Misingi 13/13 ●

Jumla

Jina la mradi linalosomeka na binadamu ni lipi?
Kumbuka kwamba miradi mingine inaweza kutumia jina sawa.

Maelezo mafupi ya mradi ni yapi?

Find AI infrastructure vulnerabilities before attackers do. Security testing for MCP servers, AI agents, CLI AI platforms and LLM systems.

URL ya mradi (kwa ujumla wake) ni ipi?
https://github.com/macawi-ai/Strigoi

URL ya hifadhi ya kudhibiti toleo ni ipi (inaweza kuwa sawa na URL ya mradi)?
https://github.com/macawi-ai/Strigoi

Mradi umetolewa chini ya leseni zipi?
Tafadhali tumia muundo wa maneno ya leseni ya SPDX; mifano ni pamoja na "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", na "(BSD-2-Clause OR Ruby)". Usitumie alama za nukuu za moja au mbili.

Lugha gani za programu zinatumiwa kutekeleza mradi?
Ikiwa kuna lugha zaidi ya moja, ziorodhe kama thamani zilizotengwa kwa koma (nafasi ni za hiari) na ziorodhe kuanzia iliyotumiwa zaidi hadi iliyotumiwa kidogo. Ikiwa kuna orodha ndefu, tafadhali orodhesha angalau tatu za kawaida zaidi. Ikiwa hakuna lugha (k.m., huu ni mradi wa nyaraka tu au wa majaribio tu), tumia herufi moja "-". Tafadhali tumia herufi kubwa za kawaida kwa kila lugha, k.m., "JavaScript".

Jina la Common Platform Enumeration (CPE) kwa mradi (ikiwa una) ni lipi?
Common Platform Enumeration (CPE) ni mpango wa kuweka majina yenye muundo kwa mifumo ya teknolojia ya habari, programu, na vifurushi. Inatumika katika mifumo na hifadhidata nyingi wakati wa kuripoti udhaifu.

Maoni mengine ya jumla kuhusu mradi:
Maudhui ya kimsingi ya tovuti ya mradi
Criterion [description_good]
Umetimizwa

Haujatimizwa

?

Tovuti ya mradi LAZIMA ieleze kwa ufupi programu inafanya nini (inasuluhu tatizo gani?). ^{[description_good]}
Hii LAZIMA iwe katika lugha ambayo watumiaji watarajiwa wanaweza kuelewa (k.m., inatumia lugha ya kiufundi kidogo).
https://github.com/macawi-ai/strigoi/
(e.g. core capabilities -->
Core Capabilities
🛡️ Security Assessment
```
Interactive CLI - Bash-like navigation with directional reconnaissance (north/south/east/west)
17+ Detection Patterns - API keys, credentials, PII, prompt injection, SSRF, path traversal
MCP Vulnerability Scanner - Specialized scanning for Model Context Protocol servers
Multi-Layer Analysis - 7-layer protocol inspection with Russian doll unpacking
```
📡 Real-Time Monitoring
```
NATS JetStream Integration - Distributed event streaming with persistent storage
A2MCP Bridge - Monitor AI CLI tools (Claude Code, Gemini, ChatGPT) via MCP protocol
Stream Tap - Live STDIO capture with security detection and smart redaction
MetaFrame Protocol - Standardized security telemetry format
```
🏗️ Platform Features
```
Multi-Architecture - AMD64, ARM64, ARMv7 (Raspberry Pi, NanoPi, Orange Pi)
Container-Native - Podman/Docker with rootless support
Web UI Dashboard - Real-time monitoring via http://localhost:8081/
Pre-compiled Binaries - Linux, macOS (Intel/Apple Silicon), Windows
```
Criterion [interact]
Umetimizwa

Haujatimizwa

?

Tovuti ya mradi LAZIMA itoe habari juu ya jinsi ya: kupata, kutoa maoni (kama ripoti za hitilafu au maboresho), na kuchangia kwenye programu. ^[interact]
The README provides clear information on all three requirements:
1. Obtain: Multiple installation methods documented including pre-built binaries from GitHub Releases, wget commands for Linux/macOS/Windows, and build-from-source
  via install.sh. Direct links: https://github.com/macawi-ai/strigoi/releases
2. Feedback: Bug reports and enhancement requests via GitHub Issues, linked in README: https://github.com/macawi-ai/strigoi/issues
3. Contribute: Contributing section in README links to Development Methodology guide (docs/DEVELOPMENT_METHODOLOGY.md) covering code of conduct, development process, and pull request submission.
Criterion [contribution]
Umetimizwa

Haujatimizwa

?

Habari juu ya jinsi ya kuchangia LAZIMA ieleze mchakato wa uchangiaji (kwa mfano, je! Maombi ya kuvuta yanatumika?) (URL inahitajika) ^{[contribution]}
Tunafikiria kuwa miradi kwenye GitHub hutumia maswala na kuvuta maombi isipokuwa palipoonyeshwa vingine. Habari hii inaweza kuwa fupi, kwa mfano, ikisema kuwa mradi hutumia maombi ya kuvuta, msako wa suala, au machapisho kwenye orodha ya barua (ipi?)

Projects on GitHub by default use issues and pull requests, as encouraged by documentation such as https://guides.github.com/activities/contributing-to-open-source/.

Criterion [contribution_requirements]
Umetimizwa

Haujatimizwa

?

Habari juu ya jinsi ya kuchangia INAPASWA kujumuisha mahitaji ya michango inayokubalika (k.m., rejeleo la kiwango chochote kinachohitajika cha usimbaji). (URL inahitajika) ^{[contribution_requirements]}

https://github.com/macawi-ai/strigoi/blob/main/CONTRIBUTING.md
Leseni ya FLOSS
Criterion [floss_license]
Umetimizwa

Haujatimizwa

?
Programu iliyozalishwa na mradi LAZIMA itolewa kama FLOSS. ^{[floss_license]}
FLOSS ni programu iliyotolewa kwa njia inayokidhi Ufafanuzi wa Chanzo Wazi au Ufafanuzi wa Programu Huria. Mifano ya leseni kama hizo ni pamoja na CC0, MIT, BSD 2-clause, BSD 3-clause revised, Apache 2.0, Lesser GNU General Public License (LGPL), na GNU General Public License (GPL). Kwa madhumuni yetu, hii inamaanisha kuwa leseni LAZIMA iwe:
Programu YAWEZA pia kupatiwa leseni kwa njia nyingine (k.m., "GPLv2 au ya kibinafsi" inakubaliwa).
Open Source License

This software is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0).

Key AGPL-3.0 Requirements:
```
✅ Freedom to use — Use for any purpose including commercial
✅ Freedom to study — Access to source code guaranteed
✅ Freedom to modify — Make changes and improvements
✅ Freedom to distribute — Share copies and modifications
🔒 Copyleft requirement — Derivative works must be open source
🌐 Network copyleft — SaaS use requires offering source code
```
The AGPL-3.0-or-later license is approved by the Open Source Initiative (OSI).
Criterion [floss_license_osi]
Umetimizwa

Haujatimizwa

?

INAPENDEKEZA kwamba leseni yoyote inayohitajika kwa programu iliyozalishwa na mradi iwe imeidhinishwa na Open Source Initiative (OSI). ^{[floss_license_osi]}
OSI inatumia mchakato mgumu wa uidhinishaji kuamua ni leseni zipi ni OSS.

We utilize the AGPL-3.0 The AGPL-3.0-or-later license is approved by the Open Source Initiative (OSI).

Criterion [license_location]
Umetimizwa

Haujatimizwa

?

Mradi LAZIMA uweke leseni za matokeo yake mahali pa kawaida katika hazina yake ya chanzo. (URL inahitajika) ^{[license_location]}
Desturi moja ni kuweka leseni kama faili ya ngazi ya juu inayoitwa LICENSE au COPYING, ambayo YAWEZA kufuatiwa na kiendelezi kama ".txt" au ".md". Desturi mbadala ni kuwa na saraka inayoitwa LICENSES inayohifadhi faili za leseni; faili hizi kwa kawaida zinaitwa kama kitambulisho chao cha leseni ya SPDX kikifuatiwa na kiendelezi kinachofaa, kama ilivyoelezwa katika Maelezo ya REUSE. Kumbuka kwamba kigezo hiki ni mahitaji tu kwenye hazina ya chanzo. Huhitaji kuingiza faili ya leseni wakati wa kuzalisha kitu kutoka kwenye msimbo wa chanzo (kama programu inayotekelezeka, kifurushi, au chombo). Kwa mfano, wakati wa kuzalisha kifurushi cha R kwa Mtandao wa Kumbukumbu Kamili wa R (CRAN), fuata mazoea ya kawaida ya CRAN: ikiwa leseni ni leseni ya kawaida, tumia maelezo mafupi ya kawaida ya leseni (ili kuepuka kusakinisha nakala nyingine ya maandishi) na orodhesha faili ya LICENSE katika faili ya kutengwa kama .Rbuildignore. Vivyo hivyo, wakati wa kuunda kifurushi cha Debian, unaweza kuweka kiungo katika faili ya hakimiliki kwa maandishi ya leseni katika /usr/share/common-licenses, na utenge faili ya leseni kutoka kwenye kifurushi kilichoundwa (k.m., kwa kufuta faili baada ya kuita dh_auto_install). Tunashauri jumuisha maelezo ya leseni yanayoweza kusomwa na mashine katika miundo iliyozalishwa mahali inapofaa.

Non-trivial license location file in repository: https://github.com/macawi-ai/Strigoi/blob/main/LICENSE.
Nyaraka

Criterion [documentation_basics]
Umetimizwa

Haujatimizwa

Haihusiani

?

Mradi LAZIMA utoe nyaraka za msingi za programu iliyozalishwa na mradi. ^{[documentation_basics]}
Nyaraka hizi lazima ziwe katika vyombo fulani (kama maandishi au video) vinavyojumuisha: jinsi ya kuisakinisha, jinsi ya kuianzisha, jinsi ya kuitumia (huenda ikijumuisha mafunzo kwa kutumia mifano), na jinsi ya kuitumia kwa usalama (k.m., nini cha kufanya na nini cha kutofanya) ikiwa hiyo ni mada inayofaa kwa programu. Nyaraka za usalama lazima zisiwe ndefu. Mradi YAWEZA kutumia viungo vya hypertext kwa nyenzo zisizo za mradi kama nyaraka. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A).

Some documentation basics file contents found.
Criterion [documentation_interface]
Umetimizwa

Haujatimizwa

Haihusiani

?

Mradi LAZIMA utoe nyaraka za marejeleo zinazofafanua kiolesura cha nje (ingizo na matokeo) cha programu iliyozalishwa na mradi. ^{[documentation_interface]}
Nyaraka za kiolesura cha nje zinaeleza kwa mtumiaji wa mwisho au msanidi jinsi ya kuitumia. Hii itajumuisha kiolesura chake cha programu ya programu (API) ikiwa programu ina. Ikiwa ni maktaba, andika madarasa/aina kuu na mbinu/vitendakazi vinavyoweza kuitwa. Ikiwa ni programu ya wavuti, fafanua kiolesura chake cha URL (mara nyingi kiolesura chake cha REST). Ikiwa ni kiolesura cha mstari wa amri, andika vigezo na chaguo zinazosaidia. Katika hali nyingi ni bora ikiwa nyingi ya nyaraka hizi zinazalishwa kiotomatiki, ili nyaraka hizi zibaki zikisawazishwa na programu inavyobadilika, lakini hii haihitajiki. Mradi YAWEZA kutumia viungo vya hypertext kwa nyenzo zisizo za mradi kama nyaraka. Nyaraka ZIWEZA kuzalishwa kiotomatiki (ambapo ni vitendo hii mara nyingi ndiyo njia bora ya kufanya hivyo). Nyaraka za kiolesura cha REST zinaweza kuzalishwa kwa kutumia Swagger/OpenAPI. Nyaraka za kiolesura cha msimbo ZINAWEZA kuzalishwa kwa kutumia zana kama vile JSDoc (JavaScript), ESDoc (JavaScript), pydoc (Python), devtools (R), pkgdown (R), na Doxygen (nyingi). Kuwa na maoni tu katika msimbo wa utekelezaji haitoshi kutosheleza kigezo hiki; kunahitaji kuwa na njia rahisi ya kuona habari bila kusoma kupitia msimbo wote wa chanzo. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A).
┌────────────┬───────────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────┐
│ Interface │ Documentation │ URL │
├────────────┼───────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ CLI │ USER_GUIDE.md with full command reference │ https://github.com/macawi-ai/strigoi/blob/main/USER_GUIDE.md │
├────────────┼───────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ CLI │ Built-in --help flags │ strigoi --help, strigoi <cmd> --help │
├────────────┼───────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ REST API │ FLEET_MANAGER_API_SPEC.md │ https://github.com/macawi-ai/strigoi/blob/main/docs/FLEET_MANAGER_API_SPEC.md │
├────────────┼───────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ Go Package │ pkg.go.dev (auto-generated) │ https://pkg.go.dev/github.com/macawi-ai/strigoi │
└────────────┴───────────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────┘

Justification for OpenSSF:

The project provides comprehensive interface documentation:
1. CLI Interface: USER_GUIDE.md documents all commands, subcommands, flags, and usage examples. Built-in --help provides real-time command reference.
2. REST API: docs/FLEET_MANAGER_API_SPEC.md documents all API endpoints with request/response examples in JSON format.
3. Go Package API: Automatically generated documentation available at pkg.go.dev/github.com/macawi-ai/strigoi
URLs:
- https://github.com/macawi-ai/strigoi/blob/main/USER_GUIDE.md
- https://github.com/macawi-ai/strigoi/blob/main/docs/FLEET_MANAGER_API_SPEC.md
Mengine

Criterion [sites_https]
Umetimizwa

Haujatimizwa

?

Tovuti za mradi (tovuti, hifadhi, na URL za kupakua) LAZIMA zisaidie HTTPS kwa kutumia TLS. ^{[sites_https]}
Hii inahitaji kwamba URL ya ukurasa wa nyumbani wa mradi na URL ya hifadhi ya udhibiti wa toleo vianze na "https:", si "http:". Unaweza kupata vyeti vya bure kutoka Let's Encrypt. Miradi YAWEZA kutekeleza kigezo hiki kwa kutumia (kwa mfano) GitHub pages, GitLab pages, au SourceForge project pages. Ikiwa unasaidia HTTP, tunakuhimiza uelekeze trafiki ya HTTP kwenda HTTPS.

Given only https: URLs.

Criterion [discussion]
Umetimizwa

Haujatimizwa

?

Mradi LAZIMA uwe na taratibu moja au zaidi za majadiliano (ikiwa ni pamoja na mabadiliko yaliyopendekezwa na masuala) yenye utafutaji, inaruhusu ujumbe na mada kuelekezwa kwa URL, inaruhusu watu wapya kushiriki katika baadhi ya majadiliano, na haihitaji usakinishaji wa upande wa mteja wa programu ya kibinafsi. ^[discussion]
Mifano ya taratibu zinazokubalika ni pamoja na orodha za barua pepe zilizohifadhiwa, majadiliano ya suala la GitHub na ombi la kuvuta, Bugzilla, Mantis, na Trac. Taratibu za majadiliano yasiyo ya wakati mmoja (kama IRC) zinakubaliwa ikiwa zinakidhi vigezo hivi; hakikisha kuna utaratibu wa kuhifadhi unaoelekezwa kwa URL. JavaScript ya kibinafsi, ingawa haikubalika, inaruhusiwa.

GitHub supports discussions on issues and pull requests.

Criterion [english]
Umetimizwa

Haujatimizwa

?

Mradi UNAPASWA kutoa nyaraka kwa Kiingereza na uweze kukubali ripoti za hitilafu na maoni kuhusu msimbo kwa Kiingereza. ^[english]
Kiingereza kwa sasa ni lingua franca ya teknolojia ya kompyuta; kusaidia Kiingereza huongeza idadi ya wasanidi na wakaguzi tofauti wa uwezekano duniani kote. Mradi unaweza kukidhi kigezo hiki hata ikiwa lugha ya msingi ya wasanidi wake wakuu si Kiingereza.

Criterion [maintained]
Umetimizwa

Haujatimizwa

?

Mradi LAZIMA utunzwe. ^[maintained]
Kama kiwango cha chini, mradi unapaswa kujaribu kujibu ripoti za tatizo muhimu na udhaifu. Mradi unaofuata kwa bidii nishani pengine unatengenezwa. Miradi yote na watu wana rasilimali zilizowekewa mipaka, na miradi ya kawaida lazima ikatae baadhi ya mabadiliko yaliyopendekezwa, hivyo rasilimali zilizowekewa mipaka na kukataa mapendekezo sio ishara ya mradi usiotekelezwa.

Mradi unapojua kwamba hautatengenezwa tena, unapaswa kuweka kigezo hiki kama "Haikidhi" na utumie utaratibu sahihi ili kuwaonyesha wengine kwamba hautengenezwi. Kwa mfano, tumia "DEPRECATED" kama kichwa cha kwanza cha README yake, ongeza "DEPRECATED" karibu na mwanzo wa ukurasa wake wa nyumbani, ongeza "DEPRECATED" mwanzoni mwa maelezo ya mradi wa hifadhi ya msimbo, ongeza nishani isiyolindwa katika README yake na/au ukurasa wa nyumbani, iweke kama iliyolemewa katika hifadhi yoyote ya kifurushi (k.m., npm deprecate), na/au utumie mfumo wa alama wa hifadhi ya msimbo ili kuihifadhi (k.m., mpangilio wa "archive" wa GitHub, alama ya "archived" ya GitLab, hali ya "readonly" ya Gerrit, au hali ya mradi wa "abandoned" wa SourceForge). Majadiliano ya ziada yanaweza kupatikana hapa.

Regular maintenance evidenced on github

Usalama 16/16 ●

Maarifa ya maendeleo yenye usalama
Criterion [know_secure_design]
Umetimizwa

Haujatimizwa

?
Mradi LAZIMA uwe na angalau msanidi mmoja mkuu anayejua jinsi ya kuunda programu salama. (Angalia 'maelezo' kwa mahitaji halisi.) ^{[know_secure_design]}
Hii inahitaji kuelewa kanuni zifuatazo za muundo, ikiwa ni pamoja na kanuni 8 kutoka Saltzer na Schroeder:
- uchumi wa utaratibu (weka muundo kuwa rahisi na mdogo iwezekanavyo, k.m., kwa kupitisha urahisishaji wa kufunga)
- mipangilio ya kuzuia makosa (maamuzi ya kuingia yanapaswa kukataa kwa chaguo-msingi, na usakinishaji wa miradi unapaswa kuwa salama kwa chaguo-msingi)
- kikuu cha kati kikamilifu (kuingia kote kunaweza kuwekwa kikomo lazima kufanyiwa ukaguzi wa mamlaka na kutowezesha kuvukwa)
- muundo wazi (taratibu za usalama hazipaswi kutegemea ujinga wa mshambuliaji wa muundo wake, lakini badala yake kwenye habari iliyolindwa na kubadilishwa kwa urahisi kama funguo na nywila)
- kutenganisha kwa upendeleo (kwa kawaida, ufikiaji kwa vitu muhimu unapaswa kutegemea zaidi ya sharti moja, ili kushinda mfumo mmoja wa ulinzi hautawasha ufikiaji kamili. K.m., uthibitishaji wa vipengele vingi, kama vile kuhitaji nywila na ishara za vifaa, ni imara zaidi kuliko uthibitishaji wa kipengele kimoja)
- upendeleo mdogo zaidi (michakato inapaswa kufanya kazi na upendeleo mdogo zaidi unaohitajika)
- utaratibu wa kawaida mdogo zaidi (muundo unapaswa kupunguza utaratibu wa kawaida kwa zaidi ya mtumiaji mmoja na kutegemewa na watumiaji wote, k.m., saraka za mafaili ya muda)
- kukubalika kwa kisaikolojia (kiolesura cha binadamu lazima kiwe kimeundwa kwa urahisi wa matumizi - kuunda kwa "mshangao mdogo" kunaweza kusaidia)
- uso wa shambulio uliowekewa mipaka (uso wa shambulio - seti ya sehemu tofauti ambapo mshambuliaji anaweza kujaribu kuingia au kutoa data - unapaswa kuwekwa mipaka)
- uthibitishaji wa ingizo na orodha zinazokubalika (pembejeo kawaida zinapaswa kuangaliwa ili kuamua kama ni halali kabla ya kukubalika; uthibitishaji huu unapaswa kutumia orodha zinazokubalika (zinazokubali tu thamani zinazojulikana-nzuri), siyo orodha zinazokana (zinaozojaribu kuorodhesha thamani zinazojulikana-mbaya)).
"Msanidi mkuu" katika mradi ni mtu yeyote ambaye anajua msingi wa msimbo wa mradi, ana faraja kufanya mabadiliko kwake, na anatambuliwa hivyo na washiriki wengine wengi katika mradi. Msanidi mkuu kawaida atafanya michango mingi kwa mwaka uliopita (kupitia msimbo, nyaraka, au kujibu maswali). Wasanidi kawaida wangeweza kuchukuliwa wasanidi wakuu ikiwa walianzisha mradi (na hawajatoka kwenye mradi zaidi ya miaka mitatu iliyopita), wana chaguo la kupokea habari kwenye kituo cha kuripoti udhaifu wa kibinafsi (ikiwa kuna), wanaweza kukubali ahadi kwa niaba ya mradi, au kufanya matoleo ya mwisho ya programu ya mradi. Ikiwa kuna msanidi mmoja tu, mtu huyo ndiye msanidi mkuu. Vitabu vingi na kozi zinapatikana kukusaidia kuelewa jinsi ya kuunda programu salama zaidi na kujadili muundo. Kwa mfano, kozi ya Misingi ya Maendeleo ya Programu Salama ni seti huru ya kozi tatu zinazoeleza jinsi ya kuunda programu salama zaidi (ni bure ukiifanyia ukaguzi; kwa ada ya ziada unaweza kupata cheti kuthibitisha ulijifunza nyenzo).
Primary developer Jamie Saker is a senior cybersecurity executive with 30+ years technical hands-on experience with secure networking, infrastructure and code.
Criterion [know_common_errors]
Umetimizwa

Haujatimizwa

?

Angalau mmoja wa wasanidi wakuu wa mradi LAZIMA wajue aina za kawaida za makosa ambayo husababisha udhaifu katika aina hii ya programu, pamoja na angalau mbinu moja ya kukabiliana au kupunguza kila moja. ^{[know_common_errors]}
Mifano (kulingana na aina ya programu) ni pamoja na uvamizi wa SQL, uvamizi wa OS, mtiririko wa kipengele cha kawaida, uandishi wa tovuti-tofauti, uthibitishaji unaokosekana, na uidhinishaji unaokosekana. Angalia CWE/SANS top 25 au OWASP Top 10 kwa orodha zinazotumika kawaida. Vitabu vingi na kozi zinapatikana kukusaidia kuelewa jinsi ya kuunda programu salama zaidi na kujadili makosa ya kawaida ya utekelezaji ambayo husababisha udhaifu. Kwa mfano, kozi ya Misingi ya Maendeleo ya Programu Salama ni seti huru ya kozi tatu zinazoeleza jinsi ya kuunda programu salama zaidi (ni bure ukiifanyia ukaguzi; kwa ada ya ziada unaweza kupata cheti kuthibitisha ulijifunza nyenzo).

Tumia mazoea mazuri ya msingi ya usimbuaji

Kumbuka kwamba programu fulani haihitaji kutumia taratibu za usimbuaji. Ikiwa mradi wako unazalisha programu ambayo (1) inajumuisha, inaamilisha, au inafanya usimbuaji kuwa hai, na (2) inaweza kutolewa kutoka Marekani (US) kwenda nje ya Marekani au kwa raia asiye wa Marekani, inaweza kuwa ni lazima kisheria kuchukua hatua chache za ziada. Kawaida hii inahusisha tu kutuma barua pepe. Kwa maelezo zaidi, tazama sehemu ya usimbuaji ya Kuelewa Teknolojia ya Chanzo Wazi & Udhibiti wa Usafirishaji wa Marekani.

Umetimizwa

Haujatimizwa

Haihusiani

Programu iliyotengenezwa na mradi LAZIMA itumie, kwa chaguo-msingi, tu itifaki za kriptografia na mifumbo ambazo zimechapishwa hadharani na kukaguliwa na wataalam (ikiwa itifaki za kriptografia na mafumbo imetumika). ^{[crypto_published]}

Vigezo hivi vya kriptografia mara mingi havitumiki kwa sababu programu zingine hazina haja ya kutumia moja kwa moja uwezo wa kriptografia.

All cryptographic implementations use publicly published, expert-reviewed algorithms:

Key Derivation: Argon2id (RFC 9106, winner of Password Hashing Competition 2015)

Parameters: 64MB memory, 4 threads, 32-byte key output

Encryption: AES-256-GCM (NIST FIPS 197 + SP 800-38D)

Authenticated encryption with 12-byte nonce
Go's standard library crypto/aes and crypto/cipher

Random Generation: Go crypto/rand (cryptographically secure)

Timing-Safe Comparison: crypto/subtle.ConstantTimeCompare

TLS: Standard Go crypto/tls (optional, configurable)

No custom or proprietary cryptographic algorithms. See implementations:

pkg/strigoictl/crypto/keystore.go - API key encryption
pkg/session/crypto.go - Session encryption

Umetimizwa

Haujatimizwa

Haihusiani

Ikiwa programu iliyotengenezwa na mradi ni programu au maktaba, na kusudi lake la msingi sio kutekeleza usimbuaji, basi INAPASWA tu kuita programu iliyoundwa kihususa kutekeleza kazi za kielelezo; HAIPASWI kutekeleza-upya shughuli hiyo. ^{[crypto_call]}

Software does not implement any cryptography of its own and relies on well supported public libraries for the functionality.

Umetimizwa

Haujatimizwa

Haihusiani

Utendaji wote katika programu iliyotengenezwa na mradi ambayo inategemea usimbuaji LAZIMA iweze kutekelezwa kwa kutumia FLOSS. ^{[crypto_floss]}

Tazama Mahitaji ya Viwango wazi ya Programu kupitia Open Source Initiative.

Umetimizwa

Haujatimizwa

Haihusiani

Mifumo ya usalama ndani ya programu inayozalishwa na mradi LAZIMA itumie kwa msingi keylengths ambazo angalau zinakidhi mahitaji ya chini ya NIST kufikia mwaka wa 2030 (kama ilivyoelezwa mnamo 2012). LAZIMA iwe rahisi kusanidi programu ili keylengths ndogo zimezimwa kabisa. ^{[crypto_keylength]}

Vipimo hivi vya urefu wa charaza ni: symmetric key 112, factoring modulus 2048, discrete logarithm key 224, discrete logarithmic group 2048, elliptic curve 224, na hash 224 (ufichuzi wa nywila haujashughulikiwa kwenye urefu wa charaza hii, maelezo zaidi ya ufichuzi wa nywila yanapatikana ndani ya kigezo cha crypto_password_storage). Ona https://www.keylength.com kwa mliganisho wa mapendekezo ya funguo-refu kutoka mashirika mbali mbali. Programu YAWEZA kubali funguo-refu ndogo katika usanidi (haifai kukubali, maana hii huwacha mashambulizi ya kushusha, lakini funguo-refu fupi wakati mwingine ina manufaa ya upatanifu).

All cryptographic key lengths exceed NIST 2030 minimums:

Algorithm	Our Implementation	NIST 2030 Minimum	Status
Symmetric (AES)	256-bit	112-bit	✅ 2.3x minimum
Key Derivation (Argon2id)	256-bit output	N/A (password hashing)	✅
GCM Nonce	96-bit	Standard	✅
Salt	128-256 bit	N/A	✅

Hardcoded, not configurable to weaker values:
// pkg/strigoictl/crypto/keystore.go
argon2KeyLen = 32 // AES-256 (256 bits) - hardcoded constant

// pkg/session/crypto.go
KeyLen: 32 // AES-256 - in DefaultCryptoConfig()

No downgrade path: Key lengths are defined as constants, not user-configurable. There is no option to use AES-128 or smaller keys. The only configurable parameters
are Argon2 work factors (time/memory/threads), which affect security strength, not key length.

See: pkg/strigoictl/crypto/keystore.go:40-41, pkg/session/crypto.go:24

Umetimizwa

Haujatimizwa

Haihusiani

Mifumo ya usalama ya chaguo-msingi ndani ya programu inayozalishwa na mradi LAZIMA ISITEGEMEE algoriti zilizovunjika za kriptologia (k.m., MD4, MD5, DES moja, RC4, Dual_EC_DRBG), au kutumia hali za cipher ambazo si sahihi kwa muktadha, isipokuwa ni muhimu kutekeleza itifaki inayoweza kushirikiana (ambapo itifaki iliyotekelezwa ni toleo la hivi karibuni zaidi la kiwango hicho kinachotegemeana sana na mfumo wa mtandao, mfumo huo unahitaji matumizi ya algoriti au hali hiyo, na mfumo huo haupatii chaguo lolote salama zaidi). Nyaraka LAZIMA zieleze hatari zozote za usalama husika na upungufu wowote unaojulikana ikiwa algoriti hizi zilizovunjika au hali ni muhimu kwa itifaki inayoweza kushirikiana. ^{[crypto_working]}

Hali ya ECB ni karibu kamwe haifai kwa sababu inaonyesha block zinazofanana ndani ya ciphertext kama ilivyoonyeshwa na penguin wa ECB, na hali ya CTR mara nyingi si sahihi kwa sababu haifanyi uthibitishaji na husababisha nakala ikiwa hali ya ingizo inarudiwa. Katika hali nyingi ni bora kuchagua hali ya algoriti ya block cipher iliyoundwa kuchanganya siri na uthibitishaji, k.m., Galois/Counter Mode (GCM) na EAX. Miradi YAWEZA kuwaruhusu watumiaji kuwasha taratibu zilizovunjika (k.m., wakati wa usanidi) ambapo ni muhimu kwa upatanifu, lakini hapo watumiaji wanajua wanafanya hivyo.

No broken algorithms used:

❌ MD4, MD5, DES, RC4, Dual_EC_DRBG - None used
❌ ECB mode - Not used
❌ Unauthenticated CTR mode - Not used

Only secure algorithms/modes:

✅ AES-256-GCM (authenticated encryption, as recommended)
✅ Argon2id (modern password hashing)
✅ crypto/rand (secure PRNG)

Cipher mode verification:
$ grep -E "NewGCM|NewCBC|NewECB|NewCTR" pkg/ cmd/ --include="*.go"

Only NewGCM found (4 occurrences in crypto.go and keystore.go)

Note on MD5 reference: One struct field (Checksums map[string]string // md5, sha256) exists in protocol/layers.go for optional integrity metadata from external
sources - this is not a security mechanism, just a data container. No MD5 hashing is performed by the project.

All encryption uses GCM mode which combines secrecy and authentication as recommended.

Umetimizwa

Haujatimizwa

Haihusiani

Mifumo ya usalama ya chaguo-msingi ndani ya programu inayozalishwa na mradi INAPASWA ISITEGEMEE algoriti za kriptologia au hali zenye udhaifu mkubwa unaojulikana (k.m., algoriti ya hash ya kriptologia ya SHA-1 au hali ya CBC katika SSH). ^{[crypto_weaknesses]}

Wasiwasi kuhusu hali ya CBC katika SSH unajadiliwa katika CERT: SSH CBC vulnerability.

No weak algorithms or modes used:

❌ SHA-1 - Not used anywhere
❌ CBC mode - Not used (only GCM)
❌ MD5 for security - Not used

Only strong algorithms:

✅ SHA-256 for hashing (HMAC-SHA256, integrity checks)
✅ AES-256-GCM for encryption
✅ Argon2id for password hashing

Verification:
$ grep -riE "sha1|SHA1|NewCBC" pkg/ cmd/ internal/ --include="*.go"

No results

$ grep -r "sha256" pkg/ --include="*.go" | wc -l

14 occurrences - all SHA-256

All cryptographic operations use modern, well-reviewed algorithms without known serious weaknesses.

Umetimizwa

Haujatimizwa

Haihusiani

Mifumo ya usalama ndani ya programu iliyotengenezwa na mradi INAPASWA kutekeleza kwa ukamilifu usiri wa umbele ya itifaki za makubaliano ya funguo ili funguo la kipindi kilicho tokana na kikao cha vifungo muda-mrefu haziwezi kuridhi mabaya ikiwa mojawapo ya vifunguo vya muda-mrefu imeridhi mabaya katika usoni. ^[crypto_pfs]

TLS Communications: The project uses Go's standard crypto/tls library with default configuration. Go 1.17+ (project requires Go 1.25+) defaults to:

TLS 1.2 and TLS 1.3 with ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) cipher suites
All default cipher suites provide PFS via ephemeral key exchange
No custom CipherSuites configured that would disable PFS

Verification:
$ grep -r "CipherSuites" pkg/ cmd/ --include="*.go"

No custom cipher suite configuration found

Go's default TLS cipher suites (as of Go 1.25):

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ✅ PFS
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ✅ PFS
TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3) ✅ PFS

Local encryption: Uses Argon2id key derivation (not a key exchange protocol, so PFS not applicable). Each encryption operation uses unique salt/nonce preventing key
reuse.

See: pkg/a2a/protocol.go, pkg/a2a/bridge.go

Umetimizwa

Haujatimizwa

Haihusiani

Ikiwa programu iliyotengenezwa na mradi imesababisha uhifadhi wa nywila kwa minajili ya uthibitishaji ya watumiaji wa kutoka nje, nywila LAZIMA zihifadhiwe kwa mficho uliorudiarudia na chumvi kwa kila-mtumiaji kwa kutumia kanuni ya upanuaji (rudiarudia) wa funguo (k.m., Argon2id, Bcrypt, Scrypt, or PBKDF2). Ona pia Kurasadogo ya Uhifadhi wa Nywila la OWASP). ^{[crypto_password_storage]}

Kigezo hili linatumika tu wakati programu linatekeleza uthibitishaji wa watumiaji kutumia nywila kwa watumiaji wa nje (ambayo pia ni uthibitishaji unaelekezwa ndani), kama vile programu za tovuti zinazobakia seva). Haitumiki katika visa ambavyo programu inahifadhi nywila ili kudhibitisha ndani ya mifumo mingine (ambayo pia ni ithibitishaji unaelekezwa nje, k.m., programu inatekeleza teja la mfumo lingineyo), maana angalau sehemu za programu lazima ziwe na njia ya kupata hiyo nywila isigalifichwa.

Strigoi does not store passwords for external user authentication. The project is a security assessment CLI tool, not a multi-user web application.

Authentication model:

Agent authentication: Uses PSK (pre-shared key) and HMAC-SHA256 signatures, not passwords
API key storage: Uses Argon2id encryption for outbound authentication (storing keys to connect TO external services like OpenAI, Gemini) - this is explicitly
excluded by the criterion
Session encryption: Passphrase-derived keys using Argon2id for local file encryption

No inbound user authentication:

No user registration/login system
No user database
No password hashing for user accounts

If password storage were added in the future: The existing Argon2id infrastructure (pkg/strigoictl/crypto/keystore.go, pkg/session/crypto.go) would be used, which
already implements iterated hashing with per-user salt as required by OWASP guidelines.

Umetimizwa

Haujatimizwa

Haihusiani

Mifumo ya usalama ndani ya programu iliyotengenezwa na mradi LAZIMA itoe funguo zote za kriptologia na nonces kwa kutumia kitengeneza cha nambari za bahati kuptia kriptologia salama, na ISIWEZE kufanya hivo kutumia vitengenezi zisizo salama kikriptologia. ^{[crypto_random]}

Kitengeneza cha nambari za bahati nasibu za kriptologia salama kinaweza kuwa kitengeneza cha nambari za bahati nasibu za vifaa, au kinaweza kuwa kitengeneza cha nambari za bahati nasibu za kriptologia salama (CSPRNG) kwa kutumia algoriti kama vile Hash_DRBG, HMAC_DRBG, CTR_DRBG, Yarrow, au Fortuna. Mifano ya simu kwa vitengeneza cha nambari za bahati nasibu salama ni pamoja na java.security.SecureRandom ya Java na window.crypto.getRandomValues ya JavaScript. Mifano ya simu kwa vitengeneza cha nambari za bahati nasibu zisizo salama ni pamoja na java.util.Random ya Java na Math.random ya JavaScript.

All cryptographic key and nonce generation uses Go's crypto/rand (CSPRNG):

Security-critical code uses crypto/rand exclusively:
// pkg/strigoictl/crypto/keystore.go
import "crypto/rand"
rand.Read(salt) // Salt generation
rand.Read(nonce) // Nonce generation

// pkg/session/crypto.go
io.ReadFull(rand.Reader, salt)
io.ReadFull(rand.Reader, nonce)

// pkg/a2a/auth.go
ed25519.GenerateKey(rand.Reader) // Key pair generation
rand.Read(psk) // PSK generation

// pkg/security/auth.go
rand.Read(pskBytes) // Authentication key generation

math/rand usage is non-security only:

pkg/logging/txcontext.go - Transaction IDs for log tracing
cmd/traffic-simulator/ - Test traffic generation
cmd/test.go - Test files

Go's crypto/rand uses the operating system's CSPRNG (getrandom() on Linux, CryptGenRandom on Windows) which meets NIST SP 800-90A requirements.

Utoaji salama dhidi ya mashambulizi ya mtu-katikati (MITM)
Criterion [delivery_mitm]
Umetimizwa

Haujatimizwa

?

Mradi LAZIMA utumie utaratibu wa utoaji ambao unakabiliana na mashambulizi ya MITM. Kutumia https au ssh+scp ni inakubaliwa. ^{[delivery_mitm]}
Utaratibu wenye nguvu zaidi ni kutoa programu na vifurushi vilivyosainiwa kidigitali, kwa kuwa hiyo inapunguza mashambulizi kwenye mfumo wa usambazaji, lakini hii inafanya kazi tu ikiwa watumiaji wanaweza kuwa na uhakika kwamba funguo za umma kwa saini ni sahihi na ikiwa watumiaji watakagua saini kweli kweli.
Primary delivery via HTTPS:
- GitHub Releases: https://github.com/macawi-ai/strigoi/releases (TLS 1.3)
- Source clone: git clone https://github.com/macawi-ai/strigoi.git
- Container images: ghcr.io/macawi-ai/ (HTTPS registry)
Integrity verification provided:
- SHA256 checksums published with each release (checksums.txt)
- Git commit signatures available
- Container image digests via GHCR
The irony:
Strigoi is literally a security assessment platform that detects MITM attacks, credential exposure, and TLS misconfigurations in AI/LLM systems. The tool includes:
- TLS verification scanning (pkg/security/mcp_scanner.go)
- Credential leak detection (17+ patterns)
- Stream Tap for real-time STDIO security monitoring
We practice what we preach. Be curious if anyone reads this deep - if so, reach out to jamie.saker@macawi.ai and I'll even offer a free tool walkthru if interested :)
Criterion [delivery_unsigned]
Umetimizwa

Haujatimizwa

?

Hash ya kriptologia (k.m., sha1sum) LAZIMA ISICHUKULIWE kupitia http na kutumika bila kuangalia saini ya kriptologia. ^{[delivery_unsigned]}
Hash hizi zinaweza kurekebishwa wakati wa usafiri.
All checksums delivered via HTTPS:
- checksums.txt is published on GitHub Releases at https://github.com/macawi-ai/strigoi/releases
- GitHub enforces TLS 1.2+ for all connections
- No HTTP endpoints exist for checksum retrieval
Verification instructions in README use HTTPS:
wget https://github.com/macawi-ai/strigoi/releases/download/v1.0.0/checksums.txt
sha256sum -c checksums.txt

Additional integrity mechanisms:
- Git tags are used for releases (cryptographically linked to commit history)
- Container images use content-addressable digests via GHCR
- GitHub's infrastructure provides additional transport security guarantees
No retrieval of cryptographic hashes over unencrypted HTTP.
Udhaifu uliofahamika hadharani umeshughulikiwa

Criterion [vulnerabilities_fixed_60_days]
Umetimizwa

Haujatimizwa

?

LAZIMA kuwe hakuna udhaifu usiorekebishwa wa kiwango cha kati au juu zaidi ambao umejulikana hadharani kwa zaidi ya siku 60. ^{[vulnerabilities_fixed_60_days]}
Udhaifu lazima urekebishwe na kutolewa na mradi wenyewe (rekebisho zinaweza kutengenezwa mahali pengine). Udhaifu unakuwa unajulikana hadharani (kwa kusudi hili) mara tu unapata CVE yenye taarifa zilizotolewa hadharani zisizolipwa (zilizoripotiwa, kwa mfano, katika Hifadhidata ya Taifa ya Udhaifu) au wakati mradi umefahamishwa na taarifa imetolewa kwa umma (labda na mradi). Udhaifu unazingatiwa kuwa wa kiwango cha kati au juu ikiwa alama yake ya Common Vulnerability Scoring System (CVSS) ya msingi ya ubora ni kati au juu. Katika matoleo ya CVSS 2.0 hadi 3.1, hii ni sawa na alama ya CVSS ya 4.0 au zaidi. Miradi inaweza kutumia alama ya CVSS kama ilivyochapishwa katika hifadhidata ya udhaifu inayotumika sana (kama vile Hifadhidata ya Taifa ya Udhaifu) kwa kutumia toleo la hivi karibuni la CVSS lililoripotiwa katika hifadhidata hiyo. Miradi badala yake inaweza kuhesabu ukali wao wenyewe kwa kutumia toleo la hivi karibuni la CVSS wakati wa ufunuzi wa udhaifu, ikiwa ingizo la hesabu linatangazwa hadharani mara tu udhaifu unajulikana hadharani. Kumbuka: hii inamaanisha kwamba watumiaji wanaweza kuachwa katika hatari kwa washambuliaji wote duniani kwa siku hadi 60. Kigezo hiki ni rahisi zaidi kukidhi kuliko yale Google inapendekeza katika Rebooting responsible disclosure, kwa sababu Google inapendekeza kwamba kipindi cha siku 60 kianze wakati mradi unafahamishwa hata ikiwa ripoti si ya umma. Pia kumbuka kwamba kigezo hiki cha nishani, kama vigezo vingine, kinatumika kwa mradi wa mtu binafsi. Baadhi ya miradi ni sehemu ya mashirika makubwa ya mwavuli au miradi mikubwa, labda katika safu nyingi, na miradi mingi inatoa matokeo yao kwa mashirika mengine na miradi kama sehemu ya mnyororo wa usambazaji wenye utata. Mradi wa mtu binafsi mara nyingi hauwezi kudhibiti wengine, lakini mradi wa mtu binafsi unaweza kufanya kazi kutoa rekebisho ya udhaifu kwa wakati. Kwa hiyo, tunazingatia tu muda wa jibu wa mradi wa mtu binafsi. Mara tu rekebisho inapatikana kutoka kwa mradi wa mtu binafsi, wengine wanaweza kuamua jinsi ya kushughulikia rekebisho (k.m., wanaweza kusasisha kwenye toleo jipya au wanaweza kutumia rekebisho tu kama suluhisho lililochaguliwa-cherry).

Criterion [vulnerabilities_critical_fixed]
Umetimizwa

Haujatimizwa

?

Miradi INAPASWA kurekebisha udhaifu wote muhimu haraka baada ya kuripotiwa. ^{[vulnerabilities_critical_fixed]}
Masuala mengine ya usalama
Criterion [no_leaked_credentials]
Umetimizwa

Haujatimizwa

?

Hazina za umma LAZIMA ZISIVUJE uthibitisho halali wa faragha (k.m., nywila inayofanya kazi au funguo ya faragha) ambayo imekusudiwa kupunguza upatikanaji wa umma. ^{[no_leaked_credentials]}
Mradi UNAWEZA kuvuja uthibitisho wa "sampuli" kwa majaribio na hifadhidata zisizo muhimu, mradi tu hazikusudiwa kupunguza upatikanaji wa umma.
No valid private credentials in repository:

Scanned and verified clean:
- No AWS keys (AKIA...), GitHub tokens (ghp_), OpenAI keys (sk-...)
- No private keys (RSA, EC, SSH, OPENSSH)
- No hardcoded passwords for production systems
What exists (all safe):
- Detection patterns in modules/probe/ - regex patterns for finding credentials (the scanner's job)
- Key generation scripts - openssl rand -hex 16 generates new random keys at deploy time
- Local dev paths - .env contains only DATABASE_URL=./sqlite.db
Intentional test fixtures (permitted):
- examples/insecure-mcps/ contains intentionally vulnerable MCPs for testing
- Clearly documented as test targets, not production credentials
- Criterion explicitly allows "sample credentials for testing"
Preventive measures:
- .gitignore excludes: .env, .env.local, nkeys/*.txt
- Keystore encrypts API keys with Argon2id before storage
- gosec linter enabled to detect credential patterns

Uchanganuzi 8/8 ●

Uchambuzi tuli wa msimbo

Umetimizwa

Haujatimizwa

Haihusiani

Angalau zana moja ya uchambuzi wa msimbo tuli (zaidi ya maonyo ya mkusanyaji na hali za lugha "salama") LAZIMA itumike kwa toleo lolote lililopendekezwa kubwa la uzalishaji wa programu kabla ya toleo lake, ikiwa kuna angalau zana moja ya FLOSS inayotekeleza kigezo hiki katika lugha iliyochaguliwa. ^{[static_analysis]}

Zana ya uchambuzi wa msimbo tuli inachunguza msimbo wa programu (kama msimbo wa chanzo, msimbo wa kati, au utekelezaji) bila kuutekeleza na ingizo maalum. Kwa madhumuni ya kigezo hiki, maonyo ya mkusanyaji na hali za lugha "salama" hazihesabiwi kama zana za uchambuzi wa msimbo tuli (hizi kwa kawaida huepuka uchambuzi wa kina kwa sababu kasi ni muhimu). Baadhi ya zana za uchambuzi wa msimbo tuli zinazingatia kugundua hitilafu za jumla, nyingine zinazingatia kupata aina fulani za hitilafu (kama vile udhaifu), na baadhi hufanya mchanganyiko. Mifano ya zana hizo za uchambuzi wa msimbo tuli ni pamoja na cppcheck (C, C++), clang static analyzer (C, C++), SpotBugs (Java), FindBugs (Java) (ikiwa ni pamoja na FindSecurityBugs), PMD (Java), Brakeman (Ruby on Rails), lintr (R), goodpractice (R), Coverity Quality Analyzer, SonarQube, Codacy, na HP Enterprise Fortify Static Code Analyzer. Orodha kubwa za zana zinaweza kupatikana katika maeneo kama vile orodha ya Wikipedia ya zana za uchambuzi wa msimbo tuli, taarifa za OWASP kuhusu uchambuzi wa msimbo tuli, orodha ya NIST ya vichambua usalama wa msimbo wa chanzo, na orodha ya Wheeler ya zana za uchambuzi tuli. Ikiwa hakuna zana za uchambuzi tuli za FLOSS zinazopatikana kwa lugha za utekelezaji zilizotumika, unaweza kuchagua 'N/A'.

Multiple static analysis tools applied before every release:

golangci-lint (meta-linter with 11+ analyzers):

staticcheck - advanced static analysis
gosec - security vulnerability detection
govet - Go vet checks
ineffassign, unused, typecheck, etc.
Run via make lint and in CI

gosec (dedicated security scanner):

Standalone run via make security
Separate CI step using securego/gosec@master action
Checks for: SQL injection, command injection, hardcoded credentials, weak crypto, etc.

Release process requires static analysis:
release: clean lint security test build # All must pass
ci: deps lint security test-coverage test-race build

CI enforcement:

GitHub Actions runs golangci-lint and gosec on every push/PR
Builds blocked if static analysis fails
Results logged for review

See: .github/workflows/strigoi-v1rc1-ci.yml, Makefile, .golangci.yml

Umetimizwa

Haujatimizwa

Haihusiani

INAPENDEKEZWA kwamba angalau moja ya zana za uchambuzi tuli zilizotumika kwa kigezo cha static_analysis ijumuishe sheria au njia za kutafuta udhaifu wa kawaida katika lugha au mazingira yaliyochambuliwa. ^{[static_analysis_common_vulnerabilities]}

Zana za uchambuzi tuli ambazo zimeundwa hasa kutafuta udhaifu wa kawaida zina uwezekano mkubwa wa kuzipata. Hata hivyo, kutumia zana zozote za tuli kwa kawaida itasaidia kupata baadhi ya matatizo, kwa hivyo tunashauri lakini hatunahitaji hii kwa kiwango cha nishani ya 'kupita'.

gosec is specifically designed to detect common vulnerabilities:

Vulnerability categories checked:

G101: Hardcoded credentials
G102: Bind to all interfaces
G103: Unsafe block usage
G104: Unhandled errors
G107: SSRF via variable URL
G108: Profiling endpoint exposure
G201-G203: SQL injection
G301-G307: File permission issues
G401-G404: Weak cryptography
G501-G505: Blocklisted imports
G601: Implicit memory aliasing

Mapped to common vulnerability standards:

OWASP Top 10 coverage
CWE (Common Weakness Enumeration) mappings
SANS Top 25 alignment

Integration:

.github/workflows/strigoi-v1rc1-ci.yml

uses: securego/gosec@master
with:
args: '-no-fail -fmt json -out gosec-results.json ./...'

Additionally, golangci-lint includes staticcheck which detects correctness issues that could lead to vulnerabilities.

See: https://github.com/securego/gosec

Umetimizwa

Haujatimizwa

Haihusiani

Udhaifu wote wenye ukali wa kati na juu zaidi unaoweza kudhoofishwa uliogundulika kupitia uchambuzi wa msimbo tuli LAZIMA urekebishwe kwa wakati baada ya kuthibitishwa. ^{[static_analysis_fixed]}

Udhaifu unazingatiwa kuwa wa kiwango cha kati au juu zaidi ikiwa alama yake ya Common Vulnerability Scoring System (CVSS) ya msingi ya ubora ni kati au juu. Katika matoleo ya CVSS 2.0 hadi 3.1, hii ni sawa na alama ya CVSS ya 4.0 au zaidi. Miradi inaweza kutumia alama ya CVSS kama ilivyochapishwa katika hifadhidata ya udhaifu inayotumika sana (kama vile Hifadhidata ya Taifa ya Udhaifu) kwa kutumia toleo la hivi karibuni la CVSS lililoripotiwa katika hifadhidata hiyo. Miradi badala yake inaweza kuhesabu ukali wao wenyewe kwa kutumia toleo la hivi karibuni la CVSS wakati wa ufunuzi wa udhaifu, ikiwa ingizo la hesabu linatangazwa hadharani mara tu udhaifu unajulikana hadharani. Kumbuka kwamba kigezo cha vulnerabilities_fixed_60_days kinahitaji kwamba udhaifu wote kama huo urekebishwe ndani ya siku 60 baada ya kuwa wa umma.

Current status: All confirmed exploitable medium+ vulnerabilities addressed.

Current gosec findings (62 medium+) are documented exclusions or false positives:

Rule	Count	Status
G115 (integer overflow)	41	Excluded - Go type conversions for array/slice lengths
G304 (file path taint)	9	Intentional - security scanner must read user-specified files
G204 (subprocess variable)	4	Intentional - scanner executes commands by design
G302/G301 (permissions)	7	Non-exploitable - internal config directories
G404 (weak random)	1	Excluded - used in non-security logging context

Evidence of timely fixes (git history):
8586a44 fix: resolve all gosec, unused, and code quality issues
5797609 fix: resolve all 10 golangci-lint issues for clean CI
f533dd1 fix: resolve all remaining linting issues for Go 1.25 compliance

Exclusions documented in .golangci.yml:
gosec:
excludes: [G104, G115, G402, G404] # With justification comments

No CVEs: Zero CVE-assigned vulnerabilities in project history.

Umetimizwa

Haujatimizwa

Haihusiani

INAPENDEKEZWA kwamba uchambuzi wa msimbo wa chanzo tuli ufanyike kwenye kila ahadi au angalau kila siku. ^{[static_analysis_often]}

Uchambuzi wa msimbo wa nguvu za ziada
Criterion [dynamic_analysis]
Umetimizwa

Haujatimizwa

?

INAPENDEKEZWA kwamba angalau zana moja ya uchambuzi wa nguvu itumike kwenye toleo kubwa lolote la uzalishaji lililopendekezwa la programu kabla ya kutolewa kwake. ^{[dynamic_analysis]}
Zana ya uchambuzi wa nguvu inachunguza programu kwa kuitekeleza na ingizo maalum. Kwa mfano, mradi YAWEZA kutumia zana ya fuzzing (k.m., American Fuzzy Lop) au kitafutaji cha programu ya wavuti (k.m., OWASP ZAP au w3af). Katika hali fulani mradi wa OSS-Fuzz unaweza kuwa tayari kutumia majaribio ya fuzz kwenye mradi wako. Kwa madhumuni ya kigezo hiki zana ya uchambuzi wa nguvu inahitaji kubadilisha ingizo kwa njia fulani kutafuta aina mbalimbali za matatizo au kuwa seti kiotomatiki ya majaribio yenye angalau asilimia 80 ya ukaguzi wa tawi. Ukurasa wa Wikipedia kuhusu uchambuzi wa nguvu na ukurasa wa OWASP kuhusu fuzzing hutambulisha baadhi ya zana za uchambuzi wa nguvu. Zana za uchambuzi ZINAWEZA kuzingatia kutafuta udhaifu wa usalama, lakini hii haihitajiki.
Dynamic analysis tools applied before releases:
1. Go Race Detector (ThreadSanitizer-based):
- Instruments code at runtime to detect data races
- Run via go test -race in CI on every push/PR
- Applied to all packages: ./cmd/... ./pkg/... ./internal/...
CI workflow

run: go test -v -race -short -timeout=10m -coverprofile=coverage.out ./...
1. Automated Test Suite with Coverage:
- Unit and integration tests executed on every build
- Coverage tracked and reported via Codecov
- make test-coverage generates HTML coverage reports
- CI enforces minimum coverage threshold
1. Release gate (make ci):
  ci: deps lint security test-coverage test-race build
  All dynamic analysis must pass before builds succeed.
Evidence of effectiveness:
a25b207 Phase 3.1 Complete: ZERO Race Conditions Found! 🎉
a3ed353 Fix CrossSessionChecker deadlock with read-lock optimization
2ee9653 fix: Add comprehensive mutex protection to SessionManager

Race detector has caught and helped fix real concurrency bugs.
Criterion [dynamic_analysis_unsafe]
Umetimizwa

Haujatimizwa

Haihusiani

?

INAPENDEKEZWA kwamba ikiwa programu iliyozalishwa na mradi inajumuisha programu iliyoandikwa kwa kutumia lugha isiyosalama ya kumbukumbu (k.m., C au C++), basi angalau zana moja ya nguvu (k.m., fuzzer au kitafutaji cha programu ya wavuti) itumike kwa kawaida kwa pamoja na utaratibu wa kugundua matatizo ya usalama wa kumbukumbu kama vile uandikaji zaidi wa kipengele. Ikiwa mradi hauzalishi programu iliyoandikwa katika lugha isiyosalama ya kumbukumbu, chagua "haihusiki" (N/A). ^{[dynamic_analysis_unsafe]}
Mifano ya taratibu za kugundua matatizo ya usalama wa kumbukumbu ni pamoja na Address Sanitizer (ASAN) (inapatikana katika GCC na LLVM), Memory Sanitizer, na valgrind. Zana nyingine zinazoweza kutumika ni pamoja na thread sanitizer na undefined behavior sanitizer. Madai ya kila mahali pia yaweza kufanya kazi.
Primary language: Go
- Garbage collected
- Bounds-checked array/slice access
- No pointer arithmetic
- No manual memory allocation/deallocation
- No buffer overflow vulnerabilities by design
Supporting languages (also memory-safe):
- Python (A2MCP agents)
- Shell scripts (deployment/build)
- YAML/JSON (configuration)
No C/C++ code in the project.

Go's memory safety is why we chose it - eliminates entire vulnerability classes (CWE-119, CWE-120, CWE-122, CWE-125, CWE-787) that plague C/C++ security tools.

Note: Go's race detector (used in CI) provides similar runtime instrumentation benefits for concurrency safety.
Criterion [dynamic_analysis_enable_assertions]
Umetimizwa

Haujatimizwa

?

INAPENDEKEZWA kwamba mradi utumie usanidi wa angalau baadhi ya uchambuzi wa nguvu (kama vile majaribio au fuzzing) ambao huwezesha madai mengi. Katika hali nyingi madai haya yasipaswi kuwa yamewezeshwa katika mijengo ya uzalishaji. ^{[dynamic_analysis_enable_assertions]}
Kigezo hiki hakipendekezi kuwezesha madai wakati wa uzalishaji; hilo ni kabisa kwa mradi na watumiaji wake kuamua. Lengo la kigezo hiki ni badala yake kuboresha ugunduzaji wa hitilafu wakati wa uchambuzi wa nguvu kabla ya kusambazwa. Kuwezesha madai katika matumizi ya uzalishaji ni tofauti kabisa na kuwezesha madai wakati wa uchambuzi wa nguvu (kama vile majaribio). Katika hali fulani kuwezesha madai katika matumizi ya uzalishaji ni busara sana (hasa katika vipengele vya uadilifu wa juu). Kuna hoja nyingi dhidi ya kuwezesha madai katika uzalishaji, k.m., maktaba hazipaswi kuvuruga waita, uwepo wao unaweza kusababisha kukataliwa na maduka ya programu, na/au kuamilisha madai katika uzalishaji kunaweza kufunua data za faragha kama vile funguo za faragha. Kumbuka kwamba katika usambazaji mwingi wa Linux NDEBUG haijafafanuliwa, hivyo C/C++ assert() kwa chaguo-msingi itawezeshwa kwa uzalishaji katika mazingira hayo. Inaweza kuwa muhimu kutumia utaratibu tofauti wa madai au kufafanua NDEBUG kwa uzalishaji katika mazingira hayo.
Race detector enabled during dynamic analysis (testing), disabled in production:

Makefile - test mode with assertions

test-race:
go test -short -race ./cmd/strigoi ./pkg/... ./internal/...

CI runs with race detector

run: go test -v -race -short -timeout=10m ./...

Go's race detector acts as runtime assertions:
- Instruments memory access patterns at runtime
- Detects data races, deadlocks, and synchronization bugs
- Panics (asserts) on any detected race condition
- Only enabled via -race flag during testing
- Not included in production binaries
Test assertions used throughout:
- t.Fatal(err) - Stops test on invariant violation
- t.Error() - Records assertion failure
- t.Errorf() - Records formatted assertion failure
- Bounds checking panics in test scenarios
Production builds:
build:
go build -o strigoi ./cmd/strigoi # No -race flag

This follows the criterion's recommendation: assertions enabled during analysis, disabled in production.
Criterion [dynamic_analysis_fixed]
Umetimizwa

Haujatimizwa

Haihusiani

?

Udhaifu wote wenye ukali wa kati na juu zaidi unaoweza kudhoofishwa uliogundulika kupitia uchambuzi wa msimbo wa nguvu LAZIMA urekebishwe kwa wakati baada ya kuthibitishwa. ^{[dynamic_analysis_fixed]}
Ikiwa haujafanya uchambuzi wa msimbo wa nguvu na kwa hivyo hukupata udhaifu wowote kwa njia hii, chagua "haihusiki" (N/A). Udhaifu unazingatiwa kuwa wa kiwango cha kati au juu zaidi ikiwa alama yake ya Common Vulnerability Scoring System (CVSS) ya msingi ya ubora ni kati au juu. Katika matoleo ya CVSS 2.0 hadi 3.1, hii ni sawa na alama ya CVSS ya 4.0 au zaidi. Miradi inaweza kutumia alama ya CVSS kama ilivyochapishwa katika hifadhidata ya udhaifu inayotumika sana (kama vile Hifadhidata ya Taifa ya Udhaifu) kwa kutumia toleo la hivi karibuni la CVSS lililoripotiwa katika hifadhidata hiyo. Miradi badala yake inaweza kuhesabu ukali wao wenyewe kwa kutumia toleo la hivi karibuni la CVSS wakati wa ufunuzi wa udhaifu, ikiwa ingizo la hesabu linatangazwa hadharani mara tu udhaifu unajulikana hadharani.
Dynamic analysis IS performed, and all discovered issues have been fixed:

Race detector findings - all fixed:
a3ed353 Fix CrossSessionChecker deadlock with read-lock optimization
2ee9653 fix: Add comprehensive mutex protection to SessionManager
99183df fix(concurrency): Eliminate race conditions in coordinator and load tester
a25b207 Phase 3.1 Complete: ZERO Race Conditions Found! 🎉

Current status:
- Race detector runs on every CI build
- Zero race conditions currently detected
- All historically detected races were fixed within days of discovery
No CVE-assigned vulnerabilities discovered through dynamic analysis.

If N/A is selected, context:
While dynamic analysis (race detector, test suite) is actively used, no exploitable security vulnerabilities with CVSS 4.0+ have been discovered through these
methods. The race conditions found were correctness/reliability issues, not security vulnerabilities with CVSS scores. Therefore N/A is technically accurate - no
medium+ security vulnerabilities to fix.

Data hii inapatikana chini ya Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). Hii inamaanisha kuwa Mpokeaji wa Data anaweza kushiriki Data, na au bila marekebisho, mradi Mpokeaji wa Data anapatanisha maandishi ya mkataba huu na Data iliyoshirikiwa. Tafadhali tambua Macawi AI na wachangiaji wa nishani ya Mazoea Bora ya OpenSSF.

Strigoi

Misingi 13/13 ●

Jumla

Maudhui ya kimsingi ya tovuti ya mradi

Leseni ya FLOSS

Nyaraka

Mengine

Udhibiti wa Mabadiliko 9/9 ●

Hifadhi ya chanzo ya kudhibiti toleo ya hadharani

Unambari wa toleo wa kipekee

Maelezo ya kutolewa

Kuripoti 8/8 ●

Mchakato wa kuripoti hitilafu

Mchakato wa kuripoti udhaifu

Ubora 13/13 ●

Mfumo wa ujenzi unaofanya kazi

Seti ya majaribio otomatiki

Upimaji wa utendaji mpya

Bendera za maonyo

Usalama 16/16 ●

Maarifa ya maendeleo yenye usalama

Tumia mazoea mazuri ya msingi ya usimbuaji

Only NewGCM found (4 occurrences in crypto.go and keystore.go)

No results

14 occurrences - all SHA-256

No custom cipher suite configuration found

Utoaji salama dhidi ya mashambulizi ya mtu-katikati (MITM)

Udhaifu uliofahamika hadharani umeshughulikiwa

Masuala mengine ya usalama

Uchanganuzi 8/8 ●

Uchambuzi tuli wa msimbo

.github/workflows/strigoi-v1rc1-ci.yml

Uchambuzi wa msimbo wa nguvu za ziada

CI workflow

Makefile - test mode with assertions

CI runs with race detector