first commit
This commit is contained in:
@@ -0,0 +1,47 @@
|
||||
---
|
||||
name: source-aware-whitebox
|
||||
description: Coordination playbook for source-aware white-box testing with static triage and dynamic validation
|
||||
---
|
||||
|
||||
# Source-Aware White-Box Coordination
|
||||
|
||||
Use this coordination playbook when repository source code is available.
|
||||
|
||||
## Objective
|
||||
|
||||
Increase white-box coverage by combining source-aware triage with dynamic validation. Source-aware tooling is expected by default when source is available.
|
||||
|
||||
## Recommended Workflow
|
||||
|
||||
1. Build a quick source map before deep exploitation, including at least one AST-structural pass (`sg` or `tree-sitter`) scoped to relevant paths.
|
||||
- For `sg` baseline, derive `sg-targets.txt` from `semgrep.json` scope first (`paths.scanned`, fallback to unique `results[].path`) and run `xargs ... sg run` on that list.
|
||||
- Only fall back to path heuristics when semgrep scope is unavailable.
|
||||
2. Run first-pass static triage to rank high-risk paths.
|
||||
3. Use triage outputs to prioritize dynamic PoC validation.
|
||||
4. Keep findings evidence-driven: no report without validation.
|
||||
|
||||
## Source-Aware Triage Stack
|
||||
|
||||
- `semgrep`: fast security-first triage and custom pattern scans
|
||||
- `ast-grep` (`sg`): structural pattern hunting and targeted repo mapping
|
||||
- `tree-sitter`: syntax-aware parsing support for symbol and route extraction
|
||||
- `gitleaks` + `trufflehog`: complementary secret detection (working tree and history coverage)
|
||||
- `trivy fs`: dependency, misconfiguration, license, and secret checks
|
||||
|
||||
Coverage target per repository:
|
||||
- one `semgrep` pass
|
||||
- one AST structural pass (`sg` and/or `tree-sitter`)
|
||||
- one secrets pass (`gitleaks` and/or `trufflehog`)
|
||||
- one `trivy fs` pass
|
||||
|
||||
## Agent Delegation Guidance
|
||||
|
||||
- Keep child agents specialized by vulnerability/component as usual.
|
||||
- For source-heavy subtasks, prefer creating child agents with `source_aware_sast` skill.
|
||||
- Use source findings to shape payloads and endpoint selection for dynamic testing.
|
||||
|
||||
## Validation Guardrails
|
||||
|
||||
- Static findings are hypotheses until validated.
|
||||
- Dynamic exploitation evidence is still required before vulnerability reporting.
|
||||
- Keep scanner output concise, deduplicated, and mapped to concrete code locations.
|
||||
Reference in New Issue
Block a user