[10/15] Auditing cryptography usage...${NC}"
|
|
CRYPTO_OUTPUT="$OUTPUT_DIR/cryptography-$TIMESTAMP.txt"
|
|
echo "# Cryptography Audit - $TIMESTAMP" > "$CRYPTO_OUTPUT"
|
|
|
|
echo "== Random Number Generation ==" >> "$CRYPTO_OUTPUT"
|
|
grep -rn "math/rand\|rand.Int\|rand.Read" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$CRYPTO_OUTPUT" || echo "None found" >> "$CRYPTO_OUTPUT"
|
|
echo "" >> "$CRYPTO_OUTPUT"
|
|
|
|
echo "== Cryptographically Secure Random ==" >> "$CRYPTO_OUTPUT"
|
|
grep -rn "crypto/rand" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$CRYPTO_OUTPUT" || echo "NOT USING crypto/rand - use for security-sensitive randomness" >> "$CRYPTO_OUTPUT"
|
|
echo "" >> "$CRYPTO_OUTPUT"
|
|
|
|
echo "== Encryption Usage ==" >> "$CRYPTO_OUTPUT"
|
|
grep -rn "aes\|AES\|encrypt\|Encrypt\|cipher" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$CRYPTO_OUTPUT" || echo "None found" >> "$CRYPTO_OUTPUT"
|
|
echo "" >> "$CRYPTO_OUTPUT"
|
|
|
|
echo "== TLS/SSL Configuration ==" >> "$CRYPTO_OUTPUT"
|
|
grep -rn "tls\|TLS\|https\|HTTPS\|ssl\|SSL" "$PROJECT_ROOT" --include="*.go" --include="*.yml" 2>/dev/null | head -30 >> "$CRYPTO_OUTPUT" || echo "None found" >> "$CRYPTO_OUTPUT"
|
|
echo -e "${GREEN} Output: $CRYPTO_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 11. ERROR HANDLING & INFO LEAKAGE
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[11/15] Auditing error handling for info leakage...${NC}"
|
|
ERRORS_OUTPUT="$OUTPUT_DIR/error-leakage-$TIMESTAMP.txt"
|
|
echo "# Error Handling & Information Leakage - $TIMESTAMP" > "$ERRORS_OUTPUT"
|
|
|
|
echo "== Stack Traces Exposed ==" >> "$ERRORS_OUTPUT"
|
|
grep -rn "debug.PrintStack\|runtime.Stack\|panic.*err" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$ERRORS_OUTPUT" || echo "None found" >> "$ERRORS_OUTPUT"
|
|
echo "" >> "$ERRORS_OUTPUT"
|
|
|
|
echo "== Verbose Error Messages ==" >> "$ERRORS_OUTPUT"
|
|
grep -rn 'http.Error.*err.Error\|json.Encode.*error' "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$ERRORS_OUTPUT" || echo "None found" >> "$ERRORS_OUTPUT"
|
|
echo "" >> "$ERRORS_OUTPUT"
|
|
|
|
echo "== Database Errors Exposed ==" >> "$ERRORS_OUTPUT"
|
|
grep -rn "sql.*error\|database.*error" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null | grep -i "http\|response\|json" >> "$ERRORS_OUTPUT" || echo "None found" >> "$ERRORS_OUTPUT"
|
|
echo -e "${GREEN} Output: $ERRORS_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 12. LOGGING AUDIT
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[12/15] Auditing logging practices...${NC}"
|
|
LOGGING_OUTPUT="$OUTPUT_DIR/logging-$TIMESTAMP.txt"
|
|
echo "# Logging Audit - $TIMESTAMP" > "$LOGGING_OUTPUT"
|
|
|
|
echo "== Sensitive Data in Logs ==" >> "$LOGGING_OUTPUT"
|
|
grep -rn "log.*password\|log.*token\|log.*secret\|log.*key" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$LOGGING_OUTPUT" || echo "None found" >> "$LOGGING_OUTPUT"
|
|
echo "" >> "$LOGGING_OUTPUT"
|
|
|
|
echo "== PII in Logs ==" >> "$LOGGING_OUTPUT"
|
|
grep -rn "log.*email\|log.*phone\|log.*address" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null >> "$LOGGING_OUTPUT" || echo "None found" >> "$LOGGING_OUTPUT"
|
|
echo "" >> "$LOGGING_OUTPUT"
|
|
|
|
echo "== Structured Logging ==" >> "$LOGGING_OUTPUT"
|
|
grep -rn "log.Printf\|log.Println\|fmt.Printf" "$PROJECT_ROOT/backend" --include="*.go" 2>/dev/null | wc -l >> "$LOGGING_OUTPUT"
|
|
echo " unstructured log calls found (consider structured logging)" >> "$LOGGING_OUTPUT"
|
|
echo -e "${GREEN} Output: $LOGGING_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 13. DEPENDENCY VULNERABILITIES
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[13/15] Scanning dependency vulnerabilities...${NC}"
|
|
VULN_OUTPUT="$OUTPUT_DIR/vulnerabilities-$TIMESTAMP.txt"
|
|
echo "# Dependency Vulnerability Scan - $TIMESTAMP" > "$VULN_OUTPUT"
|
|
|
|
echo "== Go Dependencies (govulncheck) ==" >> "$VULN_OUTPUT"
|
|
if command -v govulncheck &> /dev/null; then
|
|
for service_dir in "$PROJECT_ROOT/backend/functions"/*/; do
|
|
if [ -f "$service_dir/go.mod" ]; then
|
|
echo "Scanning: $(basename "$service_dir")" >> "$VULN_OUTPUT"
|
|
(cd "$service_dir" && govulncheck ./... 2>&1) >> "$VULN_OUTPUT" || true
|
|
echo "" >> "$VULN_OUTPUT"
|
|
fi
|
|
done
|
|
else
|
|
echo "govulncheck not installed" >> "$VULN_OUTPUT"
|
|
fi
|
|
echo "" >> "$VULN_OUTPUT"
|
|
|
|
echo "== PNPM Dependencies (pnpm audit) ==" >> "$VULN_OUTPUT"
|
|
if [ -d "$PROJECT_ROOT/frontend" ]; then
|
|
(cd "$PROJECT_ROOT/frontend" && pnpm audit 2>&1) >> "$VULN_OUTPUT" || true
|
|
fi
|
|
echo -e "${GREEN} Output: $VULN_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 14. CONTAINER SECURITY
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[14/15] Auditing container security...${NC}"
|
|
CONTAINER_OUTPUT="$OUTPUT_DIR/container-security-$TIMESTAMP.txt"
|
|
echo "# Container Security Audit - $TIMESTAMP" > "$CONTAINER_OUTPUT"
|
|
|
|
echo "== Running as Root ==" >> "$CONTAINER_OUTPUT"
|
|
grep -rn "USER\|user:" "$PROJECT_ROOT" --include="Containerfile" --include="Dockerfile" --include="*.yml" 2>/dev/null >> "$CONTAINER_OUTPUT" || echo "No USER directive found - likely running as root" >> "$CONTAINER_OUTPUT"
|
|
echo "" >> "$CONTAINER_OUTPUT"
|
|
|
|
echo "== Privileged Mode ==" >> "$CONTAINER_OUTPUT"
|
|
grep -rn "privileged\|--privileged" "$PROJECT_ROOT" --include="*.yml" --include="*.yaml" 2>/dev/null >> "$CONTAINER_OUTPUT" || echo "None found" >> "$CONTAINER_OUTPUT"
|
|
echo "" >> "$CONTAINER_OUTPUT"
|
|
|
|
echo "== Exposed Ports ==" >> "$CONTAINER_OUTPUT"
|
|
grep -rn "EXPOSE\|ports:" "$PROJECT_ROOT" --include="Containerfile" --include="Dockerfile" --include="*.yml" 2>/dev/null >> "$CONTAINER_OUTPUT" || echo "None found" >> "$CONTAINER_OUTPUT"
|
|
echo "" >> "$CONTAINER_OUTPUT"
|
|
|
|
echo "== Secrets in Container Build ==" >> "$CONTAINER_OUTPUT"
|
|
grep -rn "ENV.*SECRET\|ENV.*PASSWORD\|ENV.*KEY" "$PROJECT_ROOT" --include="Containerfile" --include="Dockerfile" 2>/dev/null >> "$CONTAINER_OUTPUT" || echo "None found in build files" >> "$CONTAINER_OUTPUT"
|
|
echo -e "${GREEN} Output: $CONTAINER_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# 15. GIT SECURITY
|
|
# =============================================================================
|
|
echo -e "${YELLOW}[15/15] Auditing git security...${NC}"
|
|
GIT_OUTPUT="$OUTPUT_DIR/git-security-$TIMESTAMP.txt"
|
|
echo "# Git Security Audit - $TIMESTAMP" > "$GIT_OUTPUT"
|
|
|
|
echo "== .gitignore Coverage ==" >> "$GIT_OUTPUT"
|
|
if [ -f "$PROJECT_ROOT/.gitignore" ]; then
|
|
cat "$PROJECT_ROOT/.gitignore" >> "$GIT_OUTPUT"
|
|
else
|
|
echo "NO .gitignore FILE FOUND - CRITICAL" >> "$GIT_OUTPUT"
|
|
fi
|
|
echo "" >> "$GIT_OUTPUT"
|
|
|
|
echo "== Secrets in Git History ==" >> "$GIT_OUTPUT"
|
|
echo "Run: git log -p --all -S 'password' to check history" >> "$GIT_OUTPUT"
|
|
echo "Run: git log -p --all -S 'secret' to check history" >> "$GIT_OUTPUT"
|
|
echo "Run: git log -p --all -S 'api_key' to check history" >> "$GIT_OUTPUT"
|
|
echo "" >> "$GIT_OUTPUT"
|
|
|
|
echo "== Sensitive Files in Repo ==" >> "$GIT_OUTPUT"
|
|
find "$PROJECT_ROOT" -name ".env" -o -name "*.pem" -o -name "*.key" -o -name "credentials*" 2>/dev/null | grep -v node_modules >> "$GIT_OUTPUT" || echo "None found" >> "$GIT_OUTPUT"
|
|
echo -e "${GREEN} Output: $GIT_OUTPUT${NC}"
|
|
|
|
# =============================================================================
|
|
# SUMMARY
|
|
# =============================================================================
|
|
echo ""
|
|
echo -e "${BLUE}========================================${NC}"
|
|
echo -e "${BLUE} SECURITY AUDIT COMPLETE${NC}"
|
|
echo -e "${BLUE}========================================${NC}"
|
|
echo ""
|
|
echo -e "Reports generated in: ${GREEN}$OUTPUT_DIR${NC}"
|
|
echo ""
|
|
echo "Files generated:"
|
|
ls -la "$OUTPUT_DIR"/*$TIMESTAMP* 2>/dev/null || echo "No files generated"
|
|
|
|
# Critical findings summary
|
|
echo ""
|
|
echo -e "${RED}=== CRITICAL ITEMS TO REVIEW ===${NC}"
|
|
echo "1. Check secrets-$TIMESTAMP.txt for hardcoded credentials"
|
|
echo "2. Check authentication-$TIMESTAMP.txt for auth weaknesses"
|
|
echo "3. Check authorization-$TIMESTAMP.txt for access control gaps"
|
|
echo "4. Check vulnerabilities-$TIMESTAMP.txt for CVEs"
|