2.1 KiB
2.1 KiB
name, description
| name | description |
|---|---|
| source-aware-whitebox | Coordination playbook for source-aware white-box testing with static triage and dynamic validation |
Source-Aware White-Box Coordination
Use this coordination playbook when repository source code is available.
Objective
Increase white-box coverage by combining source-aware triage with dynamic validation. Source-aware tooling is expected by default when source is available.
Recommended Workflow
- Build a quick source map before deep exploitation, including at least one AST-structural pass (
sgortree-sitter) scoped to relevant paths.- For
sgbaseline, derivesg-targets.txtfromsemgrep.jsonscope first (paths.scanned, fallback to uniqueresults[].path) and runxargs ... sg runon that list. - Only fall back to path heuristics when semgrep scope is unavailable.
- For
- Run first-pass static triage to rank high-risk paths.
- Use triage outputs to prioritize dynamic PoC validation.
- Keep findings evidence-driven: no report without validation.
Source-Aware Triage Stack
semgrep: fast security-first triage and custom pattern scansast-grep(sg): structural pattern hunting and targeted repo mappingtree-sitter: syntax-aware parsing support for symbol and route extractiongitleaks+trufflehog: complementary secret detection (working tree and history coverage)trivy fs: dependency, misconfiguration, license, and secret checks
Coverage target per repository:
- one
semgreppass - one AST structural pass (
sgand/ortree-sitter) - one secrets pass (
gitleaksand/ortrufflehog) - one
trivy fspass
Agent Delegation Guidance
- Keep child agents specialized by vulnerability/component as usual.
- For source-heavy subtasks, prefer creating child agents with
source_aware_sastskill. - Use source findings to shape payloads and endpoint selection for dynamic testing.
Validation Guardrails
- Static findings are hypotheses until validated.
- Dynamic exploitation evidence is still required before vulnerability reporting.
- Keep scanner output concise, deduplicated, and mapped to concrete code locations.