Metadata-Version: 2.4
Name: aiptx
Version: 5.0.3
Summary: AI-assisted security testing framework with SAST, DAST, business logic testing, and Active Directory penetration testing
Author-email: Satyam Rastogi <satyam@aiptx.io>
Maintainer-email: Satyam Rastogi <satyam@aiptx.io>
License: MIT License
        
        Copyright (c) 2025 Satyam Rastogi
        
        Permission is hereby granted, free of charge, to any person obtaining a copy
        of this software and associated documentation files (the "Software"), to deal
        in the Software without restriction, including without limitation the rights
        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
        copies of the Software, and to permit persons to whom the Software is
        furnished to do so, subject to the following conditions:
        
        The above copyright notice and this permission notice shall be included in all
        copies or substantial portions of the Software.
        
        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
        SOFTWARE.
        
Project-URL: Homepage, https://aiptx.io
Project-URL: Documentation, https://aiptx.io/docs
Project-URL: Repository, https://github.com/satyamrastogi/aiptx
Project-URL: Issues, https://github.com/satyamrastogi/aiptx/issues
Project-URL: Changelog, https://github.com/satyamrastogi/aiptx/blob/main/CHANGELOG.md
Project-URL: Community, https://aiptx.io/community
Keywords: security,penetration-testing,pentest,vulnerability-scanner,vulnerability-assessment,security-scanner,security-tools,security-automation,ai,llm,artificial-intelligence,machine-learning,gpt,chatgpt,cybersecurity,infosec,appsec,devsecops,vapt,dast,sast,bug-bounty,ethical-hacking,red-team,offensive-security,web-security,owasp,cve,exploit,sarif,cwe,nmap,nuclei,sqlmap,burp-suite,acunetix,nessus,zap,reconnaissance,recon,scanning,exploitation,graphql,websocket,spa,single-page-application,business-logic,race-condition,github-actions,cicd,pr-blocking,automation,cli,api,multi-agent,poc-validation,active-directory,ad-security,kerberos,ldap,ntlm,dcsync,kerberoasting,pass-the-hash,bloodhound,adcs,certificate-services,lateral-movement,privilege-escalation,domain-admin,impacket
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: Intended Audience :: Science/Research
Classifier: Topic :: Security
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Testing
Classifier: Topic :: Software Development :: Testing :: Acceptance
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Internet :: WWW/HTTP :: HTTP Servers
Classifier: Topic :: System :: Networking
Classifier: Topic :: System :: Systems Administration
Classifier: Topic :: System :: Monitoring
Classifier: Topic :: Utilities
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Operating System :: POSIX :: Linux
Classifier: Operating System :: MacOS
Classifier: Operating System :: Microsoft :: Windows
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Typing :: Typed
Classifier: Framework :: FastAPI
Classifier: Natural Language :: English
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: litellm>=1.50.0
Requires-Dist: jinja2>=3.1.0
Requires-Dist: tiktoken>=0.5.0
Requires-Dist: requests>=2.31.0
Requires-Dist: httpx>=0.25.0
Requires-Dist: aiohttp>=3.9.0
Requires-Dist: fastapi>=0.104.0
Requires-Dist: uvicorn[standard]>=0.24.0
Requires-Dist: pydantic>=2.5.0
Requires-Dist: pydantic-settings>=2.0.0
Requires-Dist: slowapi>=0.1.9
Requires-Dist: sqlalchemy>=2.0.0
Requires-Dist: alembic>=1.13.0
Requires-Dist: textual>=0.44.0
Requires-Dist: rich>=13.7.0
Requires-Dist: click>=8.1.0
Requires-Dist: typer>=0.9.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: python-dotenv>=1.0.0
Requires-Dist: aiofiles>=23.0.0
Requires-Dist: structlog>=23.0.0
Requires-Dist: psutil>=5.9.0
Requires-Dist: websockets>=12.0
Provides-Extra: vps
Requires-Dist: asyncssh>=2.14.0; extra == "vps"
Provides-Extra: modern
Requires-Dist: playwright>=1.40.0; extra == "modern"
Requires-Dist: beautifulsoup4>=4.12.0; extra == "modern"
Requires-Dist: lxml>=5.0.0; extra == "modern"
Requires-Dist: aiohttp>=3.9.0; extra == "modern"
Requires-Dist: websockets>=12.0; extra == "modern"
Provides-Extra: sast
Requires-Dist: gitpython>=3.1.40; extra == "sast"
Requires-Dist: pyyaml>=6.0; extra == "sast"
Provides-Extra: full
Requires-Dist: sentence-transformers>=2.2.0; extra == "full"
Requires-Dist: numpy>=1.24.0; extra == "full"
Requires-Dist: torch>=2.0.0; extra == "full"
Requires-Dist: playwright>=1.40.0; extra == "full"
Requires-Dist: beautifulsoup4>=4.12.0; extra == "full"
Requires-Dist: lxml>=5.0.0; extra == "full"
Requires-Dist: gitpython>=3.1.40; extra == "full"
Requires-Dist: mitmproxy>=10.0.0; extra == "full"
Requires-Dist: docker>=7.0.0; extra == "full"
Requires-Dist: pexpect>=4.8.0; extra == "full"
Requires-Dist: paramiko>=3.4.0; extra == "full"
Requires-Dist: asyncssh>=2.14.0; extra == "full"
Requires-Dist: langchain-core>=0.1.0; extra == "full"
Requires-Dist: scikit-learn>=1.3.0; extra == "full"
Requires-Dist: scipy>=1.11.0; extra == "full"
Requires-Dist: pandas>=2.0.0; extra == "full"
Requires-Dist: impacket>=0.11.0; extra == "full"
Requires-Dist: ldap3>=2.9.0; extra == "full"
Requires-Dist: certipy-ad>=4.8.0; extra == "full"
Requires-Dist: lsassy>=3.1.0; extra == "full"
Requires-Dist: bloodhound>=1.7.0; extra == "full"
Requires-Dist: dnspython>=2.4.0; extra == "full"
Requires-Dist: pyasn1>=0.5.0; extra == "full"
Provides-Extra: cicd
Requires-Dist: jsonschema>=4.20.0; extra == "cicd"
Provides-Extra: dev
Requires-Dist: pytest>=7.4.0; extra == "dev"
Requires-Dist: pytest-asyncio>=0.21.0; extra == "dev"
Requires-Dist: pytest-cov>=4.1.0; extra == "dev"
Requires-Dist: pytest-mock>=3.12.0; extra == "dev"
Requires-Dist: black>=23.0.0; extra == "dev"
Requires-Dist: ruff>=0.1.0; extra == "dev"
Requires-Dist: mypy>=1.7.0; extra == "dev"
Requires-Dist: bandit>=1.7.0; extra == "dev"
Requires-Dist: pre-commit>=3.5.0; extra == "dev"
Requires-Dist: safety>=2.3.0; extra == "dev"
Provides-Extra: windows
Requires-Dist: pyreadline3>=3.4.0; extra == "windows"
Provides-Extra: ad
Requires-Dist: impacket>=0.11.0; extra == "ad"
Requires-Dist: ldap3>=2.9.0; extra == "ad"
Requires-Dist: certipy-ad>=4.8.0; extra == "ad"
Requires-Dist: lsassy>=3.1.0; extra == "ad"
Requires-Dist: bloodhound>=1.7.0; extra == "ad"
Requires-Dist: dnspython>=2.4.0; extra == "ad"
Requires-Dist: pyasn1>=0.5.0; extra == "ad"
Dynamic: license-file

<div align="center">

# AIPTX

### AI-Assisted Security Testing Framework

[![PyPI version](https://img.shields.io/pypi/v/aiptx?style=flat-square&logo=pypi&logoColor=white&color=3775A9)](https://pypi.org/project/aiptx/)
[![Python 3.9+](https://img.shields.io/badge/Python-3.9+-3776AB?style=flat-square&logo=python&logoColor=white)](https://www.python.org/downloads/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](https://opensource.org/licenses/MIT)

</div>

---

AIPTX is a security testing framework that uses LLMs to assist with vulnerability scanning, analysis, and reporting. It integrates with common security tools and provides SAST, DAST, and business logic testing capabilities.

## What It Does

- **Scan Orchestration** — Coordinates multiple security tools (nuclei, nikto, sqlmap, etc.)
- **LLM-Assisted Analysis** — Uses AI to help analyze findings and suggest attack paths
- **SAST** — Static analysis for Python, JavaScript, Java, and Go with 90+ security rules
- **DAST** — Dynamic testing with WebSocket, SPA, and GraphQL scanner support
- **Business Logic Testing** — 29 test patterns for race conditions, IDOR, price manipulation
- **CI/CD Integration** — SARIF output for GitHub Security tab, PR blocking support
- **Reporting** — HTML and JSON reports with findings

## What It Doesn't Do

- It's not fully autonomous — requires configuration and human judgment
- It won't replace manual penetration testing
- AI suggestions need verification before acting on them
- Enterprise scanner integration (Acunetix, Burp, Nessus) requires separate licenses

---

## Installation

```bash
# Basic installation
pip install aiptx

# With SPA/WebSocket testing (requires playwright)
pip install aiptx[modern]

# Full installation
pip install aiptx[full]
```

### Setup

```bash
# Configure LLM API key and preferences
aiptx setup

# Verify configuration
aiptx status
```

---

## Usage

```bash
# Basic scan
aiptx scan example.com

# Quick scan (skip enterprise scanners)
aiptx scan example.com --quick

# With AI assistance
aiptx scan example.com --ai

# SAST analysis on local code
aiptx scan ./my-project --sast

# Output SARIF for CI/CD
aiptx scan example.com --format sarif --output results.sarif

# Fail CI if high severity findings
aiptx scan example.com --format sarif --fail-on-severity high
```

---

## v4.0 Features

### SAST (Static Analysis)
- Python, JavaScript/TypeScript, Java, Go support
- 90+ security rules (SQL injection, XSS, command injection, secrets)
- GitHub repository scanning

### Modern App Testing
- **WebSocket Scanner** — Injection testing, CSWSH, replay attacks
- **SPA Scanner** — Browser-based testing with Playwright, DOM XSS detection
- **GraphQL Scanner** — Mutations, subscriptions, complexity attacks, schema analysis

### Business Logic Testing
- Race conditions (double-spend, TOCTOU)
- Price/amount manipulation
- Workflow bypass
- Access control (IDOR, privilege escalation)
- Rate limit bypass

### CI/CD Integration
- SARIF 2.1.0 output for GitHub Code Scanning
- GitHub Action available
- Exit codes based on finding severity

---

## Configuration

### LLM Provider

AIPTX uses LiteLLM and supports multiple providers:

```bash
# Anthropic (recommended)
export ANTHROPIC_API_KEY="your-key"

# OpenAI
export OPENAI_API_KEY="your-key"

# Local (Ollama)
export OLLAMA_API_BASE="http://localhost:11434"
export AIPT_LLM__MODEL="ollama/llama3"
```

### Enterprise Scanners (Optional)

Requires separate licenses:

```bash
# Acunetix
export ACUNETIX_URL="https://your-acunetix:3443"
export ACUNETIX_API_KEY="your-api-key"

# Burp Suite Enterprise
export BURP_URL="http://your-burp:1337/v0.1/"
export BURP_API_KEY="your-api-key"
```

---

## GitHub Action

```yaml
- name: AIPTX Security Scan
  run: |
    pip install aiptx
    aiptx scan . --sast --format sarif --output results.sarif --fail-on-severity high

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```

---

## Architecture

```
┌────────────────────────────────────────────────────────────┐
│                         AIPTX v4.0                         │
├────────────────────────────────────────────────────────────┤
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌──────────────┐  │
│  │  SAST   │  │  DAST   │  │ Business│  │   GraphQL/   │  │
│  │ Engine  │  │ Scanner │  │  Logic  │  │   WebSocket  │  │
│  └────┬────┘  └────┬────┘  └────┬────┘  └──────┬───────┘  │
│       └────────────┴────────────┴───────────────┘         │
│                           │                                │
│                    ┌──────▼──────┐                        │
│                    │  Findings   │                        │
│                    │ Repository  │                        │
│                    └──────┬──────┘                        │
│                           │                                │
│              ┌────────────┼────────────┐                  │
│              ▼            ▼            ▼                  │
│         ┌────────┐  ┌──────────┐  ┌────────┐             │
│         │  HTML  │  │   JSON   │  │  SARIF │             │
│         │ Report │  │  Export  │  │ Output │             │
│         └────────┘  └──────────┘  └────────┘             │
└────────────────────────────────────────────────────────────┘
```

---

## Output Formats

| Format | Use Case |
|--------|----------|
| `--format text` | Terminal output (default) |
| `--format json` | Programmatic processing |
| `--format sarif` | GitHub Security tab |
| `--format html` | Shareable reports |

---

## Integrated Tools

AIPTX can orchestrate these tools (must be installed separately):

| Category | Tools |
|----------|-------|
| Recon | subfinder, httpx, katana, waybackurls |
| Scanning | nuclei, nikto, ffuf |
| Exploitation | sqlmap, commix |
| Secrets | gitleaks, trufflehog |

---

## Requirements

- Python 3.9+
- LLM API key (Anthropic, OpenAI, or local)
- Optional: Security tools for full scanning
- Optional: Playwright for SPA testing (`pip install aiptx[modern]`)

---

## Limitations

- AI analysis quality depends on the LLM used
- Some features require additional tools to be installed
- Enterprise scanner integration requires separate licenses
- Business logic tests may produce false positives
- WebSocket/SPA scanning requires `playwright install`

---

## License

MIT License — See [LICENSE](LICENSE) for details.

---

## Links

- **PyPI**: [pypi.org/project/aiptx](https://pypi.org/project/aiptx/)
- **GitHub**: [github.com/aiptx/aiptx](https://github.com/aiptx/aiptx)
- **Issues**: [GitHub Issues](https://github.com/aiptx/aiptx/issues)
