So it begins.. Hai on HackerOne

.dockerignore

@@ -0,0 +1 @@
+**/__pycache__

.env.sample

@@ -0,0 +1,10 @@
+API_NAME=
+API_KEY=
+PROGRAM_HANDLE=
+WEBHOOK_SECRET=
+CUSTOM_FIELD_ID_VALIDITY=
+CUSTOM_FIELD_ID_COMPLEXITY=
+CUSTOM_FIELD_ID_PRODUCT_AREA=
+CUSTOM_FIELD_ID_SQUAD_OWNER=
+OWNERSHIP_FILE="./cli/config/ownership.csv.sample"
+CSV_OUTPUT_FILE="./cli/data/hai-on-hackerone-output.csv"

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG] "
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Smartphone (please complete the following information):**
+ - Device: [e.g. iPhone6]
+ - OS: [e.g. iOS8.1]
+ - Browser [e.g. stock browser, safari]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[FEATURE] "
+labels: 'feature request'
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/pull_request_template.md

@@ -0,0 +1,29 @@
+## Issue number and link
+
+Add a link the the issue
+
+### 📝 Summary
+
+Provide a brief summary of the changes or features being added in this merge request.
+
+Example:
+
+_"This MR is linked to issue X. I chose to split up issue X in 3 parts, because ..."_
+
+### 🧪 Test Plan
+
+A step-by-step description of how to test the changes you've made.
+
+### 🤔 Additional remarks
+
+Any additional remarks or context about the changes.
+
+### ✅ Review Checklist
+
+* [ ] Linked to the relevant Github issue
+* [ ] MR status changed from draft to ready for review
+* [ ] Comprehensive summary of the changes is written
+* [ ] I ensured that unit, integration, regression, and end-to-end tests are added (if applicable)
+* [ ] I assessed the performance impact of the changes (if applicable)
+* [ ] I conducted a thorough self-review of the code on Github
+* [ ] I ensured that all documentation is updated to reflect the changes

.gitignore

@@ -0,0 +1,15 @@
+# hidden files
+.env
+
+# csv files 
+*.csv
+
+#directories
+.git/
+.vscode/
+webserver/data/
+cli/data/
+cli/htmlcov/
+**/__pycache__/
+**/.pytest_cache/
+watcher/__pycache__

.pylintrc

@@ -0,0 +1,10 @@
+[MESSAGES CONTROL]
+disable=W0603,C0103,R0913,C0301,R0914,E0401
+
+; Explanation of disabled linter messages:
+; W0603: Global variable used
+; C0103: Invalid name
+; R0913: Too many arguments
+; C0301: Line too long
+; R0914: Too many local variables
+; E0401: Unable to import module

README.md

@@ -0,0 +1,114 @@
+![image info](images/haigh-on-h1onh1.webp)
+
+# Hai on Hackerone
+
+Leveraging Hai through our API. This repository contains a few tools allowing retrieving and processing reports from the HackerOne API. It can fetch reports matching specified filters, send them to the Hai (HackerOne's AI Copilot) for triage, and perform actions like posting comments and populating custom fields based on the AI response.
+
+## Table of Contents
+
+- [Hai on Hackerone](#hai-on-hackerone)
+  - [Features at a Glance](#features-at-a-glance)
+  - [Quick Start](#quick-start)
+  - [Docker Usage](#docker-usage)
+  - [CLI Usage](#cli-usage)
+  - [CLI Example](#cli-examples)
+  - [Webhook Endpoint](#webhook-endpoint)
+  - [Testing](#testing)
+  - [Contributing](#contributing)
+  - [Troubleshooting](#troubleshooting)
+
+## Features at a Glance
+
+- **Fetching Reports**: The script retrieves reports that match our specified filters, such as program, severity, and state. This allows us to focus on the most critical issues first.
+
+- **AI-Powered Triage**: Reports are sent to HackerOne AI for assessment. The AI evaluates each report and provides insights, helping us determine the validity and urgency of the issues.
+
+- **Automated Actions**: Based on the AI’s response, the script can post private comments on reports, update custom fields, and export responses to a CSV file for further analysis.
+
+## Quick Start
+
+To install this project, you can use Docker Compose. Here are the steps:
+
+1. Clone the repository: `git clone hai-on-hackerone`
+2. Create a new file named `.env` in the root directory of the project with the following content (see .env.sample)
+
+```bash
+API_NAME=
+API_KEY=
+PROGRAM_HANDLE=
+WEBHOOK_SECRET=
+CUSTOM_FIELD_ID_VALIDITY=
+CUSTOM_FIELD_ID_COMPLEXITY=
+CUSTOM_FIELD_ID_PRODUCT_AREA=
+CUSTOM_FIELD_ID_SQUAD_OWNER=
+OWNERSHIP_FILE="./cli/config/ownership.csv.sample"
+CSV_OUTPUT_FILE="./cli/data/hai-on-hackerone-output.csv"
+```
+
+## Docker Usage
+
+To run the script, simply execute the following command:
+
+```bash
+docker-compose up
+```
+
+This will start the Python script and begin processing reports.
+
+## CLI Usage
+
+The CLI tool accepts the following arguments:
+
+- `--report`: Specific report ID(s) to retrieve
+- `-r, --rating`: Filter reports based on severity **rating**
+- `-s, --state`: Filter reports based on report **state**
+- `-i, --reference`: Filter reports based on **NOT** having an **issue** tracker reference
+- `-c, --comment_hai`: Post private comment based on HackerOne AI response
+- `-f, --custom_field_hai`: Update custom fields based on HackerOne AI response
+- `-o, --csv_output`: Output HackerOne AI responses to CSV file
+- `-v, --verbose`: Increase output verbosity
+
+## CLI Examples
+
+This will retrieve critical vulnerability reports for the specified program:
+
+```python
+python3 main.py -r critical
+```
+
+This will retrieve a specific report to be assessed on validity and its custom field will be updated:
+
+```python
+python3 main.py --report 12345 --custom_field_hai
+```
+
+## Webhook Endpoint
+
+The project also includes a webhook endpoint that can be used to receive and process reports. To use this endpoint, you'll need to configure your HackerOne API settings in the `.env` file.
+
+Here's an example of how you can use the webhook endpoint:
+
+```bash
+curl -X POST \
+  http://localhost:5000/webhook \
+  -H 'Content-Type: application/json' \
+  -d '{"data": {"report": {"id": "12345"}}}'
+```
+
+This will trigger the webhook endpoint to process the report with ID `12345`.
+
+## Testing
+
+Tests will run on each pull request and merge to the primary branch. To run them locally:
+
+```bash
+pytest 
+```
+
+## Contributing
+
+Contributions are welcome! Please open an issue or PR for any enhancements.
+
+## Troubleshooting
+
+If you encounter any issues, please report them.

build/Dockerfile

@@ -0,0 +1,23 @@
+FROM python:3.12-alpine
+
+# Set the work directory to the app folder.
+WORKDIR /hai-on-hackerone
+
+# Install Python dependencies.
+COPY requirements.txt /hai-on-hackerone
+RUN  pip3 install --no-cache-dir --disable-pip-version-check -r requirements.txt
+
+# Copy only the relevant Python files into the container.
+COPY requirements.txt /hai-on-hackerone
+COPY webserver /hai-on-hackerone/webserver
+COPY watcher /hai-on-hackerone/watcher
+COPY cli /hai-on-hackerone/cli
+
+# Expose the port that the app runs on.
+EXPOSE 5000
+
+# Set the environment variable for the Flask app.
+ENV FLASK_APP=webserver/app.py
+
+# Run the Bash script and the Flask app using a process manager
+CMD ["sh", "-c", "python ./watcher/watch_reports.py & flask run --host 0.0.0.0"]