Skip to content

Security: Benjaminfranck/cyber-security-plugin

Security

SECURITY.md

Security & Responsible Use

Posture

This is a defensive security tool. It finds, explains, prioritizes, and helps fix vulnerabilities in code and applications you own or are explicitly authorized to test.

  • Static analysis is read-only. The category hunters and scanners read your code; they never execute it.
  • Live/dynamic testing requires explicit authorization. /sec:dynamic refuses to send a single request unless security/sec.config.json contains an authorization block whose allowedOrigins cover the target — enforced in code (scripts/authz.mjs), not just prompts. Probes are non-destructive (GET-first, canary reflection only, no fuzzing; nuclei intrusive/fuzz/dos tags excluded).
  • Cloud reads are opt-in and read-only. /sec:nhi --cloud inherits your existing CLI sessions and only ever issues get/list/describe calls; the plugin never stores cloud credentials. It is account-allowlisted.
  • The fixer never weakens a control to silence a finding, and pauses for human review on any patch touching authentication or cryptography. /sec:rotate only plans a rotation; it never rotates a live secret.

Proof-of-concept evidence is generated only as far as needed to confirm a finding — never weaponized exploits, never against third-party systems.

About the test fixtures

fixtures/vuln-app/ is a deliberately vulnerable application used to measure the tool's recall and false-positive rate. It contains intentional, non-functional planted secrets — specifically AWS's documented example credentials (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), which GitHub and secret scanners recognize as fakes. There are no real credentials anywhere in this repository. Do not deploy the fixture app.

Reporting a vulnerability in this plugin

If you find a security issue in the plugin itself, please open a GitHub issue (for a non-sensitive report) or contact the maintainer privately for anything exploitable. There is no bug bounty; this is an open-source project.

There aren't any published security advisories