Initial commit of SecNode API framework

Author: vishnurajkv

.github/workflows/secnode-pentest.yml

@@ -0,0 +1,24 @@
+name: secnode-api-pentest
+
+on:
+  pull_request:
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install SecNode
+        run: pip install -r requirements.txt
+
+      - name: Run SecNode Scan
+        env:
+          SECNODE_LLM: ${{ secrets.SECNODE_LLM }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        run: python3 secnodeapi.py --target https://staging-api.example.com/swagger.json

.gitignore

@@ -0,0 +1,21 @@
+# Environments
+venv/
+env/
+.venv/
+.env
+
+# Application results
+results/
+
+# Python Cache
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+
+# macOS
+.DS_Store
+
+# IDEs
+.idea/
+.vscode/

CONTRIBUTING.md

@@ -0,0 +1,106 @@
+# Contributing to SecNode API
+
+Thank you for your interest in contributing to SecNode API! This guide will help you get started with development and contributions to our autonomous, AI-augmented black-box penetration testing framework.
+
+## 🚀 Development Setup
+
+### Prerequisites
+
+- Python 3.9+
+- Git
+
+### Local Development
+
+1. **Clone the repository**
+   ```bash
+   git clone https://github.com/secnode/secnodeapi.git
+   cd secnodeapi
+   ```
+
+2. **Set up a virtual environment**
+   ```bash
+   python3 -m venv venv
+   source venv/bin/activate
+   ```
+
+3. **Install dependencies**
+   ```bash
+   pip install -r requirements.txt
+   ```
+
+4. **Configure your LLM provider**
+   ```bash
+   export SECNODE_LLM="openai/gpt-4o"
+   export OPENAI_API_KEY="your-api-key"
+   ```
+
+5. **Run SecNode in development mode**
+   ```bash
+   python3 secnodeapi.py --target https://api.example.com/swagger.json
+   ```
+
+## 🧠 Enhancing the AI Engine
+
+SecNode relies heavily on its `ai_engine.py` component for cognitive test generation and verification. 
+
+### Quick Guide
+
+1. **Understand Pipeline Flow:** Familiarize yourself with how `schema_fetcher`, `ai_engine`, and `test_executor` interact.
+2. **Improve System Prompts:** If adding support for new vulnerability classes, update the system prompts inside `generate_test_cases()`.
+3. **Refine Heuristics:** If the engine is flagging false positives, refine the Chain-of-Thought heuristics inside `_evaluate_single_result()`.
+4. **Submit via PR** with clear descriptions of the accuracy/coverage improvement.
+
+## 🔧 Contributing Code
+
+### Pull Request Process
+
+1. **Create an issue first** - Describe the problem or feature you want to build.
+2. **Fork and branch** - Work from the `main` branch.
+3. **Make your changes** - Follow existing code style (use `structlog` for logging, fully type-hint signatures).
+4. **Write/update tests** - Ensure new parsing or networking logic handles edge cases.
+5. **Submit PR** - Link to the original issue and provide context.
+
+### PR Guidelines
+
+- **Clear description** - Explain what changed and why.
+- **Small, focused changes** - Do not submit massive rewrites; isolate one feature/fix per PR.
+- **Include examples** - Show before/after behavior (e.g., sample proxy output, generated findings).
+- **Update documentation** - If adding new CLI features, update `README.md`.
+
+### Code Style
+
+- Follow PEP 8 with a 100-character line limit.
+- Use Python type hints (`typing`) for all functions and Pydantic models.
+- Write docstrings for all public methods.
+- Keep functions tightly focused and under 100 lines.
+- No `print()` statements — use `structlog` (`logger.info()`, `logger.error()`).
+
+## 🐛 Reporting Issues
+
+When reporting bugs, please include:
+
+- Python version and OS
+- LLM Provider and Model being used
+- Target API structure (if possible to share safely)
+- Full error traceback
+- Steps to reproduce
+- Expected vs actual behavior
+
+## 💡 Feature Requests
+
+We heavily welcome new feature ideas! Please:
+
+- Check existing issues first.
+- Describe the core use case clearly.
+- Explain why it would benefit security engineers or developers.
+- Consider the technical implementation approach.
+
+## ✨ Recognition
+
+We value all contributions! Contributors will be:
+- Listed in our release notes
+- Formally recognized in the repository's contributors list
+
+---
+
+**Questions?** Create a GitHub Discussion or Issue. We're here to help you hack smarter!

README.md

@@ -0,0 +1,156 @@
+<div align="center">
+
+# SecNode API
+
+### Autonomous, AI-augmented black-box API penetration testing framework.
+
+<br/>
+
+<a href="https://github.com/secnode/secnodeapi"><img src="https://img.shields.io/github/stars/secnode/secnodeapi?style=flat-square" alt="GitHub Stars"></a>
+<a href="LICENSE"><img src="https://img.shields.io/badge/License-Apache%202.0-3b82f6?style=flat-square" alt="License"></a>
+<a href="https://pypi.org/project/secnodeapi/"><img src="https://img.shields.io/pypi/v/secnodeapi?style=flat-square" alt="PyPI Version"></a>
+
+</div>
+
+---
+
+## SecNode Overview
+SecNode API is an autonomous AI agentic penetration testing framework in Python. It ingests Swagger/OpenAPI schemas, reasons over the business context with an LLM, generates highly contextual and adversarial test cases, executes them concurrently, and automatically produces audit-grade vulnerability reports.
+
+Built for security engineers and developers who need robust Dynamic Application Security Testing (DAST) without the noise of false positives.
+
+**Key Capabilities:**
+
+- **Zero False Positives Workflow** via strict validation and deterministic re-execution.
+- **Deep Business Logic Analysis** tailored to your API's specific domain and trust boundaries.
+- **OWASP API Security Top 10 (2023) Coverage**, perfectly mapped to BOLA, BOPLA, BFLA, and more.
+- **Asynchronous Execution Engine** pushing high-volume, concurrent attack probes.
+- **Provider-Agnostic LLM Integration** powered by LiteLLM (OpenAI, Anthropic, Gemini, local models).
+- **Auto-Generated Reporting** producing actionable Markdown and machine-readable JSON outputs.
+
+## Use Cases
+- **Application Security Testing** - Detect and validate critical API vulnerabilities automatically in CI/CD.
+- **Rapid Penetration Testing** - Execute an entire API pentest in minutes rather than weeks.
+- **Bug Bounty Automation** - Automatically discover business logic flows and exploit chains.
+- **Continuous Compliance** - Maintain a continuous security posture aligned with OWASP Top 10.
+
+## 🚀 Quick Start
+**Prerequisites:**
+- Python 3.9+
+- An LLM API key (e.g. OpenAI)
+
+### Installation & First Scan
+```bash
+# Clone the repository
+git clone https://github.com/secnode/secnodeapi.git
+cd secnodeapi
+
+# Setup virtual environment and dependencies
+python3 -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+
+# Configure your AI provider
+export SECNODE_LLM="openai/gpt-4o"
+export OPENAI_API_KEY="your-api-key"
+
+# Run your first security assessment
+python3 secnodeapi.py --target https://api.your-app.com/swagger.yaml
+```
+
+> [!NOTE]
+> Scan reports and findings are saved to timestamped directories in `results/<target_domain>_<timestamp>/`
+
+---
+
+## ✨ Features
+
+### Agentic Security Testing Engine
+SecNode operates via a strict agentic pipeline:
+
+- **Schema Fetcher** - Downloads, parses, and resolves complex OpenAPI definitions.
+- **Cognitive AI Engine** - Reads the API structure, deduces trust boundaries, and flags high-risk flows.
+- **Exploit Generator** - Specifically generates deep attack vectors like UUID swapping or parameter mass assignment.
+- **Parallel Test Executor** - Fires async requests rapidly while respecting internal rate limits.
+- **False-Positive Eliminator** - Uses `validate_and_retest` loop with deterministic re-execution and a "Chain-of-Thought" elite app-sec triage prompt.
+
+### Comprehensive Vulnerability Detection
+SecNode rigorously hunts for:
+
+- **Access Control** - BOLA (IDOR) and BFLA (Privilege Escalation).
+- **Mass Assignment** - BOPLA and sensitive field overriding.
+- **Resource Constraints** - Rate Limit bypasses, infinite pagination.
+- **Business Logic** - State machine skipping, negative price manipulation, validation bypass.
+
+---
+
+## Usage Examples
+
+### Basic Usage
+```bash
+# Scan an API using a remote Swagger JSON
+python3 secnodeapi.py --target http://vulnapi.your-app.com/swagger.json
+
+# Scan an API using a local OpenAPI YAML file
+python3 secnodeapi.py --target ./docs/openapi.yaml
+```
+
+### Advanced Testing Scenarios
+```bash
+# Authenticated Testing (using inline Bearer token)
+python3 secnodeapi.py --target https://api.your-app.com/docs \
+  --auth-header "Authorization: Bearer my-jwt-token"
+
+# Authenticated Testing (using a JSON auth file)
+python3 secnodeapi.py --target https://api.your-app.com/docs \
+  --auth-file ./config/auth.json
+
+# Proxy Traffic (e.g. send traffic through Burp Suite/ZAP for manual review)
+python3 secnodeapi.py --target https://api.your-app.com/docs \
+  --proxy http://127.0.0.1:8080
+
+# Control Concurrency (Scale execution speed)
+python3 secnodeapi.py --target https://api.your-app.com/docs \
+  --concurrency 10
+```
+
+### CI/CD (GitHub Actions)
+SecNode API can be easily integrated into your DevSecOps pipeline to scan staging APIs before deployment.
+
+```yaml
+name: secnode-api-pentest
+
+on:
+  pull_request:
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+
+      - name: Install SecNode
+        run: pip install -r requirements.txt
+
+      - name: Run SecNode Scan
+        env:
+          SECNODE_LLM: ${{ secrets.SECNODE_LLM }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        run: python3 secnodeapi.py --target https://staging-api.example.com/swagger.json
+```
+
+### Configuration
+```bash
+# Default behavior uses GPT-4o
+export SECNODE_LLM="openai/gpt-4o"
+export OPENAI_API_KEY="sk-..."
+
+# Or use Anthropic
+export SECNODE_LLM="anthropic/claude-3-5-sonnet-20241022"
+export ANTHROPIC_API_KEY="sk-ant-..."
+```