create GTI modules

GoogleThreatIntelligence/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Unreleased

GoogleThreatIntelligence/Dockerfile

@@ -0,0 +1,16 @@
+FROM python:3.11
+
+WORKDIR /app
+
+RUN pip install poetry
+
+# Install dependencies
+COPY poetry.lock pyproject.toml /app/
+RUN poetry config virtualenvs.create false && poetry install --only main
+
+COPY . .
+
+RUN useradd -ms /bin/bash sekoiaio-runtime
+USER sekoiaio-runtime
+
+ENTRYPOINT [ "python", "./main.py" ]

GoogleThreatIntelligence/README.md

@@ -0,0 +1,56 @@
+# README
+
+## **Key Features**
+
+### 1. **Security Enhancements**
+- API key loaded from environment variable (`VT_API_KEY`)
+- Validation to prevent running with hardcoded keys
+- Proper file existence checks before scanning
+
+### 2. **Error Handling**
+- Try-catch blocks for all API calls
+- Specific exception handling for `vt.APIError`, `FileNotFoundError`, `IOError`
+- Detailed error logging and tracking
+- Graceful degradation when tests fail
+
+### 3. **Official vt-py Library Usage**
+- `client.scan_url()` for URL scanning
+- `client.scan_file()` for file scanning
+- `client.get_object()` for retrieving reports
+- `client.get_json()` for raw JSON responses
+- `client.iterator()` for paginated results
+- Proper context manager usage (`with vt.Client()`)
+
+### 4. **Structured Results**
+- `TestResult` dataclass for type-safe result storage
+- JSON output with detailed success/error information
+- Summary statistics at the end
+
+### 5. **Comprehensive Coverage**
+All your required actions are covered:
+- ✅ Scan File
+- ✅ Get IOC Report (IP, URL, domain, file)
+- ✅ Get Comments
+- ✅ Get Vulnerability Associations
+- ✅ Get File Sandbox Report
+- ✅ Scan URL
+- ✅ Get Passive DNS Data
+- ✅ Get Vulnerability Report
+
+## **Usage**
+
+```bash
+# Install vt-py
+pip install vt-py
+
+# Set your API key
+export VT_API_KEY='your_actual_api_key'
+
+# Run the script
+python script.py
+
+# Optional: test with a file
+# Modify main() to include: tester.run_all_tests(test_file_path="your_file.png")
+```
+
+The script will generate `vt_test_results.json` with detailed results and print a summary to the console.

GoogleThreatIntelligence/action_get_comments.json

@@ -0,0 +1,109 @@
+{
+  "uuid": "a8e3b5f1-3f4a-4b2d-8f7e-1b2f6c9d5e11",
+  "name": "Get Comments",
+  "description": "Retrieve recent comments associated with a domain or IP from Google Threat Intelligence",
+  "docker_parameters": "get_comments",
+  "arguments": {
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "type": "object",
+    "properties": {
+      "ip": {
+        "type": "string",
+        "description": "IP address to query (e.g., 8.8.8.8)",
+        "pattern": "^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$"
+      },
+      "domain": {
+        "type": "string",
+        "description": "Domain name to query (e.g., google.com)",
+        "pattern": "^[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9]?\\.[a-zA-Z]{2,}$"
+      },
+      "url": {
+        "type": "string",
+        "description": "URL to query (e.g., https://example.com/path)",
+        "format": "uri"
+      },
+      "file_hash": {
+        "type": "string",
+        "description": "File hash to query (MD5, SHA1, or SHA256)",
+        "pattern": "^[a-fA-F0-9]{32}$|^[a-fA-F0-9]{40}$|^[a-fA-F0-9]{64}$"
+      }
+    },
+    "oneOf": [
+      {"required": ["ip"]},
+      {"required": ["domain"]},
+      {"required": ["url"]},
+      {"required": ["file_hash"]}
+    ]
+  },
+  "results": {
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "type": "object",
+    "title": "Get Comments Results",
+    "properties": {
+      "success": { "type": "boolean" },
+      "data": {
+        "type": "object",
+        "description": "Container for the comments data",
+        "properties": {
+          "comments_count": {
+            "type": "integer",
+            "description": "Total number of comments retrieved"
+          },
+          "entity": {
+            "type": "string",
+            "description": "The entity (domain, IP, URL, or file hash) that was queried"
+          },
+          "comments": {
+            "type": "array",
+            "description": "Array of comment objects",
+            "items": {
+              "type": "object",
+              "properties": {
+                "type": {
+                  "type": "string",
+                  "description": "Type of the object (always 'comment')",
+                  "enum": ["comment"]
+                },
+                "id": {
+                  "type": "string",
+                  "description": "Unique identifier for the comment"
+                },
+                "text": {
+                  "type": "string",
+                  "description": "The comment text content"
+                },
+                "date": {
+                  "type": ["integer", "string"],
+                  "description": "Comment timestamp (Unix timestamp or ISO 8601 string)"
+                },
+                "votes": {
+                  "type": "object",
+                  "description": "Vote statistics for the comment",
+                  "properties": {
+                    "positive": {
+                      "type": "integer",
+                      "description": "Number of positive votes"
+                    },
+                    "negative": {
+                      "type": "integer",
+                      "description": "Number of negative votes"
+                    }
+                  },
+                  "required": ["positive", "negative"]
+                },
+                "author": {
+                  "type": ["string", "null"],
+                  "description": "Username of the comment author (may be null for anonymous)"
+                }
+              },
+              "required": ["text", "date", "votes"]
+            }
+          }
+        },
+        "required": ["comments_count", "entity", "comments"]
+      }
+
+    }
+  },
+  "slug": "get_comments_in_gti"
+}