sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

feat: pentest feature improvements — streaming, pause/resume, encryption, browser tool, reports, docs

Browse Source 
- True SSE streaming via broadcast channels (DashMap per session)
- Session pause/resume with watch channels + dashboard buttons
- AES-256-GCM credential encryption at rest (PENTEST_ENCRYPTION_KEY)
- Concurrency limiter (Semaphore, max 5 sessions, 429 on overflow)
- Browser tool: headless Chrome CDP automation (navigate, click, fill, screenshot, evaluate)
- Report code-level correlation: SAST findings, code graph, SBOM linked per DAST finding
- Split html.rs (1919 LOC) into html/ module directory (8 files)
- Wizard: target/repo dropdowns from existing data, SSH key display, close button on all steps
- Auth: auto-register with optional registration URL (Playwright discovery), plus-addressing email, IMAP overrides
- Attack chain: tool input/output in detail panel, running node pulse animation
- Architecture docs with Mermaid diagrams + 8 screenshots

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sharang Parnerkar
2026-03-17 00:07:50 +01:00
parent 11e1c5f438
commit a912ec9ad9
45 changed files with 5927 additions and 2133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
docs/features/pentest.md
View File

@@ -15,17 +15,47 @@ The dashboard shows:
## Starting a Pentest Session
1. Click **New Pentest** on the dashboard
2. Select a **DAST target** (must be configured under DAST > Targets first)
3. Choose a **strategy**:
Click **New Pentest** on the dashboard to open the 4-step onboarding wizard:
### Step 1 — Target & Scope
- **App URL** — enter manually or select from existing DAST targets (dropdown)
- **Git Repository URL** — enter manually or select from tracked repositories (dropdown). If an SSH URL is selected, the deploy key is displayed for easy copy
- **Branch / Commit** — auto-populated when you click **Lookup** for a tracked repo
- **App Type** and **Rate Limit**
### Step 2 — Authentication
- **None** — unauthenticated testing
- **Manual Credentials** — provide username/password (encrypted at rest with AES-256-GCM)
- **Auto-Register** — the orchestrator uses the browser tool (headless Chrome) to discover the registration page and create a test account:
- **Registration URL** (optional) — auto-discovered via Playwright if omitted
- **Verification Email** (optional) — override the agent's default mailbox. Uses plus-addressing (`base+sessionid@domain`) and polls IMAP for verification links
- **IMAP Settings** — collapsible section to override host/port/credentials
### Step 3 — Strategy & Instructions
| Strategy | Description |
|----------|-------------|
| **Comprehensive** | Full-spectrum test covering recon, API analysis, injection testing, auth checks, and more |
| **Focused** | Targets specific vulnerability categories based on initial reconnaissance |
| **Quick** | Focus on common/high-impact vulnerabilities with minimal tool invocations |
| **Targeted** | SAST-guided — prioritize areas where static analysis found issues |
| **Aggressive** | Maximum payloads, attempt full exploitation |
| **Stealth** | Minimal noise, passive analysis, targeted probes |
4. Optionally provide an initial **message** to guide the AI's focus
5. Click **Start** to begin the session
- **Initial Instructions** — free-text guidance for the AI
- **Scope Exclusions** — paths to skip
- **Max Duration**, **Tester Name/Email**, **Destructive Tests** toggle
### Step 4 — Disclaimer & Confirm
Review the configuration summary and accept the authorization disclaimer.
The wizard can be closed at any time via the **X** button (top-right corner) or by clicking outside the modal.
::: tip Architecture Deep-Dive
See [Pentest Orchestration Architecture](./pentest-architecture.md) for details on how the LLM loop works, what context is passed, and how findings are correlated to source code.
:::
The AI orchestrator will autonomously select and execute security tools in phases, using the output of each phase to inform the next.
@@ -65,9 +95,11 @@ A visual DAG (directed acyclic graph) showing the sequence of tools executed dur
- **Finding badges** — red badge showing the number of findings produced by each tool
- **Interactive** — hover for details, click to select, scroll to zoom, drag to pan
### Stopping a Session
### Pausing, Resuming & Stopping
Running sessions can be stopped from the dashboard by clicking the **Stop** button on the session card. This immediately halts all tool execution.
- **Pause** — click the **Pause** button on a running session to suspend the orchestrator loop. The session status changes to `paused` and the LLM stops iterating. SSE clients receive a `paused` event.
- **Resume** — click **Resume** on a paused session to continue from where it left off. The status returns to `running` and a `resumed` event is broadcast.
- **Stop** — click **Stop** to permanently halt the session. This marks it as `failed` with reason "Stopped by user".
## Exporting Reports