From 011bcd89ab2d62bb65099b5c8900e940ca29191e Mon Sep 17 00:00:00 2001 From: Daniyal-Rashid-00 Date: Fri, 27 Feb 2026 14:54:53 +0500 Subject: [PATCH 1/2] Updates --- GEMINI.md | 77 ------------------- README.md | 95 ++++++++++++++++++------ api/__pycache__/ai.cpython-313.pyc | Bin 5682 -> 7157 bytes api/__pycache__/scanner.cpython-313.pyc | Bin 8546 -> 8546 bytes api/ai.py | 23 ++++-- src/app/report/[id]/page.tsx | 23 ++++-- src/components/DomainInput.tsx | 12 +-- 7 files changed, 110 insertions(+), 120 deletions(-) delete mode 100644 GEMINI.md diff --git a/GEMINI.md b/GEMINI.md deleted file mode 100644 index ca8a616..0000000 --- a/GEMINI.md +++ /dev/null @@ -1,77 +0,0 @@ -# Project Overview - -This is a Next.js application with a Python FastAPI backend. The application, named "SentinelScan," is designed to scan domains for security vulnerabilities and generate reports. - -**Frontend:** -- Framework: Next.js (React) -- Language: TypeScript -- Styling: Tailwind CSS -- Key Libraries: Radix UI, Lucide React, Supabase Client - -**Backend:** -- Framework: FastAPI -- Language: Python -- Database: Supabase -- Key Libraries: `fastapi`, `uvicorn`, `httpx`, `supabase`, `python-dotenv`, `pydantic` - -**Architecture:** -The application is a monorepo with a Next.js frontend and a Python FastAPI backend. The frontend and backend are in the `src` and `api` directories, respectively. The frontend communicates with the backend through API endpoints. The backend handles the scanning logic and interacts with a Supabase database to store scan results. - -# Building and Running - -**Prerequisites:** -- Node.js and npm (or yarn/pnpm/bun) -- Python and pip - -**Installation:** -1. Install Node.js dependencies: - ```bash - npm install - ``` -2. Install Python dependencies: - ```bash - pip install -r requirements.txt - ``` - -**Running the application:** - -The application can be run in development mode with a single command that starts both the frontend and backend concurrently: - -```bash -npm run dev -``` - -Alternatively, you can run the frontend and backend separately: - -- **Frontend (Next.js):** - ```bash - npm run dev:ui - ``` -- **Backend (FastAPI):** - ```bash - npm run dev:api - ``` - -**Building for production:** - -```bash -npm run build -``` - -**Starting the production server:** - -```bash -npm run start -``` - -# Development Conventions - -- **Linting:** The project uses ESLint for code linting. Run the linter with: - ```bash - npm run lint - ``` -- **Styling:** The project uses Tailwind CSS for styling. Utility classes are used for styling components. -- **Components:** Reusable UI components are located in the `src/components` directory. -- **API:** The backend API is defined in the `api` directory. The main API logic is in `api/index.py`. -- **Database:** The project uses Supabase for its database. Database interactions are handled in `api/db.py`. -- **Secrets:** The project uses a `.env` file for environment variables. A `.env.example` file should be created to show the required environment variables. (TODO: Create `.env.example` file). diff --git a/README.md b/README.md index e215bc4..c568e5e 100644 --- a/README.md +++ b/README.md @@ -1,36 +1,85 @@ -This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app). +
+ SentinelScan Logo +
-## Getting Started +

SentinelScan v2.0

-First, run the development server: +

+ Automated Reconnaissance & AI-Powered Vulnerability Reporting
+ Lightning-fast reconnaissance layered with intelligent context. +

-```bash -npm run dev -# or -yarn dev -# or -pnpm dev -# or -bun dev -``` +

+ Next.js + FastAPI + Supabase + OpenRouter +

-Open [http://localhost:3000](http://localhost:3000) with your browser to see the result. +--- -You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file. +## โšก Overview -This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel. +**SentinelScan** is a modern, serverless security scanning platform. It automates initial reconnaissance tasksโ€”such as subdomain enumeration, port scanning, and sensitive path probingโ€”and uses advanced Large Language Models (LLMs) to generate professional, compliance-ready vulnerability assessments in seconds. -## Learn More +## โœจ Features -To learn more about Next.js, take a look at the following resources: +- **๐Ÿš€ Concurrent Reconnaissance**: Runs multiple reconnaissance modules (DNS brute-forcing, Certificate Transparency logs, HTTP header analysis, sensitive directory probing) entirely in parallel using Python `asyncio`. +- **๐Ÿง  AI-Powered Assessment**: Feeds raw JSON recon data into an LLM (via OpenRouter) to write structured, actionable, and formatted Markdown reports adhering to industry standards. +- **๐ŸŒŠ Instant Streaming UI**: Employs real-time Server-Sent Events (SSE) to stream the AI report line-by-line while raw scan data populates instantly on the mobile-responsive Next.js frontend. +- **๐Ÿ”’ Consent Gated & Rate Limited**: Designed for ethical testing only. Integrates robust rate-limiting and private-IP blocking middleware. -- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API. -- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial. +## ๐Ÿ› ๏ธ Tech Stack -You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome! +- **Frontend**: Next.js 14 (App Router), React, Tailwind CSS, shadcn/ui +- **Backend**: Python 3, FastAPI, `httpx`, `asyncio` +- **Database**: Supabase (PostgreSQL) + Edge Functions +- **AI Integration**: OpenRouter API (`arcee-ai/trinity-large-preview:free` / `deepseek-r1`) +- **Hosting**: Vercel Serverless Functions -## Deploy on Vercel +## ๐Ÿš€ Getting Started Locally -The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js. +### Prerequisites +- Node.js 18+ +- Python 3.9+ +- A Supabase project (for Postgres DB) +- An OpenRouter API Key -Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details. +### Installation + +1. **Clone the repository:** + ```bash + git clone https://github.com/Daniyal-Rashid-00/SentinelScan.git + cd SentinelScan + ``` + +2. **Install dependencies:** + ```bash + npm install # Frontend deps + pip install -r requirements.txt # Backend deps + ``` + +3. **Set up Environment Variables:** + Create a `.env.local` file in the root directory: + ```env + NEXT_PUBLIC_SUPABASE_URL=your_supabase_url + NEXT_PUBLIC_SUPABASE_ANON_KEY=your_anon_key + SUPABASE_SERVICE_ROLE_KEY=your_service_role_key + OPENROUTER_API_KEY=your_openrouter_key + ``` + +4. **Run the Development Server:** + This customized command boots up both the Next.js UI frontend and the Python FastAPI backend proxy concurrently: + ```bash + npm run dev + ``` + Open [http://localhost:3000](http://localhost:3000) to view the application. + +## ๐Ÿ’ผ Hire a Professional + +Automated tools like SentinelScan are fantastic for initial surface reconnaissance, but they are no substitute for deep manual testing. If your organization requires deep-dive vulnerability analysis, business logic testing, and compliance-ready pentest reports, [contact me for a comprehensive security assessment](https://daniyal-rashid.vercel.app/). + +--- +
+

Developed with โค๏ธ by Daniyal Rashid

+
diff --git a/api/__pycache__/ai.cpython-313.pyc b/api/__pycache__/ai.cpython-313.pyc index 1ec20ccfa8cc1fa079a6a13630fb4755a21101e9..894204fcc81c3f7a76aeaa35a4e21548a0b5ff68 100644 GIT binary patch delta 2107 zcmZ8i&2Jk;6eme9HE9KhA|#-CqM|gbO`5bo)d(R%+E6~ygeLvqmhtYhca-stJ2Pv? zTwL)l_zysE0&YRDs#*b`puJ={9jU-e;Pn0#bg&!i=b`obJ8_gSF+pebT-x~%Wj`=(F8qP zUR=K4A)-~f_Q#Xib?m4E*9ChT>rlz@cEnB@Lr(i+Qr@%o11wrgySCB2GZQqXLOQ)& zKfAN|_7q)SlhY0gJ7l^{yBsQ8T4Vc@EK3DGa+-T6P_i$a?lO&K{IT-n3su)#(v{K< zl&*8~O*cJa9+_IcRH*P(vBGSArEO{}kfKWWzo^LYh)w>iy5JKgXvX$PH35|ajtE>- zwSL@SY=DR(9T&E)mG)i%46?PEpm^u{?D66oucgKhn!!Lh{S{NGeIZk0~+^z)8@dy9k820!lTx&-S}Pu&R}U~s3yDb61|+YG6fmSD^pr;upR39bSlwxSQ~ zh*eQR2x)&pFo{wPhXzw@(l#pVLIK!2x?knswbacZr_b#;r|Bm(ssLChPnmYooq651 z15lS{*%UNIe_P}$kUHmT7=Qr<9SpSIF1ank3m>O|h(;n9bcNUYYvhMqOm$BebAhzV z$f5oumZXt%U{|z9d@?kuj_ryn#?^#$AoL#~sdSVQCp7{m4e=umk?z{jZdtm!cL;}# zU<(>G@0%Kq>1qRvASfIx8yX`9>GH%v8&TsTMd1OhE*$#w- zL`qQr7x3ylAIP=*&QaKREbq_&)Xc~Z$P2aAX|hqW1K?0JW@C_OZI+ePZH(bSMtkH+ zXW_lsk4ta%5(@iCCfHOrgKjjLEEA>#*2uNv0R)&BgpVZg+WGe+^Drh4S|*VS6=Qp_ zgnY%*?60NQkyBBE(T-95;{O3+4*Z}RAq)!bId6jk$_Iq1fFwX_vU{nqN6ZS+5hyk? zF}E9rx*=A*CmD(`bUcs0ZB#bXrcBw{rg@9Eha(XnM%VHdsTl2wBVyS4c*5fbs?Z2u zaZ8M7WRYACaiBvXBi;?^K8aiS1Q?0YA@NN*LOWB(oAl`F#`+PI35e+tVIQ2OaT)Xh zVD#I%OtrC&Szuh}XBJ>k*Ef5Y2hza8zX(nr^zANY8AA&%F^l%%+n8~T;22B_=3AlU%OeB3VrVPUA zx*IVPxHYnBN-bf6qOv$mML7|d&h~@b z_(c6t^St9DSF%=$wC08;5X$0CiL9r;pE-JQ;pWp1U;6V5)Sg}VVd3HIw+riMS6)6| Pd~)vZ2Me?1S1$htKm*F} delta 677 zcmXw1PiqrF6nB%Nb|pc32-s421e7GiG->^Vxv5w@G*S$-9y~aieVYuK%!HZQZ1!=wZw>=>A}XzhgVmiP<|a|GRmz4UWov*2&1ABvmn zIZ8ZY)Ws|W!tx9S1E{5o;`Mpm-^u9rH8D8BB;0q7@i82bK5guo3OhwELcw!pLct*7 z1Q8lN$$bUPG0;jTPzy9D?Leqmrfe2TMVbdf3MbIk{aYE^V`Kpu=p#>i=Py6WB@PXp z0WvGKQKc@C+f$so5X zg>_BPhDb^EARz|IAY-UKq#`)^Uc7t-dpfTBcQS=fvxNIx8$3&Zk?BwfdRT0@lZhR( z`QG4E8`tvv2MAL``CDwIe^>9VWMQAa^Iu%@uAUYuKUTa-`g8rgcaXl>XkT2t(({f> Lzbfh1jT`>}E4AxD diff --git a/api/__pycache__/scanner.cpython-313.pyc b/api/__pycache__/scanner.cpython-313.pyc index e4e120607235f269bb15b61f885f5bc7997f14bd..d4f5e9403fdcdeeaf71ea5f73b9e628bf7427ce9 100644 GIT binary patch delta 20 acmaFl^vH?(GcPX}0}!mUT)2@tToC|BodzcW delta 20 acmaFl^vH?(GcPX}0}zx=oVk%ZToC|B{RTe( diff --git a/api/ai.py b/api/ai.py index 7161f5c..880914c 100644 --- a/api/ai.py +++ b/api/ai.py @@ -8,16 +8,23 @@ OPENROUTER_API_KEY = os.getenv("OPENROUTER_API_KEY") OPENROUTER_URL = "https://openrouter.ai/api/v1/chat/completions" -SYSTEM_PROMPT = """You are an elite Cybersecurity Analyst. You have been given structured JSON recon data from an automated scan. Generate a concise, professional vulnerability assessment report in clean Markdown with the following sections: +SYSTEM_PROMPT = """You are an elite Cybersecurity Assessor. Generate a highly structured, professional vulnerability assessment report adhering to international cybersecurity standards (e.g., CVSS-inspired, OWASP Top 10) based ONLY on the provided JSON recon data. Do not invent vulnerabilities. Format your response strictly in Markdown with these exact sections: -1. **Executive Summary** โ€” 2-3 sentence overall risk assessment with a rating: Low / Medium / High / Critical -2. **Attack Surface Overview** โ€” what was discovered (subdomains, open ports, exposed paths) -3. **Potential Attack Vectors** โ€” specific risks deduced from the data only (do not invent vulnerabilities) -4. **Header Security Analysis** โ€” grade each security header as Pass / Warn / Fail with brief explanation -5. **Actionable Remediation Steps** โ€” numbered list, ordered by severity (Critical โ†’ Low) -6. **Risk Score** โ€” a definitive score integer specifically between 0 and 10, clearly marked as "Score: X/10" at the very end of the report. +## 1. Executive Summary +Provide a high-level overview of the target's security posture. Include a definitive risk rating (Low / Medium / High / Critical) and key takeaways suitable for non-technical management. -Be precise. Only report on risks directly evidenced by the provided data.""" +## 2. Technical Attack Surface +Summarize the exposed assets: subdomains, open ports/services, security headers, and discovered sensitive paths. + +## 3. Vulnerability Assessment +Categorize identified risks (e.g., Misconfigurations, Information Disclosure). Detail the specific risk for each anomalous finding (like exposed admin panels, missing security headers, or open high-risk ports). + +## 4. Remediation Planning +Provide highly actionable, prioritized recommendations organized by severity (Critical โ†’ Low) to mitigate the identified risks. + +## 5. Risk Score +Conclude the report with a definitive single integer score out of 10 assessing overall risk. You must append exactly "Score: X/10" at the very end of the report where X is the score. +""" async def stream_ai_report(scan_id: str, raw_data: dict) -> StreamingResponse: """Streams the AI report back to the frontend and updates the database upon completion""" diff --git a/src/app/report/[id]/page.tsx b/src/app/report/[id]/page.tsx index 8aef0bd..3fc9a27 100644 --- a/src/app/report/[id]/page.tsx +++ b/src/app/report/[id]/page.tsx @@ -301,12 +301,23 @@ export default function ReportPage() { {/* CTA */} -
-

Want to test another domain?

- - - Start a new scan - +
+
+
+

Need comprehensive penetration testing?

+

+ Automated scans only scratch the surface. For deep-dive vulnerability analysis, business logic testing, and compliance-ready reports, consult a cybersecurity professional. +

+
+
+ + Hire a Professional + + + New Scan + +
+
diff --git a/src/components/DomainInput.tsx b/src/components/DomainInput.tsx index a43d7c5..584b76f 100644 --- a/src/components/DomainInput.tsx +++ b/src/components/DomainInput.tsx @@ -64,28 +64,28 @@ export function DomainInput() { return (
-
+
setDomain(e.target.value)} disabled={isScanning} - className="font-mono text-lg py-6 bg-zinc-900 border-zinc-800 text-zinc-100 placeholder:text-zinc-500 focus-visible:ring-emerald-500" + className="font-mono text-base sm:text-lg py-5 sm:py-6 bg-zinc-900 border-zinc-800 text-zinc-100 placeholder:text-zinc-500 focus-visible:ring-emerald-500" required />
From 5b488b937096ee59ebfaa9654430d65c37e9a5a2 Mon Sep 17 00:00:00 2001 From: Daniyal-Rashid-00 Date: Fri, 27 Feb 2026 16:46:52 +0500 Subject: [PATCH 2/2] Working --- src/components/DomainInput.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/components/DomainInput.tsx b/src/components/DomainInput.tsx index fc043bb..1d0a141 100644 --- a/src/components/DomainInput.tsx +++ b/src/components/DomainInput.tsx @@ -77,7 +77,7 @@ export function DomainInput() {