sf-agent-framework
AI Agent Orchestration Framework for Salesforce Development - Two-phase architecture with 70% context reduction
# Security Scanner Utility - Agent Instructions
## Purpose
This utility provides instructions for AI agents to generate comprehensive
security scanning solutions for Salesforce implementations, identifying
vulnerabilities, validating configurations, and ensuring compliance with
security best practices.
## Agent Instructions
### When to Generate Security Scanning
Generate security scanning components when:
- Security vulnerabilities need identification
- Code review requires automation
- Compliance validation is required
- Configuration assessment is needed
- Penetration testing support is required
- Continuous security monitoring is needed
- Risk assessment requires automation
### Core Components to Generate
#### 1. Vulnerability Detection Engine
Generate scanning components that:
- Analyze Apex code for security flaws
- Check SOQL injection vulnerabilities
- Detect XSS vulnerabilities
- Validate FLS/CRUD enforcement
- Identify hardcoded credentials
- Assess sharing model risks
Key scanning areas:
- Code security analysis
- Configuration security
- Data protection assessment
- Access control validation
- Integration security
- Platform security settings
#### 2. Compliance Validation Framework
Create validation components for:
- Industry compliance standards
- Internal security policies
- Best practice adherence
- Regulatory requirements
- Audit trail verification
- Risk assessment criteria
#### 3. Automated Remediation Advisor
Implement an advisory system for:
- Vulnerability prioritization
- Remediation recommendations
- Risk impact analysis
- Fix verification
- Progress tracking
- Compliance reporting
### Configuration Requirements
#### Custom Objects
```yaml
Security_Scan__c:
- Scan_Name__c (Text)
- Scan_Type__c (Picklist)
- Target_Environment__c (Picklist)
- Scan_Date__c (DateTime)
- Status__c (Picklist)
- Security_Score__c (Number)
- Risk_Level__c (Picklist)
- Total_Issues__c (Number)
- Critical_Issues__c (Number)
- High_Issues__c (Number)
Security_Finding__c:
- Security_Scan__c (Master-Detail)
- Finding_ID__c (Text - External ID)
- Vulnerability_Type__c (Picklist)
- Severity__c (Picklist)
- Status__c (Picklist)
- Object_Name__c (Text)
- Field_Name__c (Text)
- Code_Location__c (Text)
- Description__c (Long Text Area)
- Recommendation__c (Long Text Area)
- OWASP_Category__c (Picklist)
Remediation_Task__c:
- Security_Finding__c (Master-Detail)
- Task_Title__c (Text)
- Assigned_To__c (Lookup - User)
- Due_Date__c (Date)
- Priority__c (Picklist)
- Status__c (Picklist)
- Remediation_Notes__c (Long Text Area)
- Verification_Status__c (Picklist)
- Completion_Date__c (Date)
```
### Security Scanning Categories
#### Code Security Analysis
```
1. SOQL Injection Detection
   - Dynamic query construction
   - String concatenation risks
   - Bind variable validation
   - User input sanitization
2. XSS Vulnerability Detection
   - Unescaped output
   - JavaScript injection points
   - HTML tag validation
   - Event handler security
3. Access Control Violations
   - Missing FLS checks
   - CRUD permission bypass
   - Sharing rule violations
   - Privilege escalation risks
```
#### Configuration Security
```
1. Platform Security Settings
   - Password policies
   - Session management
   - Login restrictions
   - Network access controls
2. User Access Management
   - Profile permissions
   - Permission set assignments
   - Role hierarchy issues
   - API access controls
3. Data Protection
   - Field-level security
   - Object permissions
   - Sharing model configuration
   - Data encryption status
```
### Implementation Patterns
#### Static Code Analysis Pattern
1. Parse Apex classes and triggers
2. Apply security rules
3. Identify vulnerabilities
4. Generate findings
5. Prioritize by risk
6. Recommend fixes
#### Configuration Assessment Pattern
1. Query system configurations
2. Compare against baselines
3. Identify deviations
4. Assess risk impact
5. Generate recommendations
6. Track remediation
#### Continuous Monitoring Pattern
1. Schedule regular scans
2. Compare results over time
3. Identify trends
4. Alert on new risks
5. Track improvements
6. Generate metrics
### Vulnerability Detection Rules
#### SOQL Injection Rules
Generate detection for:
- Dynamic SOQL without escaping
- String concatenation in queries
- User input in WHERE clauses
- Missing bind variables
- Insufficient input validation
- Database.query() misuse
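An added example (not part of the framework's own code) of how the rules above can be applied to Apex source: it flags `Database.query()` calls whose argument concatenates operands that are neither string literals nor wrapped in `String.escapeSingleQuotes()`. The sample class, the `scan_soql_injection` name, the file name and the picklist values are assumptions; the result keys reuse the `Security_Finding__c` field names listed earlier.

```python
import re

# Constructed Apex sample (not from the framework): unsafe, escaped, bound.
SAMPLE_APEX = r"""public class AccountSearch {
    public List<Account> unsafe(String name) {
        String q = 'SELECT Id FROM Account WHERE Name = \'' + name + '\'';
        return Database.query(q);
    }
    public List<Account> escaped(String name) {
        String q = 'SELECT Id FROM Account WHERE Name = \'' + String.escapeSingleQuotes(name) + '\'';
        return Database.query(q);
    }
    public List<Account> bound(String name) {
        return Database.query('SELECT Id FROM Account WHERE Name = :name');
    }
}
"""

STRING_LIT = re.compile(r"'(?:\\.|[^'\\])*'")            # Apex string literal
ESCAPED = re.compile(r"String\.escapeSingleQuotes\s*\([^()]*\)")
QUERY_CALL = re.compile(r"Database\.query\s*\((.*)\)\s*;")
ASSIGN = re.compile(r"\bString\s+(\w+)\s*=\s*(.*);")     # String q = <expr>;

def tainted_operands(expr):
    """Identifiers left in expr once literals and escaped calls are removed."""
    rest = ESCAPED.sub("", STRING_LIT.sub("", expr))
    return re.findall(r"[A-Za-z_]\w*", rest)

def scan_soql_injection(source, filename="AccountSearch.cls"):
    """Line-based heuristic: last assignment wins, one level of indirection."""
    findings, assigned = [], {}
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            assigned[m.group(1)] = m.group(2)
        call = QUERY_CALL.search(line)
        if not call:
            continue
        arg = call.group(1).strip()
        tainted = tainted_operands(assigned.get(arg, arg))
        if tainted:
            findings.append({
                "Vulnerability_Type__c": "SOQL Injection",   # assumed picklist value
                "Severity__c": "High",                       # assumed picklist value
                "Code_Location__c": f"{filename}:{lineno}",
                "Description__c": "Unescaped operand(s) in dynamic SOQL: " + ", ".join(tainted),
                "Recommendation__c": "Use a bind variable or String.escapeSingleQuotes()",
            })
    return findings
```

The rule treats `String.escapeSingleQuotes()` as sufficient, which holds only when the value lands inside a quoted string literal in the query.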
#### Access Control Rules
Check for:
- Missing WITH SECURITY_ENFORCED
- Queries without FLS checks
- DML without CRUD validation
- Sharing bypass operations
- Privileged operations
- Cross-object references
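An added example (not the framework's own code) covering three of the checks above: `without sharing` class declarations, inline SOQL lacking `WITH SECURITY_ENFORCED` (or `WITH USER_MODE`), and DML with no matching CRUD describe check earlier in the same method. The sample class, rule labels and `scan_access_control` name are assumptions, and `Security.stripInaccessible()` and `upsert` are not modelled.

```python
import re

# Constructed Apex sample (not from the framework).
SAMPLE_APEX = """public without sharing class ContactService {
    public List<Contact> listAll() {
        return [SELECT Id, Email FROM Contact];
    }
    public List<Contact> listEnforced() {
        return [SELECT Id, Email FROM Contact
                WITH SECURITY_ENFORCED];
    }
    public void rename(Contact c) {
        update c;
    }
    public void renameChecked(Contact c) {
        if (Schema.sObjectType.Contact.isUpdateable()) {
            update c;
        }
    }
}
"""

INLINE_SOQL = re.compile(r"\[\s*SELECT\b[^\]]*\]", re.I | re.S)
ENFORCED = re.compile(r"\bWITH\s+(SECURITY_ENFORCED|USER_MODE)\b", re.I)
NO_SHARING = re.compile(r"\bwithout\s+sharing\s+class\s+(\w+)", re.I)
DML = re.compile(r"^\s*(insert|update|delete)\s+\w+\s*;", re.I | re.M)
METHOD_START = re.compile(r"^\s*(public|private|global|protected)\b.*\)\s*\{\s*$", re.M)
CRUD_CHECK = {"insert": "isCreateable", "update": "isUpdateable",
              "delete": "isDeletable"}

def scan_access_control(src):
    """Return sorted (line, rule) pairs; regex heuristics, not a full parser."""
    line_of = lambda pos: src.count("\n", 0, pos) + 1
    findings = [(line_of(m.start()), "sharing-bypass") for m in NO_SHARING.finditer(src)]
    for m in INLINE_SOQL.finditer(src):
        if not ENFORCED.search(m.group(0)):
            findings.append((line_of(m.start()), "soql-without-fls-enforcement"))
    for m in DML.finditer(src):
        # Scope the search to the enclosing method: text since the last signature.
        starts = [s.start() for s in METHOD_START.finditer(src, 0, m.start(1))]
        body = src[starts[-1] if starts else 0:m.start(1)]
        if CRUD_CHECK[m.group(1).lower()] + "()" not in body:
            findings.append((line_of(m.start(1)), "dml-without-crud-check"))
    return sorted(findings)
```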
#### Data Exposure Rules
Identify:
- Unencrypted sensitive fields
- Wide-open field permissions
- Public read/write access
- Missing data classification
- Excessive user permissions
- API exposure risks
### Dashboard Components to Generate
#### Executive Security Dashboard
Display:
- Overall security score
- Risk level assessment
- Trend analysis
- Compliance status
- Top vulnerabilities
- Remediation progress
#### Technical Security Dashboard
Show:
- Vulnerability categories
- Code analysis results
- Configuration issues
- Remediation tasks
- Scan history
- Technical metrics
#### Compliance Dashboard
Include:
- Compliance framework status
- Policy adherence
- Audit findings
- Regulatory requirements
- Exception tracking
- Certification status
### Best Practices to Implement
1. **Scanning Strategy**
   - Comprehensive coverage
   - Regular scheduling
   - Risk-based prioritization
   - False positive management
   - Baseline establishment
2. **Vulnerability Management**
   - Clear severity definitions
   - Remediation workflows
   - SLA enforcement
   - Progress tracking
   - Verification processes
3. **Compliance Alignment**
   - Industry standards mapping
   - Policy enforcement
   - Audit trail maintenance
   - Documentation requirements
   - Continuous monitoring
4. **Integration Points**
   - CI/CD pipeline integration
   - Development workflow
   - Change management
   - Incident response
   - Risk management
### Advanced Features to Consider
1. **AI-Enhanced Analysis**
   - Pattern learning
   - Anomaly detection
   - Risk prediction
   - Auto-classification
   - Smart recommendations
2. **Advanced Scanning**
   - Dynamic analysis
   - Behavioral monitoring
   - Threat modeling
   - Attack simulation
   - Risk correlation
3. **Integration Capabilities**
   - SIEM integration
   - Vulnerability management
   - Ticketing systems
   - Communication platforms
   - Reporting tools
### Error Handling Instructions
Handle these scenarios:
1. Scanning timeouts
2. Permission errors
3. Large dataset processing
4. Network connectivity issues
5. Resource limitations
Recovery strategies:
- Graceful degradation
- Partial scan results
- Retry mechanisms
- Error notifications
- Manual overrides
### Testing Requirements
Generate test classes for:
1. Vulnerability detection accuracy
2. False positive rates
3. Scanning performance
4. Report generation
5. Remediation workflows
### Success Metrics
Track and measure:
- Vulnerability detection rate
- False positive percentage
- Mean time to remediation
- Security score improvement
- Compliance achievement
- User adoption rates
### Compliance Framework Support
#### OWASP Top 10
Map findings to:
- Injection vulnerabilities
- Broken authentication
- Sensitive data exposure
- XXE attacks
- Broken access control
- Security misconfiguration
#### Industry Standards
Support for:
- PCI DSS requirements
- SOX compliance
- HIPAA regulations
- GDPR requirements
- ISO 27001 standards
- Custom frameworks
### Reporting Capabilities
#### Executive Reports
Generate reports with:
- Risk assessment summary
- Trend analysis
- Business impact
- Resource requirements
- ROI metrics
- Strategic recommendations
#### Technical Reports
Provide details on:
- Vulnerability specifics
- Code locations
- Fix instructions
- Test procedures
- Verification steps
- Implementation guides
#### Compliance Reports
Document:
- Control effectiveness
- Policy adherence
- Audit findings
- Exception handling
- Remediation status
- Certification readiness