Add genai command for interacting with LLMs for generating IaC files #213

Merged: santoshkal merged 41 commits into pre-main from genai-new on Nov 13, 2024

Conversation

@santoshkal (Collaborator)

Adds Genai command to interact with LLM Backends and generate IaC files

dryrunsecurity Bot commented Nov 12, 2024

DryRun Security Summary

The pull request covers a wide range of functionality related to a command-line application called "GenAI" that interacts with Large Language Models (LLMs) to generate secure infrastructure-as-code (IaC) configurations, with a focus on user input handling, configuration management, file integrity validation, dependency management, and secure coding practices.

Summary:

The code changes in this pull request cover a wide range of functionality related to a command-line application called "GenAI" that interacts with Large Language Models (LLMs) to generate secure infrastructure-as-code (IaC) configurations. The changes include the addition of new commands, the management of LLM resources, the handling of user input and configuration, and the implementation of file integrity validation mechanisms.

From an application security perspective, the key areas that require careful review and consideration are:

  1. User Input Handling: Ensure that all user-provided inputs, such as model, endpoint, prompt, and system prompt, are properly sanitized and validated to prevent potential injection attacks.
  2. Configuration Management: Verify that sensitive information, like API keys and endpoints, is stored and managed securely, and that the configuration loading process is robust and secure.
  3. File Integrity Validation: Review the implementation of the file integrity validation mechanisms to ensure that the remote file URLs are trusted and that the downloaded files are properly verified for authenticity and integrity.
  4. Dependency Management: Closely monitor the dependencies used in the application, especially the third-party libraries, to ensure that they are up-to-date and do not introduce any known vulnerabilities.
  5. Secure Coding Practices: Ensure that the application follows secure coding practices throughout, such as proper error handling, secure file I/O operations, and the secure integration with external services.

Files Changed:

  • cmd/genai.go: This file handles user input and configuration for the "genai" command-line application. Ensure that all user-provided inputs are properly sanitized and validated.
  • .gitignore: The changes to the .gitignore file should be reviewed to ensure that no important or sensitive files are being ignored unintentionally.
  • cmd/genai_gendoc.go: This file introduces a new "gendoc" command that generates code explanation documents. Review the input validation and file handling mechanisms to prevent potential security vulnerabilities.
  • cmd/genai_init.go: This file adds a new "genaiInitCmd" command to initialize the GenAI configurations. Ensure that the DownloadLLMResources() function is implemented securely.
  • go.mod: The changes to the project dependencies should be reviewed to ensure that the new dependencies are from trusted sources and do not introduce any known vulnerabilities.
  • demos/notes.md: The hardcoded secrets and the generation of sensitive content should be carefully reviewed and addressed to ensure the overall security of the system.
  • deploy.json: The Kubernetes Deployment configuration should be reviewed to ensure that appropriate security measures, such as resource limits and network policies, are in place.
  • cmd/regx.go: The implementation of the regex-based scanning utility should be reviewed to ensure that the regex patterns are not vulnerable to ReDoS attacks and that the output handling is secure.
  • llm/common.go: The use of hardcoded paths and URLs should be reviewed and, if possible, replaced with more flexible and secure alternatives.
  • llm/README.md: The configuration options for the LLM should be carefully reviewed to ensure that they are properly secured and validated.
  • llm/assistant.go: The file path handling and input validation mechanisms should be reviewed to prevent potential file path traversal vulnerabilities.
  • llm/llm-utils.go: The GitHub API usage and the file I/O operations should be reviewed to ensure that they are implemented securely.
  • llm/types.go: The handling of sensitive information, such as API keys, should be reviewed to ensure that they are properly secured and managed.
  • pkg/regx/regx.go: The regex-based scanning utility should be reviewed to ensure that the regex patterns are not vulnerable to ReDoS attacks and that the error handling is robust.
  • templates/defaultpolicies/genai/charan-config.yaml: The hardcoded API keys and the overall configuration should be reviewed to ensure that sensitive information is properly secured.
  • templates/defaultpolicies/genai/config.yaml: The API key exposure and the input validation mechanisms should be reviewed to address potential security concerns.
  • templates/defaultpolicies/genai/new-config.yaml: The hardcoded API key and the configuration parameters should be reviewed to ensure that they are properly secured and validated.
  • templates/defaultpolicies/genai/updated-config.yaml: The API key exposure and the prompt file security should be addressed to mitigate potential security risks.
  • `templates/

Code Analysis

We ran 9 analyzers against 22 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Sensitive Files Analyzer (2 findings)

Riskiness

🟢 Risk threshold not exceeded.

santoshkal changed the title from "Genai new" to "Add genai command for interacting with LLMs for generating IaC files" on Nov 12, 2024
Signed-off-by: Santosh <ksantosh@intelops.dev>
Merged OllamaClient in the config struct and removed a redundant
ollamaClient struct.
Created a function to create a default endpoint and use it in case
--endpoint == "", else use e.Host, e.Port

Update envconfig to use env variables for LLM parameters
Signed-off-by: Santosh <ksantosh@intelops.dev>
remove backend and API configs collection from init command

First working code for
- genai init command that downloads all the required systemPrompts and list of supported tools to user's local directory
- genai command that pulls the markdown file from local and checks if the user has provided a supported tool in genai args
- Maps supported tool with the available systemPrompt stored in user's local and pulls for generating the Chat completion
TODO: Add validation to check if valid parameters are supplied by the user
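Added example, not code from this PR or the project: a Go sketch of the tool-to-systemPrompt lookup the commit message describes, with the parameter validation the TODO calls for (an allow-list check against the downloaded tools list), a guard so that neither the `genai` argument nor a tampered list entry can name a file outside the local prompt directory (the path traversal concern in the DryRun summary), and a SHA-256 integrity check on the prompt file before it is handed to the LLM. The tools-list format, the `<tool>.md` naming, the sample prompt text and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed sample data standing in for the downloaded tools list and one
// system prompt (hypothetical content, not the project's real files).
const DemoToolsList = `# supported IaC tools, one per line
terraform
kubernetes
../../etc/passwd   # a tampered entry; must be refused at lookup time
`

const DemoTerraformPrompt = "You are an assistant that writes Terraform configurations.\n"

var (
	ErrUnsupportedTool = errors.New("tool is not in the supported tools list")
	ErrPathEscape      = errors.New("prompt name would escape the prompt directory")
)

// ParseSupportedTools turns the tools list into a lower-cased set, ignoring
// blank lines and '#' comments (including trailing ones).
func ParseSupportedTools(list string) map[string]bool {
	tools := map[string]bool{}
	for _, line := range strings.Split(list, "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		line = strings.ToLower(strings.TrimSpace(line))
		if line != "" {
			tools[line] = true
		}
	}
	return tools
}

// ResolvePromptPath maps a user-supplied tool name to <dir>/<tool>.md.
// It refuses names that are not on the allow-list and names carrying any
// directory component, so a tampered list entry cannot reach other files.
func ResolvePromptPath(dir, tool string, supported map[string]bool) (string, error) {
	tool = strings.ToLower(strings.TrimSpace(tool))
	if !supported[tool] {
		return "", fmt.Errorf("%w: %q", ErrUnsupportedTool, tool)
	}
	// filepath.Base strips directory components, so a name that survives this
	// comparison contains no separator and stays inside dir after Join.
	if tool != filepath.Base(tool) {
		return "", fmt.Errorf("%w: %q", ErrPathEscape, tool)
	}
	return filepath.Join(dir, tool+".md"), nil
}

// SHA256Hex returns the lower-case hex SHA-256 digest of data.
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// LoadSystemPrompt reads the prompt file and, when expectedSHA256 is non-empty,
// rejects content whose digest does not match the value recorded at download time.
func LoadSystemPrompt(path, expectedSHA256 string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	if expectedSHA256 != "" && SHA256Hex(data) != strings.ToLower(expectedSHA256) {
		return "", fmt.Errorf("integrity check failed for %s", path)
	}
	return string(data), nil
}

// SetupDemoPromptDir writes the constructed sample prompt into a temp directory
// (the stand-in for the user's local prompt directory) and returns its path.
func SetupDemoPromptDir() (string, error) {
	dir, err := os.MkdirTemp("", "genai-prompts-")
	if err != nil {
		return "", err
	}
	err = os.WriteFile(filepath.Join(dir, "terraform.md"), []byte(DemoTerraformPrompt), 0o600)
	return dir, err
}

func main() {
	dir, err := SetupDemoPromptDir()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	supported := ParseSupportedTools(DemoToolsList)
	for _, tool := range []string{"Terraform", "pulumi", "../../etc/passwd"} {
		p, err := ResolvePromptPath(dir, tool, supported)
		if err != nil {
			fmt.Printf("%-18s refused: %v\n", tool, err)
			continue
		}
		prompt, err := LoadSystemPrompt(p, SHA256Hex([]byte(DemoTerraformPrompt)))
		fmt.Printf("%-18s ok (%d bytes, err=%v)\n", tool, len(prompt), err)
	}
}
```

The allow-list and the path check are deliberately separate: the list itself is downloaded content, so membership alone is not proof that a name is safe to turn into a file path. The expected digest would in practice be recorded by `genai init` when it downloads the prompts; here the example computes it from the constructed sample.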
santoshkal merged commit 886c542 into pre-main on Nov 13, 2024