565 lines
23 KiB
Markdown
565 lines
23 KiB
Markdown
<p align="center">
|
|
<img src="logo.svg" alt="A-Team Security — Infrastructure & Security Agent Engineer" width="96" height="96">
|
|
</p>
|
|
|
|
<h1 align="center">A-Team Security — Infrastructure & Security Agent Engineer</h1>
|
|
|
|
<p align="center">
|
|
<strong>Oracle Cloud Infrastructure — CIS Foundations Benchmark 3.0 — AI-Powered Compliance Platform</strong>
|
|
</p>
|
|
|
|
<p align="center">
|
|
<img src="https://img.shields.io/badge/version-1.0-C74634?style=flat-square" alt="Version">
|
|
<img src="https://img.shields.io/badge/OCI-GenAI-C74634?style=flat-square" alt="OCI">
|
|
<img src="https://img.shields.io/badge/docker-2496ED?style=flat-square" alt="Docker">
|
|
<img src="https://img.shields.io/badge/terraform-7B42BC?style=flat-square" alt="Terraform">
|
|
<img src="https://img.shields.io/badge/license-MIT-green?style=flat-square" alt="License">
|
|
</p>
|
|
|
|
---
|
|
|
|
## Overview
|
|
|
|
A-Team Security Agent is a self-hosted web application that automates **CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0** compliance checks, powered by **OCI Generative AI** for intelligent analysis and an **MCP (Model Context Protocol)** server architecture for extensible task execution.
|
|
|
|
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single Docker image with a **React 19 SPA**, **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en/es), and **Recharts** visualizations.
|
|
|
|
---
|
|
|
|
## Container Image
|
|
|
|
The platform is distributed as a single Docker image on **Oracle Container Registry (OCIR)**:
|
|
|
|
```
|
|
us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
|
|
```
|
|
|
|
- **Multi-architecture**: `linux/amd64` + `linux/arm64`
|
|
- **Single container**: nginx (frontend) + FastAPI (backend) + supervisord
|
|
- **Port**: `8080`
|
|
- **Volume**: `/data` (persistent storage — database, configs, reports, wallets)
|
|
|
|
---
|
|
|
|
## Features
|
|
|
|
### AI Chat Agent with RAG + MCP Tool Use
|
|
- **OCI Generative AI** integration via official SDK (`oci.generative_ai_inference`)
|
|
- **RAG (Retrieval-Augmented Generation)**: queries ADB vector store for relevant context before generating responses — single ADB connection per search, smart table skip, CIS recommendation text filter for exact matching, follow-up context enrichment
|
|
- **Source hierarchy**: findings tables > cisrecom (official remediation) > engineerknowledgebase (complementary) — temporal awareness with extract dates, tenancy isolation via JSON_VALUE filter
|
|
- **MCP Tool Use (Function Calling)**: GenAI models call tools from registered MCP servers during chat — supports Cohere and Generic (OpenAI-style) function calling with automatic tool execution loop (max 5 iterations)
|
|
- **Chat Memory Compaction**: automatic summarization of older messages when conversation exceeds ~6000 tokens — keeps 20 recent messages intact
|
|
- **Chat Sidebar**: collapsible panel with model parameters (temperature, max_tokens, top_p, top_k, penalties)
|
|
- **Multimodal Chat**: upload images (PNG/JPG/GIF/WebP), PDFs, and text files for AI analysis — up to 5 files per message via OCI GenAI `ImageContent` and `DocumentContent`
|
|
- **Async Background Processing**: chat requests return immediately, GenAI + MCP tools process in background via dedicated thread pool (10 threads), frontend polls for results
|
|
- 16 chat models + 3 embedding models across 5 providers: **Meta** (Llama 4), **Google** (Gemini 2.5), **OpenAI** (GPT-5.2/5.1/5 Mini/4.1/4o, o3/o4-mini), **xAI** (Grok 4/3)
|
|
- Full parameter control: temperature, max_tokens, top_p, top_k, frequency/presence penalty (when supported)
|
|
- Toggle MCP tools on/off per chat session
|
|
- Conversation history with session management
|
|
- On-Demand and Dedicated serving modes
|
|
|
|
### Terraform Agent (IaC)
|
|
- **AI-powered Terraform code generation** for OCI infrastructure provisioning
|
|
- Dedicated chat interface with OCI Terraform provider context
|
|
- **Workspace management**: create, plan, apply, destroy Terraform workspaces
|
|
- **Compartment-aware**: browse and select target compartment, with existing OCI resources injected as context
|
|
- **Plan/Apply/Destroy lifecycle**: full Terraform workflow with real-time output tracking
|
|
- **File management**: view generated `.tf` files, copy, download individually or as bundle
|
|
- **Inline file editor**: click any `.tf` file to edit in-place with monospace editor, Tab support, and save
|
|
- **Split-panel terminal**: real-time Plan/Apply/Destroy output in a dark terminal panel alongside files/plan/resources
|
|
- **Multi-file generation**: AI generates separate `.tf` files via `// filename:` markers (main.tf, variables.tf, outputs.tf, etc.)
|
|
- **Smart file correction**: when fixing errors, model generates only changed files — frontend merges with existing workspace, preserving untouched files
|
|
- **14-point validation checklist**: system prompt enforces cross-references, CIDRs, security lists, route tables, DRG attachments, RPC peering, HCL syntax, resource type validation, and variable declarations
|
|
- **Resource type validation**: SQLite-based validation of ~937 OCI resource types with `difflib.get_close_matches` suggestions
|
|
- **Terraform Resource Reference**: auto-generated OCI provider resource catalog (~937 resources) injected into system prompt
|
|
- **Official Resource Docs Injection**: on-demand fetch of Example Usage + Argument Reference from the official OCI Terraform provider docs — cached in SQLite
|
|
- **Prompt Generator**: dedicated sub-menu for AI-powered prompt generation
|
|
- Terraform CLI installed in container (v1.14.7)
|
|
|
|
### OCI Account Explorer
|
|
- **KPI stats bar**: real-time resource counts per category with tooltip breakdown
|
|
- **36 resource types** across 9 categories:
|
|
- **Compute**: Instances, Boot Volumes, Instance Pools
|
|
- **Networking**: VCNs, Subnets, Security Lists, NSGs, Route Tables, NAT/Internet/Service Gateways, Public IPs, Load Balancers
|
|
- **Storage**: Buckets, Block Volumes, File Systems, Mount Targets
|
|
- **Database**: Autonomous Databases, DB Systems, MySQL DB Systems
|
|
- **Containers**: Container Instances, OKE Clusters
|
|
- **Serverless**: Functions, API Gateways
|
|
- **Observability**: Alarms, Log Groups, Notification Topics, Events Rules
|
|
- **Security**: Vaults, DNS Zones, Network Firewalls, Firewall Policies
|
|
- **IAM**: Users, Groups, Policies, Dynamic Groups
|
|
- **Start/Stop** Compute Instances, Autonomous Databases, DB Systems, MySQL, Container Instances
|
|
- **Tree-view navigation** with resizable compartment panel
|
|
- **Multi-region support** with checkbox selection
|
|
|
|
### OCI CLI Terminal
|
|
- **Linux-style web terminal** for OCI CLI interaction directly from the browser
|
|
- **Tab autocomplete**: auto-completes OCI CLI commands and subcommands
|
|
- **OCID auto-lookup**: paste any OCID (60+ resource types) — auto-detects type and runs the appropriate `get` command
|
|
- **`find` by name/IP**: search OCI resources by display name or IP address via OCI Search API
|
|
- Per-user command history, state persists across navigation
|
|
|
|
### OCI Services
|
|
- **Service Status**: auto-detect 6 security services (VSS, Data Safe, Cloud Guard, Bastion, Security Zones, Vault) per tenancy via OCI API with user overrides
|
|
- **OCI Health**: real-time Oracle service health from ocistatus.oraclecloud.com — 49 regions, search, geographic filters
|
|
|
|
### CIS Compliance Reports (Oracle Official Engine)
|
|
- Powered by Oracle's official `cis_reports.py` (48 CIS + 11 OBP checks)
|
|
- **Granular execution parameters**: CIS Level (1/2), OCI Best Practices, Raw Data, OCID Redaction
|
|
- **Multiple output formats**: HTML summary, CSV per section/finding, JSON summary, optional XLSX
|
|
- **Report history**: full execution history with status, tenancy filter, and download actions
|
|
- Region filtering with multi-select
|
|
- Real-time progress tracking with phase-based progress bar
|
|
- **CIS Engine auto-update**: check for new versions from Oracle's GitHub and update with one click
|
|
|
|
### LAD A-Team CIS Compliance Report
|
|
- **Professional compliance report** following Oracle Cloud Security Assessment format (cover page, purpose statement, disclaimer, copyright)
|
|
- **Table of Contents** with links to each section and recommendation
|
|
- **Security Overview**: 7 Oracle security pillars
|
|
- **OCI Services section**: summary table of 6 security services per tenancy + detailed descriptions + Cloud Guard recommendations table
|
|
- **CIS Assessment Summary**: Domains / Total Controls / Failed / Passed per section
|
|
- **Detailed findings**: per-recommendation cards with compliance percentage bar, result description, and remediation steps
|
|
- **RAG-powered remediation**: enriched remediation steps from ADB vector store
|
|
- **Download PDF** and **Download DOCX** with professional formatting
|
|
- **Progress bar during generation**: shows RAG progress, percentage, and current recommendation
|
|
|
|
### Built-in CIS MCP Server (Granular Per-Section)
|
|
- **Auto-registered** CIS Compliance Scanner MCP server — available out of the box
|
|
- **12 granular tools** instead of monolithic full-tenancy scan
|
|
- **Per-section data collection**: each scan tool collects only the OCI data needed for that section
|
|
- **Region-specific scanning**: all scan tools accept optional `regions` parameter
|
|
- **Session caching**: collected data cached per config+regions scope (2-hour TTL)
|
|
- **Parallelized data collection**: base and regional collectors run in parallel (up to 8 workers)
|
|
|
|
### MCP Server Registry + Tool Discovery
|
|
- Register multiple MCP servers (stdio, SSE, Python module)
|
|
- **Automatic tool discovery**: connect to MCP servers and discover available tools
|
|
- **Chat Agent integration**: discovered tools are automatically available as GenAI function calls
|
|
- Upload `.py` scripts directly to servers
|
|
- **Link MCP servers to ADB Vector** databases as tools
|
|
|
|
### Autonomous Database Vector Storage
|
|
- Oracle Autonomous Database connection with **mTLS Wallet** authentication
|
|
- `python-oracledb` Thin mode (no Oracle Client needed)
|
|
- **Multiple vector tables per ADB**: register, edit, toggle active/inactive
|
|
- **Multi-table RAG search**: queries all active tables across all ADB configs
|
|
- **Auto-resolve embedding config**: automatically uses existing OCI credentials for GenAI embeddings
|
|
|
|
### Embeddings & Knowledge Base
|
|
- **Auto-embed CIS Reports**: one-click embedding of all report CSVs
|
|
- **CIS PDF Chunker**: segments CIS PDF by recommendation number, target 7000 chars with 500-char overlap
|
|
- **Auto-detect embedding dimension**: detects table dimension from DDL and selects correct model automatically
|
|
- **Knowledge Base**: upload documents (`.txt`, `.pdf`, `.csv`, `.json`, `.md`) or **import URLs**
|
|
- **Consult Embeddings**: chat-like interface with tenancy selector — queries vector store with CIS number detection
|
|
- 11 ADB vector tables supported (9 CIS report + 2 knowledge base)
|
|
|
|
### User Management
|
|
- **Sub-menu**: Users, My Settings, Oracle IAM
|
|
- **My Settings**: per-user timezone, language preference (pt/en/es), password change (local users only), MFA toggle
|
|
- **Oracle IAM page**: OIDC configuration UI (issuer, client ID/secret, redirect URI, group-to-role mapping, test connection)
|
|
- **Users list**: admin view with role, status, MFA, auth provider badge (OIDC/Local)
|
|
|
|
### Security
|
|
- **JWT authentication** with configurable expiry
|
|
- **TOTP MFA** (Google Authenticator / Authy compatible)
|
|
- **Oracle IAM OIDC**: SSO via Oracle Identity Domains — authorization code flow, JWKS signature validation, JIT user provisioning, group-to-role mapping
|
|
- **Dual auth modes**: local only, OIDC only, or both simultaneously
|
|
- **RBAC** with 3 roles: Admin, User, Viewer
|
|
- **Fernet encryption** (AES-128-CBC + HMAC-SHA256) for credentials and sensitive settings
|
|
- **User isolation**: ownership checks on ~70 endpoints, `is_global` flag for shared resources, private reports, per-user embeddings
|
|
- **Force password change** on first login (random password generated at startup)
|
|
- Audit logging for all operations
|
|
- Rate limiting on login and OIDC endpoints (10 attempts / 5 min)
|
|
- Non-root container execution
|
|
|
|
### Theme & UI
|
|
- **Light/Dark mode** with Oracle Dark Premium design
|
|
- **KPI Dashboard**: compliance score gauge, pass/fail cards, donut chart, bar chart — powered by Recharts
|
|
- **20 pages**, code splitting, Zustand state persistence across navigation
|
|
- **i18n**: Portuguese, English, Spanish (850+ keys)
|
|
|
|
---
|
|
|
|
## Deployment
|
|
|
|
### Quick Setup (recommended)
|
|
|
|
One command — handles authentication, pull, and container startup automatically:
|
|
|
|
```bash
|
|
bash setup.sh
|
|
```
|
|
|
|
Output:
|
|
```
|
|
========================================
|
|
A-Team Security Agent — Setup
|
|
========================================
|
|
|
|
Authenticating...
|
|
Authenticated.
|
|
Pulling image...
|
|
Starting container on port 8080...
|
|
|
|
========================================
|
|
Setup Complete!
|
|
========================================
|
|
|
|
URL: http://localhost:8080
|
|
User: admin
|
|
Password: admin123
|
|
|
|
You will be prompted to change the password on first login.
|
|
========================================
|
|
```
|
|
|
|
Custom port: `PORT=9090 bash setup.sh`
|
|
|
|
### Prerequisites
|
|
|
|
- Docker installed
|
|
- Python 3 with `cryptography` package (auto-installed by setup.sh if missing)
|
|
|
|
---
|
|
|
|
### Alternative: Manual Docker Run
|
|
|
|
```bash
|
|
docker run -d \
|
|
--name oci-cis-agent \
|
|
-p 8080:8080 \
|
|
-v agent-data:/data \
|
|
-e APP_SECRET=$(openssl rand -hex 64) \
|
|
-e TZ=America/Sao_Paulo \
|
|
--restart unless-stopped \
|
|
us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
|
|
```
|
|
|
|
> Requires OCIR authentication: `docker login us-ashburn-1.ocir.io`
|
|
|
|
---
|
|
|
|
### Option 2 — OCI Compute Instance (Terraform)
|
|
|
|
Automated production deployment on Oracle Cloud with Load Balancer, WAF, and SSL.
|
|
|
|
```bash
|
|
cd terraform
|
|
cp terraform.tfvars.example terraform.tfvars
|
|
# Edit terraform.tfvars with OCI credentials
|
|
|
|
terraform init
|
|
terraform plan
|
|
terraform apply
|
|
```
|
|
|
|
**Resources provisioned:**
|
|
|
|
| Resource | Description |
|
|
|----------|-------------|
|
|
| VCN | 10.0.0.0/16 with public/private subnets, gateways, security lists |
|
|
| Compute | VM.Standard.A1.Flex — 2 OCPU, 16GB RAM (ARM, Free Tier eligible) |
|
|
| Block Volume | 50GB persistent storage for application data |
|
|
| Load Balancer | Flexible 10-100 Mbps with SSL |
|
|
| WAF | OWASP protection — XSS, SQL injection, path traversal + rate limiting |
|
|
| DNS | OCI DNS Zone + A record (conditional — when domain is configured) |
|
|
|
|
Access: `https://<load_balancer_ip>` (from `terraform output app_url`)
|
|
|
|
---
|
|
|
|
### Option 3 — OCI Container Instances
|
|
|
|
Run as a serverless container on OCI without managing VMs.
|
|
|
|
```bash
|
|
oci container-instances container-instance create \
|
|
--compartment-id <COMPARTMENT_OCID> \
|
|
--display-name "oci-cis-agent" \
|
|
--availability-domain <AD> \
|
|
--shape "CI.Standard.E4.Flex" \
|
|
--shape-config '{"ocpus": 2, "memoryInGBs": 16}' \
|
|
--containers '[{
|
|
"imageUrl": "us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest",
|
|
"displayName": "agent",
|
|
"environmentVariables": {
|
|
"APP_SECRET": "<YOUR_SECRET>",
|
|
"TZ": "America/Sao_Paulo"
|
|
}
|
|
}]' \
|
|
--vnics '[{"subnetId": "<SUBNET_OCID>"}]' \
|
|
--image-pull-secrets '[{
|
|
"registryEndpoint": "us-ashburn-1.ocir.io",
|
|
"secretType": "BASIC",
|
|
"username": "<OCIR_USER>",
|
|
"password": "<AUTH_TOKEN>"
|
|
}]'
|
|
```
|
|
|
|
---
|
|
|
|
### Option 4 — Kubernetes (OKE / any K8s cluster)
|
|
|
|
Deploy on Oracle Kubernetes Engine or any Kubernetes cluster.
|
|
|
|
```yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: oci-cis-agent
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: oci-cis-agent
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: oci-cis-agent
|
|
spec:
|
|
containers:
|
|
- name: agent
|
|
image: us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
|
|
ports:
|
|
- containerPort: 8080
|
|
env:
|
|
- name: APP_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: agent-secret
|
|
key: app-secret
|
|
- name: TZ
|
|
value: "America/Sao_Paulo"
|
|
volumeMounts:
|
|
- name: data
|
|
mountPath: /data
|
|
resources:
|
|
requests:
|
|
memory: "2Gi"
|
|
limits:
|
|
memory: "4Gi"
|
|
volumes:
|
|
- name: data
|
|
persistentVolumeClaim:
|
|
claimName: agent-data
|
|
imagePullSecrets:
|
|
- name: ocir-credentials
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: oci-cis-agent
|
|
spec:
|
|
type: LoadBalancer
|
|
ports:
|
|
- port: 443
|
|
targetPort: 8080
|
|
selector:
|
|
app: oci-cis-agent
|
|
```
|
|
|
|
---
|
|
|
|
### First Login
|
|
|
|
After any deployment option, check the container logs for the initial admin password:
|
|
|
|
```bash
|
|
docker logs oci-cis-agent | grep "password"
|
|
# or
|
|
kubectl logs deployment/oci-cis-agent | grep "password"
|
|
```
|
|
|
|
> You will be prompted to change the password on first login.
|
|
|
|
---
|
|
|
|
## Configuration Guide
|
|
|
|
### Step 1 — OCI Credentials
|
|
|
|
Navigate to **OCI Credentials** tab and add:
|
|
|
|
| Field | Description |
|
|
|-------|-------------|
|
|
| Tenancy Name | Friendly name (e.g., `my-company`) |
|
|
| OCID Tenancy | `ocid1.tenancy.oc1..xxxxx` |
|
|
| OCID User | `ocid1.user.oc1..xxxxx` |
|
|
| Fingerprint | `aa:bb:cc:dd:ee:ff:...` |
|
|
| Region | `sa-saopaulo-1`, `us-ashburn-1`, etc. |
|
|
| Compartment OCID | `ocid1.compartment.oc1..xxxxx` |
|
|
| Private Key | `.pem` file |
|
|
| Key Passphrase | *(optional)* Only required if the private key is encrypted |
|
|
|
|
Click **Test** to validate the connection.
|
|
|
|
### Step 2 — GenAI Model
|
|
|
|
Navigate to **GenAI Config** tab:
|
|
|
|
1. Select the **OCI Credential** created in Step 1
|
|
2. Choose a **model** from the catalog (16 models across 5 providers)
|
|
3. Adjust the **GenAI region** if needed
|
|
4. Adjust parameters (temperature, max_tokens, etc.)
|
|
|
|
For **dedicated endpoints**, switch Serving Type to `DEDICATED` and provide the endpoint ID.
|
|
|
|
### Step 3 — MCP Servers (Optional)
|
|
|
|
Register MCP servers for extended task execution and **Chat Agent tool use**:
|
|
|
|
| Type | Use Case |
|
|
|------|----------|
|
|
| `stdio` | Local Python scripts (e.g., CIS check runner) |
|
|
| `SSE` | Remote HTTP servers |
|
|
| `module` | Upload `.py` files directly |
|
|
|
|
**Tool Discovery**: After registering a server, click **"Discover Tools"** to automatically discover available tools via MCP protocol. Discovered tools are automatically available as **function calls** in the Chat Agent.
|
|
|
|
### Step 4 — ADB Vector + RAG (Optional)
|
|
|
|
For persistent vector storage and RAG-powered chat:
|
|
|
|
1. Add DSN (TNS name from tnsnames.ora, e.g., `myatp_high`)
|
|
2. Set credentials (username/password)
|
|
3. Select an **Embedding Model** (Cohere Embed v4.0 recommended)
|
|
4. Upload Wallet ZIP (for mTLS)
|
|
5. Test the connection
|
|
6. **Register vector tables**: add the names of existing tables in your ADB
|
|
|
|
> GenAI Config is optional — the app auto-resolves embedding credentials from your existing OCI config.
|
|
|
|
#### Required ADB Vector Tables
|
|
|
|
All tables must use the following schema:
|
|
|
|
```sql
|
|
CREATE TABLE <table_name> (
|
|
ID RAW(16),
|
|
TEXT CLOB,
|
|
METADATA JSON,
|
|
EMBEDDING VECTOR
|
|
);
|
|
```
|
|
|
|
Run the SQL below to create all 11 required tables:
|
|
|
|
```sql
|
|
-- CIS Report tables (auto-populated via "Embed Report")
|
|
CREATE TABLE summaryreportcsvvector (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
CREATE TABLE identityandaccess (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
CREATE TABLE networking (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
CREATE TABLE computeinstances (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
CREATE TABLE loggingandmonitoring (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
CREATE TABLE objectstorage (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
CREATE TABLE storageblockvolume (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
CREATE TABLE filestorageservice (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
CREATE TABLE assetmanagement (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
|
|
-- Knowledge base tables (populated manually via Embeddings tab)
|
|
CREATE TABLE cisrecom (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
CREATE TABLE engineerknowledgebase (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
|
|
```
|
|
|
|
### Step 5 — Embeddings (Optional)
|
|
|
|
Navigate to the **Embeddings** tab to populate the vector store:
|
|
|
|
1. **CIS Recommendations**: Upload the CIS PDF to populate the `cisrecom` table
|
|
2. **Knowledge Base**: Upload documents or paste a URL to import web pages
|
|
3. **From CIS Reports**: Click "Embed Report" to auto-embed all findings CSVs
|
|
4. Browse and inspect embeddings per table
|
|
|
|
Once embeddings exist, the **chat automatically uses RAG**.
|
|
|
|
---
|
|
|
|
## OCI IAM Policies
|
|
|
|
The following policies are required in your tenancy:
|
|
|
|
```
|
|
Allow group <group-name> to use generative-ai-family in compartment <compartment-name>
|
|
Allow group <group-name> to read all-resources in tenancy
|
|
Allow group <group-name> to inspect compartments in tenancy
|
|
Allow group <group-name> to inspect autonomous-databases in compartment <compartment-name>
|
|
Allow group <group-name> to read virtual-network-family in compartment <compartment-name>
|
|
Allow group <group-name> to read instance-family in compartment <compartment-name>
|
|
Allow group <group-name> to read objectstorage-namespaces in tenancy
|
|
Allow group <group-name> to read buckets in compartment <compartment-name>
|
|
```
|
|
|
|
---
|
|
|
|
## Supported GenAI Models (16 Chat + 3 Embedding)
|
|
|
|
### Chat Models
|
|
|
|
| Provider | Model | Model ID |
|
|
|----------|-------|----------|
|
|
| Meta | Llama 4 Maverick | `meta.llama-4-maverick-17b-128e-instruct-fp8` |
|
|
| Meta | Llama 4 Scout | `meta.llama-4-scout-17b-16e-instruct` |
|
|
| Google | Gemini 2.5 Pro | `google.gemini-2.5-pro` |
|
|
| Google | Gemini 2.5 Flash | `google.gemini-2.5-flash` |
|
|
| OpenAI | GPT-5.2 | `openai.gpt-5.2` |
|
|
| OpenAI | GPT-5.1 | `openai.gpt-5.1` |
|
|
| OpenAI | GPT-5 Mini | `openai.gpt-5-mini` |
|
|
| OpenAI | **GPT-4.1 (Default)** | `openai.gpt-4.1` |
|
|
| OpenAI | GPT-4.1 Mini | `openai.gpt-4.1-mini` |
|
|
| OpenAI | GPT-4o | `openai.gpt-4o` |
|
|
| OpenAI | o4-mini | `openai.o4-mini` |
|
|
| OpenAI | o3 | `openai.o3` |
|
|
| xAI | Grok 4 | `xai.grok-4` |
|
|
| xAI | Grok 3 | `xai.grok-3` |
|
|
| xAI | Grok 3 Mini Fast | `xai.grok-3-mini-fast` |
|
|
|
|
### Embedding Models
|
|
|
|
| Provider | Model | Dimensions |
|
|
|----------|-------|------------|
|
|
| Cohere | Embed v4.0 (Multimodal) | 1536 |
|
|
| OpenAI | Text Embedding 3 Large | 3072 |
|
|
| OpenAI | Text Embedding 3 Small | 1536 |
|
|
|
|
---
|
|
|
|
## Environment Variables
|
|
|
|
| Variable | Required | Default | Description |
|
|
|----------|----------|---------|-------------|
|
|
| `APP_SECRET` | **Yes** | — | 64-byte hex key for JWT/encryption (`openssl rand -hex 64`) |
|
|
| `JWT_EXPIRY_HOURS` | No | `12` | Token expiry in hours |
|
|
| `CORS_ORIGINS` | No | — | Allowed origins (comma-separated) |
|
|
| `TZ` | No | `America/Sao_Paulo` | Timezone |
|
|
|
|
---
|
|
|
|
## Troubleshooting
|
|
|
|
**Cannot pull images from OCIR:**
|
|
Verify your `docker login` credentials and that the OCIR repository exists in your namespace.
|
|
|
|
**Backend health check fails:**
|
|
Check logs: `docker logs oci-cis-agent`. Ensure `APP_SECRET` is set.
|
|
|
|
**ADB connection fails (`DPY-6005`):**
|
|
Ensure the wallet ZIP contains `tnsnames.ora` and `ewallet.pem`. The DSN must match a service name in `tnsnames.ora`.
|
|
|
|
**GenAI returns 401/403:**
|
|
Verify the IAM policy `Allow group ... to use generative-ai-family in compartment ...` exists.
|
|
|
|
**OCI CLI test hangs with passphrase prompt:**
|
|
If your private key is encrypted, provide the passphrase in the **Key Passphrase** field when saving the credential.
|
|
|
|
---
|
|
|
|
## License
|
|
|
|
MIT
|
|
|
|
---
|
|
|
|
<p align="center">
|
|
<sub>Built for Oracle Cloud Infrastructure security compliance by LAD A-Team</sub>
|
|
</p>
|