January 22, 2026

OpenAI + Google Drive, shareable code scan reports

Lisa Granqvist Partner Workflow Automation Expert

Get a free AI assessment → ⬇️ Use template

You run a quick code scan, spot something worrying, then lose another hour turning messy notes into something you can actually send. The switching is the worst part. Tabs, screenshots, copy-paste, “where did that snippet come from?”

This kind of OpenAI Drive reports setup hits security consultants first, honestly. But in-house engineering leads and bug bounty hunters feel the same drag when they need clean evidence and a clear severity call.

This workflow runs static scans for JavaScript, PHP, or Python, then saves a client-ready HTML report to Google Drive. You’ll see what it automates, what you get out of it, and how to make it fit your own pipeline.

How This Automation Works

The full n8n workflow, from trigger to final output:

n8n Workflow Template: OpenAI + Google Drive, shareable code scan reports

Click to explore

flowchart LR

    subgraph sg0["Form Flow"]
        direction LR
        n0["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/form.svg' width='40' height='40' /></div><br/>Form"]
        n1@{ icon: "mdi:robot", form: "rounded", label: "JavaScript Expert Agent (Sin..", pos: "b", h: 48 }
        n2@{ icon: "mdi:brain", form: "rounded", label: "OpenAI JavaScript (Single URL)", pos: "b", h: 48 }
        n3@{ icon: "mdi:web", form: "rounded", label: "HTTP Request JavaScript (Sin..", pos: "b", h: 48 }
        n4["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/code.svg' width='40' height='40' /></div><br/>Prettify JavaScript Results .."]
        n5@{ icon: "mdi:swap-vertical", form: "rounded", label: "Split JavaScript Expert Resu..", pos: "b", h: 48 }
        n6@{ icon: "mdi:swap-horizontal", form: "rounded", label: "Remove JavaScript Empty Resu..", pos: "b", h: 48 }
        n7["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/html.dark.svg' width='40' height='40' /></div><br/>Create HTML Table JavaScript.."]
        n8["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/html.dark.svg' width='40' height='40' /></div><br/>Create HTML Template JavaScr.."]
        n9@{ icon: "mdi:robot", form: "rounded", label: "PHP Expert Agent (Single URL)", pos: "b", h: 48 }
        n10@{ icon: "mdi:brain", form: "rounded", label: "OpenAI PHP (Single URL)", pos: "b", h: 48 }
        n11@{ icon: "mdi:web", form: "rounded", label: "HTTP Request PHP (Single URL)", pos: "b", h: 48 }
        n12["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/code.svg' width='40' height='40' /></div><br/>Prettify PHP Results (Single.."]
        n13@{ icon: "mdi:swap-vertical", form: "rounded", label: "Split PHP Expert Results (Si..", pos: "b", h: 48 }
        n14@{ icon: "mdi:swap-horizontal", form: "rounded", label: "Remove PHP Empty Results (Si..", pos: "b", h: 48 }
        n15["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/html.dark.svg' width='40' height='40' /></div><br/>Create HTML Table PHP (Singl.."]
        n16["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/html.dark.svg' width='40' height='40' /></div><br/>Create HTML Template PHP (Si.."]
        n17@{ icon: "mdi:robot", form: "rounded", label: "Python Expert Agent (Single ..", pos: "b", h: 48 }
        n18@{ icon: "mdi:brain", form: "rounded", label: "OpenAI Python (Single URL)", pos: "b", h: 48 }
        n19@{ icon: "mdi:web", form: "rounded", label: "HTTP Request Python (Single ..", pos: "b", h: 48 }
        n20["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/code.svg' width='40' height='40' /></div><br/>Prettify Python Results (Sin.."]
        n21@{ icon: "mdi:swap-vertical", form: "rounded", label: "Split Python Expert Results ..", pos: "b", h: 48 }
        n22@{ icon: "mdi:swap-horizontal", form: "rounded", label: "Remove Python Empty Results ..", pos: "b", h: 48 }
        n23["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/html.dark.svg' width='40' height='40' /></div><br/>Create HTML Table Python (Si.."]
        n24["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/html.dark.svg' width='40' height='40' /></div><br/>Create HTML Template Python .."]
        n25@{ icon: "mdi:swap-vertical", form: "rounded", label: "Split AI-Powered Code Analyz..", pos: "b", h: 48 }
        n26@{ icon: "mdi:swap-horizontal", form: "rounded", label: "Python Expert (Single URL)", pos: "b", h: 48 }
        n27@{ icon: "mdi:swap-horizontal", form: "rounded", label: "PHP Expert (Single URL)", pos: "b", h: 48 }
        n28@{ icon: "mdi:swap-horizontal", form: "rounded", label: "JavaScript Expert (Single URL)", pos: "b", h: 48 }
        n29@{ icon: "mdi:cog", form: "rounded", label: "Upload HTML JavaScript Repor..", pos: "b", h: 48 }
        n30@{ icon: "mdi:cog", form: "rounded", label: "Upload HTML PHP Report (Sing..", pos: "b", h: 48 }
        n31@{ icon: "mdi:cog", form: "rounded", label: "Upload HTML Python Report (S..", pos: "b", h: 48 }
        n0 --> n25
        n10 -.-> n9
        n27 --> n9
        n18 -.-> n17
        n26 --> n17
        n11 -.-> n9
        n9 --> n12
        n28 --> n1
        n2 -.-> n1
        n19 -.-> n17
        n17 --> n20
        n12 --> n13
        n15 --> n16
        n3 -.-> n1
        n1 --> n4
        n20 --> n21
        n23 --> n24
        n16 --> n30
        n14 --> n15
        n13 --> n14
        n24 --> n31
        n4 --> n5
        n22 --> n23
        n21 --> n22
        n7 --> n8
        n25 --> n26
        n25 --> n27
        n25 --> n28
        n8 --> n29
        n6 --> n7
        n5 --> n6
    end

    %% Styling
    classDef trigger fill:#e8f5e9,stroke:#388e3c,stroke-width:2px
    classDef ai fill:#e3f2fd,stroke:#1976d2,stroke-width:2px
    classDef aiModel fill:#e8eaf6,stroke:#3f51b5,stroke-width:2px
    classDef decision fill:#fff8e1,stroke:#f9a825,stroke-width:2px
    classDef database fill:#fce4ec,stroke:#c2185b,stroke-width:2px
    classDef api fill:#fff3e0,stroke:#e65100,stroke-width:2px
    classDef code fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    classDef disabled stroke-dasharray: 5 5,opacity: 0.5
    class n0 trigger
    class n1,n9,n17 ai
    class n2,n10,n18 aiModel
    class n6,n14,n22,n26,n27,n28 decision
    class n3,n11,n19 api
    class n4,n12,n20 code
    classDef customIcon fill:none,stroke:none
    class n0,n4,n7,n8,n12,n15,n16,n20,n23,n24 customIcon

The Problem: Code scan results are hard to ship

Static analysis is supposed to be the “quick pass.” In reality, the scan is only half the job. The other half is turning raw findings into something structured, credible, and shareable. You end up reformatting output, hunting for the exact line numbers again, and rewriting the same severity explanations in slightly different words. One small mistake (wrong file URL, missing snippet, vague severity) and your report gets questioned, which means more back-and-forth and less time finding real issues.

The friction compounds. Here’s where it breaks down in day-to-day work.

Findings get scattered across tools, so the “final report” becomes a manual assembly project.
You spend about 1–2 hours per target just cleaning output and adding basic context.
Small formatting inconsistencies make results look less trustworthy, even when the vulnerability is real.
Sharing is awkward because raw logs don’t travel well, and screenshots don’t scale.

The Solution: AI-assisted static scans that publish clean HTML reports

This n8n workflow takes a code target, runs static security analysis with OpenAI-based agents, then produces a structured report you can send without apologizing for the formatting. It starts from a simple input form, where you choose the language analyzer (JavaScript, PHP, or Python) and provide the target details. For the selected language, the workflow fetches the relevant files (or URLs) using HTTP requests, then hands the content to a specialized AI “security agent” that looks for exploitable vulnerabilities using AST and regex-style heuristics. After that, it cleans and validates the returned JSON, builds a styled HTML table grouped by severity, and stores the finished HTML report in Google Drive.

The workflow begins with a form trigger, then routes you down the correct language branch. The agent produces strict JSON findings, n8n post-processes them, and Google Drive becomes your single place to grab the final client-ready report.

What You Get: Automation vs. Results

What This Workflow Automates

Results You’ll Get

You choose JavaScript, PHP, or Python analysis from one simple input form.
The workflow fetches code files via HTTP requests, so you are not copy-pasting blobs into chat windows.
OpenAI agents return strict JSON findings (URL, snippet, severity, vulnerability type).
n8n turns findings into styled HTML tables and saves them to Google Drive automatically.

A shareable report you can deliver in about 10 minutes, not an afternoon.
Cleaner vulnerability evidence because snippets and file references stay attached to each finding.
More consistent severity language across targets, which reduces stakeholder debates.
Fewer “can you resend that?” moments because Google Drive links are easy to share internally.
Less noise: the workflow focuses on exploitable findings and skips low-impact clutter.

Example: What This Looks Like

Say you review three small repos in a week (one JavaScript, one PHP, one Python). Manually, you might spend about 45 minutes per repo collecting snippets, rewriting into a table, and packaging it for sharing, so roughly 2–3 hours total. With this workflow, you submit each target in the form (a couple minutes), wait for analysis and HTML generation (often around 5–10 minutes), and then grab the finished report from Google Drive. That is usually a couple hours back per week, with reports that look consistent from the first run.

What You’ll Need

n8n instance (try n8n Cloud free)
Self-hosting option if you prefer (Hostinger works well)
OpenAI for AI-assisted vulnerability analysis
Google Drive to store shareable HTML reports
OpenAI API key (get it from your OpenAI dashboard)

Skill level: Intermediate. You’ll connect credentials, paste in keys, and verify a couple requests, but you won’t be writing a full app.

Don’t want to set this up yourself? Talk to an automation expert (free 15-minute consultation).

How It Works

You submit a target and pick a language analyzer. The workflow starts with an n8n form trigger. You choose JavaScript, PHP, or Python so the workflow routes your request to the right analysis branch.

Code is fetched from the source you provide. Each branch uses HTTP requests to pull file contents or URLs into the workflow. This keeps the evidence chain cleaner, because findings can reference the exact file path or URL they came from.

OpenAI agents generate exploitable findings in strict JSON. A language-specific security agent runs, backed by an OpenAI chat model tuned for that language. The response is constrained to a predictable JSON shape (URL, snippet, severity, vulnerability type), so it is usable downstream.

Results are cleaned, formatted, and published to Google Drive. n8n splits findings, drops empty items, then builds a styled HTML table and composes the final report. The last step stores that HTML file in Google Drive so you can share it with a link or attach it to a client email.

You can easily modify the severity rules to match your internal rubric based on your needs. See the full implementation guide below for customization options.

Step-by-Step Implementation Guide

Step 1: Configure the Form Trigger

Set up the user input form that starts the workflow and collects the target file URL plus analyzer choice.

Add and open Input Form Trigger.
Set Form Title to AI-Powered Code Analyzer.
Set Form Description to Only one option can be selected from the three: (GitHub Repository, Domain To Crawl, Single File URL)..
In Form Fields, include a text field labeled Single File URL with placeholder https://example.com/path/file.js.
Add a checkbox field labeled AI-Powered Code Analyzer with options AI JavaScript Expert, AI PHP Expert, and AI Python Expert, and mark it as required.

Tip: Only one analyzer should be selected, because the routing nodes look for a single matching option in AI-Powered Code Analyzer.

Step 2: Split and Route the Analyzer Choice

Split the selected analyzer and route it to the correct language branch.

Configure Split Analyzer Choice with Field To Split Out set to ["AI-Powered Code Analyzer"].
In Route JS Choice, set the rule to compare Left Value ={{ $json["[\"AI-Powered Code Analyzer\"]"] }} with Right Value AI JavaScript Expert.
In Route PHP Choice, set the rule to compare Left Value ={{ $json["[\"AI-Powered Code Analyzer\"]"] }} with Right Value AI PHP Expert.
In Route Python Choice, set the rule to compare Left Value ={{ $json["[\"AI-Powered Code Analyzer\"]"] }} with Right Value AI Python Expert.

Split Analyzer Choice outputs to both Route Python Choice, Route PHP Choice, and Route JS Choice in parallel.

⚠️ Common Pitfall: If the checkbox label or option text is changed, update the switch rules to match exactly or the routing will not trigger.

Step 3: Set Up the AI Security Agents and Models

Each branch uses a language-specific model and agent; the HTTP fetch tools are attached to the agents.

Open OpenAI JS Model and select model gpt-4.1-mini. Credential Required: Connect your openAiApi credentials.
Open OpenAI PHP Model and select model gpt-4.1-mini. Credential Required: Connect your openAiApi credentials.
Open OpenAI Python Model and select model gpt-4.1-mini. Credential Required: Connect your openAiApi credentials.
In JS Security Agent, set Text to ={{ $('Input Form Trigger').item.json['Single File URL'] }} and keep Prompt Type as define. Ensure OpenAI JS Model is connected as the language model for JS Security Agent.
In PHP Security Agent, set Text to ={{ $('Input Form Trigger').item.json['Single File URL'] }} and keep Prompt Type as define. Ensure OpenAI PHP Model is connected as the language model for PHP Security Agent.
In Python Security Agent, set Text to ={{ $('Input Form Trigger').item.json['Single File URL'] }} and keep Prompt Type as define. Ensure OpenAI Python Model is connected as the language model for Python Security Agent.
For each HTTP tool (JS File Fetch, PHP File Fetch, Python File Fetch), set URL to ={{ $('Input Form Trigger').item.json['Single File URL'] }} and keep Timeout at 20000.

Tip: JS File Fetch, PHP File Fetch, and Python File Fetch are AI tools. If they require credentials in your environment, add them to the parent nodes: JS Security Agent, PHP Security Agent, and Python Security Agent.

Step 4: Normalize and Filter the AI Results

Parse the model outputs into JSON, split findings, and remove empty results before report generation.

In Format JS Results, keep the provided JavaScript Code as-is to normalize output JSON.
In Format PHP Results and Format Python Results, keep the same parsing logic to handle string-wrapped JSON outputs.
Configure Split JS Findings, Split PHP Findings, and Split Python Findings with Field To Split Out set to results.
In Filter JS Blanks, Filter PHP Blanks, and Filter Python Blanks, ensure the condition checks Left Value ={{ $json.url }} with operator exists.

⚠️ Common Pitfall: If the AI returns invalid JSON, the parsing nodes will output an error object. Validate your system prompts if you see Invalid JSON input.

Step 5: Build HTML Reports

Convert findings to HTML tables and wrap them in a styled HTML template for each language branch.

Set Build JS HTML Table, Build PHP HTML Table, and Build Python HTML Table to Operation convertToHtmlTable.
In Compose JS HTML, Compose PHP HTML, and Compose Python HTML, keep the HTML template and ensure it injects the table using {{ $json.table }}.

Tip: All three Compose nodes include responsive table CSS; keep the template intact to avoid formatting issues in the stored reports.

Step 6: Configure Google Drive Report Storage

Save each HTML report to Google Drive with a timestamped filename.

Open Store JS HTML Report and set Operation to createFromText, Content to ={{ $json.html }}, and keep the dynamic Name expression =JavaScript Single URL {{ (() => {const d=new Date();return `${String(d.getDate()).padStart(2,'0')}-${String(d.getMonth()+1).padStart(2,'0')}-${d.getFullYear()} (${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')})`;})() }}.html. Credential Required: Connect your googleDriveOAuth2Api credentials.
Open Store PHP HTML Report and set Operation to createFromText, Content to ={{ $json.html }}, and keep the dynamic Name expression =PHP Single URL {{ (() => {const d=new Date();return `${String(d.getDate()).padStart(2,'0')}-${String(d.getMonth()+1).padStart(2,'0')}-${d.getFullYear()} (${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')})`;})() }}.html. Credential Required: Connect your googleDriveOAuth2Api credentials.
Open Store Python HTML Report and set Operation to createFromText, Content to ={{ $json.html }}, and keep the dynamic Name expression =Python Single URL {{ (() => {const d=new Date();return `${String(d.getDate()).padStart(2,'0')}-${String(d.getMonth()+1).padStart(2,'0')}-${d.getFullYear()} (${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')})`;})() }}.html. Credential Required: Connect your googleDriveOAuth2Api credentials.

Tip: The default Drive is My Drive and Folder is / (Root folder). Adjust if you want reports stored elsewhere.

Step 7: Test and Activate Your Workflow

Validate each branch with real inputs, confirm report generation, and enable the workflow.

Click Execute Workflow and submit the form in Input Form Trigger with a valid Single File URL and one analyzer option.
Confirm the flow runs through the correct branch (JS, PHP, or Python) and that Format Results → Split Findings → Filter Blanks nodes produce items.
Verify the HTML output is created in the corresponding Store JS HTML Report, Store PHP HTML Report, or Store Python HTML Report node and appears in Google Drive.
If all outputs look correct, switch the workflow to Active so users can submit audits via the form.

🔒

Unlock Full Step-by-Step Guide

Get the complete implementation guide + downloadable template

Common Gotchas

Google Drive credentials can expire or need specific permissions. If things break, check the connected Google account access and the n8n credential status first.
If you’re using Wait nodes or external rendering, processing times vary. Bump up the wait duration if downstream nodes fail on empty responses.
Default prompts in AI nodes are generic. Add your brand voice early or you’ll be editing outputs forever.

Frequently Asked Questions

How long does it take to set up this OpenAI Drive reports automation?

About 30 minutes if you already have your API keys ready.

Do I need coding skills to automate shareable code scan reports?

No. You’ll mostly connect credentials and edit a couple fields. If you can follow a checklist, you’re fine.

Is n8n free to use for this OpenAI Drive reports workflow?

Yes. n8n has a free self-hosted option and a free trial on n8n Cloud. Cloud plans start at $20/month for higher volume. You’ll also need to factor in OpenAI API usage costs (often a few dollars a month for light scanning).

Where can I host n8n to run this automation?

Two options: n8n Cloud (managed, easiest setup) or self-hosting on a VPS. For self-hosting, Hostinger VPS is affordable and handles n8n well. Self-hosting gives you unlimited executions but requires basic server management.

Can I customize this OpenAI Drive reports workflow for GitHub repos instead of file URLs?

Yes, but you’ll swap the HTTP Request “file fetch” part to pull from GitHub’s API (or your repo source) before the JS/PHP/Python Security Agent runs. Common customizations include changing the input form fields, adding repo authentication, and adjusting the HTML template to match your client branding. If you keep the JSON schema the same, the formatting and Google Drive storage steps usually stay untouched.

Why is my Google Drive connection failing in this workflow?

Usually it’s an expired Google authorization or the connected account lost permission to write to the destination folder. Reconnect the Google Drive credential in n8n and confirm the folder location is still accessible. If you’re in a workspace, admin restrictions can also block file creation.

How many files can this OpenAI Drive reports automation handle?

It depends on your n8n plan and how many files you feed it per run, but most small codebases are fine.

Is this OpenAI Drive reports automation better than using Zapier or Make?

For this use case, n8n is usually the better fit because it can handle branching (JS vs PHP vs Python) and structured post-processing without turning into a fragile chain of zaps. Self-hosting also matters if you’re scanning often, since you’re not paying per task in the same way. Zapier and Make can work, but multi-step formatting (split, filter blanks, compose HTML, store) gets tedious fast. n8n’s AI Agent style flow is also easier to keep consistent once you’ve tuned prompts. Talk to an automation expert if you want help deciding.

Clean findings, consistent severity, and a Google Drive report you can share immediately. Set it up once, then stop rebuilding the same deliverable every time you scan.

Need Help Setting This Up?

Our automation experts can build and customize this workflow for your specific needs. Free 15-minute consultation—no commitment required.

Lisa Granqvist

Workflow Automation Expert

Expert in workflow automation and no-code tools.

{
"id": "",
"name": "Automated Code Audit Reporting System",
"versionId": "",
"meta": {
"instanceId": "e4fe4b447a92c9a5e980f493a052153ae4ced7da92b6bea746e1d9c73a3302b8",
"templateId": null,
"templateCredsSetupCompleted": null
},
"nodes": [
{
"id": "flowpast-topbar-10801",
"name": "Flowpast Branding",
"type": "n8n-nodes-base.stickyNote",
"position": [
0,
20
],
"parameters": {
"color": 7,
"width": 2295,
"height": 80,
"content": "## Flowpast.com | Automation Workflow Library\n**\ud83d\udcd6 Full tutorial & setup guide:** flowpast.com"
},
"typeVersion": 1
},
{
"id": "b2d667b2-79bf-4735-b053-21247331b94e",
"name": "Input Form Trigger",
"type": "n8n-nodes-base.formTrigger",
"position": [
0,
180
],
"webhookId": "6b3adc74-85aa-4729-aea0-9602dcb663d3",
"parameters": {
"options": [],
"formTitle": "AI-Powered Code Analyzer",
"formFields": {
"values": [
{
"fieldLabel": "Single File URL",
"placeholder": "https://example.com/path/file.js"
},
{
"fieldType": "checkbox",
"fieldLabel": "AI-Powered Code Analyzer",
"fieldOptions": {
"values": [
{
"option": "AI JavaScript Expert"
},
{
"option": "AI PHP Expert"
},
{
"option": "AI Python Expert"
}
]
},
"requiredField": true
}
]
},
"formDescription": "Only one option can be selected from the three: (GitHub Repository, Domain To Crawl, Single File URL)."
},
"typeVersion": 2.3
},
{
"id": "b30a7b4e-fc15-4cf3-99d3-aee4ca45ea49",
"name": "Split Analyzer Choice",
"type": "n8n-nodes-base.splitOut",
"position": [
235,
215
],
"parameters": {
"options": [],
"fieldToSplitOut": "[\"AI-Powered Code Analyzer\"]"
},
"typeVersion": 1
},
{
"id": "6b57f602-1d06-43a9-98fa-a9c924181f2d",
"name": "Route JS Choice",
"type": "n8n-nodes-base.switch",
"position": [
515,
150
],
"parameters": {
"rules": {
"values": [
{
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "9a36ec9a-2f1e-44ab-b8ec-a39c73604021",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json[\"[\\\"AI-Powered Code Analyzer\\\"]\"] }}",
"rightValue": "AI JavaScript Expert"
}
]
}
}
]
},
"options": []
},
"typeVersion": 3.3
},
{
"id": "011dc1b8-22ed-42f9-9942-8df89e9469b8",
"name": "Route PHP Choice",
"type": "n8n-nodes-base.switch",
"position": [
520,
435
],
"parameters": {
"rules": {
"values": [
{
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "9a36ec9a-2f1e-44ab-b8ec-a39c73604021",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json[\"[\\\"AI-Powered Code Analyzer\\\"]\"] }}",
"rightValue": "AI PHP Expert"
}
]
}
}
]
},
"options": []
},
"typeVersion": 3.3
},
{
"id": "75349730-2ef1-494f-8afa-e9768292c1dd",
"name": "Route Python Choice",
"type": "n8n-nodes-base.switch",
"position": [
525,
725
],
"parameters": {
"rules": {
"values": [
{
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "9a36ec9a-2f1e-44ab-b8ec-a39c73604021",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json[\"[\\\"AI-Powered Code Analyzer\\\"]\"] }}",
"rightValue": "AI Python Expert"
}
]
}
}
]
},
"options": []
},
"typeVersion": 3.3
},
{
"id": "1a4de4a3-62df-416a-bf5f-6a734456a7ba",
"name": "OpenAI JS Model",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
760,
120
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": []
},
"credentials": {
"openAiApi": {
"id": "credential-id",
"name": ""
}
},
"typeVersion": 1.2
},
{
"id": "2b9de0ad-57ef-4bc0-9cbb-2f6d64fbb392",
"name": "JS Security Agent",
"type": "@n8n/n8n-nodes-langchain.agent",
"onError": "continueRegularOutput",
"position": [
960,
225
],
"parameters": {
"text": "={{ $('Input Form Trigger').item.json['Single File URL'] }}",
"options": {
"systemMessage": "=Eres un agente automatizado de auditor\u00eda de seguridad con 20 a\u00f1os de experiencia en ciberseguridad y especialidad en JavaScript. Sigue estas reglas sin excepci\u00f3n.\n\nEntrada: lista de URLs .js proporcionadas por el usuario. Nunca acceder a URLs fuera de esa lista.\n\nObjetivo: detectar \u00fanicamente vulnerabilidades explotables en cada archivo .js y reportarlas en JSON exacto (esquema abajo). No expliques nada. No incluyas payloads, pasos de explotaci\u00f3n, recomendaciones ni metadatos adicionales.\n\nProcedimiento:\n\nHacer HTTP GET.\n\nSi status != 200 o body vac\u00edo \u2192 registrar internamente y continuar.\n\nTruncar body a 20000 bytes si es mayor.\n\nParsear JS (AST + regex heur\u00edsticos).\n\nDetectar vulnerabilidades explotables: DOM XSS, reflected XSS, stored XSS, RCE v\u00eda eval/new/Function, insecure deserialization, CSRF en llamadas AJAX sin token, info-leak de secretos, insecure use of innerHTML/outerHTML/document.write with untrusted input, insecure direct object refs in client logic. Priorizar hallazgos con evidencia de cadena de flujo taint (entrada \u2192 sink).\n\nPara cada hallazgo generar evidencia m\u00ednima: fragmento de c\u00f3digo y n\u00famero de l\u00ednea(s).\n\nParar cuando: todas las URLs procesadas, alcanzado max_iteraciones o timeout_total.\n\nL\u00edmites operativos:\n\nmax_iteraciones: 50\n\ntasa: <= 5 requests/s\n\ntimeout por request: 10s\n\ntimeout_total ejecuci\u00f3n: 300s\n\ncheckpoint_interval: 5\n\ntama\u00f1o m\u00e1ximo por item: 20000 bytes (truncar)\n\nReglas firmes:\n\nNunca usar credenciales encontradas.\n\nTodos los resultados deben ser \u00fanicos y distintos de la entrada.\n\nNo devolver nada fuera del JSON final.\n\nSi la solicitud es ilegal u ofensiva, rechazar y devolver JSON vac\u00edo: {\"results\": []}.\n\nFormato de salida obligatorio (exacto, sin a\u00f1adidos):\n{\n\"results\": [\n{\n\"url\": \"<filename_or_url>\",\n\"code\": \"<breve: linea(s) y fragmento>\",\n\"severity\": \"medium|high|critical\",\n\"vuln\": \"<tipo de vulnerabilidad ejemplo (DOM XSS)>\"\n}\n]\n}\n\nSalida final: \u00fanica respuesta JSON v\u00e1lida que contenga solo el objeto anterior. Reportar \u00fanicamente vulnerabilidades explotables. Nada m\u00e1s."
},
"promptType": "define"
},
"typeVersion": 2.2
},
{
"id": "2c7a82e2-8621-47d1-ad13-7bf2040f0a92",
"name": "JS File Fetch",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
760,
330
],
"parameters": {
"url": "={{ $('Input Form Trigger').item.json['Single File URL'] }}",
"options": {
"timeout": 20000
}
},
"typeVersion": 4.2
},
{
"id": "1927e2e7-c928-4f1f-9544-a992d4f0a2db",
"name": "Format JS Results",
"type": "n8n-nodes-base.code",
"onError": "continueRegularOutput",
"position": [
1185,
250
],
"parameters": {
"jsCode": "return items.map(item => {\n  let raw = item.json.output;\n\n  try {\n    if (typeof raw === 'string') {\n      raw = raw.trim();\n      if (raw.startsWith('{') === false) {\n        raw = raw.replace(/^\"+|\"+$/g, '').replace(/\\\\\"/g, '\"');\n      }\n      raw = JSON.parse(raw);\n    }\n  } catch (err) {\n    return {\n      json: { error: 'Invalid JSON input', message: err.message, raw: item.json.output }\n    };\n  }\n\n  return {\n    json: raw\n  };\n});\n"
},
"typeVersion": 2
},
{
"id": "2996701f-4618-45f5-9fb6-71ff9fa15f96",
"name": "Split JS Findings",
"type": "n8n-nodes-base.splitOut",
"position": [
1385,
230
],
"parameters": {
"options": [],
"fieldToSplitOut": "results"
},
"typeVersion": 1
},
{
"id": "0ffc6d63-d2af-458b-8640-0d00de0d230b",
"name": "Filter JS Blanks",
"type": "n8n-nodes-base.filter",
"onError": "continueRegularOutput",
"position": [
1595,
260
],
"parameters": {
"options": [],
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "cf2d9759-b91c-451f-b830-5f33d0c38fee",
"operator": {
"type": "string",
"operation": "exists",
"singleValue": true
},
"leftValue": "={{ $json.url }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "17dd4580-e1b6-42ae-9b2b-e369b5e75593",
"name": "Build JS HTML Table",
"type": "n8n-nodes-base.html",
"position": [
1785,
235
],
"parameters": {
"options": {
"capitalize": true
},
"operation": "convertToHtmlTable"
},
"typeVersion": 1.2
},
{
"id": "3109c99e-aecd-4f08-a6fa-800b48e594f6",
"name": "Compose JS HTML",
"type": "n8n-nodes-base.html",
"position": [
1985,
265
],
"parameters": {
"html": "<style>\ntable {\n    width: 100%;\n    border-collapse: collapse;\n    font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n    box-shadow: 0 4px 20px rgba(0,0,0,0.1);\n    border-radius: 10px;\n    overflow: hidden;\n}\n\nthead th {\n    background-color: #1f78d1;\n    color: #ffffff;\n    text-align: left;\n    padding: 12px 15px;\n    font-size: 14px;\n    letter-spacing: 0.5px;\n}\n\ntbody tr {\n    background-color: #ffffff;\n    transition: background-color 0.3s ease;\n}\n\ntbody tr:nth-child(even) {\n    background-color: #f4f6f8;\n}\n\ntbody tr:hover {\n    background-color: #e1efff;\n}\n\ntbody td {\n    padding: 12px 15px;\n    font-size: 13px;\n    color: #333333;\n    border-bottom: 1px solid #e0e0e0;\n}\n\ntbody tr:last-child td {\n    border-bottom: none;\n}\n\n@media screen and (max-width: 768px) {\n    table {\n        display: block;\n        overflow-x: auto;\n        white-space: nowrap;\n    }\n}\n</style>\n\n{{ $json.table }}"
},
"typeVersion": 1.2
},
{
"id": "1b2eadfe-41cb-4b73-af3c-af5bd6e8624c",
"name": "Store JS HTML Report",
"type": "n8n-nodes-base.googleDrive",
"position": [
2195,
245
],
"parameters": {
"name": "=JavaScript Single URL {{ (() => {const d=new Date();return `${String(d.getDate()).padStart(2,'0')}-${String(d.getMonth()+1).padStart(2,'0')}-${d.getFullYear()} (${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')})`;})() }}.html",
"content": "={{ $json.html }}",
"driveId": {
"__rl": true,
"mode": "list",
"value": "My Drive"
},
"options": [],
"folderId": {
"__rl": true,
"mode": "list",
"value": "root",
"cachedResultName": "/ (Root folder)"
},
"operation": "createFromText"
},
"credentials": {
"googleDriveOAuth2Api": {
"id": "credential-id",
"name": ""
}
},
"typeVersion": 3
},
{
"id": "b6280a47-cc56-4dfe-b770-4490853952a5",
"name": "OpenAI PHP Model",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
745,
400
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": []
},
"credentials": {
"openAiApi": {
"id": "credential-id",
"name": ""
}
},
"typeVersion": 1.2
},
{
"id": "e2399b44-f2d3-4148-8132-f1c7039353b7",
"name": "PHP Security Agent",
"type": "@n8n/n8n-nodes-langchain.agent",
"onError": "continueRegularOutput",
"position": [
950,
505
],
"parameters": {
"text": "={{ $('Input Form Trigger').item.json['Single File URL'] }}",
"options": {
"systemMessage": "=Eres un agente automatizado de auditor\u00eda de seguridad con 20 a\u00f1os de experiencia en ciberseguridad y especialidad en PHP. Sigue estas reglas sin excepci\u00f3n.\n\nEntrada: URL .php proporcionada por el usuario. Nunca acceder a URLs fuera de esa lista ni ejecutar c\u00f3digo remoto o local. S\u00f3lo an\u00e1lisis est\u00e1tico de los cuerpos que se obtengan por HTTP GET.\n\nObjetivo: detectar **\u00fanicamente** vulnerabilidades explotables en el archivo .php y reportarlas en JSON exacto (esquema abajo). **No expliques nada**. No incluyas payloads, pasos de explotaci\u00f3n, recomendaciones ni metadatos adicionales.\n\nProcedimiento:\n\n1. Hacer la petici\u00f3n.\n   * Hacer HTTP GET (solo a las URLs en la lista).\n   * Si `status != 200` o body vac\u00edo \u2192 registrar internamente y continuar con la siguiente URL.\n   * Truncar body a 20000 bytes si es mayor.\n   * Parsear PHP (AST est\u00e1tico cuando sea posible + heur\u00edsticos por regex).\n   * Detectar **vulnerabilidades explotables** (ver lista abajo). Priorizar hallazgos que incluyan evidencia de **cadena de flujo taint** (entrada \u2192 sink).\n   * Para cada hallazgo generar evidencia m\u00ednima: fragmento de c\u00f3digo y n\u00famero(s) de l\u00ednea.\n2. Guardar checkpoint cada `checkpoint_interval` iteraciones (estado interno).\n3. Parar cuando: todas las URLs procesadas, alcanzado `max_iteraciones` o `timeout_total`.\n\nVulnerabilidades a detectar (no exhaustivo; centrarse en hallazgos explotables):\n\n* SQL Injection (uso de `mysqli_query`, `PDO->query`, concatenaci\u00f3n en consultas sin prepared statements).\n* Remote/Local File Inclusion (RFI/LFI) via `include`, `require`, `include_once`, `require_once` con input controlable.\n* Command Injection / RCE v\u00eda `exec`, `system`, `passthru`, `shell_exec`, backticks (`` `cmd` ``), `popen`, `proc_open`.\n* Unsafe `eval`, `create_function`, `preg_replace` con la bandera `/e`, `assert()` con input, `eval()` en general.\n* Insecure deserialization (`unserialize` on untrusted input, `__wakeup`/`__destruct` gadget chains evidence).\n* Unsafe file operations: `file_put_contents`, `move_uploaded_file`, `fopen`, `fwrite` con rutas controlables (path traversal).\n* Insecure file uploads (no valid mime/type checks, control del nombre del archivo, extensi\u00f3n permitida por input).\n* Cross-Site Scripting (reflected/stored) en outputs no escapados (echo/print/printf/?> ... <?php) con input directo.\n* CSRF: formularios o endpoints que cambian estado sin token/CSRF protection detectable en c\u00f3digo cliente/servidor.\n* Information leakage: exposici\u00f3n de credenciales/keys/secrets en c\u00f3digo fuente o logs (reportar solo si evidencia clara).\n* Insecure cookie/session handling: falta de `HttpOnly`/`Secure`/`SameSite`, uso inseguro de `session_start()` sin regenerar ID en privilegio escalation flows.\n* Header injection via `header()` con input no sanitizado.\n* Insecure use of `file_get_contents`, `fopen` con URL wrappers (`http://`, `php://`) sobre input no fiable.\n* Unsafe use of `extract($_REQUEST|$_GET|$_POST)` or `foreach($_REQUEST as ...)` que introducen variables controlables.\n* Unsafe dynamic includes/variable variables (`$$var`) y construcciones que permiten control de rutas o nombres de funciones.\n* Insecure direct object references (ID manipulation) detectables en l\u00f3gica cliente/servidor.\n* Cualquier otra construcci\u00f3n en PHP que permita flujo explotable desde entrada (GET/POST/Cookie/Headers) hacia un sink cr\u00edtico.\n\nEvidencia requerida por hallazgo:\n\n* `\"code\"` debe contener **breve** evidencia: l\u00ednea(s) y fragmento de c\u00f3digo que muestre la relaci\u00f3n entrada\u2192sink (por ejemplo: `45: $q = \"SELECT ...\". $_GET['id']; mysqli_query($conn, $q);`).\n* Debe incluir n\u00fameros de l\u00ednea precisos relativos al cuerpo analizado (si se trunc\u00f3, l\u00ednea contigua aproximada).\n* No incluir payloads ni instrucciones de explotaci\u00f3n.\n\nL\u00edmites operativos:\n\n* `max_iteraciones`: 50\n* tasa: <= 5 requests/s\n* timeout por request: 10s\n* timeout_total ejecuci\u00f3n: 300s\n* `checkpoint_interval`: 5\n* tama\u00f1o m\u00e1ximo por item: 20000 bytes (truncar)\n\nReglas firmes:\n\n* Nunca ejecutar el c\u00f3digo PHP obtenido ni incluir/require recursos remotos.\n* Nunca usar credenciales encontradas.\n* Todos los resultados deben ser \u00fanicos y distintos de la entrada.\n* No devolver nada fuera del JSON final.\n* Si la solicitud es ilegal u ofensiva, rechazar y devolver JSON vac\u00edo: `{\"results\": []}`.\n* No proporcionar pasos de explotaci\u00f3n, payloads, recomendaciones, ni metadatos adicionales.\n\nFormato de salida obligatorio (exacto, sin a\u00f1adidos). La \u00fanica respuesta final debe ser **\u00fanico** JSON v\u00e1lido que contenga solo esto:\n{\n\"results\": [\n{\n\"url\": \"<filename_or_url>\",\n\"code\": \"<breve: linea(s) y fragmento>\",\n\"severity\": \"low|medium|high|critical\",\n\"vuln\": \"<tipo de vulnerabilidad ejemplo (SQL Injection)>\"\n}\n]\n}\n\nSalida final: \u00fanica respuesta JSON v\u00e1lida que contenga s\u00f3lo el objeto anterior. Reportar \u00fanicamente vulnerabilidades explotables. Nada m\u00e1s."
},
"promptType": "define"
},
"typeVersion": 2.2
},
{
"id": "360827e6-bb5a-4a63-8341-f94836c86f97",
"name": "PHP File Fetch",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
760,
585
],
"parameters": {
"url": "={{ $('Input Form Trigger').item.json['Single File URL'] }}",
"options": {
"timeout": 20000
}
},
"typeVersion": 4.2
},
{
"id": "009e395f-e2e2-40fa-8070-b529ca507be4",
"name": "Format PHP Results",
"type": "n8n-nodes-base.code",
"onError": "continueRegularOutput",
"position": [
1170,
525
],
"parameters": {
"jsCode": "return items.map(item => {\n  let raw = item.json.output;\n\n  try {\n    if (typeof raw === 'string') {\n      raw = raw.trim();\n      if (raw.startsWith('{') === false) {\n        raw = raw.replace(/^\"+|\"+$/g, '').replace(/\\\\\"/g, '\"');\n      }\n      raw = JSON.parse(raw);\n    }\n  } catch (err) {\n    return {\n      json: { error: 'Invalid JSON input', message: err.message, raw: item.json.output }\n    };\n  }\n\n  return {\n    json: raw\n  };\n});\n"
},
"typeVersion": 2
},
{
"id": "abe7ad7f-9434-4ecd-b3f0-c787523131ec",
"name": "Split PHP Findings",
"type": "n8n-nodes-base.splitOut",
"position": [
1365,
510
],
"parameters": {
"options": [],
"fieldToSplitOut": "results"
},
"typeVersion": 1
},
{
"id": "2954ff90-a5e1-47f4-933b-6ffe4cef1077",
"name": "Filter PHP Blanks",
"type": "n8n-nodes-base.filter",
"onError": "continueRegularOutput",
"position": [
1585,
545
],
"parameters": {
"options": [],
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "cf2d9759-b91c-451f-b830-5f33d0c38fee",
"operator": {
"type": "string",
"operation": "exists",
"singleValue": true
},
"leftValue": "={{ $json.url }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "dce1e187-414a-49a4-9c65-5c46cacce354",
"name": "Build PHP HTML Table",
"type": "n8n-nodes-base.html",
"position": [
1795,
525
],
"parameters": {
"options": {
"capitalize": true
},
"operation": "convertToHtmlTable"
},
"typeVersion": 1.2
},
{
"id": "2116cf2c-df44-4479-b3e9-1c787910651d",
"name": "Compose PHP HTML",
"type": "n8n-nodes-base.html",
"position": [
1980,
555
],
"parameters": {
"html": "<style>\ntable {\n    width: 100%;\n    border-collapse: collapse;\n    font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n    box-shadow: 0 4px 20px rgba(0,0,0,0.1);\n    border-radius: 10px;\n    overflow: hidden;\n}\n\nthead th {\n    background-color: #1f78d1;\n    color: #ffffff;\n    text-align: left;\n    padding: 12px 15px;\n    font-size: 14px;\n    letter-spacing: 0.5px;\n}\n\ntbody tr {\n    background-color: #ffffff;\n    transition: background-color 0.3s ease;\n}\n\ntbody tr:nth-child(even) {\n    background-color: #f4f6f8;\n}\n\ntbody tr:hover {\n    background-color: #e1efff;\n}\n\ntbody td {\n    padding: 12px 15px;\n    font-size: 13px;\n    color: #333333;\n    border-bottom: 1px solid #e0e0e0;\n}\n\ntbody tr:last-child td {\n    border-bottom: none;\n}\n\n@media screen and (max-width: 768px) {\n    table {\n        display: block;\n        overflow-x: auto;\n        white-space: nowrap;\n    }\n}\n</style>\n\n{{ $json.table }}"
},
"typeVersion": 1.2
},
{
"id": "6c8f063d-f098-48de-932a-c06fb5897ebe",
"name": "Store PHP HTML Report",
"type": "n8n-nodes-base.googleDrive",
"position": [
2205,
535
],
"parameters": {
"name": "=PHP Single URL {{ (() => {const d=new Date();return `${String(d.getDate()).padStart(2,'0')}-${String(d.getMonth()+1).padStart(2,'0')}-${d.getFullYear()} (${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')})`;})() }}.html",
"content": "={{ $json.html }}",
"driveId": {
"__rl": true,
"mode": "list",
"value": "My Drive"
},
"options": [],
"folderId": {
"__rl": true,
"mode": "list",
"value": "root",
"cachedResultName": "/ (Root folder)"
},
"operation": "createFromText"
},
"credentials": {
"googleDriveOAuth2Api": {
"id": "credential-id",
"name": ""
}
},
"typeVersion": 3
},
{
"id": "48cf67e8-a491-4dca-b4f7-6234da633ae9",
"name": "OpenAI Python Model",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
755,
680
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": []
},
"credentials": {
"openAiApi": {
"id": "credential-id",
"name": ""
}
},
"typeVersion": 1.2
},
{
"id": "392421e5-6c85-4ab7-acf4-7cbebb169fed",
"name": "Python Security Agent",
"type": "@n8n/n8n-nodes-langchain.agent",
"onError": "continueRegularOutput",
"position": [
960,
780
],
"parameters": {
"text": "={{ $('Input Form Trigger').item.json['Single File URL'] }}",
"options": {
"systemMessage": "=Eres un agente automatizado de auditor\u00eda de seguridad con 20 a\u00f1os de experiencia en ciberseguridad y especialidad en Python. Sigue estas reglas sin excepci\u00f3n.\n\nEntrada: URL .py proporcionada por el usuario. Nunca acceder a URLs fuera de esa lista.\n\nObjetivo: detectar \u00fanicamente vulnerabilidades explotables en cada archivo .py y reportarlas en JSON exacto (esquema abajo). No expliques nada. No incluyas payloads, pasos de explotaci\u00f3n, recomendaciones ni metadatos adicionales.\n\nProcedimiento:\n\na. Hacer HTTP GET.\nb. Si status != 200 o body vac\u00edo \u2192 registrar internamente y continuar.\nc. Truncar body a 20000 bytes si es mayor.\nd. Parsear Python (AST + regex heur\u00edsticos).\ne. Detectar vulnerabilidades explotables. Buscar y priorizar hallazgos con evidencia de cadena de flujo taint (entrada \u2192 sink).\n\nPara cada hallazgo generar evidencia m\u00ednima: fragmento de c\u00f3digo y n\u00famero de l\u00ednea(s).\n\nGuardar checkpoint cada checkpoint_interval iteraciones.\n\nParar cuando: todas las URLs procesadas, alcanzado max_iteraciones o timeout_total.\n\nVulnerabilidades a detectar (no limitativo; s\u00f3lo reportar si hay evidencia explotable):\n\nRemote Code Execution via eval/exec/compile/importlib.exec_module/new module construction.\n\nCommand injection / shell injection via os.system, subprocess.call/Popen/run with shell=True o con argumentos concatenados.\n\nInsecure deserialization: pickle, cPickle, yaml.load (sin SafeLoader), marshal, jsonpickle u otros deserializadores inseguros.\n\nUnsafe use of subprocess with untrusted input.\n\nSQL injection en consultas construidas por string o f-strings hacia DB-APIs (execute, raw SQL en ORM).\n\nPath traversal / file overwrite via os.path.join/open con entradas controlables.\n\nServer-Side Template Injection (SSTI) en motores de plantillas usados de forma insegura (Jinja2.Template(...).render con input no saneado).\n\nCross-Site Request Forgery (CSRF) en endpoints/server-side handlers (faltan tokens CSRF en POST state-changing handlers) cuando sea detectable en c\u00f3digo.\n\nInsecure XML parsing / XXE via xml.etree, lxml, defusedxml no usado.\n\nServer-Side Request Forgery (SSRF) por requests/urllib llamadas con URLs controlables.\n\nInformation leakage de secretos (hardcoded keys/tokens) s\u00f3lo si comprobable en c\u00f3digo.\n\nInsecure use of tempfile / predictable filenames leading to TOCTOU.\n\nUnsafe dynamic import or attribute access (getattr import with user input).\n\nUse of insecure crypto primitives or misuse of crypto APIs that lead to exploitable weaknesses (por ejemplo, uso de ECB sin IV si es claramente inseguro y explotable).\n\nInsecure handling of JWTs, sessions, or auth tokens detectable en c\u00f3digo.\n\nInsecure use of eval/exec en f-strings o format con input externo.\n\nAny other server-side vulnerability where trazabilidad entrada\u2192sink es evidente.\n\nEvidencia y priorizaci\u00f3n:\n\nPriorizar hallazgos con cadena de flujo taint clara (input externo \u2192 procesamiento \u2192 sink).\n\nPara cada hallazgo incluir fragmento m\u00ednimo de c\u00f3digo y l\u00edneas afectadas.\n\nSeverity: medium|high|critical seg\u00fan impacto y facilidad de explotaci\u00f3n.\n\nL\u00edmites operativos:\n\nmax_iteraciones: 50\n\ntasa: <= 5 requests/s\n\ntimeout por request: 10s\n\ntimeout_total ejecuci\u00f3n: 300s\n\ncheckpoint_interval: 5\n\ntama\u00f1o m\u00e1ximo por item: 20000 bytes (truncar)\n\nReglas firmes:\n\nNunca usar credenciales encontradas.\n\nTodos los resultados deben ser \u00fanicos y distintos de la entrada.\n\nNo devolver nada fuera del JSON final.\n\nSi la solicitud es ilegal u ofensiva, rechazar y devolver JSON vac\u00edo: {\"results\": []}.\n\nNo incluir payloads, pasos, recomendaciones ni metadatos adicionales.\n\nFormato de salida obligatorio (exacto, sin a\u00f1adidos):\n{\n\"results\": [\n{\n\"url\": \"<filename_or_url>\",\n\"code\": \"<breve: linea(s) y fragmento>\",\n\"severity\": \"medium|high|critical\",\n\"vuln\": \"<tipo de vulnerabilidad ejemplo (RCE via eval/exec)>\"\n}\n]\n}\n\nSalida final: \u00fanica respuesta JSON v\u00e1lida que contenga solo el objeto anterior. Reportar \u00fanicamente vulnerabilidades explotables. Nada m\u00e1s."
},
"promptType": "define"
},
"typeVersion": 2.2
},
{
"id": "90e5e8c5-7608-41ea-8992-3f70e70114eb",
"name": "Python File Fetch",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
770,
865
],
"parameters": {
"url": "={{ $('Input Form Trigger').item.json['Single File URL'] }}",
"options": {
"timeout": 20000
}
},
"typeVersion": 4.2
},
{
"id": "b5a5a5af-5de7-4dca-b869-c6d42d5baba3",
"name": "Format Python Results",
"type": "n8n-nodes-base.code",
"onError": "continueRegularOutput",
"position": [
1175,
795
],
"parameters": {
"jsCode": "return items.map(item => {\n  let raw = item.json.output;\n\n  try {\n    if (typeof raw === 'string') {\n      raw = raw.trim();\n      if (raw.startsWith('{') === false) {\n        raw = raw.replace(/^\"+|\"+$/g, '').replace(/\\\\\"/g, '\"');\n      }\n      raw = JSON.parse(raw);\n    }\n  } catch (err) {\n    return {\n      json: { error: 'Invalid JSON input', message: err.message, raw: item.json.output }\n    };\n  }\n\n  return {\n    json: raw\n  };\n});\n"
},
"typeVersion": 2
},
{
"id": "44d18d07-1e5f-4037-97a8-24b4b5629abe",
"name": "Split Python Findings",
"type": "n8n-nodes-base.splitOut",
"position": [
1370,
780
],
"parameters": {
"options": [],
"fieldToSplitOut": "results"
},
"typeVersion": 1
},
{
"id": "6b911bfe-d17f-40b4-a88f-92d728f0ef8a",
"name": "Filter Python Blanks",
"type": "n8n-nodes-base.filter",
"onError": "continueRegularOutput",
"position": [
1590,
815
],
"parameters": {
"options": [],
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "cf2d9759-b91c-451f-b830-5f33d0c38fee",
"operator": {
"type": "string",
"operation": "exists",
"singleValue": true
},
"leftValue": "={{ $json.url }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "fc52a773-242d-4d21-b4a9-0e5843b1417b",
"name": "Build Python HTML Table",
"type": "n8n-nodes-base.html",
"position": [
1790,
795
],
"parameters": {
"options": {
"capitalize": true
},
"operation": "convertToHtmlTable"
},
"typeVersion": 1.2
},
{
"id": "34fa6102-9c34-477e-81de-cf1669cdf896",
"name": "Compose Python HTML",
"type": "n8n-nodes-base.html",
"position": [
1985,
825
],
"parameters": {
"html": "<style>\ntable {\n    width: 100%;\n    border-collapse: collapse;\n    font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n    box-shadow: 0 4px 20px rgba(0,0,0,0.1);\n    border-radius: 10px;\n    overflow: hidden;\n}\n\nthead th {\n    background-color: #1f78d1;\n    color: #ffffff;\n    text-align: left;\n    padding: 12px 15px;\n    font-size: 14px;\n    letter-spacing: 0.5px;\n}\n\ntbody tr {\n    background-color: #ffffff;\n    transition: background-color 0.3s ease;\n}\n\ntbody tr:nth-child(even) {\n    background-color: #f4f6f8;\n}\n\ntbody tr:hover {\n    background-color: #e1efff;\n}\n\ntbody td {\n    padding: 12px 15px;\n    font-size: 13px;\n    color: #333333;\n    border-bottom: 1px solid #e0e0e0;\n}\n\ntbody tr:last-child td {\n    border-bottom: none;\n}\n\n@media screen and (max-width: 768px) {\n    table {\n        display: block;\n        overflow-x: auto;\n        white-space: nowrap;\n    }\n}\n</style>\n\n{{ $json.table }}"
},
"typeVersion": 1.2
},
{
"id": "64798e6e-da1c-4906-9edd-2d683ed3f6c7",
"name": "Store Python HTML Report",
"type": "n8n-nodes-base.googleDrive",
"position": [
2195,
805
],
"parameters": {
"name": "=Python Single URL {{ (() => {const d=new Date();return `${String(d.getDate()).padStart(2,'0')}-${String(d.getMonth()+1).padStart(2,'0')}-${d.getFullYear()} (${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')})`;})() }}.html",
"content": "={{ $json.html }}",
"driveId": {
"__rl": true,
"mode": "list",
"value": "My Drive"
},
"options": [],
"folderId": {
"__rl": true,
"mode": "list",
"value": "root",
"cachedResultName": "/ (Root folder)"
},
"operation": "createFromText"
},
"credentials": {
"googleDriveOAuth2Api": {
"id": "credential-id",
"name": ""
}
},
"typeVersion": 3
}
],
"pinData": [],
"connections": {
"Input Form Trigger": {
"main": [
[
{
"node": "Split Analyzer Choice",
"type": "main",
"index": 0
}
]
]
},
"OpenAI PHP Model": {
"ai_languageModel": [
[
{
"node": "PHP Security Agent",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Route PHP Choice": {
"main": [
[
{
"node": "PHP Security Agent",
"type": "main",
"index": 0
}
]
]
},
"OpenAI Python Model": {
"ai_languageModel": [
[
{
"node": "Python Security Agent",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Route Python Choice": {
"main": [
[
{
"node": "Python Security Agent",
"type": "main",
"index": 0
}
]
]
},
"PHP File Fetch": {
"ai_tool": [
[
{
"node": "PHP Security Agent",
"type": "ai_tool",
"index": 0
}
]
]
},
"PHP Security Agent": {
"main": [
[
{
"node": "Format PHP Results",
"type": "main",
"index": 0
}
]
]
},
"Route JS Choice": {
"main": [
[
{
"node": "JS Security Agent",
"type": "main",
"index": 0
}
]
]
},
"OpenAI JS Model": {
"ai_languageModel": [
[
{
"node": "JS Security Agent",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Python File Fetch": {
"ai_tool": [
[
{
"node": "Python Security Agent",
"type": "ai_tool",
"index": 0
}
]
]
},
"Python Security Agent": {
"main": [
[
{
"node": "Format Python Results",
"type": "main",
"index": 0
}
]
]
},
"Format PHP Results": {
"main": [
[
{
"node": "Split PHP Findings",
"type": "main",
"index": 0
}
]
]
},
"Build PHP HTML Table": {
"main": [
[
{
"node": "Compose PHP HTML",
"type": "main",
"index": 0
}
]
]
},
"JS File Fetch": {
"ai_tool": [
[
{
"node": "JS Security Agent",
"type": "ai_tool",
"index": 0
}
]
]
},
"JS Security Agent": {
"main": [
[
{
"node": "Format JS Results",
"type": "main",
"index": 0
}
]
]
},
"Format Python Results": {
"main": [
[
{
"node": "Split Python Findings",
"type": "main",
"index": 0
}
]
]
},
"Build Python HTML Table": {
"main": [
[
{
"node": "Compose Python HTML",
"type": "main",
"index": 0
}
]
]
},
"Compose PHP HTML": {
"main": [
[
{
"node": "Store PHP HTML Report",
"type": "main",
"index": 0
}
]
]
},
"Filter PHP Blanks": {
"main": [
[
{
"node": "Build PHP HTML Table",
"type": "main",
"index": 0
}
]
]
},
"Split PHP Findings": {
"main": [
[
{
"node": "Filter PHP Blanks",
"type": "main",
"index": 0
}
]
]
},
"Compose Python HTML": {
"main": [
[
{
"node": "Store Python HTML Report",
"type": "main",
"index": 0
}
]
]
},
"Format JS Results": {
"main": [
[
{
"node": "Split JS Findings",
"type": "main",
"index": 0
}
]
]
},
"Filter Python Blanks": {
"main": [
[
{
"node": "Build Python HTML Table",
"type": "main",
"index": 0
}
]
]
},
"Split Python Findings": {
"main": [
[
{
"node": "Filter Python Blanks",
"type": "main",
"index": 0
}
]
]
},
"Build JS HTML Table": {
"main": [
[
{
"node": "Compose JS HTML",
"type": "main",
"index": 0
}
]
]
},
"Split Analyzer Choice": {
"main": [
[
{
"node": "Route Python Choice",
"type": "main",
"index": 0
},
{
"node": "Route PHP Choice",
"type": "main",
"index": 0
},
{
"node": "Route JS Choice",
"type": "main",
"index": 0
}
]
]
},
"Compose JS HTML": {
"main": [
[
{
"node": "Store JS HTML Report",
"type": "main",
"index": 0
}
]
]
},
"Filter JS Blanks": {
"main": [
[
{
"node": "Build JS HTML Table",
"type": "main",
"index": 0
}
]
]
},
"Split JS Findings": {
"main": [
[
{
"node": "Filter JS Blanks",
"type": "main",
"index": 0
}
]
]
}
}
}