Web Security Auditor (Local Agentic Workflow)

This project is a local-first, non-destructive web security auditing workflow:

• Streamlit UI: app/frontend/app.py
• FastAPI backend: app/backend/main.py
• Agent service: app/backend/agent_service.py

The agent runs passive evidence collection via:

• skills/web-security-auditor/scripts/passive_web_scan.py

Intended usage (important)

• Use this workflow on your own localhost-hosted application whenever possible.
• Only scan targets you own or have explicit written authorization to assess.
• The app enforces:
  • Authorization confirmation
  • Authorization reference (ticket/email/contract ID)
  • Domain allowlist (target host must match)

1) Install dependencies

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

2) Run Streamlit (recommended)

streamlit run app/frontend/app.py

Frontend behavior:

• Defaults to backend http://localhost:8000
• If backend is not running and API base is localhost, the frontend auto-starts uvicorn

3) Optional: run backend manually

uvicorn app.backend.main:app --reload --host 127.0.0.1 --port 8000

Optional environment variable:

• API_BASE_URL (default: http://localhost:8000)

API endpoints:

• GET /health
• POST /audit

API request example (required fields)

{
  "url": "http://localhost:3000/login",
  "authorization_confirmed": true,
  "authorization_reference": "SEC-1234",
  "allowed_hosts": ["localhost", "127.0.0.1"],
  "additional_context": "Local test app, unauthenticated pages only",
  "passive_timeout": 8
}

Notes

• Assessments are passive and non-destructive.
• This is not an exploit framework; it is a defensive audit assistant.
• Live internet scanning quality depends on your runtime DNS/network access.