From 5e4d4a195d57ef33e188f0d48a03fe7b8a1c0b0e Mon Sep 17 00:00:00 2001
From: dinesh
Date: Tue, 26 May 2026 14:31:03 +0530
Subject: [PATCH 1/8] fix: add missing quote and backslash chars to sanitize_input to prevent command injection
---
 backend/secuscan/validation.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/secuscan/validation.py b/backend/secuscan/validation.py
index 495edfa3..b6148609 100644
--- a/backend/secuscan/validation.py
+++ b/backend/secuscan/validation.py
@@ -198,7 +198,7 @@ def sanitize_input(value: str) -> str:
 Sanitized value
 """
 # Remove shell metacharacters
- dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r']
+ dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r', "'", '"', '\\', '!', '{', '}']
 for char in dangerous_chars:
 value = value.replace(char, '')
From a38a0bd72736fc527ec7a1ea1d0a0546204d83c6 Mon Sep 17 00:00:00 2001
From: dinesh
Date: Tue, 26 May 2026 14:34:33 +0530
Subject: [PATCH 2/8] docs: add incident response runbook for leaked vault keys and compromised plugins
---
 docs/incident-response-runbook.md | 58 +++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 docs/incident-response-runbook.md
diff --git a/docs/incident-response-runbook.md b/docs/incident-response-runbook.md
new file mode 100644
index 00000000..aacd5be7
--- /dev/null
+++ b/docs/incident-response-runbook.md
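Review bot: The enlarged denylist in `dangerous_chars` still makes `sanitize_input` silently strip characters and return an altered value, and a denylist of shell metacharacters cannot be shown to be complete, so this line alone does not deliver the command-injection prevention the subject line claims; patch 3/8 in this series reverts the hunk, leaving the original list with the same limitation. The robust fix is for callers to execute with `subprocess.run([...], shell=False)` so the value is never parsed by a shell, or, where a shell string is unavoidable, to wrap the value with `shlex.quote(value)` rather than editing it. If the function must remain a filter, validating against an allowlist of the expected format and raising `ValueError` on a disallowed character is safer than stripping, since stripping can turn one rejected input into a different accepted one. The docstring above the hunk should state which contract the function actually provides, e.g. `Strips a fixed set of shell metacharacters; not a substitute for argv-style execution.` `sanitize_input` begins and ends outside the hunk, so whether its result reaches a shell is not visible here.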
@@ -0,0 +1,58 @@ +# Incident Response Runbook — SecuScan + +## 1. Leaked Vault Keys + +### Detection + +- Check logs for unauthorized access: `grep "vault" logs/secuscan.log` +- Verify key usage timestamps in audit trail + +### Response Steps + +1. **Immediately revoke** the compromised key +2. **Rotate** all vault keys: generate new keys, re-encrypt stored secrets +3. **Invalidate** all active sessions and tokens +4. **Audit** which reports used the compromised key +5. **Notify** affected users + +### Verification + +```bash +# Confirm new key is active +python -m secuscan verify-vault-keys + +# Confirm old key is revoked +python -m secuscan list-vault-keys --status +``` + +## 2. Compromised Plugins + +### Detection + +- Monitor plugin execution logs for anomalous behavior +- Check plugin integrity hashes + +### Response Steps + +1. **Isolate** — disable the plugin immediately +2. **Preserve logs** before any cleanup +3. **Audit** all scans that used the compromised plugin +4. **Restore** from last known clean state + +### Verification + +```bash +# List active plugins +python -m secuscan plugins --list + +# Disable compromised plugin +python -m secuscan plugins --disable +``` + +## 3. Restoring Clean State + +1. Stop all running scans +2. Rotate all credentials +3. Re-validate plugin integrity +4. Run full test suite: `pytest tests/` +5. Confirm system health before resuming From ff8e0f76e1d06e0d5a1fdfa0db02301a2de56030 Mon Sep 17 00:00:00 2001 From: dinesh Date: Thu, 28 May 2026 23:34:41 +0530 Subject: [PATCH 3/8] revert: remove unrelated validation.py change from docs PR --- backend/secuscan/validation.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/secuscan/validation.py b/backend/secuscan/validation.py index b6148609..495edfa3 100644 --- a/backend/secuscan/validation.py +++ b/backend/secuscan/validation.py 
@@ -198,7 +198,7 @@ def sanitize_input(value: str) -> str:
 Sanitized value
 """
 # Remove shell metacharacters
- dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r', "'", '"', '\\', '!', '{', '}']
+ dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r']
 for char in dangerous_chars:
 value = value.replace(char, '')
From c829d1da814c5f53dad69059cff0f1f09888e04b Mon Sep 17 00:00:00 2001
From: dinesh
Date: Thu, 28 May 2026 23:35:48 +0530
Subject: [PATCH 4/8] docs: replace non-existent commands with factual repo-supported commands in runbook
---
 docs/incident-response-runbook.md | 55 ++++++++++++++++++-------------
 1 file changed, 32 insertions(+), 23 deletions(-)
diff --git a/docs/incident-response-runbook.md b/docs/incident-response-runbook.md
index aacd5be7..068f2a81 100644
--- a/docs/incident-response-runbook.md
+++ b/docs/incident-response-runbook.md
@@ -5,54 +5,63 @@ ### Detection - Check logs for unauthorized access: `grep "vault" logs/secuscan.log` -- Verify key usage timestamps in audit trail +- Review audit trail in `backend/secuscan/vault.py` for key usage ### Response Steps -1. **Immediately revoke** the compromised key -2. **Rotate** all vault keys: generate new keys, re-encrypt stored secrets -3. **Invalidate** all active sessions and tokens -4. **Audit** which reports used the compromised key -5. **Notify** affected users +1. **Immediately rotate** the compromised key — set a new `SECUSCAN_VAULT_KEY` in your `.env` file +2. **Re-encrypt** stored credentials — delete and re-add all vault entries using the new key +3. **Invalidate** all active sessions by restarting the backend service +4. **Audit** which reports and scans ran during the exposure window +5. **Notify** affected users if credentials were accessed ### Verification ```bash -# Confirm new key is active -python -m secuscan verify-vault-keys +# Confirm vault config is loaded correctly +grep "SECUSCAN_VAULT_KEY" .env -# Confirm old key is revoked -python -m secuscan list-vault-keys --status +# Confirm backend starts without vault errors +python -m uvicorn backend.secuscan.main:app --reload + +# Run vault-related tests +pytest tests/ -k "vault" -v ``` ## 2. Compromised Plugins ### Detection -- Monitor plugin execution logs for anomalous behavior -- Check plugin integrity hashes +- Review plugin execution logs for anomalous behavior +- Check plugin files in `backend/secuscan/plugins/` for unexpected changes ### Response Steps -1. **Isolate** — disable the plugin immediately -2. **Preserve logs** before any cleanup -3. **Audit** all scans that used the compromised plugin -4. **Restore** from last known clean state +1. **Isolate** — remove or rename the compromised plugin file immediately +2. **Preserve logs** before any cleanup: `cp logs/secuscan.log logs/secuscan.log.bak` +3. 
**Audit** all scans that used the compromised plugin via scan history +4. **Restore** plugin from last known clean git commit ### Verification ```bash -# List active plugins -python -m secuscan plugins --list +# List plugin files +ls backend/secuscan/plugins/ + +# Disable compromised plugin by removing it +rm backend/secuscan/plugins/.py + +# Restore clean plugin from git +git checkout main -- backend/secuscan/plugins/.py -# Disable compromised plugin -python -m secuscan plugins --disable +# Run plugin tests +pytest tests/ -k "plugin" -v ``` ## 3. Restoring Clean State 1. Stop all running scans -2. Rotate all credentials -3. Re-validate plugin integrity +2. Rotate all credentials in `.env` +3. Re-validate plugin files: `git diff main -- backend/secuscan/plugins/` 4. Run full test suite: `pytest tests/` -5. Confirm system health before resuming +5. Confirm system health before resuming operations From 01d62e90bd2769aa5dcc3d47d160159959df98ea Mon Sep 17 00:00:00 2001 From: dinesh Date: Sun, 31 May 2026 16:28:55 +0530 Subject: [PATCH 5/8] docs: fix invalid plugin references --- docs/incident-response-runbook.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/incident-response-runbook.md b/docs/incident-response-runbook.md index 068f2a81..facfa5c2 100644 --- a/docs/incident-response-runbook.md +++ b/docs/incident-response-runbook.md @@ -25,7 +25,7 @@ grep "SECUSCAN_VAULT_KEY" .env python -m uvicorn backend.secuscan.main:app --reload # Run vault-related tests -pytest tests/ -k "vault" -v +pytest testing/backend/unit -k "vault" -v ``` ## 2. Compromised Plugins @@ -33,7 +33,7 @@ pytest tests/ -k "vault" -v ### Detection - Review plugin execution logs for anomalous behavior -- Check plugin files in `backend/secuscan/plugins/` for unexpected changes + Check plugin definitions in backend/secuscan/plugins.py and backend/secuscan/scanners/ for unexpected changes ### Response Steps 
@@ -46,22 +46,22 @@ pytest tests/ -k "vault" -v ```bash # List plugin files -ls backend/secuscan/plugins/ +ls backend/secuscan/scanners/ # Disable compromised plugin by removing it -rm backend/secuscan/plugins/.py +rm backend/secuscan/scanners/.py # Restore clean plugin from git -git checkout main -- backend/secuscan/plugins/.py +git checkout main -- backend/secuscan/scanners/.py # Run plugin tests -pytest tests/ -k "plugin" -v +pytest testing/backend/unit -k "plugin" -v ``` ## 3. Restoring Clean State 1. Stop all running scans 2. Rotate all credentials in `.env` -3. Re-validate plugin files: `git diff main -- backend/secuscan/plugins/` -4. Run full test suite: `pytest tests/` +3. git diff main -- backend/secuscan/plugins.py backend/secuscan/scanners/ +4. Run full test suite: pytest testing/backend/unit 5. Confirm system health before resuming operations From a07b15a3d9674ea20b33996c77cf5c4571335ab5 Mon Sep 17 00:00:00 2001 From: dinesh Date: Sun, 31 May 2026 18:52:16 +0530 Subject: [PATCH 6/8] docs: correct runbook repository paths --- docs/incident-response-runbook.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/incident-response-runbook.md b/docs/incident-response-runbook.md index facfa5c2..39d744c8 100644 --- a/docs/incident-response-runbook.md +++ b/docs/incident-response-runbook.md @@ -25,7 +25,7 @@ grep "SECUSCAN_VAULT_KEY" .env python -m uvicorn backend.secuscan.main:app --reload # Run vault-related tests -pytest testing/backend/unit -k "vault" -v +pytest testing/backend/unit -k "plugin" -v ``` ## 2. Compromised Plugins @@ -33,7 +33,7 @@ pytest testing/backend/unit -k "vault" -v ### Detection - Review plugin execution logs for anomalous behavior - Check plugin definitions in backend/secuscan/plugins.py and backend/secuscan/scanners/ for unexpected changes + Check files in plugins/ for unexpected changes ### Response Steps 
@@ -46,13 +46,13 @@ pytest testing/backend/unit -k "vault" -v ```bash # List plugin files -ls backend/secuscan/scanners/ +ls plugins/ # Disable compromised plugin by removing it -rm backend/secuscan/scanners/.py +rm plugins/.py # Restore clean plugin from git -git checkout main -- backend/secuscan/scanners/.py +git checkout main -- plugins/.py # Run plugin tests pytest testing/backend/unit -k "plugin" -v @@ -62,6 +62,6 @@ pytest testing/backend/unit -k "plugin" -v 1. Stop all running scans 2. Rotate all credentials in `.env` -3. git diff main -- backend/secuscan/plugins.py backend/secuscan/scanners/ -4. Run full test suite: pytest testing/backend/unit -5. Confirm system health before resuming operations + 3.git diff main -- plugins/ +3. Run full test suite: pytest testing/backend/unit +4. Confirm system health before resuming operations From 60a69830c71e9ee0d2a3b344e44d690a6b6740c2 Mon Sep 17 00:00:00 2001 From: dinesh Date: Sun, 31 May 2026 18:55:15 +0530 Subject: [PATCH 7/8] docs: correct runbook repository paths --- docs/incident-response-runbook.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/incident-response-runbook.md b/docs/incident-response-runbook.md index 39d744c8..0f34fb44 100644 --- a/docs/incident-response-runbook.md +++ b/docs/incident-response-runbook.md @@ -62,6 +62,6 @@ pytest testing/backend/unit -k "plugin" -v 1. Stop all running scans 2. Rotate all credentials in `.env` - 3.git diff main -- plugins/ -3. Run full test suite: pytest testing/backend/unit -4. Confirm system health before resuming operations +3. git diff main -- plugins/ +4. Run full test suite: pytest testing/backend/unit +5. Confirm system health before resuming operations From 5c95db8380c3f5b6385c4c6399596f64fe431743 Mon Sep 17 00:00:00 2001 
From: Utkarsh Singh <183999732+utksh1@users.noreply.github.com> Date: Sun, 31 May 2026 21:35:21 +0530 Subject: [PATCH 8/8] docs: tighten incident response runbook commands --- docs/incident-response-runbook.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/incident-response-runbook.md b/docs/incident-response-runbook.md index 0f34fb44..8f449bc5 100644 --- a/docs/incident-response-runbook.md +++ b/docs/incident-response-runbook.md @@ -25,7 +25,7 @@ grep "SECUSCAN_VAULT_KEY" .env python -m uvicorn backend.secuscan.main:app --reload # Run vault-related tests -pytest testing/backend/unit -k "plugin" -v +pytest testing/backend/unit -k "vault" -v ``` ## 2. Compromised Plugins @@ -33,7 +33,7 @@ pytest testing/backend/unit -k "plugin" -v ### Detection - Review plugin execution logs for anomalous behavior - Check files in plugins/ for unexpected changes +- Check files in `plugins/` for unexpected changes ### Response Steps @@ -48,11 +48,11 @@ pytest testing/backend/unit -k "plugin" -v # List plugin files ls plugins/ -# Disable compromised plugin by removing it -rm plugins/.py +# Disable compromised plugin by moving its directory out of the active plugin tree +mv plugins/ plugins/.disabled # Restore clean plugin from git -git checkout main -- plugins/.py +git checkout main -- plugins/ # Run plugin tests pytest testing/backend/unit -k "plugin" -v @@ -62,6 +62,6 @@ pytest testing/backend/unit -k "plugin" -v 1. Stop all running scans 2. Rotate all credentials in `.env` -3. git diff main -- plugins/ -4. Run full test suite: pytest testing/backend/unit +3. Re-validate plugin files: `git diff main -- plugins/` +4. Run full test suite: `pytest testing/backend/unit` 5. Confirm system health before resuming operations