With the increasing complexity of modern applications, security vulnerabilities in code and deployed websites have become a major concern. The growing volume of code generated by AI/LLMs adds to the problem, introducing security flaws that leave software more exposed to cyber attacks. Traditional security testing methods require deep technical expertise, making them inaccessible to non-technical users. This project was inspired by the need for a real-time, automated security solution that not only detects vulnerabilities but also explains, visualizes, and automates security workflows to help users fix them effectively.
Through this project, we explored:
- Common Security Issues: Covering vulnerabilities from OWASP Top 10 and SANS 25.
- Code and Deployment Security Scanning: Using Nmap, Gobuster, Nikto, SQLMap, and WPScan to detect threats.
- Conversational AI for Security: Enabling users to "talk to their code" and get explanations on vulnerabilities.
- Automated Security Workflows: Allowing users to create custom no-code security workflows for continuous monitoring.
- Flowchart-Based Remediation: Providing step-by-step visual guides to help users fix vulnerabilities.
- GitHub API Integration: Implementing authentication, repository permissions, and access management.
This project integrates multiple components to provide a complete security automation solution.
- Users sign up using GitHub OAuth and grant selective or full repository permissions.
- For authorized repositories, we fetch access and refresh tokens to scan and analyze vulnerabilities in real time.
- Each repository has the "Talk to Your Code" feature, where users can interact with their code to identify vulnerabilities and get remediation steps with AI-generated flowcharts.
Users can create custom no-code workflows to automate security scanning for both code and deployed websites.
For a code repository:

- Trigger Node Setup: Users configure a trigger node by selecting a repository URL and setting the scan frequency.
- Security Scan Nodes: Users select various security checks:
  - OWASP Check: Scans for vulnerabilities in the OWASP Top 10.
  - SANS AI Check: Identifies vulnerabilities based on SANS 25 guidelines.
  - Other Security Nodes: Additional security checks for code weaknesses and misconfigurations.
- Flowchart Node: Generates an interactive flowchart explaining security flaws and how to fix them step-by-step.
- Report Nodes: Users can select any/all of the following reporting methods:
  - Slack Alerts: Sends vulnerability reports to configured Slack channels.
  - GitHub Issues: Automatically creates GitHub issues for detected security threats.
  - Email Reports: Sends a detailed report via email.

For a deployed website:

- Trigger Node Setup: Users provide a domain URL and select the scan frequency.
- Security Scan Nodes: Users can select:
  - Gobuster: Scans for hidden directories and files.
  - Nikto: Checks for misconfigured security settings.
  - Nmap: Performs network vulnerability scanning.
  - SQLMap: Detects SQL injection vulnerabilities.
  - WPScan: Identifies vulnerabilities in WordPress deployments.
- Flowchart Node: Generates a step-by-step remediation flowchart.
- Report Nodes: Sends reports via Slack, GitHub Issues, or Email.
- All reports are stored for future reference.
- Users can regenerate any report with a single click for updated results.
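A workflow built from trigger, scan, flowchart and report nodes is a small graph, and the backend should validate that graph before scheduling anything: one trigger, scan tools that match the trigger type, a report node that is actually connected, a sane scan interval, and, for website scans, a domain the account has verified it owns. The following validator is an added example, not the project's own code. The node and edge shape follows what a Reactflow canvas exports (`{ id, type, data }` nodes, `{ source, target }` edges); the node type names, `data` fields, tool identifiers, the 60-minute interval floor and the `verifiedDomains` list are this example's assumptions.

```javascript
// Added example (not the project's own code): validate a no-code workflow graph
// before it is scheduled. Node types, data fields and limits are assumed.
const CODE_TOOLS = new Set(['owasp', 'sans']);
const SITE_TOOLS = new Set(['gobuster', 'nikto', 'nmap', 'sqlmap', 'wpscan']);
const REPORT_CHANNELS = new Set(['slack', 'github_issue', 'email']);
const MIN_INTERVAL_MINUTES = 60; // assumed floor so a scheduled scan cannot hammer its target

// Set of node ids reachable from the trigger by following edges (plain DFS).
function reachableFrom(startId, edges) {
  const adj = new Map();
  for (const { source, target } of edges) {
    if (!adj.has(source)) adj.set(source, []);
    adj.get(source).push(target);
  }
  const seen = new Set([startId]);
  const stack = [startId];
  while (stack.length > 0) {
    const id = stack.pop();
    for (const next of adj.get(id) || []) {
      if (!seen.has(next)) { seen.add(next); stack.push(next); }
    }
  }
  return seen;
}

// Returns { ok, errors }. `verifiedDomains` lists domains the account has proven
// it owns; a website trigger may only point at one of them.
function validateWorkflow(workflow, verifiedDomains) {
  const errors = [];
  const nodes = workflow.nodes || [];
  const edges = workflow.edges || [];
  const ids = new Set(nodes.map((n) => n.id));

  for (const e of edges) {
    if (!ids.has(e.source) || !ids.has(e.target)) {
      errors.push(`edge ${e.source}->${e.target} references an unknown node`);
    }
  }

  const triggers = nodes.filter((n) => n.type === 'trigger');
  if (triggers.length !== 1) errors.push(`expected exactly one trigger node, found ${triggers.length}`);
  const trigger = triggers[0];
  let allowedTools = new Set();
  if (trigger) {
    const { repoUrl, domain, intervalMinutes } = trigger.data || {};
    if (repoUrl && domain) {
      errors.push('trigger must target either a repository or a domain, not both');
    } else if (repoUrl) {
      allowedTools = CODE_TOOLS;
    } else if (domain) {
      allowedTools = SITE_TOOLS;
      if (!verifiedDomains.includes(domain)) errors.push(`domain ${domain} is not verified for this account`);
    } else {
      errors.push('trigger needs a repoUrl or a domain');
    }
    if (!Number.isInteger(intervalMinutes) || intervalMinutes < MIN_INTERVAL_MINUTES) {
      errors.push(`scan interval must be an integer >= ${MIN_INTERVAL_MINUTES} minutes`);
    }
  }

  const reachable = trigger ? reachableFrom(trigger.id, edges) : new Set();
  for (const n of nodes) {
    const data = n.data || {};
    if (n.type === 'scan' && !allowedTools.has(data.tool)) {
      errors.push(`scan node ${n.id}: tool ${data.tool} is not valid for this trigger type`);
    }
    if (n.type === 'report' && !REPORT_CHANNELS.has(data.channel)) {
      errors.push(`report node ${n.id}: unknown channel ${data.channel}`);
    }
    if (n.type !== 'trigger' && !reachable.has(n.id)) {
      errors.push(`node ${n.id} is not connected to the trigger`);
    }
  }
  if (!nodes.some((n) => n.type === 'report')) errors.push('workflow has no report node; findings would be dropped');
  return { ok: errors.length === 0, errors };
}

// Constructed sample: website trigger -> two scans -> flowchart -> Slack report.
const sampleWorkflow = {
  nodes: [
    { id: 't1', type: 'trigger', data: { domain: 'example.com', intervalMinutes: 1440 } },
    { id: 's1', type: 'scan', data: { tool: 'nikto' } },
    { id: 's2', type: 'scan', data: { tool: 'wpscan' } },
    { id: 'f1', type: 'flowchart', data: {} },
    { id: 'r1', type: 'report', data: { channel: 'slack', target: '#security-alerts' } },
  ],
  edges: [
    { source: 't1', target: 's1' }, { source: 't1', target: 's2' },
    { source: 's1', target: 'f1' }, { source: 's2', target: 'f1' },
    { source: 'f1', target: 'r1' },
  ],
};

module.exports = { validateWorkflow, sampleWorkflow, MIN_INTERVAL_MINUTES };
```

The domain allowlist is the check that matters most: a scheduler that runs Nmap or SQLMap against any URL a user types turns the platform into a scanning proxy, so the trigger should only accept domains the account has verified.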
We used a combination of backend, frontend, security, and automation tools:
- Backend: Python, Django, Node.js
- Security Tools and Standards: Nmap, Gobuster, SQLMap, WPScan (tools); OWASP Top 10, SANS 25 (vulnerability checklists)
- Frontend: React, TypeScript, Tailwind CSS, ShadCN
- No-Code Workflow Engine: Reactflow
- APIs & Integrations: GitHub API
- Balancing Real-Time Scanning & Accuracy: Ensuring fast scans while reducing false positives.
- Building a Conversational AI for Security: Making security insights easy to understand for developers.
- Automating No-Code Workflows: Designing a flexible and scalable security automation framework.
- Generating Actionable Flowcharts: Ensuring AI-generated step-by-step remediation guides are clear and effective.
- Parallel Processing/Turnaround Time: Reducing the Gobuster turnaround time from 15 minutes to less than 5 minutes.
Ensure you have the following installed on your system:
Clone the repository:

```shell
git clone https://github.com/CHIRAG137/AaaS-Labs-Node-Backend.git
cd AaaS-Labs-Node-Backend
```

Install dependencies using npm:

```shell
npm install
```

or using yarn:

```shell
yarn install
```

Create a .env file in the root directory and add the necessary configurations (the values below are placeholders to be replaced with your own):

```
PORT=3000
MONGO_URI=mongo_uri
GITHUB_CLIENT_ID=github_client_id
GITHUB_CLIENT_SECRET=github_client_secret
SESSION_SECRET=session_secret
OPENAI_API_KEY=open_ai_api_key
```

Start the development server using npm:

```shell
npm run dev
```

or using yarn:

```shell
yarn dev
```

The backend will run at http://localhost:3000.
```
backend/
├── src/
│   ├── controllers/   # API controllers
│   ├── routes/        # Express routes
│   ├── services/      # Business logic
│   ├── middlewares/   # Authentication & validation
│   ├── models/        # Mongoose models
│   └── config/        # Configuration files
├── .env               # Environment variables
└── package.json       # Dependencies & scripts
```
Authentication:

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/auth/github | Initiates GitHub OAuth |
| GET | /api/auth/callback | Handles the GitHub OAuth callback |
| GET | /api/auth/user | Fetch logged-in user info |
| GET | /api/auth/logout | Logout user |

GitHub:

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/github/repos | Fetch user repositories |
| GET | /api/github/repo/:owner/:repo | Fetch repository code |

Code analysis:

| Method | Endpoint | Description |
|---|---|---|
| POST | /api/code/security | Analyze code for vulnerabilities |
| POST | /api/code/query | Query insights about the code |

Flowchart:

| Method | Endpoint | Description |
|---|---|---|
| POST | /api/flowchart/generate | Generate security remediation flowchart |
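Every endpoint under `/api/github` and `/api/code` acts on GitHub with the user's token, so two checks belong in the `middlewares/` layer before any handler runs: the caller must have an authenticated session, and path parameters such as `:owner` and `:repo` must be validated before they are spliced into a GitHub API URL. The following is an added example, not the project's own code; it assumes express-session (so `req.session.githubToken` holds the token saved at OAuth time) and uses deliberately conservative approximations of GitHub's owner and repository naming rules. `fetchJson` is an injected HTTP client stand-in, not a library function.

```javascript
// Added example (not the project's own code): session guard and parameter
// validation for a route like GET /api/github/repo/:owner/:repo.
const OWNER_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?$/; // 1-39 chars, no leading/trailing '-'
const REPO_RE = /^[A-Za-z0-9_.-]{1,100}$/;

function isValidOwner(s) {
  return typeof s === 'string' && OWNER_RE.test(s);
}

function isValidRepo(s) {
  return typeof s === 'string' && REPO_RE.test(s) && s !== '.' && s !== '..';
}

// Returns null when the params are usable, otherwise a message for a 400 response.
function validateRepoParams(params) {
  if (!isValidOwner(params.owner)) return 'invalid owner';
  if (!isValidRepo(params.repo)) return 'invalid repository name';
  return null;
}

// Builds the GitHub REST URL from validated segments. Validation plus encoding
// keeps a crafted segment from changing which API resource the request reaches.
function buildRepoApiUrl(owner, repo) {
  const problem = validateRepoParams({ owner, repo });
  if (problem) throw new Error(problem);
  return `https://api.github.com/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}`;
}

// Express middleware: reject unauthenticated calls before any GitHub request is made.
function requireAuth(req, res, next) {
  if (!req.session || typeof req.session.githubToken !== 'string') {
    return res.status(401).json({ error: 'not authenticated' });
  }
  return next();
}

// Route handler. `fetchJson(url, token)` is injected so the handler can be wired
// to a real HTTP client in the app and to a stub in tests (assumed signature).
function repoHandler(fetchJson) {
  return async (req, res) => {
    const problem = validateRepoParams(req.params);
    if (problem) return res.status(400).json({ error: problem });
    // The token comes from the server-side session, never from the client request.
    const data = await fetchJson(buildRepoApiUrl(req.params.owner, req.params.repo), req.session.githubToken);
    return res.status(200).json(data);
  };
}

// Minimal stand-in for Express's res so the middleware can be exercised without a server.
function fakeRes() {
  return {
    statusCode: 0,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}

// Wiring in the app (assumed Express setup):
//   app.get('/api/github/repo/:owner/:repo', requireAuth, repoHandler(fetchJson));
module.exports = { isValidOwner, isValidRepo, validateRepoParams, buildRepoApiUrl, requireAuth, repoHandler, fakeRes };
```

Rejecting `..`, slashes and over-long names at the edge means the GitHub call can only ever target a well-formed `owner/repo` pair, and keeping the token in the session means a client cannot substitute someone else's token to read repositories it was not granted.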
This project empowers developers, security teams, and organizations by providing:

- ✔️ Real-time vulnerability detection
- ✔️ Conversational AI for security insights
- ✔️ Automated security workflows
- ✔️ Visual remediation guides
By making security more accessible and automated, we aim to reduce vulnerabilities and enhance software security effortlessly.