security-use 0.2.7

Security scanning tool for dependencies and Infrastructure as Code

Comprehensive security scanning for modern applications

Installation • Quick Start • Features • Contributing

---

Overview

SecurityUse is a unified security scanning platform for Python applications. It detects vulnerabilities in dependencies, misconfigurations in Infrastructure as Code, and provides runtime attack detection for web applications.

$ security-use scan all ./my-project

 SecurityUse v0.2.6

 Scanning dependencies...
 ✓ Found 3 vulnerabilities in 47 packages

 Scanning IaC files...
 ✓ Found 2 misconfigurations in 5 files

 ┌─────────────────────────────────────────────────────────────────┐
 │ CRITICAL  1   │   HIGH  2   │   MEDIUM  2   │   LOW  0         │
 └─────────────────────────────────────────────────────────────────┘

 Results synced to dashboard (5 finding(s))

Features

Dependency Vulnerability Scanning

Detect known CVEs in your Python dependencies using the OSV database.

• Multi-format support: requirements.txt, Pipfile, pyproject.toml, poetry.lock, package.json, pom.xml
• Accurate matching: Uses package ecosystem data for precise vulnerability matching
• Severity scoring: CVSS-based severity ratings (Critical, High, Medium, Low)
• Fix suggestions: Recommends safe versions to upgrade to

Infrastructure as Code Scanning

Find security misconfigurations before they reach production.

Platform	Formats	Rules
Terraform	.tf, .tf.json	25+
CloudFormation	.yaml, .yml, .json	20+
AWS	S3, EC2, IAM, RDS, Lambda	Full coverage

Detects:

• Unencrypted storage and databases
• Overly permissive IAM policies
• Public access to sensitive resources
• Missing logging and monitoring
• Insecure network configurations

Runtime Security Sensor

Real-time attack detection middleware for FastAPI and Flask applications.

from fastapi import FastAPI
from security_use.sensor import SecurityMiddleware

app = FastAPI()
app.add_middleware(
    SecurityMiddleware,
    webhook_url="https://your-siem.com/alerts",
    block_on_detection=True,
)

Detects:

• SQL Injection (' OR 1=1--, UNION SELECT, etc.)
• Cross-Site Scripting (<script>, javascript:, event handlers)
• Path Traversal (../, %2e%2e%2f, etc.)
• Command Injection (;cat /etc/passwd, backticks, $())
• Rate limit violations
• Suspicious user agents (sqlmap, nikto, etc.)

Auto-Fix

Automatically remediate security issues with a single command.

security-use fix ./my-project

Dependency Fixes:

• Updates vulnerable packages to patched versions
• Supports requirements.txt, Pipfile, pyproject.toml

IaC Fixes:

Rule	Issue	Auto-Fix
CKV_AWS_19	S3 bucket without encryption	Adds AES256 server-side encryption
CKV_AWS_20	S3 bucket with public access	Changes ACL to private
CKV_AWS_3	EBS volume unencrypted	Sets encrypted = true
CKV_AWS_16	RDS instance unencrypted	Adds storage_encrypted = true
CKV_AWS_23	Open security group ingress	Restricts CIDR blocks

Dashboard Integration

Sync your scan results to the SecurityUse Dashboard for centralized monitoring, trend analysis, and team collaboration.

# Authenticate once
security-use auth login

# All scans now auto-sync to dashboard!
security-use scan all ./my-project
# → Results synced to dashboard (X finding(s))

Features:

• Automatic sync: Once logged in, all scan results are automatically uploaded
• Multi-repo support: Each repository is tracked separately with git metadata
• No extra commands: Just run your normal scans - syncing happens automatically

# Auth commands
security-use auth login     # Authenticate with dashboard
security-use auth status    # Check authentication status
security-use auth logout    # Clear credentials

# Manual sync (if needed)
security-use sync ./my-project --project "My App"

Installation

pip install security-use

With optional dependencies:

# For runtime sensor with FastAPI/Flask
pip install security-use[sensor]

# For development
pip install security-use[dev]

Requirements: Python 3.10+

Quick Start

Command Line Interface

# Scan dependencies for vulnerabilities
security-use scan deps ./my-project

# Scan Infrastructure as Code
security-use scan iac ./terraform

# Scan everything
security-use scan all ./my-project

# Output as JSON
security-use scan all ./my-project --format json

# Output as SARIF (for GitHub Code Scanning)
security-use scan all ./my-project --format sarif > results.sarif

# Auto-fix vulnerabilities and IaC misconfigurations
security-use fix ./my-project

# Auto-fix with options
security-use fix ./my-project --dry-run      # Preview changes
security-use fix ./my-project --deps-only    # Only fix dependencies
security-use fix ./my-project --iac-only     # Only fix IaC issues

# Dashboard integration (results auto-sync when logged in)
security-use auth login                       # Authenticate with dashboard
security-use auth status                      # Check auth status
security-use auth logout                      # Clear credentials

Python API

from security_use import scan_dependencies, scan_iac

# Scan dependencies
result = scan_dependencies("./my-project")

print(f"Found {len(result.vulnerabilities)} vulnerabilities")
for vuln in result.vulnerabilities:
    print(f"  {vuln.severity.value}: {vuln.package} - {vuln.title}")

# Scan IaC
result = scan_iac("./terraform")

for finding in result.iac_findings:
    print(f"  [{finding.severity.value}] {finding.rule_id}")
    print(f"    {finding.title}")
    print(f"    {finding.file_path}:{finding.line_number}")

Runtime Sensor

FastAPI (ASGI):

from fastapi import FastAPI
from security_use.sensor import SecurityMiddleware

app = FastAPI()

app.add_middleware(
    SecurityMiddleware,
    webhook_url="https://your-siem.com/webhook",
    block_on_detection=True,         # Return 403 on attacks
    excluded_paths=["/health", "/metrics"],
    rate_limit_threshold=100,        # Requests per minute per IP
)

@app.get("/api/users")
def get_users():
    return {"users": []}

Flask (WSGI):

from flask import Flask
from security_use.sensor import FlaskSecurityMiddleware

app = Flask(__name__)

app.wsgi_app = FlaskSecurityMiddleware(
    app.wsgi_app,
    webhook_url="https://your-siem.com/webhook",
    block_on_detection=False,  # Log only, don't block
)

@app.route("/api/users")
def get_users():
    return {"users": []}

Webhook Alert Format:

{
  "version": "1.0",
  "event": {
    "id": "evt_abc123def456",
    "type": "security_alert",
    "timestamp": "2024-01-25T12:00:00.000Z"
  },
  "alert": {
    "type": "sql_injection",
    "severity": "HIGH",
    "confidence": 0.95,
    "description": "SQL injection attempt detected"
  },
  "request": {
    "method": "POST",
    "path": "/api/users/search",
    "source_ip": "192.168.1.100",
    "headers": {}
  },
  "matched": {
    "pattern": "' OR 1=1--",
    "location": "body",
    "field": "search_query"
  },
  "action_taken": "blocked"
}

Supported Formats

Dependency Files

Ecosystem	File	Status
Python	requirements.txt	✅ Full support
Python	Pipfile / Pipfile.lock	✅ Full support
Python	pyproject.toml	✅ Full support
Python	poetry.lock	✅ Full support
JavaScript	package.json / package-lock.json	✅ Full support
Java	pom.xml	✅ Full support

IaC Formats

Platform	Format	Status
Terraform	.tf (HCL2)	✅ Full support
Terraform	.tf.json	✅ Full support
CloudFormation	.yaml / .yml	✅ Full support
CloudFormation	.json	✅ Full support

CI/CD Integration

GitHub Actions

name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install SecurityUse
        run: pip install security-use

      - name: Run security scan
        run: security-use scan all . --format sarif > results.sarif

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

GitLab CI

security-scan:
  image: python:3.11
  script:
    - pip install security-use
    - security-use scan all . --format json > security-report.json
  artifacts:
    reports:
      security: security-report.json

Pre-commit Hook

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: security-use
        name: Security Scan
        entry: security-use scan deps . --fail-on high
        language: python
        additional_dependencies: [security-use]
        pass_filenames: false

Configuration

Create a security-use.yaml in your project root:

# Dependency scanning
dependencies:
  enabled: true
  fail_on: high  # critical, high, medium, low
  ignore:
    - CVE-2021-12345  # Known false positive

# IaC scanning
iac:
  enabled: true
  fail_on: high
  exclude_paths:
    - "examples/"
    - "test/"

# Output
output:
  format: table  # table, json, sarif
  verbose: false

Contributing

We welcome contributions! Please see our Contributing Guide for details.

# Clone the repository
git clone https://github.com/security-use/security-use.git
cd security-use

# Install development dependencies
pip install -e ".[dev]"

# Run tests
pytest

# Run linting
ruff check .

Security

Found a security vulnerability? Please report it privately via security@security-use.dev or through GitHub Security Advisories.

License

MIT License - see the LICENSE file for details.

---

Website • GitHub • PyPI