diff --git a/src/network-services-pentesting/pentesting-web/code-review-tools.md b/src/network-services-pentesting/pentesting-web/code-review-tools.md index d63defac560..a11ac1b111f 100644 --- a/src/network-services-pentesting/pentesting-web/code-review-tools.md +++ b/src/network-services-pentesting/pentesting-web/code-review-tools.md 
@@ -92,6 +92,35 @@ These are especially relevant when a path passes through validation in wide-char There is a **free package to review PRs**. +### Agentic SAST pipelines + +Modern **AI-assisted code review** works better as a **staged pipeline** than as a single `scan this repo` prompt. A practical pattern used by tools such as **[Visa Vulnerability Agentic Harness (VVAH)](https://github.com/visa/visa-vulnerability-agentic-harness)** is: + +1. **Threat-model first**: inventory entrypoints, assets, trust boundaries, API boundaries, authz paths, taint candidates and reachable components before deep review. If available, enrich this with CMDB / known-CVE / control data so the model prioritizes realistic attack paths instead of isolated code smells. +2. **Split research by lens**: run separate passes for access control, business logic, crypto, deserialization, IaC, batch/ETL, or language-specific sinks instead of trusting one generic review. +3. **Require deterministic gates**: only promote a finding if it survives policy checks such as evidence completeness, majority voting, or repeated independent review. +4. **Add adversarial verification**: force a second pass that tries to prove the trust-boundary crossing and exploitability: attacker-controlled input, source-to-sink reachability, missing authorization, privilege boundary crossed, and realistic impact. +5. **Report chains, not only single bugs**: deduplicate related findings, map them to **CWE/CVSS**, and emit **SARIF** so the output can be ingested by code-scanning and vuln-management platforms. + +This usually produces fewer but **higher-signal triage candidates** and is especially useful in large repos where the bottleneck is analyst triage time rather than raw finding count. + +#### Quick start example with `vvaharness` + +```bash +python3 -m venv .venv +source .venv/bin/activate +pip install . 
+vvaharness doctor +vvaharness estimate --repo /path/to/target +vvaharness scan --repo /path/to/target --application-id 12345 +``` + +Useful operational details: + +- `vvaharness scan --resume` skips completed checkpoints after an interruption. +- Per-target output is written under `/security-scan/` as Markdown reports, `*.sarif`, and `*_errors.jsonl`. +- Treat results as **triage candidates**, not confirmed vulns: this kind of pipeline is best at prioritising manual review, not replacing it. + ### [**Semgrep**](https://github.com/returntocorp/semgrep) It's an **Open Source tool**. @@ -539,6 +568,9 @@ https://github.com/securego/gosec - [Trail of Bits blog: Master C and C++ with our new Testing Handbook chapter](https://blog.trailofbits.com/2026/04/09/master-c-and-c-with-our-new-testing-handbook-chapter/) - [Trail of Bits Testing Handbook: C/C++](https://appsec.guide/docs/languages/c-cpp/) - [DEVCORE: WorstFit - Unveiling Hidden Transformers in Windows ANSI](https://devco.re/blog/2025/01/09/worstfit-unveiling-hidden-transformers-in-windows-ansi/) +- [Visa Vulnerability Agentic Harness](https://github.com/visa/visa-vulnerability-agentic-harness) +- [VVAH Architecture](https://github.com/visa/visa-vulnerability-agentic-harness/blob/main/docs/architecture.md) +- [Anthropic Project Glasswing](https://www.anthropic.com/glasswing) {{#include ../../banners/hacktricks-training.md}}
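Review bot: in the quick start block of the `Agentic SAST pipelines` hunk, `pip install .` is run with no preceding clone or `cd` step, so the reader has no working directory for `.` to refer to; add `git clone https://github.com/visa/visa-vulnerability-agentic-harness` and `cd visa-vulnerability-agentic-harness` (the repository linked earlier in the same section) before the `python3 -m venv .venv` line. In the same block, `vvaharness scan --repo /path/to/target --application-id 12345` passes an `--application-id` that is never explained in the section; state what the id refers to and whether it is optional, otherwise readers will copy the `12345` placeholder verbatim. The bullet `Per-target output is written under `/security-scan/`` names an absolute, root-level path; confirm whether this should be a path relative to the target repo or the working directory, since writing to `/security-scan/` would need elevated permissions and is unlikely to be the intended location. Finally, because the pipeline sends source to a model, the quick start should say which model backend `vvaharness doctor` checks for and where `scan` ships the target's code, so a reader does not point it at a proprietary repository without knowing what leaves the machine.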
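Review bot: in the references hunk, the new entry `[Anthropic Project Glasswing](https://www.anthropic.com/glasswing)` is added without any mention of Glasswing in the added `Agentic SAST pipelines` text, so the link has nothing in the body to anchor to; either add the sentence in the section that draws on it or drop the entry, keeping the two VVAH links, which the section does cite.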