add insecure-ai #91
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| FROM python:3.12-slim | ||
|
|
||
| WORKDIR /app | ||
|
|
||
| # Install system dependencies | ||
| RUN apt-get update && apt-get install -y \ | ||
| build-essential \ | ||
| graphviz \ | ||
| && rm -rf /var/lib/apt/lists/* | ||
|
There was a problem hiding this comment. Security control: Docker Scan 'Apt-Get' Missing '--No-Install-Recommends' 'apt-get' install should use '--no-install-recommends' to minimize image size. Severity: HIGH Jit Bot commands and options (e.g., ignore issue)You can trigger Jit actions by commenting on this PR review:
|
||
|
|
||
| # Copy requirements first to leverage Docker cache | ||
| COPY requirements.txt . | ||
| RUN pip install --no-cache-dir -r requirements.txt gunicorn | ||
|
|
||
| # Copy the rest of the application | ||
| COPY . . | ||
|
|
||
| # Expose the port the app runs on | ||
| EXPOSE 5000 | ||
|
|
||
| # Set environment variables | ||
| ENV FLASK_APP=app.py | ||
| ENV FLASK_ENV=production | ||
|
|
||
| # Run the application with gunicorn | ||
| CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "4", "--timeout", "120", "--config", "python:app", "app:app"] | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| # Code Security Analyzer | ||
|
|
||
| A Flask web application that allows users to analyze their code for security issues using the `latio` package. | ||
|
|
||
| ## Features | ||
|
|
||
| - Paste code directly into the web interface | ||
| - Upload code as a ZIP file | ||
| - Real-time code analysis using `latio` | ||
| - Modern, responsive UI with syntax highlighting | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| - Python 3.7 or higher | ||
| - pip (Python package manager) | ||
| - `latio` package installed globally | ||
|
|
||
| ## Installation | ||
|
|
||
| 1. Clone this repository or download the files | ||
| 2. Create a virtual environment (recommended): | ||
| ```bash | ||
| python -m venv venv | ||
| source venv/bin/activate # On Windows: venv\Scripts\activate | ||
| ``` | ||
| 3. Install the required packages: | ||
| ```bash | ||
| pip install -r requirements.txt | ||
| ``` | ||
|
|
||
| ## Usage | ||
|
|
||
| 1. Start the Flask application: | ||
| ```bash | ||
| python app.py | ||
| ``` | ||
| 2. Open your web browser and navigate to `http://localhost:5000` | ||
| 3. Either paste your code into the text editor or upload a ZIP file containing your code | ||
| 4. Click "Analyze Code" to run the security analysis | ||
| 5. View the results in the results section below | ||
|
|
||
| ## Security Considerations | ||
|
|
||
| - The application uses temporary directories for file processing | ||
| - File uploads are limited to 16MB | ||
| - Only ZIP files are accepted for upload | ||
| - All uploaded files are processed in isolated temporary directories | ||
| - The application runs in debug mode for development purposes | ||
|
|
||
| ## License | ||
|
|
||
| MIT License |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Docker Scan
Image User Should Not Be 'Root'
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Severity: HIGH
Learn more about this issue
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
docker run <image> whoami. If it returnsroot, then you should consider using a non-root user, by following one of the next steps:USERcommand to the Dockerfile, with a non-root user as argument, for example:USER <non-root-user-name>.Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Image user should not be 'root'" in insecure-ai/Dockerfile; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command