Class: RailsAiContext::Tools::SecurityScan

Inherits:
BaseTool
  • Object
show all
Defined in:
lib/rails_ai_context/tools/security_scan.rb

Constant Summary collapse

CONFIDENCE_MAP = 
{ "high" => 0, "medium" => 1, "weak" => 2 }.freeze
CONFIDENCE_NAMES = 
{ 0 => "High", 1 => "Medium", 2 => "Weak" }.freeze
CHECK_ALIASES =

Map friendly short names to actual Brakeman check class names. Accepts: “sql”, “SQL”, “xss”, “XSS”, etc. Full Brakeman names (e.g. “CheckSQL”, “CheckCrossSiteScripting”) pass through unchanged.

{
  "sql" => "CheckSQL", "SQL" => "CheckSQL",
  "SQLInjection" => "CheckSQL",
  "xss" => "CheckCrossSiteScripting", "XSS" => "CheckCrossSiteScripting",
  "CheckXSS" => "CheckCrossSiteScripting", "CrossSiteScripting" => "CheckCrossSiteScripting",
  "csrf" => "CheckForgerySetting", "CSRF" => "CheckForgerySetting",
  "CheckCSRF" => "CheckForgerySetting",
  "mass_assignment" => "CheckMassAssignment", "MassAssignment" => "CheckMassAssignment",
  "redirect" => "CheckRedirect", "Redirect" => "CheckRedirect",
  "file_access" => "CheckFileAccess", "FileAccess" => "CheckFileAccess",
  "command_injection" => "CheckExecute", "CommandInjection" => "CheckExecute",
  "CheckCommandInjection" => "CheckExecute",
  "deserialize" => "CheckDeserialize", "Deserialize" => "CheckDeserialize"
}.freeze

Constants inherited from BaseTool

BaseTool::SESSION_CONTEXT, BaseTool::SHARED_CACHE

Class Method Summary collapse

Methods inherited from BaseTool

abstract!, abstract?, cache_key, cached_context, config, extract_method_source_from_file, extract_method_source_from_string, find_closest_match, fuzzy_find_key, inherited, not_found_response, paginate, rails_app, registered_tools, reset_all_caches!, reset_cache!, session_queries, session_record, session_reset!, set_call_params, text_response

Class Method Details

.call(files: nil, confidence: "weak", checks: nil, detail: "standard", server_context: nil) ⇒ Object 



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
# File 'lib/rails_ai_context/tools/security_scan.rb', line 59

def self.call(files: nil, confidence: "weak", checks: nil, detail: "standard", server_context: nil)
  unless brakeman_available?
    return text_response(
      "Brakeman is not installed. Add it to your Gemfile:\n\n" \
      "```ruby\ngem 'brakeman', group: :development\n```\n\n" \
      "Then run `bundle install` and try again."
    )
  end

  min_confidence = CONFIDENCE_MAP[confidence] || 2

  options = {
    app_path: Rails.root.to_s,
    quiet: true,
    report_progress: false,
    min_confidence: min_confidence,
    print_report: false
  }

  if checks&.any?
    resolved = checks.map { |c| CHECK_ALIASES[c] || c }
    options[:run_checks] = Set.new(resolved)
  end

  tracker = begin
    Brakeman.run(options)
  rescue => e
    return text_response("Brakeman scan failed: #{e.message}")
  end

  warnings = tracker.filtered_warnings

  if files&.any?
    # Check if specified files exist
    missing = files.select { |f| !File.exist?(Rails.root.join(f)) }
    if missing.any? && missing.size == files.size
      return text_response("File(s) not found: #{missing.join(', ')}. Provide paths relative to Rails root.")
    end

    normalized = files.map { |f| f.delete_prefix("/") }
    warnings = warnings.select do |w|
      path = w.file.relative
      normalized.any? { |f| path == f || path.start_with?(f) }
    end
  end

  warnings = warnings.sort_by { |w| [ w.confidence, w.file.relative, w.line || 0 ] }

  format_response(warnings, tracker, detail, files)
end