Acuvity Risk Assessment Tool
1.9K
Description: Comprehensive risk assessment tool for AI services with advanced reachability checks and security log processing
Packaged by Acuvity for risk auditing in customer environments. Features automated browser testing, TLS certificate analysis, and security log processing capabilities.
At Acuvity, understanding AI service accessibility and security posture is critical for our mission. The Acuvity Risk Auditor addresses this need by providing comprehensive risk auditing with optional security log correlation for AI services across customer networks.
Maintained by:
Where to get help:
Supported host architectures:
amd64 - nativelyarm64 - via emulation with --platform linux/amd64, chrome browser which is required for advanced tests doesn't have build for arm64 linuxCurrent supported version:
latestNote
You can get your token on Acuvity console in Administration/Access/User Tokens.
# Set your Acuvity API token as environment variable first
export ACUVITY_TOKEN="your-token-here"
# Create directory structure
mkdir -p ./data/{input,output,logs}
# Optionally copy your security logs to input directory
cp your_security_logs.csv ./data/input/
# Run complete scan with security log processing and file output, leave out --security-log option if no logs are available
docker run --platform linux/amd64 --rm \
-v "$(pwd)/data:/app/data" \
-e ACUVITY_TOKEN \
acuvity/risk-auditor:latest \
--security-log /app/data/input/your_security_logs.csv \
--output-dir /app/data/output \
--log-file /app/data/logs/auditor.log
This example will:
./data/output/./data/logs/The auditor supports three main operational modes which can be combined together. Results are automatically uploaded to Acuvity platform.
Scan domains from Acuvity's AI domains database.
Scan specific domains on top of domains from Acuvity's database. Use --domains to specify which domains to test.
Note
If the domain is not in Acuvity Knowledge Base, it will still be part of the audit report, but the security risk assessment will not be available.
Process security logs to correlate with AI domain usage. Supports CSV format with automatic URL extraction. Have to be combined with either direct domains or Acuvity Knowledge Base domains.
The container uses /app/data as the main data directory. Create the following local directory structure based on the features you want to use.
mkdir -p ./data/{input,output,logs,certs}
./data/input/ - Security log file./data/output/ - Scan results./data/logs/ - Application log files for debugging./data/certs/ - Custom CA certificates (PEM format) to install in container if neededThe auditor supports the following key options:
Custom Domain Sources:
--domains domain1.com domain2.com - Scan specific domains directlyInput/Output:
--output-dir /path/to/output - Save results to directory (enables file persistence)--security-log /path/to/security.csv - Process security log file for correlationTesting Control:
--timeout 15 - Network timeout in seconds (default: 10)--skip-advanced-tests - Disable browser-based testingLogging:
--log-level DEBUG - Set logging level (DEBUG, INFO, WARNING, ERROR)--log-file /path/to/auditor.log - Save logs to fileMetadata:
In metadata you can specify any number of key=value pairs:
--metadata location=US team=QA# Set your Acuvity API token as environment variable first
export ACUVITY_TOKEN="your-token-here"
# Acuvity Knowledge Base scan with console output (no mounts needed)
docker run --platform linux/amd64 --rm \
-e ACUVITY_TOKEN \
acuvity/risk-auditor:latest
# Acuvity Knowledge Base scan with file output
mkdir -p ./data/output
docker run --platform linux/amd64 --rm \
-v "$(pwd)/data:/app/data" \
-e ACUVITY_TOKEN \
acuvity/risk-auditor:latest \
--output-dir /app/data/output
# Set your Acuvity API token as environment variable first
export ACUVITY_TOKEN="your-token-here"
docker run --platform linux/amd64 --rm \
-e ACUVITY_TOKEN \
acuvity/risk-auditor:latest \
--domains chatgpt.com openai.com anthropic.com
# Scan with file output and logging
export ACUVITY_TOKEN="your-token-here"
mkdir -p ./data/{output,logs}
docker run --platform linux/amd64 --rm \
-v "$(pwd)/data:/app/data" \
-e ACUVITY_TOKEN \
acuvity/risk-auditor:latest \
--domains chatgpt.com openai.com anthropic.com \
--output-dir /app/data/output \
--log-file /app/data/logs/auditor.log
# Prepare security log file
mkdir -p ./data/input
cp your_security_logs.csv ./data/input/
# Process security logs with Acuvity Knowledge Base domains (set token first)
export ACUVITY_TOKEN="your-token-here"
mkdir -p ./data/{input,output}
docker run --platform linux/amd64 --rm \
-v "$(pwd)/data:/app/data" \
-e ACUVITY_TOKEN \
acuvity/risk-auditor:latest \
--security-log /app/data/input/your_security_logs.csv \
--output-dir /app/data/output
# Process security logs with specific domains
export ACUVITY_TOKEN="your-token-here"
docker run --platform linux/amd64 --rm \
-v "$(pwd)/data:/app/data" \
-e ACUVITY_TOKEN \
acuvity/risk-auditor:latest \
--security-log /app/data/input/your_security_logs.csv \
--domains chatgpt.com openai.com anthropic.com \
--output-dir /app/data/output \
# Copy CA certificates to local certs directory
cp /path/to/your/ca-certificates/*.pem ./data/certs/
# Run with custom CA certificates
export ACUVITY_TOKEN="your-token-here"
docker run --platform linux/amd64 --rm \
-v "$(pwd)/data:/app/data" \
-e ACUVITY_TOKEN \
acuvity/risk-auditor:latest \
--domains internal-domain.com \
--output-dir /app/data/output
For environments with custom certificate authorities, place PEM files in ./data/certs/ and the auditor will automatically install them in the container.
The auditor generates the following output files in the specified output directory:
results_<timestamp>.json: Main scan results in JSON formatpayload_<timestamp>.json: API payload format resultsThe auditor can process security logs in various CSV formats:
While some common header names can be automatically detected, for best results the log header names should be set to timestamp, username and destination_url for the URL the user was trying to reach. The log can contain any additional columns which will be ignored.
Examples of subdomain matching:
https://files01.api.chatgpt.com/uploads matches domain: chatgpt.comhttps://api.openai.com/v1/chat matches domain: openai.comhttps://claude.ai/chat matches domain: claude.aitimestamp,source_ip,destination_url,username,action
2024-01-15T10:30:00Z,192.168.1.100,https://chatgpt.com/chat,john.doe,ALLOW
2024-01-15T10:31:00Z,192.168.1.101,https://api.openai.com/v1/completions,jane.smith,ALLOW
Required for Acuvity Knowledge Base scanning and uploads:
ACUVITY_TOKEN: Bearer authentication token (required)ACUVITY_BASE_URL: API base URL - override option, by default it is extracted from tokenACUVITY_NAMESPACE: Namespace header value - override option, by default it is extracted from tokenContent type
Image
Digest
sha256:6c9de0517…
Size
543.2 MB
Last updated
6 months ago
docker pull acuvity/risk-auditor