Introduction
In response to growing cybersecurity concerns in AI systems, OpenAI has launched a comprehensive initiative called "Patch the Planet" to address open-source software vulnerabilities. This tutorial will guide you through creating a Python-based tool that can identify and report security vulnerabilities in open-source projects, similar to what OpenAI is doing with their GPT-5.5-Cyber model. You'll learn to scan code repositories for common security issues and generate actionable reports.
Prerequisites
To follow this tutorial, you should have:
- Basic Python programming knowledge
- Python 3.7 or higher installed
- Familiarity with Git and command-line operations
- Understanding of common software security vulnerabilities
Step-by-Step Instructions
Step 1: Set Up Your Development Environment
Install Required Dependencies
First, create a virtual environment and install the necessary packages for our vulnerability scanner:
python -m venv vulnerability_scanner
source vulnerability_scanner/bin/activate # On Windows: vulnerability_scanner\Scripts\activate
pip install requests gitpython bandit
Why this step? We're setting up a clean environment with essential tools: requests for API calls, gitpython for repository operations, and bandit for static code analysis.
Step 2: Create the Main Scanner Class
Initialize the Vulnerability Scanner
Create a file called vulnerability_scanner.py with the following content:
import os
import subprocess
import requests
from git import Repo
import json
class VulnerabilityScanner:
def __init__(self, repo_path):
self.repo_path = repo_path
self.vulnerabilities = []
def scan_repository(self):
"""Main method to scan repository for vulnerabilities"""
try:
repo = Repo(self.repo_path)
print(f"Scanning repository: {repo.remotes.origin.url}")
# Run bandit scan
self.run_bandit_scan()
# Check for common security issues
self.check_security_issues()
return self.vulnerabilities
except Exception as e:
print(f"Error scanning repository: {e}")
return []
def run_bandit_scan(self):
"""Run static code analysis using bandit"""
try:
result = subprocess.run([
'bandit', '-r', self.repo_path, '-f', 'json'
], capture_output=True, text=True)
if result.returncode == 0:
bandit_data = json.loads(result.stdout)
for issue in bandit_data.get('issues', []):
self.vulnerabilities.append({
'type': 'bandit_issue',
'severity': issue['severity'],
'filename': issue['filename'],
'line_number': issue['line_number'],
'issue': issue['issue_text'],
'confidence': issue['confidence']
})
except Exception as e:
print(f"Bandit scan failed: {e}")
Why this step? This sets up our core scanning class that will handle repository operations and integrate with existing security tools like Bandit.
Step 3: Add Custom Security Checks
Implement Additional Security Analysis
Continue adding to your vulnerability_scanner.py file:
def check_security_issues(self):
"""Custom checks for common security vulnerabilities"""
# Check for hardcoded secrets
self.check_hardcoded_secrets()
# Check for insecure HTTP usage
self.check_insecure_http()
# Check for SQL injection patterns
self.check_sql_injection()
def check_hardcoded_secrets(self):
"""Check for hardcoded API keys, passwords, etc."""
secret_patterns = [
r'password\s*=\s*["\'][^"\']*?["\']',
r'api_key\s*=\s*["\'][^"\']*?["\']',
r'secret\s*=\s*["\'][^"\']*?["\']',
r'key\s*=\s*["\'][^"\']*?["\']'
]
self.check_patterns_in_files(secret_patterns, 'hardcoded_secret')
def check_insecure_http(self):
"""Check for HTTP usage instead of HTTPS"""
http_patterns = [r'http://[^\s]+']
self.check_patterns_in_files(http_patterns, 'insecure_http')
def check_sql_injection(self):
"""Check for potential SQL injection vulnerabilities"""
sql_patterns = [
r'\bSELECT\b.*\bFROM\b.*\bWHERE\b.*\b=\b.*\b\$\w+',
r'\bINSERT\b.*\bVALUES\b.*\b\$\w+',
r'\bUPDATE\b.*\bSET\b.*\b\$\w+'
]
self.check_patterns_in_files(sql_patterns, 'potential_sql_injection')
def check_patterns_in_files(self, patterns, issue_type):
"""Check files for specific patterns"""
for root, dirs, files in os.walk(self.repo_path):
for file in files:
if file.endswith(('.py', '.js', '.java', '.php')):
file_path = os.path.join(root, file)
try:
with open(file_path, 'r', encoding='utf-8') as f:
content = f.read()
for pattern in patterns:
import re
matches = re.finditer(pattern, content, re.IGNORECASE)
for match in matches:
self.vulnerabilities.append({
'type': issue_type,
'filename': file_path,
'line_number': content[:match.start()].count('\n') + 1,
'issue': f'Potential {issue_type.replace("_", " ")} found',
'pattern': match.group()
})
except Exception as e:
print(f"Error reading file {file_path}: {e}")
Why this step? We're implementing custom checks that go beyond standard tools to detect specific security patterns that could be missed by automated scanners.
Step 4: Create a Reporting System
Generate Vulnerability Reports
Add the following method to your scanner class:
def generate_report(self, output_file='vulnerability_report.json'):
"""Generate a JSON report of all found vulnerabilities"""
report = {
'repository': self.repo_path,
'scan_date': str(datetime.now()),
'total_vulnerabilities': len(self.vulnerabilities),
'vulnerabilities': self.vulnerabilities
}
with open(output_file, 'w') as f:
json.dump(report, f, indent=2)
print(f"Report generated: {output_file}")
return report
def print_summary(self):
"""Print a summary of vulnerabilities"""
if not self.vulnerabilities:
print("No vulnerabilities found.")
return
print(f"\nVulnerability Summary:")
print(f"Total Issues Found: {len(self.vulnerabilities)}")
issue_types = {}
for vuln in self.vulnerabilities:
issue_type = vuln['type']
issue_types[issue_type] = issue_types.get(issue_type, 0) + 1
for issue_type, count in issue_types.items():
print(f"{issue_type}: {count} issues")
Why this step? This creates a structured reporting system that organizes findings in a way that's useful for security teams to prioritize fixes.
Step 5: Implement the Main Execution Script
Run the Vulnerability Scanner
Create a file called main.py with this content:
import os
import sys
from datetime import datetime
from vulnerability_scanner import VulnerabilityScanner
def main():
if len(sys.argv) < 2:
print("Usage: python main.py ")
sys.exit(1)
repo_path = sys.argv[1]
if not os.path.exists(repo_path):
print(f"Repository path does not exist: {repo_path}")
sys.exit(1)
# Initialize scanner
scanner = VulnerabilityScanner(repo_path)
# Scan repository
print("Starting vulnerability scan...")
vulnerabilities = scanner.scan_repository()
# Print summary
scanner.print_summary()
# Generate report
report = scanner.generate_report()
print("\nScan complete. Check vulnerability_report.json for details.")
if __name__ == "__main__":
main()
Why this step? This creates the entry point for our tool that handles command-line arguments and orchestrates the scanning process.
Step 6: Test Your Scanner
Run a Sample Scan
First, create a test repository with some sample code that contains vulnerabilities:
# Create a test repository
mkdir test_repo
cd test_repo
git init
# Create a Python file with a hardcoded secret
echo 'password = "secret123"' > test.py
# Create a file with insecure HTTP usage
echo 'import requests
response = requests.get("http://example.com")' > insecure.py
git add .
git commit -m "Initial commit"
Then run your scanner:
python main.py /path/to/test_repo
Why this step? Testing with a controlled example helps verify that our scanner works correctly before using it on real projects.
Summary
In this tutorial, you've built a vulnerability scanner tool that mimics OpenAI's approach to identifying security issues in open-source software. You learned to integrate static analysis tools like Bandit with custom pattern matching to detect various security vulnerabilities. The scanner can identify hardcoded secrets, insecure HTTP usage, and potential SQL injection patterns. This hands-on approach demonstrates how organizations like OpenAI are tackling cybersecurity challenges in AI systems by proactively patching vulnerabilities in open-source code. The tool generates detailed reports that can help developers prioritize security fixes, similar to what OpenAI's "Patch the Planet" initiative aims to achieve.



