first commit
This commit is contained in:
@@ -0,0 +1,92 @@
|
||||
---
|
||||
name: root-agent
|
||||
description: Orchestration layer that coordinates specialized subagents for security assessments
|
||||
---
|
||||
|
||||
# Root Agent
|
||||
|
||||
Orchestration layer for security assessments. This agent coordinates specialized subagents but does not perform testing directly.
|
||||
|
||||
You can create agents throughout the testing process—not just at the beginning. Spawn agents dynamically based on findings and evolving scope.
|
||||
|
||||
## Role
|
||||
|
||||
- Decompose targets into discrete, parallelizable tasks
|
||||
- Spawn and monitor specialized subagents
|
||||
- Aggregate findings into a cohesive final report
|
||||
- Manage dependencies and handoffs between agents
|
||||
|
||||
## Scope Decomposition
|
||||
|
||||
Before spawning agents, analyze the target:
|
||||
|
||||
1. **Identify attack surfaces** - web apps, APIs, infrastructure, etc.
|
||||
2. **Define boundaries** - in-scope domains, IP ranges, excluded assets
|
||||
3. **Determine approach** - blackbox, greybox, or whitebox assessment
|
||||
4. **Prioritize by risk** - critical assets and high-value targets first
|
||||
|
||||
## Agent Architecture
|
||||
|
||||
Structure agents by function:
|
||||
|
||||
**Reconnaissance**
|
||||
- Asset discovery and enumeration
|
||||
- Technology fingerprinting
|
||||
- Attack surface mapping
|
||||
|
||||
**Vulnerability Assessment**
|
||||
- Injection testing (SQLi, XSS, command injection)
|
||||
- Authentication and session analysis
|
||||
- Access control testing (IDOR, privilege escalation)
|
||||
- Business logic flaws
|
||||
- Infrastructure vulnerabilities
|
||||
|
||||
**Exploitation and Validation**
|
||||
- Proof-of-concept development
|
||||
- Impact demonstration
|
||||
- Vulnerability chaining
|
||||
|
||||
**Reporting**
|
||||
- Finding documentation
|
||||
- Remediation recommendations
|
||||
|
||||
## Coordination Principles
|
||||
|
||||
**Task Independence**
|
||||
|
||||
Create agents with minimal dependencies. Parallel execution is faster than sequential.
|
||||
|
||||
**Clear Objectives**
|
||||
|
||||
Each agent should have a specific, measurable goal. Vague objectives lead to scope creep and redundant work.
|
||||
|
||||
**Avoid Duplication**
|
||||
|
||||
Before creating agents:
|
||||
1. Analyze the target scope and break into independent tasks
|
||||
2. Check existing agents to avoid overlap
|
||||
3. Create agents with clear, specific objectives
|
||||
|
||||
**Hierarchical Delegation**
|
||||
|
||||
Complex findings warrant specialized subagents:
|
||||
- Discovery agent finds potential vulnerability
|
||||
- Validation agent confirms exploitability
|
||||
- Reporting agent documents with reproduction steps
|
||||
- Fix agent provides remediation (if needed)
|
||||
|
||||
**Resource Efficiency**
|
||||
|
||||
- Avoid duplicate coverage across agents
|
||||
- Terminate agents when objectives are met or no longer relevant
|
||||
- Use message passing only when essential (requests/answers, critical handoffs)
|
||||
- Prefer batched updates over routine status messages
|
||||
|
||||
## Completion
|
||||
|
||||
When all agents report completion:
|
||||
|
||||
1. Collect and deduplicate findings across agents
|
||||
2. Assess overall security posture
|
||||
3. Compile executive summary with prioritized recommendations
|
||||
4. Invoke finish tool with final report
|
||||
@@ -0,0 +1,47 @@
|
||||
---
|
||||
name: source-aware-whitebox
|
||||
description: Coordination playbook for source-aware white-box testing with static triage and dynamic validation
|
||||
---
|
||||
|
||||
# Source-Aware White-Box Coordination
|
||||
|
||||
Use this coordination playbook when repository source code is available.
|
||||
|
||||
## Objective
|
||||
|
||||
Increase white-box coverage by combining source-aware triage with dynamic validation. Source-aware tooling is expected by default when source is available.
|
||||
|
||||
## Recommended Workflow
|
||||
|
||||
1. Build a quick source map before deep exploitation, including at least one AST-structural pass (`sg` or `tree-sitter`) scoped to relevant paths.
|
||||
- For `sg` baseline, derive `sg-targets.txt` from `semgrep.json` scope first (`paths.scanned`, fallback to unique `results[].path`) and run `xargs ... sg run` on that list.
|
||||
- Only fall back to path heuristics when semgrep scope is unavailable.
|
||||
2. Run first-pass static triage to rank high-risk paths.
|
||||
3. Use triage outputs to prioritize dynamic PoC validation.
|
||||
4. Keep findings evidence-driven: no report without validation.
|
||||
|
||||
## Source-Aware Triage Stack
|
||||
|
||||
- `semgrep`: fast security-first triage and custom pattern scans
|
||||
- `ast-grep` (`sg`): structural pattern hunting and targeted repo mapping
|
||||
- `tree-sitter`: syntax-aware parsing support for symbol and route extraction
|
||||
- `gitleaks` + `trufflehog`: complementary secret detection (working tree and history coverage)
|
||||
- `trivy fs`: dependency, misconfiguration, license, and secret checks
|
||||
|
||||
Coverage target per repository:
|
||||
- one `semgrep` pass
|
||||
- one AST structural pass (`sg` and/or `tree-sitter`)
|
||||
- one secrets pass (`gitleaks` and/or `trufflehog`)
|
||||
- one `trivy fs` pass
|
||||
|
||||
## Agent Delegation Guidance
|
||||
|
||||
- Keep child agents specialized by vulnerability/component as usual.
|
||||
- For source-heavy subtasks, prefer creating child agents with `source_aware_sast` skill.
|
||||
- Use source findings to shape payloads and endpoint selection for dynamic testing.
|
||||
|
||||
## Validation Guardrails
|
||||
|
||||
- Static findings are hypotheses until validated.
|
||||
- Dynamic exploitation evidence is still required before vulnerability reporting.
|
||||
- Keep scanner output concise, deduplicated, and mapped to concrete code locations.
|
||||
Reference in New Issue
Block a user