Security Guardian
Static code analysis and active security scanning. Uneven Agent acts as a real-time security guardian running continuously alongside your code to detect vulnerabilities before they reach production.
Static Checks
Analyzes your source code locally without making any network requests or executing code. Safe for any environment including automated CI/CD pipelines.
uneven pentest --mode static
| Check | What it detects |
|---|---|
| OWASP Top 10 | Broken authentication, XSS, injections, misconfiguration patterns (A01–A10) |
| Exposed secrets | AWS keys, API keys, passwords, and JWT secrets hardcoded in source |
| Vulnerable deps | CVE database check + npm audit + OSV database lookup |
| Injection patterns | SQL (string concatenation), command injection, and path traversal vulnerabilities |
| Insecure headers | Missing CSP, X-Frame-Options, HSTS, and X-Content-Type-Options |
Active Checks
Performs localized, non-destructive security scans against your running application to verify vulnerability claims. Requires setting up an authorization scope configuration before running.
uneven pentest --declare-scope # interactive prompts: # authorized by: John Doe # targets: 192.168.1.0/24, http://staging.myapp.com # allowed modes: static, active # duration: 8h # → creates .uneven/pentest-scope.json (SHA-256 integrity hash)
uneven pentest --mode active
Access Control & Auth Checks
| Test | What it does |
|---|---|
| endpoints | Tests common passwords against your auth endpoints |
| detectRateLimit | Verifies if the API blocks repeated failed attempts |
| jwtWeak | Tests JWT tokens signed with predictable/common secrets |
| sessionExpiry | Verifies session expiration and invalidation |
Network & Firewall Checks
| Test | What it does |
|---|---|
| portScan | Detects unnecessarily exposed ports (DB ports, Redis, etc.) |
| cors | Detects overly permissive cross-origin policies |
| ssl | Verifies SSL/TLS versions and cipher suites |
| hsts | Checks for HTTP Strict Transport Security header |
| xFrameOptions | Checks for clickjacking protection |
Active Endpoint Checks
| Test | What it does |
|---|---|
| sqlInjection | Injects real test payloads into endpoints to confirm SQL injection claims |
| xssReflected | Tests standard XSS validator bypasses against routes |
| idor | Attempts to access resources belonging to other test users |
| directoryTraversal | Attempts to access files outside permitted public scopes |
| hiddenRoutes | Discovers undocumented but accessible endpoints in the application |
Severity Levels
Set severity thresholds when running the command to filter which findings get logged. Only findings at or above the threshold are written to .uneven/log.md.
| Level | Examples |
|---|---|
| critical | SQL injection, hardcoded secrets, active exploit confirmed |
| high | Missing rate limiting, XSS, brute force exposure |
| medium | Open ports, CORS misconfiguration, missing CSP |
| low | Missing security headers, outdated deps with low-risk CVEs |
Configuring the Security Guardian
All Security Guardian settings are managed directly from the agent chat using the /pentest command — no configuration files required. Just type / in the chat and follow the interactive menu, or use the shorthand commands below.
/pentest — Open Settings Menu
Running /pentest without arguments opens an interactive menu where you can toggle each check on or off and save your configuration:
/pentest # interactive menu: # ▶ Mode: Static (Toggle Static/Active) # ▶ Static - OWASP: false (Toggle) # ▶ Static - Secrets: false (Toggle) # ▶ Bruteforce: false (Toggle) # ▶ Firewall: false (Toggle) # ▶ Save and Exit # ▶ Cancel / Exit
| Setting | What it controls |
|---|---|
| Mode | Switch between Static (code-only, safe for CI) and Active (live endpoint probing) |
| Static — OWASP | Enable OWASP Top 10 source code checks (injections, XSS, misconfigs) |
| Static — Secrets | Scan for hardcoded API keys, tokens, and credentials in source files |
| Bruteforce | Test auth endpoints for missing rate limiting and weak credentials |
| Firewall | Run network and header checks (CORS, SSL/TLS, exposed ports) |
/pentest target — Set Scan Target
Sets the URL or host the active scanner will probe. Optionally, provide a scope file to authorize specific IP ranges or routes:
/pentest target http://localhost:3000 /pentest target http://staging.myapp.com ./pentest-scope.json
The scope file defines which hosts and CIDR ranges the active scanner is authorized to test. Public internet IPs outside the declared scope are blocked.
Malware Scanner
In addition to the guardian, uneven scan analyzes your project for malicious code patterns, backdoors, and compromised dependencies. Safe for CI/CD pipelines (returns exit code 1 on critical or high findings).
uneven scan # colored output grouped by category uneven scan --report # generate HTML + Markdown report uneven scan --json # raw JSON for CI pipelines
| Category | Severity | Examples |
|---|---|---|
| remote-shell | critical | /dev/tcp, nc -e, bash -i >& |
| supply-chain | critical | curl | bash in postinstall scripts |
| obfuscation | high | eval(atob()), large String.fromCharCode arrays |
| data-exfiltration | high | credential harvest + external upload |
| credential-theft | high | SSH key reads, /etc/passwd, ~/.aws/credentials |
| persistence | high | crontab writes, systemd units, shell profile modification |
| crypto-mining | high | stratum+tcp://, xmrig, cryptonight references |
| typosquatting | medium | Package names within Levenshtein distance ≤2 of popular packages |
Log Output Example
## [14:23:10] 🔐 Security Audit — SQL Injection **Mode:** Active **Endpoint:** `GET /api/users?id=1` **Severity:** `CRITICAL` **Payload:** `1' OR '1'='1` **Result:** Endpoint vulnerable. Returned all table records. **File:** `src/controllers/user.controller.ts` **Line:** 28 **Recommendation:** Use parameterized queries or an ORM. --- ## [14:22:10] 🔐 Security Audit — Brute Force **Mode:** Active **Endpoint:** `POST /auth/login` **Severity:** `HIGH` **Result:** No rate limiting. 50 attempts in 5s — not blocked. **Recommendation:** Implement rate-limiting. Block IP after 5 failures within 60 seconds.