//! Security Analysis Modules
//!
//! This module provides five specialized analyzers for detecting security issues,
//! compliance violations, and data flow problems in AI agent codebases.
//!
//! ## Available Analyzers
//!
//! ### 1. Trust Boundary Analyzer
//!
//! Implements Meta's "Rule of Two" to detect unsafe components that violate
//! security boundaries. A component is flagged if it has ALL three characteristics:
//! - [A] Processes untrusted input (user input, API requests)
//! - [B] Accesses sensitive resources (secrets, databases, files)
//! - [C] Performs external actions (HTTP requests, subprocess execution)
//!
//! ### 2. Secret Detection Analyzer
//!
//! Detects exposed secrets and credentials using:
//! - Regex patterns for 11 common secret types (OpenAI, AWS, GitHub, etc.)
//! - Shannon entropy calculation for high-entropy strings
//! - Sensitive variable name detection
//! - Configurable false positive filtering
//!
//! ### 3. Memory Detection Analyzer
//!
//! Identifies memory and persistence usage including:
//! - Vector stores (Chroma, Pinecone, FAISS, Qdrant)
//! - Databases (SQLite, PostgreSQL, MongoDB, Redis)
//! - File-based persistence (shelve, pickle)
//! - Configuration extraction
//!
//! ### 4. Network Detection Analyzer
//!
//! Tracks network calls and external communications:
//! - HTTP libraries (requests, httpx, urllib, aiohttp)
//! - API clients (OpenAI, Anthropic, Google GenAI)
//! - URL and webhook detection
//! - HTTP method and endpoint extraction
//!
//! ### 5. Data Provenance Analyzer
//!
//! CaMeL-style taint analysis for tracking data flows:
//! - Identifies untrusted data sources
//! - Propagates taint through variable assignments
//! - Detects when tainted data reaches sensitive sinks
//! - Provides data flow paths for investigation
//!
//! ## Usage
//!
//! ```rust,no_run
//! use raxit_core::{scan, ScanConfig};
//!
//! let config = ScanConfig::default().with_path("./agent-project");
//! let result = scan(config)?;
//!
//! // Check trust boundary violations
//! for boundary in &result.trust_boundaries {
//!     if !boundary.compliant {
//!         println!("Trust violation: {}", boundary.violations.join(", "));
//!     }
//! }
//!
//! // Review secret findings
//! for secret in &result.secret_findings {
//!     if secret.severity == "critical" {
//!         println!("Critical secret at {}:{}", secret.location.file, secret.location.line);
//!     }
//! }
//!
//! // Analyze data flows
//! for finding in &result.provenance_findings {
//!     if finding.severity == "critical" {
//!         println!("Tainted data flow: {}", finding.message);
//!     }
//! }
//! # Ok::<(), raxit_core::RaxitError>(())
//! ```

pub mod call_graph;
pub mod data_flow;
pub mod data_provenance;
pub mod memory_detection;
pub mod network_detection;
pub mod secret_detection;
pub mod trust_boundary;

use crate::error::Result;
use crate::schema::{
    MemoryFinding, NetworkFinding, ProvenanceFinding, ScanResult, SecretFinding, TrustBoundary,
};

/// Run the trust-boundary analyzer (Meta's "Rule of Two") over a scan result.
///
/// Thin wrapper around [`trust_boundary::analyze`]. Each returned
/// [`TrustBoundary`] describes a component that the analyzer flagged for
/// combining untrusted input, sensitive-resource access and external actions
/// (see the module-level docs for the three characteristics).
///
/// # Errors
///
/// Propagates any error raised by the underlying analyzer unchanged.
pub fn analyze_trust_boundaries(result: &ScanResult) -> Result<Vec<TrustBoundary>> {
    let boundaries = trust_boundary::analyze(result)?;
    Ok(boundaries)
}

/// Run the secret-detection analyzer over a scan result.
///
/// Delegates to [`secret_detection::analyze`]; the module-level docs describe
/// the detection strategies (regex patterns, entropy, sensitive variable names,
/// false-positive filtering). One [`SecretFinding`] is returned per detection.
///
/// # Errors
///
/// Propagates any error raised by the underlying analyzer unchanged.
pub fn analyze_secrets(result: &ScanResult) -> Result<Vec<SecretFinding>> {
    self::secret_detection::analyze(result)
}

/// Run the memory/persistence detector over a scan result.
///
/// Delegates to [`memory_detection::analyze`], which (per the module-level
/// docs) reports vector stores, databases and file-based persistence as
/// [`MemoryFinding`]s.
///
/// # Errors
///
/// Propagates any error raised by the underlying analyzer unchanged.
pub fn analyze_memory(result: &ScanResult) -> Result<Vec<MemoryFinding>> {
    let findings = memory_detection::analyze(result)?;
    Ok(findings)
}

/// Run the network-call detector over a scan result.
///
/// Delegates to [`network_detection::analyze`], which (per the module-level
/// docs) reports HTTP library usage, API clients, URLs and webhooks as
/// [`NetworkFinding`]s.
///
/// # Errors
///
/// Propagates any error raised by the underlying analyzer unchanged.
pub fn analyze_network(result: &ScanResult) -> Result<Vec<NetworkFinding>> {
    self::network_detection::analyze(result)
}

/// Run the data-provenance (taint) analyzer over a scan result.
///
/// Delegates to [`data_provenance::analyze`]. Per the module-level docs the
/// analyzer tracks untrusted sources through assignments and reports a
/// [`ProvenanceFinding`] when tainted data reaches a sensitive sink.
///
/// # Errors
///
/// Propagates any error raised by the underlying analyzer unchanged.
pub fn analyze_provenance(result: &ScanResult) -> Result<Vec<ProvenanceFinding>> {
    let findings = data_provenance::analyze(result)?;
    Ok(findings)
}

/// Build the call graph for a scan result.
///
/// Delegates to [`call_graph::build`]. Unlike the `analyze_*` wrappers in this
/// module this returns a [`crate::scanner::CallGraph`] rather than a list of
/// findings.
///
/// # Errors
///
/// Propagates any error raised by the call-graph builder unchanged.
pub fn build_call_graph(result: &ScanResult) -> Result<crate::scanner::CallGraph> {
    let graph = self::call_graph::build(result)?;
    Ok(graph)
}

/// Run the CaMeL-style data-flow analysis over a scan result.
///
/// Delegates to [`data_flow::analyze`]. Note the return type: this wrapper
/// yields `Ok(())` on success and surfaces no findings to the caller; any
/// output of the analysis has to be obtained through `data_flow` itself
/// (contrast with [`analyze_provenance`], which returns findings).
///
/// # Errors
///
/// Propagates any error raised by the underlying analysis unchanged.
pub fn analyze_data_flows(result: &ScanResult) -> Result<()> {
    data_flow::analyze(result)?;
    Ok(())
}

#[cfg(test)]
mod tests {
    /// Smoke test for the analyzers module.
    ///
    /// Intentionally has no assertions: it only confirms that this module and
    /// its submodule declarations build under `cargo test`. Behavioural tests
    /// for each `analyze_*` wrapper would need a constructed `ScanResult`;
    /// none is exercised here.
    #[test]
    fn test_analyzers_module() {
        // Placeholder test - module compiles successfully
    }
}