Enhance README.md with new features including email notifications for critical findings and detailed configuration options. Update EXTENDING.md to encourage contributions for specific Semgrep rules. Revise core_critical_rules.mdc to enforce file size limits for scripts. Improve task documentation in task_6.md and task_7.md by marking completed items. Refactor generate-html-report.py to streamline report generation and improve HTML output sections for ZAP, Semgrep, and Trivy. Update baseline.conf for API-specific adjustments in ZAP scanning. These changes aim to improve usability, documentation clarity, and security scanning capabilities.

Author: fr4iser90

.cursor/rules/core_critical_rules.mdc

@@ -19,6 +19,7 @@ The AI should do as much as possible. Minimize user interaction.
 *   The user should only provide the task and minimal feedback.
 *   The AI should generate all code and solutions.
 *   The user should not interfere with the AI's work.
+*   Each file should not exceed 200 lines. If a script is to big , try to refactor and split!
 
 **Prohibitions:**
 *   No user-generated code or solutions.

README.md

@@ -19,6 +19,37 @@ SecuLite is an all-in-one security toolkit for modern software projects. It comb
 - **Unified Reporting:** Results as TXT/JSON, clearly aggregated
 - **Extensible & Open:** Easily add your own rules, tools, workflows
 - **CI/CD-ready:** Docker-based, GitHub Actions workflow included
+- **Email Notifications:** Optional email alerts for critical/high severity findings.
+
+---
+
+## ⚙️ Configuration
+
+SecuLite can be configured using environment variables. Create a `.env` file in the project root or set them in your shell.
+
+### Core Configuration
+
+- `ZAP_TARGET`: The target URL for ZAP to scan (e.g., `http://localhost:8000`). Can also be passed as an argument to `security-check.sh`.
+- `HTML_REPORT`: Set to `1` to generate an HTML report (default is `0` for console-only, though the Docker setup typically generates it).
+
+### Email Notification Configuration (Optional)
+
+To enable email notifications for critical/high severity findings, set the following environment variables:
+
+- `NOTIFICATION_EMAIL_RECIPIENT`: Email address to send notifications to.
+- `SMTP_SERVER`: SMTP server address (e.g., `smtp.example.com`).
+- `SMTP_PORT`: SMTP server port (e.g., `587` or `465`).
+- `SMTP_USER`: Username for SMTP authentication.
+- `SMTP_PASSWORD`: Password for SMTP authentication.
+- `SMTP_SENDER_EMAIL`: The "From" email address for notifications (defaults to `SMTP_USER` if not set).
+
+### LLM Provider Configuration (Optional)
+
+For AI-powered explanations of findings in the HTML report:
+
+- `LLM_PROVIDER`: Choose from `openai`, `gemini`, `huggingface`, `groq`, `mistral`, `anthropic` (defaults to `openai`).
+- `<PROVIDER>_API_KEY`: API key for the chosen provider (e.g., `OPENAI_API_KEY`).
+- `<PROVIDER>_MODEL`: Specific model for the chosen provider (e.g., `OPENAI_MODEL=gpt-4`).
 
 ---
 
@@ -61,6 +92,21 @@ cd SimpleSecCheck
      ```
    - WebUI available at: [http://localhost:8080](http://localhost:8080)
 
+## 🛠️ Available Scans & Rules
+
+SecuLite utilizes the following tools and rule categories:
+
+- **OWASP ZAP:** Web application vulnerabilities (baseline scan).
+- **Semgrep:** Static code analysis for:
+    - Code Bugs (`rules/code-bugs.yml`)
+    - Secrets Detection (`rules/secrets.yml`)
+    - Prompt Injection (`rules/prompt-injection.yml`)
+    - API Security (`rules/api-security.yml`)
+    - LLM/AI Security (`rules/llm-ai-security.yml`)
+- **Trivy:** Dependency and container image scanning.
+
+---
+
 ## 🤝 Contributing & Extending
 
 - See [`doc/EXTENDING.md`](doc/EXTENDING.md) for adding your own rules, tools, workflows.

conf/fp_whitelist.json

@@ -0,0 +1,29 @@
+[
+  {
+    "tool": "semgrep",
+    "check_id": "generic.secrets.security.hardcoded-secret.hardcoded-secret",
+    "path_pattern": "src/examples/.*",
+    "line_content_pattern": "just_an_example_key",
+    "reason": "This is an example key in a demonstration file, not a real secret."
+  },
+  {
+    "tool": "semgrep",
+    "check_id": "python.django.security.debug-true.debug-true",
+    "path_pattern": "settings_dev.py",
+    "reason": "DEBUG=True is intentional for development settings file."
+  },
+  {
+    "tool": "zap",
+    "plugin_id": "10021",
+    "uri_pattern": "http://localhost:8000/test-endpoints/no-x-content-type-options",
+    "parameter_pattern": null,
+    "reason": "Test endpoint intentionally missing X-Content-Type-Options for specific test case."
+  },
+  {
+    "tool": "trivy",
+    "vulnerability_id": "CVE-2020-12345",
+    "package_name": "example-lib",
+    "package_version_pattern": "1.0.*",
+    "reason": "This CVE is for a feature not used in our project, risk accepted after review for v1.0.x."
+  }
+] 

docs/EXTENDING.md

@@ -4,7 +4,13 @@
 - **Semgrep:**
   - Place new YAML rule files in `/rules/`.
   - Use descriptive filenames (e.g., `injection-detection.yml`).
-  - Document the rule purpose at the top of the file.
+  - We particularly welcome contributions to:
+    - `rules/api-security.yml` (for common API vulnerabilities like auth, CORS, rate limiting)
+    - `rules/llm-ai-security.yml` (for LLM/AI specific issues like prompt injection, data leakage, insecure output handling)
+    - `rules/secrets.yml` (for detecting inadvertently committed secrets)
+    - `rules/code-bugs.yml` (for common coding errors leading to vulnerabilities)
+    - `rules/prompt-injection.yml` (for general prompt injection patterns)
+  - Document the rule purpose at the top of the file or within the rule's metadata.
 - **ZAP:**
   - Add new config files to `/zap/`.
   - Follow ZAP documentation for custom scan policies.

docs/plan/task_6.md

@@ -3,10 +3,10 @@
 - [x] Script to analyze all scan results (ZAP, Semgrep, Trivy)
 - [x] Sort and summarize findings by severity
 - [x] Explicitly output "All OK" sections
-- [ ] Generate to-do list for developers
-- [ ] Optionally: Generate HTML report
-- [ ] Optionally: Slack/Teams/Email notification for critical findings
-- [ ] Semgrep rules for API security (Auth, CORS, Rate Limiting)
-- [ ] Adjust ZAP policy for API endpoints
-- [ ] More Semgrep rules for LLM/AI security
-- [ ] Update documentation!
+- [x] Generate to-do list for developers
+- [x] Optionally: Generate HTML report
+- [x] Optionally: Slack/Teams/Email notification for critical findings
+- [x] Semgrep rules for API security (Auth, CORS, Rate Limiting)
+- [x] Adjust ZAP policy for API endpoints
+- [x] More Semgrep rules for LLM/AI security
+- [x] Update documentation!

docs/plan/task_7.md

@@ -1,14 +1,14 @@
 # Task List: Phase 7 – Advanced Automation, Integration & Developer Experience
 
-- [ ] Automatic mapping of all findings to OWASP Top 10, GDPR, NIST, etc.
-- [ ] Generate compliance report
-- [ ] Plug-in system for new tools/checks
-- [ ] Auto-fix suggestions for trivial findings
+- [x] Automatic mapping of all findings to OWASP Top 10, GDPR, NIST, etc.
+- [x] Generate compliance report
+- [x] Plug-in system for new tools/checks
+- [x] Auto-fix suggestions for trivial findings
 - [ ] False-positive handling (whitelist, suppression)
 - [ ] History/trend analysis of findings
 - [ ] Dashboard for security status and trends
 - [ ] Automatic detection of tech stack and adjustment of checks
 - [ ] Ticket creation for critical findings (Jira, GitHub Issues)
 - [ ] PDF export of the report
 - [ ] Troubleshooting/FAQ and example output in the documentation
-- [ ] Video/screen demo for onboarding 
+- [ ] Video/screen demo for onboarding

rules/api-security.yml

@@ -0,0 +1,68 @@
+rules:
+  - id: missing-api-authentication
+    patterns:
+      - pattern-either:
+          - pattern-inside: |
+              @app.route('/api/...')
+              def $FUNC(...):
+                ...
+          - pattern-inside: |
+              @api_view(['GET', 'POST'])
+              def $FUNC(...):
+                ...
+      - pattern-not: |
+          @login_required
+          ...
+      - pattern-not: |
+          permission_classes = [IsAuthenticated]
+          ...
+      - pattern-not-inside: |
+          if not request.user.is_authenticated:
+            ...
+    message: >-
+      API endpoint appears to be missing authentication. Ensure that all API
+      endpoints handling sensitive data or operations require proper
+      authentication.
+    languages:
+      - python
+    severity: HIGH
+
+  - id: overly-permissive-cors
+    patterns:
+      - pattern-either:
+          - pattern: |
+              set_header("Access-Control-Allow-Origin", "*")
+          - pattern: |
+              CORS(app, resources={r"/api/*": {"origins": "*"}})
+      - focus-metavariable: $ORIGIN
+        metavariable-regex:
+          metavariable: $ORIGIN
+          regex: \*
+    message: >-
+      Overly permissive CORS policy detected (Access-Control-Allow-Origin: *).
+      This can allow any domain to make requests to your API, potentially
+      leading to security vulnerabilities. Restrict origins to trusted domains.
+    languages:
+      - python
+      - javascript
+      - go
+    severity: MEDIUM
+
+  - id: potential-missing-rate-limiting
+    patterns:
+      - pattern-inside: |
+          @app.route('/api/...')
+          def $FUNC(...):
+            ...
+      - pattern-not: |
+          @limiter.limit(...)
+          ...
+      - pattern-not-inside: |
+          rate_limit_check(...)
+          ...
+    message: >-
+      This API endpoint does not seem to have explicit rate limiting.
+      Consider adding rate limiting to prevent abuse and ensure availability.
+    languages:
+      - python
+    severity: MEDIUM 

rules/llm-ai-security.yml

@@ -0,0 +1,51 @@
+rules:
+  - id: exposed-llm-api-key
+    patterns:
+      - pattern-either:
+          - pattern: |
+              OPENAI_API_KEY = "sk-..."
+          - pattern: |
+              HF_TOKEN = "hf_..."
+          - pattern: |
+              GOOGLE_API_KEY = "AIza..."
+      - pattern-inside: |
+          ... = os.environ.get("...") # Good: loaded from env
+        message: "Potential hardcoded LLM API key. Load keys from environment variables or a secure vault."
+        languages:
+          - python
+        severity: CRITICAL
+
+  - id: llm-direct-html-output
+    patterns:
+      - pattern: |
+          response = llm.generate(...)
+          ...
+          return f"<html>{response}</html>"
+      - pattern-not: |
+          response = llm.generate(...)
+          ...
+          safe_response = html.escape(response) # Good: sanitized
+          return f"<html>{safe_response}</html>"
+    message: >-
+      LLM output is directly rendered in HTML without sanitization.
+      This could lead to XSS if the LLM generates malicious HTML/JavaScript.
+      Always sanitize LLM outputs before rendering them in web contexts.
+    languages:
+      - python
+    severity: HIGH
+
+  - id: llm-prompt-concatenation-user-input
+    patterns:
+      - pattern: |
+          prompt = "Translate to French: " + user_input
+          llm.generate(prompt)
+      - pattern: |
+          prompt = f"Summarize this: {user_text}"
+          llm.generate(prompt)
+    message: >-
+      User input is directly concatenated into an LLM prompt. This is a common
+      source of prompt injection vulnerabilities. Consider using structured input,
+      input validation, and output encoding, or specific libraries designed to prevent prompt injection.
+    languages:
+      - python
+    severity: HIGH