|
| 1 | +# SPDX-FileCopyrightText: 2025 GitHub |
| 2 | +# SPDX-License-Identifier: MIT |
| 3 | + |
| 4 | +seclab-taskflow-agent: |
| 5 | + filetype: taskflow |
| 6 | + version: 1 |
| 7 | + |
| 8 | +model_config: seclab_taskflows.configs.model_config |
| 9 | + |
| 10 | +globals: |
| 11 | + repo: |
| 12 | + apache/allura |
| 13 | +# Taskflow to analyze the existing information |
| 14 | +taskflow: |
| 15 | + - task: |
| 16 | + must_complete: true |
| 17 | + headless: true |
| 18 | + model: general_tasks |
| 19 | + agents: |
| 20 | + - seclab_taskflow_agent.personalities.assistant |
| 21 | + user_prompt: | |
| 22 | + Clear the memory cache and clear the codeql_sqlite database for repo {{ GLOBALS_repo }}. |
| 23 | + toolboxes: |
| 24 | + - seclab_taskflow_agent.toolboxes.memcache |
| 25 | + - seclab_taskflows.toolboxes.codeql_python |
| 26 | + - task: |
| 27 | + model: general_tasks |
| 28 | + must_complete: true |
| 29 | + headless: true |
| 30 | + agents: |
| 31 | + - seclab_taskflow_agent.personalities.assistant |
| 32 | + user_prompt: | |
| 33 | + For the repo {{ GLOBALS_repo }} fetch the Python CodeQL database and find all remote flow sources using CodeQL. |
| 34 | + Store the value for CodeQL's 'relative_database_path' in 'codeql_relative_database_path' memory key. |
| 35 | + toolboxes: |
| 36 | + - seclab_taskflows.toolboxes.gh_code_scanning |
| 37 | + - seclab_taskflows.toolboxes.codeql_python |
| 38 | + - seclab_taskflow_agent.toolboxes.memcache |
| 39 | + - task: |
| 40 | + must_complete: true |
| 41 | + exclude_from_context: true |
| 42 | + model: general_tasks |
| 43 | + agents: |
| 44 | + - seclab_taskflow_agent.personalities.assistant |
| 45 | + user_prompt: | |
| 46 | + Fetch the sources from the repo {{ GLOBALS_repo }}. |
| 47 | + toolboxes: |
| 48 | + - seclab_taskflows.toolboxes.codeql_python |
| 49 | + - task: |
| 50 | + model: code_analysis |
| 51 | + must_complete: false |
| 52 | + repeat_prompt: true |
| 53 | + async: true |
| 54 | + async_limit: 5 |
| 55 | + max_steps: 100 |
| 56 | + name: source analysis |
| 57 | + description: Identify actions that untrusted users are allowed performed the source. |
| 58 | + agents: |
| 59 | + - seclab_taskflows.personalities.auditer |
| 60 | + user_prompt: | |
| 61 | + Retrieve the contents of the `codeql_relative_database_path` memory key, which represents the relative path to the CodeQL database for the repository {{ GLOBALS_repo }}. |
| 62 | + Using the CodeQL database located at that path, analyze the following source: |
| 63 | + The source is a {{ RESULT_type }} in {{ RESULT_repo }} in the location {{ RESULT_source_location }}. |
| 64 | + Analyze what the source endpoint is for and how it is used. |
| 65 | + Search for relevant code associated with each source. |
| 66 | + If it is a web endpoint, identify the routing path that reaches this source, HTTP method, |
| 67 | + any middlewares used, which roles are allowed to call it. |
| 68 | + Note which kind of authentication is required for that endpoint. |
| 69 | + It is possible that the source does not have require any authentication. |
| 70 | + If authorization is required, note the details. |
| 71 | + Analyze the code and identify if this source could lead to a security vulnerability. |
| 72 | +
|
| 73 | + Update the source entry in the codeql_sqlite database with your findings. |
| 74 | + ## IMPORTANT: General Guidance that ALWAYS applies |
| 75 | +
|
| 76 | + 1. Do NOT ask the user for permission to perform next steps, continue your |
| 77 | + analysis autonomously until it is complete. |
| 78 | +
|
| 79 | + 2. Do NOT use 'fetch_sources' or 'remote_sources' tools. |
| 80 | +
|
| 81 | + 3. Do NOT speculate. If you do not have access to the information you need, respond with |
| 82 | + the error you encountered. |
| 83 | + toolboxes: |
| 84 | + - seclab_taskflows.toolboxes.codeql_python |
| 85 | + - seclab_taskflow_agent.toolboxes.memcache |
| 86 | + - task: |
| 87 | + must_complete: true |
| 88 | + agents: |
| 89 | + - seclab_taskflows.personalities.web_application_security_expert |
| 90 | + model: code_analysis |
| 91 | + user_prompt: | |
| 92 | + Fetch the sources of the repo {{ GLOBALS_repo }} and give a summary of the notes. |
| 93 | + toolboxes: |
| 94 | + - seclab_taskflows.toolboxes.codeql_python |
| 95 | + - seclab_taskflow_agent.toolboxes.memcache |
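Review bot: In the `source analysis` task, the rule at line 79 ("Do NOT use 'fetch_sources' or 'remote_sources' tools") is enforced only by the prompt, while line 84 still loads the whole `seclab_taskflows.toolboxes.codeql_python` toolbox for that task. A model that ignores the instruction can still call those tools. If the taskflow format can limit which tools a task exposes, restrict them there instead of relying on the prompt; otherwise add a comment saying why the prompt rule is considered sufficient. The same task sets `must_complete: false` (line 51) with `async: true`, so going by the key name an analysis that does not finish will not stop the flow. The summary prompt at line 92 would then report on incomplete notes without saying so; consider asking it to list sources that have no recorded findings. Two wording slips in text the model reads: line 57 ("allowed performed the source") looks like it is missing words, for example "allowed to perform on the source", and line 69 should read "does not require any authentication".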