Today, we’re discussing a newcomer in the world of application security called OASIS (Ollama Automated Security Intelligence Scanner).
You probably know this already, but vulnerabilities in code are like food moths in a kitchen: there are always more than you think! And with the increasing complexity of modern applications, spotting these little pests becomes a real challenge. This is where OASIS comes in, helping you see your code as it truly is.
What makes OASIS interesting is its use of models available in Ollama to analyze your code. Gone are the static rules that are as old as Methuselah; now it’s all about smart, contextual analysis!
And the tool doesn’t rely on just one AI model. It uses multiple models in parallel to analyze your code from different perspectives. This approach ensures a more precise and comprehensive detection of potential vulnerabilities. The models can include llama2 and codellama, each contributing its specific expertise.
Since time is money, its caching system stores the embeddings (vector representations) of your code for 7 days by default. These embeddings are saved in an embeddings_cache.pkl file in the input directory, allowing for ultra-fast repeated analyses. OASIS then generates an organized and comprehensive report structure: a folder for each model used, subfolders for each format (Markdown, PDF, HTML), detailed reports by vulnerability type, and executive summaries perfect for meetings.
Another powerful feature is the audit mode, which analyzes the distribution of embeddings in your code, providing a deeper overview of security patterns.
To use it, you'll need Python 3.7 or newer, plus Ollama installed and running.
python3 -m pip install --user pipx
python3 -m pipx ensurepath
git clone https://github.com/psyray/oasis.git
cd oasis
pipx install --editable .
For a simple analysis:
oasis /path/to/your/code

And for a customized analysis:
oasis /path/to/your/code \
  --cache-days 7 \
  --threshold 0.5 \
  --vulns xss,sqli \
  --embed-model nomic-embed-text \
  --models llama2,codellama \
  --extensions .php,.js,.py \
  --audit
OASIS covers a wide range of vulnerabilities:
- SQLi: SQL Injection
- XSS: Cross-Site Scripting
- Input Validation: Insufficient Input Validation
- Data Exposure: Exposure of Sensitive Data
- Session Management: Session Management Issues
- Config: Security Misconfiguration
- Logging: Logging of Sensitive Data
- Crypto: Insecure Use of Cryptographic Functions
To optimize your use of OASIS, several best practices should be implemented. First, it’s crucial to automate analyses by integrating OASIS directly into your CI/CD pipeline, allowing for continuous and early detection of anomalies. Optimizing thresholds is also key, so take the time to adjust the threshold according to your specific needs and the desired level of sensitivity for your project.

Diversifying the models is another important aspect of optimization. By combining different analysis models, you achieve a more comprehensive and reliable coverage of your data.
Cache management should not be overlooked: use the --clear-cache option regularly to maintain optimal performance and avoid the buildup of outdated data.
Even though it won't replace a solid team of pentesters, OASIS will automate intelligent security checks on your code.
Source: the OASIS project README. OASIS, Ollama Automated Security Intelligence Scanner 🛡️: an AI-powered security auditing tool that leverages Ollama models to detect and analyze potential security vulnerabilities in your code. Advanced code security analysis through the power of AI.
Features:
- 🔍 Multi-Model Analysis: Leverage multiple Ollama models for comprehensive security scanning
- 💾 Smart Caching: Efficient embedding caching system for faster repeated analyses
- 📊 Rich Reporting: Detailed reports in multiple formats (Markdown, PDF, HTML)
- 🔄 Parallel Processing: Optimized performance through parallel vulnerability analysis
- 📝 Executive Summaries: Clear overview of all detected vulnerabilities
- 🎯 Customizable Scans: Support for specific vulnerability types and file extensions
- 📈 Distribution Analysis: Advanced audit mode for embedding distribution analysis
Prerequisites:
- Python 3.7+
- Ollama installed and running
- pipx (for isolated installation)
Installation:
Clone the repository:
git clone https://github.com/psyray/oasis.git
cd oasis
pipx install --editable .
Usage
Basic usage:
oasis [path_to_analyze]
For a quick test using sample files:
git clone https://github.com/psyray/oasis.git
cd oasis
pipx install --editable .
oasis test_files/
This will analyze the provided test files and generate security reports in the test_files/security_reports/ directory.
Advanced options:
oasis [path_to_analyze] \
  --cache-days 7 \
  --threshold 0.5 \
  --vulns xss,sqli \
  --embed-model nomic-embed-text \
  --models llama2,codellama
Command Line Arguments:
- input_path: Path to file, directory, or .txt file containing paths to analyze
- --cache-days: Maximum age of cache in days (default: 7)
- --threshold: Similarity threshold (default: 0.5)
- --vulns: Vulnerability types to check (comma-separated or 'all')
- --no-pdf: Skip PDF generation
- --debug: Enable debug mode
- --verbose: Enable verbose output
- --embed-model: Model to use for embeddings
- --models: Comma-separated list of models to use
- --list-models: List available models and exit
- --extensions: Custom file extensions to analyze
- --clear-cache: Clear embeddings cache before starting
- --audit: Run embedding distribution analysis
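To make the --threshold and --audit options concrete, here is an added illustration that is not OASIS's own code: it assumes, as a simplification of the tool's internals, that a code chunk becomes a candidate for a vulnerability type when the cosine similarity between its embedding and the embedding of that vulnerability's description reaches the threshold. The 3-d vectors are constructed stand-ins for real embeddings, and `candidates` / `distribution` are names chosen here, not OASIS functions.

```python
import math
from statistics import mean

THRESHOLD = 0.5  # the --threshold default on the page

def cosine(a, b):
    """Cosine similarity of two embedding vectors (0.0 when either is all zeros)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

# Constructed 3-d stand-ins for real embeddings: one vector per vulnerability
# description (two of the --vulns types) and one per code chunk, keyed by file:line.
VULN_VECTORS = {"sqli": [1.0, 0.0, 0.0], "xss": [0.0, 1.0, 0.0]}
CHUNKS = {
    "db.php:12": [0.9, 0.1, 0.1],   # close to the SQLi description
    "view.js:40": [0.1, 0.8, 0.2],  # close to the XSS description
    "util.py:3": [0.3, 0.3, 0.9],   # borderline for both (similarity about 0.30)
}

def candidates(chunks, vuln_vectors, threshold=THRESHOLD):
    """Per vulnerability type, the chunks whose similarity reaches the threshold.
    Lowering the threshold admits borderline chunks (more sensitivity, more review noise)."""
    return {
        vuln: sorted(name for name, vec in chunks.items() if cosine(vec, vv) >= threshold)
        for vuln, vv in vuln_vectors.items()
    }

def distribution(chunks, vuln_vectors, threshold=THRESHOLD):
    """Audit-style summary: how similarities are spread for each vulnerability type."""
    summary = {}
    for vuln, vv in vuln_vectors.items():
        scores = [cosine(vec, vv) for vec in chunks.values()]
        summary[vuln] = {
            "mean": round(mean(scores), 3),
            "max": round(max(scores), 3),
            "above_threshold": sum(s >= threshold for s in scores),
        }
    return summary

if __name__ == "__main__":
    for t in (0.5, 0.3):
        print("threshold", t, candidates(CHUNKS, VULN_VECTORS, t))
    print(distribution(CHUNKS, VULN_VECTORS))
```

At the default 0.5 only the two clear matches are reported; at 0.3 the borderline chunk shows up under both types, which is the sensitivity-versus-noise trade-off the threshold controls.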
Supported Vulnerability Types:
- SQLi: SQL Injection
- XSS: Cross-Site Scripting
- Input: Insufficient Input Validation
- Data: Sensitive Data Exposure
- Session: Session Management Issues
- Config: Security Misconfiguration
- Logging: Sensitive Data Logging
- Crypto: Insecure Cryptographic Function Usage
Output Structure:
security_reports/
├── [model_name]/
│   ├── markdown/
│   │   ├── vulnerability_type.md
│   │   └── executive_summary.md
│   ├── pdf/
│   │   ├── vulnerability_type.pdf
│   │   └── executive_summary.pdf
│   └── html/
│       ├── vulnerability_type.html
│       └── executive_summary.html
Cache Management: The tool maintains a cache of embeddings to improve performance:
- Default cache duration: 7 days
- Cache location: embeddings_cache.pkl in the input directory
- Use --clear-cache to force a fresh analysis
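The cache semantics described here and earlier in the post (embeddings kept in the input directory, a --cache-days window of 7 days by default, re-embedding only what is missing) as an added illustration, not OASIS's own code. It stores the cache as JSON rather than the pickle file OASIS uses, because pickle.load executes code embedded in the file it reads, so a cache that lives inside the directory being scanned should not be trusted blindly; `fake_embed` is a constructed stand-in for the Ollama embedding call, and all function names are chosen here.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

CACHE_FILE = "embeddings_cache.json"  # OASIS writes embeddings_cache.pkl; JSON is used here on purpose
DEFAULT_CACHE_DAYS = 7                # the --cache-days default on the page

def content_key(source):
    """Key entries by a hash of the chunk text, so an edited file is re-embedded rather than served stale."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def load_cache(input_dir, cache_days=DEFAULT_CACHE_DAYS, now=None):
    """Read the cache from the input directory, dropping entries older than cache_days."""
    path = Path(input_dir) / CACHE_FILE
    if not path.exists():
        return {}
    now = time.time() if now is None else now
    entries = json.loads(path.read_text(encoding="utf-8"))
    return {k: v for k, v in entries.items() if now - v["ts"] <= cache_days * 86400}

def save_cache(input_dir, cache):
    (Path(input_dir) / CACHE_FILE).write_text(json.dumps(cache), encoding="utf-8")

def embed_with_cache(source, cache, embed_fn, now=None):
    """Return (vector, cache_hit); embed_fn stands in for the Ollama embedding call."""
    key = content_key(source)
    if key in cache:
        return cache[key]["vec"], True
    vec = embed_fn(source)
    cache[key] = {"vec": vec, "ts": time.time() if now is None else now}
    return vec, False

def demo(now=1_000_000.0):
    """Round trip in a temporary directory; returns what each step observed."""
    fake_embed = lambda src: [float(len(src)), 1.0]  # constructed stand-in, not a real model
    with tempfile.TemporaryDirectory() as input_dir:
        cache = {}
        _, first_hit = embed_with_cache("SELECT * FROM users", cache, fake_embed, now)
        _, second_hit = embed_with_cache("SELECT * FROM users", cache, fake_embed, now)
        save_cache(input_dir, cache)
        six_days = len(load_cache(input_dir, 7, now + 6 * 86400))    # inside the window: 1 entry
        eight_days = len(load_cache(input_dir, 7, now + 8 * 86400))  # past the window: 0 entries
    return {"first_hit": first_hit, "second_hit": second_hit,
            "six_days": six_days, "eight_days": eight_days}

if __name__ == "__main__":
    print(demo())
```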
Audit Mode: Run OASIS in audit mode to analyze embedding distributions:
oasis [path_to_analyze] --audit
Contributing: Contributions are welcome! Please feel free to submit a Pull Request. Check out our Contributing Guidelines for more details.
License: GPL v3 – feel free to use this project for your security needs.
Acknowledgments: Built with Ollama. Uses WeasyPrint for PDF generation. Special thanks to all contributors and the open-source community.
Support: If you encounter any issues or have questions, please file an issue.
