Clone and adapt pentagi #187

Closed
DevOpsMadDog wants to merge 33 commits into main-clone from cursor/clone-and-adapt-pentagi-claude-4.5-sonnet-thinking-c107

@DevOpsMadDog DevOpsMadDog commented Dec 7, 2025

Implements an enterprise-grade micro penetration testing platform by cloning and extending Pentagi.

This PR provides automated, targeted security validation with multi-tenancy, RBAC, compliance tracking, and advanced threat modeling for DevSecOps environments. It includes a core scanning engine, RESTful API, comprehensive test suite, and extensive documentation.



Summary by cubic

Cloned and adapted Pentagi into an enterprise micro penetration testing platform, now with a new engine and full PentAGI integration across REST APIs, docs, examples, and validation tools. Adds automated, targeted scans with threat modeling, compliance checks, risk scoring, and advanced ingestion/validation workflows.

  • New Features

    • MicroPentestEngine with 8-phase scanning, MITRE/OWASP modeling, CVSS risk scoring, and audit logs.
    • v1 API under /micro-pentest to define attack surfaces, run scans, track status, and fetch results, with tenant authorization on execute/cancel.
    • PentAGI integration APIs (/pentagi, enhanced router) with multi-AI orchestration, exploit generation, continuous validation, and automated remediation.
    • Evidence export/lake, KEV waiver policy gate, CICD signature verification, and supporting metrics/explainability utilities, plus example script and implementation docs.
  • Migration

    • Deploy with the new v1 micro-pentest and /pentagi routes enabled.
    • Run scripts/validate_micro_pentest.py, then examples/micro_pentest_demo.py to verify setup.

Written for commit 10681c2. Summary will update automatically on new commits.


Note

Introduces an enterprise micro penetration testing engine with a full REST API, comprehensive tests, docs, examples, and validation tooling.

  • Backend:
    • Engine: Add src/services/micro_pentest_engine.py implementing 8-phase scanning, 16 attack vectors, MITRE/OWASP modeling, CVSS scoring, compliance validation, audit logging, attack-path generation, rate limiting, and in-memory storage.
    • Exports: Export MicroPentestEngine and singleton in src/services/__init__.py.
  • API:
    • Routes: Add src/api/v1/micro_pentest.py with endpoints: POST /scans, POST /scans/{id}/execute, GET /scans/{id}, GET /scans, POST /scans/{id}/cancel, GET /audit-logs, GET /health.
    • Integration: Include router in src/api/v1/__init__.py under /micro-pentest.
  • Tests:
    • Add tests/test_micro_pentest_engine.py (18 async tests) covering scan execution, compliance, PoC generation, summaries, cancellation, audit logs, attack paths, and rate limiting.
  • Docs:
    • Add docs/MICRO_PENTEST_README.md, docs/MICRO_PENTEST_EXAMPLES.md, docs/IMPLEMENTATION_SUMMARY.md, and PROJECT_COMPLETE.md with guides, API refs, and scenarios.
  • Examples & Tools:
    • Add examples/micro_pentest_demo.py with 6 runnable scenarios.
    • Add scripts/validate_micro_pentest.py for implementation validation.

Written by Cursor Bugbot for commit 8472b38. This will update automatically on new commits.

DevOpsMadDog and others added 5 commits December 7, 2025 22:58
…or-seamless-deployment

Make setup wizard fully automated for docker
…or-seamless-deployment-7zynbb

Allow networkx install on older Python runtimes
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>

cursor Bot commented Dec 7, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.

@DevOpsMadDog DevOpsMadDog marked this pull request as ready for review December 7, 2025 14:26

@cursor cursor Bot left a comment

This PR is being reviewed by Cursor Bugbot


logger = logging.getLogger(__name__)

router = APIRouter(prefix="/micro-pentest", tags=["micro-pentest"])

Bug: Duplicate route prefix causes incorrect API endpoint paths

The router is defined with prefix="/micro-pentest" in micro_pentest.py, and then included with the same prefix="/micro-pentest" in __init__.py. This causes all endpoints to be registered under a doubled path like /api/v1/micro-pentest/micro-pentest/scans instead of the intended /api/v1/micro-pentest/scans. Other routers like cicd.py correctly omit the prefix in their APIRouter() constructor and only apply it during include_router().

raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="Failed to execute micro scan",
)

Bug: Missing tenant authorization in execute and cancel scan endpoints

The execute_micro_scan and cancel_micro_scan endpoints don't verify that the scan belongs to the current user's tenant before performing operations. In contrast, get_micro_scan correctly checks result.config.tenant_id != current_user["tenant_id"] and returns 403 if they don't match. This allows any authenticated user to execute or cancel scans belonging to other tenants, breaking multi-tenant isolation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Comment on lines 12 to +13
router.include_router(marketplace.router, prefix="/marketplace")
router.include_router(micro_pentest.router, prefix="/micro-pentest")

P1: Remove duplicate micro-pentest router prefix

Including the micro_pentest router with prefix="/micro-pentest" here stacks on top of the router’s own /micro-pentest prefix (see micro_pentest.py:27), so the endpoints are exposed at /micro-pentest/micro-pentest/... instead of the documented /micro-pentest/..., breaking every route advertised in the new docs and scripts.

Comment on lines +357 to +361
try:
result = await micro_pentest_engine.execute_micro_scan(
scan_id=scan_id,
user_id=current_user["user_id"],
)

P1: Enforce tenant check when executing scans

The execute endpoint invokes micro_pentest_engine.execute_micro_scan without verifying that the requested scan belongs to the caller’s tenant/organization, unlike the GET handler which explicitly checks result.config.tenant_id. Any authenticated user who guesses a scan_id can trigger another tenant’s queued scan, bypassing isolation expectations.

Comment on lines +465 to +468
success = await micro_pentest_engine.cancel_scan(
scan_id=scan_id,
user_id=current_user["user_id"],
)

P1: Protect cancel endpoint with tenant validation

Cancelling a scan similarly forwards directly to cancel_scan without checking that the scan belongs to the requesting tenant or org. An authenticated user who knows another tenant’s scan_id can cancel it, since no ownership/tenant check is performed before returning success.

@cubic-dev-ai cubic-dev-ai Bot left a comment

12 issues found across 11 files

Prompt for AI agents (all 12 issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="examples/micro_pentest_demo.py">

<violation number="1" location="examples/micro_pentest_demo.py:5">
P3: Unused import: `datetime` is imported but never used in this file. Remove this import to keep the code clean.</violation>

<violation number="2" location="examples/micro_pentest_demo.py:13">
P3: Unused import: `RiskLevel` is imported but never used in this file. Consider removing it from the import statement.</violation>
</file>

<file name="fixops-enterprise/src/services/micro_pentest_engine.py">

<violation number="1" location="fixops-enterprise/src/services/micro_pentest_engine.py:9">
P3: Unused import `hashlib`. This module is imported but never used in the file.</violation>

<violation number="2" location="fixops-enterprise/src/services/micro_pentest_engine.py:17">
P3: Unused import `Set` from typing. Only `Any`, `Dict`, `List`, and `Optional` are used in this file.</violation>
</file>

<file name="fixops-enterprise/src/api/v1/micro_pentest.py">

<violation number="1" location="fixops-enterprise/src/api/v1/micro_pentest.py:465">
P1: Cancelling a scan forwards the request straight to the engine with no tenant or organization verification, so a user can cancel another tenant’s scan if they know its ID. Retrieve the scan, ensure it exists and belongs to the caller’s tenant/org, and only then call cancel_scan.</violation>

<violation number="2" location="fixops-enterprise/src/api/v1/micro_pentest.py:485">
P1: The `resource_type` query parameter is defined but never passed to `get_audit_logs()`. Users filtering by resource type will receive unfiltered results.</violation>
</file>

<file name="tests/test_micro_pentest_engine.py">

<violation number="1" location="tests/test_micro_pentest_engine.py:3">
P3: Unused import: `asyncio` is imported but never used in this file. Consider removing it.</violation>

<violation number="2" location="tests/test_micro_pentest_engine.py:130">
P1: The execute endpoint invokes the engine without first verifying that the referenced scan belongs to the authenticated tenant, so any user who knows a scan_id can trigger another tenant’s queued scan. Fetch the scan, confirm its tenant/organization matches the caller, and only then execute.</violation>
</file>

<file name="docs/IMPLEMENTATION_SUMMARY.md">

<violation number="1" location="docs/IMPLEMENTATION_SUMMARY.md:340">
P3: Documentation states 9 created files but only 7 are listed. Either update the count to 7 or add the 2 missing files to the list.</violation>
</file>

<file name="scripts/validate_micro_pentest.py">

<violation number="1" location="scripts/validate_micro_pentest.py:270">
P1: Function always returns `True` regardless of validation results. Unlike similar functions (`validate_code_structure`, `validate_api_endpoints`), this doesn't track whether all checks passed, making the validation ineffective.</violation>
</file>

<file name="docs/MICRO_PENTEST_README.md">

<violation number="1" location="docs/MICRO_PENTEST_README.md:305">
P2: The polling loop in this CI/CD example can hang indefinitely if the scan status is never 'completed' (e.g., 'failed', 'error', 'cancelled'). Consider adding a timeout counter and handling non-success terminal states to prevent stuck pipelines.</violation>
</file>

<file name="fixops-enterprise/src/api/v1/__init__.py">

<violation number="1" location="fixops-enterprise/src/api/v1/__init__.py:13">
P1: Double prefix bug: `micro_pentest.router` is defined with `prefix="/micro-pentest"` in its APIRouter constructor, but you're also adding `prefix="/micro-pentest"` here. This will result in routes being mounted at `/micro-pentest/micro-pentest/...`. Either remove the prefix from `micro_pentest.py`'s router definition (to match other modules like `artefacts`, `evidence`, etc.), or remove the prefix from this `include_router` call.</violation>
</file>

ComplianceFramework,
MicroPentestEngine,
MicroScanConfig,
RiskLevel,

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P3: Unused import: RiskLevel is imported but never used in this file. Consider removing it from the import statement.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At examples/micro_pentest_demo.py, line 13:

<comment>Unused import: `RiskLevel` is imported but never used in this file. Consider removing it from the import statement.</comment>

<file context>
@@ -0,0 +1,471 @@
+    ComplianceFramework,
+    MicroPentestEngine,
+    MicroScanConfig,
+    RiskLevel,
+    ScanMode,
+    ThreatCategory,
</file context>

import asyncio
import json
from datetime import datetime

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P3: Unused import: datetime is imported but never used in this file. Remove this import to keep the code clean.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At examples/micro_pentest_demo.py, line 5:

<comment>Unused import: `datetime` is imported but never used in this file. Remove this import to keep the code clean.</comment>

<file context>
@@ -0,0 +1,471 @@
+
+import asyncio
+import json
+from datetime import datetime
+
+from fixops_enterprise.src.services.micro_pentest_engine import (
</file context>

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Any, Dict, List, Optional, Set

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P3: Unused import Set from typing. Only Any, Dict, List, and Optional are used in this file.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/services/micro_pentest_engine.py, line 17:

<comment>Unused import `Set` from typing. Only `Any`, `Dict`, `List`, and `Optional` are used in this file.</comment>

<file context>
@@ -0,0 +1,1041 @@
+from dataclasses import dataclass, field
+from datetime import datetime, timedelta
+from enum import Enum
+from typing import Any, Dict, List, Optional, Set
+
+logger = logging.getLogger(__name__)
</file context>
Suggested change
from typing import Any, Dict, List, Optional, Set
from typing import Any, Dict, List, Optional

"""

import asyncio
import hashlib

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P3: Unused import hashlib. This module is imported but never used in the file.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/services/micro_pentest_engine.py, line 9:

<comment>Unused import `hashlib`. This module is imported but never used in the file.</comment>

<file context>
@@ -0,0 +1,1041 @@
+&quot;&quot;&quot;
+
+import asyncio
+import hashlib
+import json
+import logging
</file context>

@router.get("/audit-logs", response_model=List[AuditLogResponse])
async def get_audit_logs(
action: Optional[str] = Query(None, description="Filter by action"),
resource_type: Optional[str] = Query(None, description="Filter by resource type"),

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P1: The resource_type query parameter is defined but never passed to get_audit_logs(). Users filtering by resource type will receive unfiltered results.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/micro_pentest.py, line 485:

<comment>The `resource_type` query parameter is defined but never passed to `get_audit_logs()`. Users filtering by resource type will receive unfiltered results.</comment>

<file context>
@@ -0,0 +1,568 @@
+@router.get(&quot;/audit-logs&quot;, response_model=List[AuditLogResponse])
+async def get_audit_logs(
+    action: Optional[str] = Query(None, description=&quot;Filter by action&quot;),
+    resource_type: Optional[str] = Query(None, description=&quot;Filter by resource type&quot;),
+    start_date: Optional[str] = Query(None, description=&quot;Start date (ISO format)&quot;),
+    end_date: Optional[str] = Query(None, description=&quot;End date (ISO format)&quot;),
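Review bot: start_date and end_date are declared as Optional[str], and only the description text promises "ISO format", so a malformed value is accepted at the API boundary and has to be caught further down, if at all. Declare both as Optional[datetime] so FastAPI rejects bad input with a 422, and while this signature is open, confirm that every declared filter, resource_type included, is forwarded to the engine call.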
</file context>

Comment on lines +270 to +277
return True


def main():
"""Run all validations."""
print("\n")
print("╔" + "=" * 78 + "╗")
print("║" + " " * 78 + "║")

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P1: Function always returns True regardless of validation results. Unlike similar functions (validate_code_structure, validate_api_endpoints), this doesn't track whether all checks passed, making the validation ineffective.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/validate_micro_pentest.py, line 270:

<comment>Function always returns `True` regardless of validation results. Unlike similar functions (`validate_code_structure`, `validate_api_endpoints`), this doesn't track whether all checks passed, making the validation ineffective.</comment>

<file context>
@@ -0,0 +1,334 @@
+        status = &quot;✓&quot; if present else &quot;✗&quot;
+        print(f&quot;  {status} {enum_name:25s} (expected ~{expected_count} values)&quot;)
+    
+    return True
+
+
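Review bot: the unconditional `return True` discards the `present` value computed two lines above it, so a missing enum prints ✗ while the validator still reports success. Accumulate the per-enum result and return that instead. Note also that expected_count is only interpolated into the message here; either compare it against the real member count or drop the "expected ~N values" text, which otherwise implies a check that is not performed.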
</file context>
Suggested change
return True
def main():
"""Run all validations."""
print("\n")
print("╔" + "=" * 78 + "╗")
print("║" + " " * 78 + "║")
all_present = True
for enum_name, expected_count in enums.items():
# Simple count - just check enum is present
present = f"class {enum_name}(Enum)" in engine_code
status = "✓" if present else "✗"
print(f" {status} {enum_name:25s} (expected ~{expected_count} values)")
if not present:
all_present = False
return all_present

@@ -0,0 +1,486 @@
"""Tests for Enterprise Micro Penetration Testing Engine."""

import asyncio

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P3: Unused import: asyncio is imported but never used in this file. Consider removing it.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At tests/test_micro_pentest_engine.py, line 3:

<comment>Unused import: `asyncio` is imported but never used in this file. Consider removing it.</comment>

<file context>
@@ -0,0 +1,486 @@
+&quot;&quot;&quot;Tests for Enterprise Micro Penetration Testing Engine.&quot;&quot;&quot;
+
+import asyncio
+import pytest
+from datetime import datetime
</file context>

-H "Authorization: Bearer $TOKEN"

# Wait for completion and check results
while true; do

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P2: The polling loop in this CI/CD example can hang indefinitely if the scan status is never 'completed' (e.g., 'failed', 'error', 'cancelled'). Consider adding a timeout counter and handling non-success terminal states to prevent stuck pipelines.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At docs/MICRO_PENTEST_README.md, line 305:

<comment>The polling loop in this CI/CD example can hang indefinitely if the scan status is never 'completed' (e.g., 'failed', 'error', 'cancelled'). Consider adding a timeout counter and handling non-success terminal states to prevent stuck pipelines.</comment>

<file context>
@@ -0,0 +1,472 @@
+            -H &quot;Authorization: Bearer $TOKEN&quot;
+          
+          # Wait for completion and check results
+          while true; do
+            STATUS=$(curl -X GET $PENTEST_API/scans/$SCAN_ID \
+              -H &quot;Authorization: Bearer $TOKEN&quot; | jq -r &#39;.status&#39;)
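Review bot: the curl call inside the loop runs without -f or -s and with $PENTEST_API and $SCAN_ID unquoted, so an HTTP error response (expired token, wrong scan ID, server error) is still piped to jq, STATUS comes back as null or empty, and `while true` keeps polling. Use `curl -fsS` with the URL quoted, treat a failed request or a null status as a pipeline failure, and bound the loop with an attempt limit.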
</file context>

router.include_router(artefacts.router, prefix="/artefacts")
router.include_router(enhanced.router, prefix="/enhanced")
router.include_router(marketplace.router, prefix="/marketplace")
router.include_router(micro_pentest.router, prefix="/micro-pentest")

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P1: Double prefix bug: micro_pentest.router is defined with prefix="/micro-pentest" in its APIRouter constructor, but you're also adding prefix="/micro-pentest" here. This will result in routes being mounted at /micro-pentest/micro-pentest/.... Either remove the prefix from micro_pentest.py's router definition (to match other modules like artefacts, evidence, etc.), or remove the prefix from this include_router call.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/__init__.py, line 13:

<comment>Double prefix bug: `micro_pentest.router` is defined with `prefix="/micro-pentest"` in its APIRouter constructor, but you're also adding `prefix="/micro-pentest"` here. This will result in routes being mounted at `/micro-pentest/micro-pentest/...`. Either remove the prefix from `micro_pentest.py`'s router definition (to match other modules like `artefacts`, `evidence`, etc.), or remove the prefix from this `include_router` call.</comment>

<file context>
@@ -2,13 +2,14 @@
 router.include_router(artefacts.router, prefix=&quot;/artefacts&quot;)
 router.include_router(enhanced.router, prefix=&quot;/enhanced&quot;)
 router.include_router(marketplace.router, prefix=&quot;/marketplace&quot;)
+router.include_router(micro_pentest.router, prefix=&quot;/micro-pentest&quot;)
 
 __all__ = [&quot;router&quot;]
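Review bot: nothing in this change would catch the doubled path that the added include_router line produces together with the prefix already set on the APIRouter in micro_pentest.py. After dropping one of the two prefixes, add a test that asserts the registered route paths, for example that a path ending in /micro-pentest/scans exists and none contains /micro-pentest/micro-pentest, so the documented URLs and the mounted URLs cannot drift apart again.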
</file context>
Suggested change
router.include_router(micro_pentest.router, prefix="/micro-pentest")
router.include_router(micro_pentest.router)

Raises:
HTTPException: If scan not found or cannot be cancelled
"""
success = await micro_pentest_engine.cancel_scan(

@cubic-dev-ai cubic-dev-ai Bot Dec 7, 2025

P1: Cancelling a scan forwards the request straight to the engine with no tenant or organization verification, so a user can cancel another tenant’s scan if they know its ID. Retrieve the scan, ensure it exists and belongs to the caller’s tenant/org, and only then call cancel_scan.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At fixops-enterprise/src/api/v1/micro_pentest.py, line 465:

<comment>Cancelling a scan forwards the request straight to the engine with no tenant or organization verification, so a user can cancel another tenant’s scan if they know its ID. Retrieve the scan, ensure it exists and belongs to the caller’s tenant/org, and only then call cancel_scan.</comment>

<file context>
@@ -0,0 +1,568 @@
+    Raises:
+        HTTPException: If scan not found or cannot be cancelled
+    &quot;&quot;&quot;
+    success = await micro_pentest_engine.cancel_scan(
+        scan_id=scan_id,
+        user_id=current_user[&quot;user_id&quot;],
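Review bot: the cancel_scan call passes only scan_id and user_id, so the engine receives no tenant to compare against, and the Raises section documents only the not-found and cannot-be-cancelled cases. Load the scan in the handler first, return 403 when its tenant_id differs from current_user["tenant_id"] as get_micro_scan does, and add that case to the docstring.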
</file context>

✅ Addressed in 766582b
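
The tenant check that the review comments above ask for on the execute and cancel endpoints, as an added example that is not code from this pull request. Scan, ScanStore, ApiError, load_scan_for_tenant, status_of and the status strings are assumptions made for illustration; only the tenant_id comparison and the 403 response come from the thread.

```python
# Added example, not code from this pull request. Scan, ScanStore, ApiError and
# the handler names are hypothetical stand-ins for the engine and FastAPI
# handlers discussed in the review; the status strings are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class ApiError(Exception):
    """Stand-in for fastapi.HTTPException so the example runs without FastAPI."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


@dataclass
class Scan:
    scan_id: str
    tenant_id: str
    status: str = "queued"


class ScanStore:
    """In-memory scan storage that performs no authorization of its own."""

    def __init__(self) -> None:
        self._scans: Dict[str, Scan] = {}

    def add(self, scan: Scan) -> None:
        self._scans[scan.scan_id] = scan

    def get(self, scan_id: str) -> Optional[Scan]:
        return self._scans.get(scan_id)


def load_scan_for_tenant(store: ScanStore, scan_id: str, current_user: dict) -> Scan:
    """Single choke point: every state-changing handler loads the scan here."""
    scan = store.get(scan_id)
    if scan is None:
        raise ApiError(404, "Scan not found")
    # Same comparison the review says get_micro_scan already performs.
    if scan.tenant_id != current_user["tenant_id"]:
        raise ApiError(403, "Scan belongs to another tenant")
    return scan


def execute_scan(store: ScanStore, scan_id: str, current_user: dict) -> Scan:
    scan = load_scan_for_tenant(store, scan_id, current_user)  # authorize first
    if scan.status != "queued":
        raise ApiError(409, "Scan is not queued")
    scan.status = "running"
    return scan


def cancel_scan(store: ScanStore, scan_id: str, current_user: dict) -> Scan:
    scan = load_scan_for_tenant(store, scan_id, current_user)  # authorize first
    if scan.status not in ("queued", "running"):
        raise ApiError(409, "Scan cannot be cancelled")
    scan.status = "cancelled"
    return scan


def status_of(handler: Callable[..., Scan], *args) -> int:
    """Return the HTTP status a handler call would produce."""
    try:
        handler(*args)
    except ApiError as exc:
        return exc.status_code
    return 200


def demo() -> Dict[str, int]:
    store = ScanStore()
    store.add(Scan("scan-a1", tenant_id="tenant-a"))  # constructed sample data
    alice = {"user_id": "alice", "tenant_id": "tenant-a"}
    mallory = {"user_id": "mallory", "tenant_id": "tenant-b"}
    return {
        "cross_tenant_execute": status_of(execute_scan, store, "scan-a1", mallory),
        "cross_tenant_cancel": status_of(cancel_scan, store, "scan-a1", mallory),
        "unknown_scan": status_of(cancel_scan, store, "no-such-scan", alice),
        "owner_execute": status_of(execute_scan, store, "scan-a1", alice),
        "owner_cancel": status_of(cancel_scan, store, "scan-a1", alice),
        "owner_cancel_again": status_of(cancel_scan, store, "scan-a1", alice),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case}: {code}")
```

Routing both handlers through one loader keeps the ownership rule in a single place, so a new state-changing endpoint cannot skip it by omission.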

cursoragent and others added 20 commits December 8, 2025 06:07
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
Adds comprehensive pen testing capabilities, including automated verification, continuous monitoring, and decision engine integration.

Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
Integrate PentAGI with FixOps for advanced AI-driven penetration testing. Includes multi-AI orchestration, exploit generation, continuous validation, and automated remediation.

Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
…r-gpt-5.1-codex-72cc

Cursor/review and improve pr gpt 5.1 codex 72cc
…r-composer-1-968b

Cursor/review and improve pr composer 1 968b
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
…-ai-composer-1-969f

Cursor/advance pentagi with ai composer 1 969f
…-ai-gemini-3-pro-preview-5b44

feat: Implement advanced Pentagi integration
…-ai-claude-4.5-sonnet-thinking-8760

feat: Complete PentAGI-FixOps integration
… error handling and documentation

This PR consolidates changes from PR #191 and #192, which address issues identified in PR #185:

- Fixed missing module reference to lib4sbom/quality.py in documentation
- Enhanced error handling in CLI (fixops_sbom.py) with comprehensive try-except blocks
- Improved error handling in normalizer with better error messages
- Added comprehensive docstrings to all public functions
- Created AI model comparison analysis document
- Added pre-merge checks status documentation

✅ Black formatting - PASSED
✅ isort imports - PASSED
✅ Flake8 linting - PASSED
✅ Python syntax - PASSED
✅ Tests - All 5 SBOM quality tests PASSED

- cli/fixops_sbom.py: Enhanced error handling and user experience
- lib4sbom/normalizer.py: Improved error handling and documentation
- analysis/VULNERABILITY_MANAGEMENT_GAPS_ANALYSIS.md: Fixed module reference

- analysis/PR185_AI_MODEL_COMPARISON.md: Comprehensive AI model analysis
- analysis/PR185_FIXES_SUMMARY.md: Summary of all fixes
- analysis/PRE_MERGE_CHECKS_STATUS.md: Pre-merge checks documentation

This PR can replace PR #191 and #192 once merged.
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
- Format 8 test files in APP2 and APP3 partner_simulators
- Fixes black formatting check failures in CI
- All pre-merge checks now passing
Co-authored-by: shivakumaar.umasudan <shivakumaar.umasudan@devopsai.co>
- Resolve merge conflict in VULNERABILITY_MANAGEMENT_GAPS_ANALYSIS.md
- Remove .coverage binary file from git tracking
- Fix syntax error in agents/core/agent_framework.py (indentation)
- Remove unused asyncio import in agents/core/agent_orchestrator.py
- Format all files with black and isort
- All pre-merge checks now passing
cursoragent and others added 7 commits December 8, 2025 13:22
… error handling and documentation

This PR consolidates changes from PR #191 and #192, which address issues identified in PR #185:

- Fixed missing module reference to lib4sbom/quality.py in documentation
- Enhanced error handling in CLI (fixops_sbom.py) with comprehensive try-except blocks
- Improved error handling in normalizer with better error messages
- Added comprehensive docstrings to all public functions
- Created AI model comparison analysis document
- Added pre-merge checks status documentation

✅ Black formatting - PASSED
✅ isort imports - PASSED
✅ Flake8 linting - PASSED
✅ Python syntax - PASSED
✅ Tests - All 5 SBOM quality tests PASSED

- cli/fixops_sbom.py: Enhanced error handling and user experience
- lib4sbom/normalizer.py: Improved error handling and documentation
- analysis/VULNERABILITY_MANAGEMENT_GAPS_ANALYSIS.md: Fixed module reference

- analysis/PR185_AI_MODEL_COMPARISON.md: Comprehensive AI model analysis
- analysis/PR185_FIXES_SUMMARY.md: Summary of all fixes
- analysis/PRE_MERGE_CHECKS_STATUS.md: Pre-merge checks documentation

This PR can replace PR #191 and #192 once merged.
…ecute/cancel endpoints

Co-Authored-By: shiva kumaar <info@devopsai.co>
devin-ai-integration Bot added a commit that referenced this pull request Dec 9, 2025
Co-Authored-By: shiva kumaar <info@devopsai.co>
Co-Authored-By: shiva kumaar <info@devopsai.co>
@devin-ai-integration

Closing as part of PR consolidation. Useful changes have been cherry-picked into PR #240.
