Utsavrai1/AaaS-Labs-Django-Backend
About the AaaS Labs - Automated Attack and Security Labs

Inspiration

With the increasing complexity of modern applications, security vulnerabilities in code and deployed websites have become a major concern. The growing volume of code generated by AI/LLMs adds to this: such code is often shipped without review, which leaves the resulting software more exposed to attack. Traditional security testing methods require deep technical expertise, making them inaccessible to non-technical users. This project was inspired by the need for a real-time, automated security solution that not only detects vulnerabilities but also explains, visualizes, and automates security workflows to help users fix them effectively.

What We Learned

Through this project, we explored:

  • Common Security Issues: Covering vulnerabilities from OWASP Top 10 and SANS 25.
  • Code and Deployment Security Scanning: Using Nmap, Gobuster, Nikto, SQLMap, and WPScan for detecting threats.
  • Conversational AI for Security: Enabling users to "talk to their code" and get explanations on vulnerabilities.
  • Automated Security Workflows: Allowing users to create custom no-code security workflows for continuous monitoring.
  • Flowchart-Based Remediation: Providing step-by-step visual guides to help users fix vulnerabilities.
  • GitHub API Integration: Implementing authentication, repository permissions, and access management.

How We Built It

This project integrates multiple components to provide a complete security automation solution.

🔒: GitHub Authentication & Repo Management

  • Users sign up using GitHub OAuth and grant selective or full repository permissions.
  • For authorized repositories, we fetch access and refresh tokens to scan and analyze vulnerabilities in real time.
  • Each repository has the "Talk to Your Code" feature, where users can interact with their code to identify vulnerabilities and get remediation steps with AI-generated flowcharts.

πŸ› οΈ: No-Code Security Workflows

Users can create custom no-code workflows to automate security scanning for both code and deployed websites.

βœ”οΈ: Code-Based Workflow

  1. Trigger Node Setup: Users configure a trigger node by selecting a repository URL and setting the scan frequency.
  2. Security Scan Nodes: Users select various security checks:
    • OWASP Check: Scans for vulnerabilities in the OWASP Top 10.
    • SANS AI Check: Identifies vulnerabilities based on SANS 25 guidelines.
    • Other Security Nodes: Additional security checks for code weaknesses and misconfigurations.
  3. Flowchart Node: Generates an interactive flowchart explaining security flaws and how to fix them step-by-step.
  4. Report Nodes: Users can select any/all of the following reporting methods:
    • Slack Alerts: Sends vulnerability reports to configured Slack channels.
    • GitHub Issues: Automatically creates GitHub issues for detected security threats.
    • Email Reports: Sends a detailed report via email.

[Image: Codebase-Based Workflow flowchart]

[Image: Codebase-Based Workflow UML]

🌍: Domain-Based Workflow

  1. Trigger Node Setup: Users provide a domain URL and select the scan frequency.
  2. Security Scan Nodes: Users can select:
    • Gobuster: Scans for hidden directories and files.
    • Nikto: Checks for misconfigured security settings.
    • Nmap: Performs network vulnerability scanning.
    • SQLMap: Detects SQL injection vulnerabilities.
    • WPScan: Identifies vulnerabilities in WordPress deployments.
  3. Flowchart Node: Generates a step-by-step remediation flowchart.
  4. Report Nodes: Sends reports via Slack, GitHub Issues, or Email.

[Image: Domain Workflow flowchart]

[Image: Domain Workflow UML]

⌚: Report History & Regeneration

  • All reports are stored for future reference.
  • Users can regenerate any report with a single click for updated results.

πŸ—οΈ: Tech Stack

We used a combination of backend, frontend, security, and automation tools:

  • Backend: Python, Django, Node.js
  • Security Tools: Nmap, Gobuster, SQLMap, WPScan, OWASP Top 10, SANS 25
  • Frontend: React, TypeScript, Tailwind CSS, ShadCN
  • No-Code Workflow Engine: Reactflow
  • APIs & Integrations: GitHub API

Challenges We Faced

  • Balancing Real-Time Scanning & Accuracy: Ensuring fast scans while reducing false positives.
  • Building a Conversational AI for Security: Making security insights easy to understand for developers.
  • Automating No-Code Workflows: Designing a flexible and scalable security automation framework.
  • Generating Actionable Flowcharts: Ensuring AI-generated step-by-step remediation guides are clear and effective.
  • Parallel Processing/Turnaround Time: Reducing the Gobuster turnaround time from 15 mins to less than 5 mins.

🚀 Getting Started

This is the Django microservice for AaaSLabs. It provides a security scanning API with a single endpoint:

/api/gobuster/scan/

This endpoint generates a security report for a given domain.


Project Structure

├── .gitignore
├── AaaSLabs
│   ├── __init__.py
│   ├── asgi.py
│   ├── settings.py
│   ├── urls.py
│   └── wsgi.py
├── Dockerfile
├── Gobuster
│   ├── __init__.py
│   ├── admin.py
│   ├── apps.py
│   ├── models.py
│   ├── tests.py
│   ├── urls.py
│   └── views.py
├── LICENSE
├── ZeroVuln
│   ├── __init__.py
│   ├── admin.py
│   ├── apps.py
│   ├── migrations
│   │   └── __init__.py
│   ├── models.py
│   ├── tests.py
│   ├── urls.py
│   └── views.py
├── docker-compose.yaml
├── manage.py
├── nmap_scan.log
├── requirements.txt
└── wordlist
    └── common.txt

Prerequisites

Ensure you have the following installed on your system:

  • Docker
  • Docker Compose

Setup Instructions

1. Clone the Repository

git clone https://github.com/Utsavrai1/AaaS-Labs-Django-Backend.git
cd AaaS-Labs-Django-Backend

2. Build & Start the Containers

docker-compose up --build -d

Usage

API Endpoint

Run Gobuster Scan:

curl -X POST http://localhost:8000/api/gobuster/scan/ \
     -H "Content-Type: application/json" \
     -d '{
           "url": "<Domain Url>",
           "run_nikto": true,
           "run_nmap": true,
           "run_sqlmap": true,
           "run_wpscan": true
         }'
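An endpoint that takes a URL from the request body and hands it to external scanners needs strict input validation before anything runs. The validator below is an added example, not the project's own view code: it checks the scheme, hostname characters and private-address targets of the body described above, and builds the gobuster command as an argv list so the URL is never interpolated into a shell string. The gobuster flags and the wordlist path are assumptions taken from the tool's documented usage and the repository layout.

```python
import ipaddress
from urllib.parse import urlsplit

SCANNER_FLAGS = ("run_nikto", "run_nmap", "run_sqlmap", "run_wpscan")
WORDLIST = "wordlist/common.txt"  # path assumed from the repository layout


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses: refuses loopback, RFC 1918,
    link-local (cloud metadata) and similar targets given as a raw IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_global


def parse_scan_request(body: dict) -> dict:
    """Validate the JSON body of /api/gobuster/scan/ and return a normalised
    copy; raise ValueError for anything the scanners should never see."""
    url = body.get("url")
    if not isinstance(url, str):
        raise ValueError("url must be a string")
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError("url must be an absolute http(s) URL")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("credentials, query strings and fragments are not allowed")
    # Letters, digits, dots and hyphens only: nothing a shell could interpret
    # (IPv6 literals are refused too), even though argv is built as a list.
    if not all(c.isalnum() or c in ".-" for c in host):
        raise ValueError("hostname contains unexpected characters")
    if host.replace(".", "").isdigit() and not is_public_address(host):
        raise ValueError("scans of private or loopback addresses are refused")
    flags = {}
    for name in SCANNER_FLAGS:
        value = body.get(name, False)
        if not isinstance(value, bool):
            raise ValueError(f"{name} must be true or false")
        flags[name] = value
    return {"url": f"{parts.scheme}://{parts.netloc}{parts.path or '/'}", **flags}


def build_gobuster_argv(url: str) -> list:
    """Argument vector for subprocess.run(argv) with shell=False: the URL is a
    single argument and is never interpolated into a shell command string."""
    return ["gobuster", "dir", "-u", url, "-w", WORDLIST, "-q"]
```

A DNS-resolved hostname can still point at an internal address, so a deployment should also resolve the host and apply is_public_address to every returned IP before scanning.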

Logs & Stopping Services

View Logs

docker-compose logs -f

Stop Containers

docker-compose down

License

This project is licensed under the terms of the LICENSE file.

About

Django Microservice of AaaS Labs : A Real-Time Code & Website Vulnerability Detection Software with No-Code Workflows