DEV Community: Raghava Chellu

Omni Security & Intelligence Python Library AI · MFT · GCS · CyberSecurity · Internet

Raghava Chellu — Tue, 03 Mar 2026 00:15:55 +0000

OmniSec is a unified Python library that brings together five essential domains under one consistent API:

Module Description

This platform combines AI-driven intelligence, secure file transfer, cloud storage integration, and advanced security analysis into a unified enterprise solution. It leverages the Claude API for text analysis, classification, summarization, and automated threat reporting. Managed File Transfer (MFT) is supported over SFTP/FTPS with AES-256 encryption and detailed audit logging to ensure secure and compliant data exchange. Native integration with Google Cloud Storage enables uploads, downloads, signed URLs, and metadata management. The security engine provides hashing, AES/RSA encryption, password analysis, IoC extraction, and header scoring. Additionally, built-in network capabilities such as HTTP client operations, DNS analysis, port scanning, SSL inspection, and IP geolocation enable comprehensive monitoring and threat assessment.

Installation

Base install

pip install omnisec

With specific extras

pip install omnisec[ai]        # Anthropic Claude support
pip install omnisec[mft]       # SFTP + AES encryption
pip install omnisec[gcs]       # Google Cloud Storage
pip install omnisec[security]  # Full cryptography suite
pip install omnisec[internet]  # HTTP + DNS support
pip install omnisec[all]       # Everything

Quick Start

import omnisec

# ── AI Engine ──────────────────────────────────────────────────
engine = omnisec.AIEngine(api_key="your-anthropic-key")

summary = engine.summarize("Long document text...", max_sentences=3)
labels  = engine.classify("Suspicious email body", ["phishing", "spam", "legitimate"])
threat  = engine.analyze_security_log("Failed SSH from 10.0.0.5 - 50 attempts")

print(threat)
# {
#   "threat_level": "high",
#   "threat_type": "brute_force",
#   "indicators": ["10.0.0.5", "SSH port 22", "50 failed attempts"],
#   "recommendation": "Block IP 10.0.0.5 and enable fail2ban",
#   "summary": "Brute-force SSH attack detected from 10.0.0.5"
# }

── MFT Client ──

with omnisec.MFTClient(
    host="sftp.example.com",
    username="user",
    key_path="~/.ssh/id_rsa",
    encrypt_transfers=True,
) as mft:
    record = mft.upload("report.pdf", "/remote/reports/report.pdf")
    print(f"SHA-256: {record.sha256}")
    mft.export_audit_csv("audit.csv")


# ── GCS Client ──

gcs = omnisec.GCSClient(project="my-project", bucket="my-bucket")
gcs.upload("local/data.csv", "datasets/data.csv")
url = gcs.signed_url("datasets/data.csv", expiry_minutes=60)
objects = gcs.list_objects(prefix="datasets/")


# ── Security Toolkit ──

sec = omnisec.SecurityToolkit()


# Hashing

h = sec.hash("password123", "sha256")
file_hash = sec.hash_file("/var/log/syslog", "sha512")


# AES-256-GCM Encryption

key, nonce, ct = sec.aes_encrypt(b"sensitive data")
plaintext = sec.aes_decrypt(key, nonce, ct)


# String encryption

enc = sec.aes_encrypt_string("top secret message")
plain = sec.aes_decrypt_string(enc)

# Password tools

pwd = sec.generate_password(length=20, use_symbols=True)
strength = sec.check_password_strength("P@ssw0rd!")
print(strength)


# {"score": 72, "strength": "good", "feedback": ["Add uppercase letters."]}

# IoC extraction

iocs = sec.extract_iocs("Malware from 192.168.1.50 hit CVE-2023-1234 via evil.com")
print(iocs["cves"]) # ['CVE-2023-1234']
print(iocs["ipv4"]) # ['192.168.1.50']
print(iocs["domains"]) # ['evil.com']


# Security header analysis

headers = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"}
analysis = sec.analyze_headers(headers)
print(f"Score: {analysis['score']}/100 Grade: {analysis['grade']}")

# PBKDF2 password hashing

h, salt = sec.pbkdf2_hash("mypassword")
assert sec.pbkdf2_verify("mypassword", h, salt)


# ── Internet Toolkit ──

net = omnisec.InternetToolkit(timeout=10, retries=3)

# HTTP

resp = net.get("https://api.ipify.org?format=json")
print(resp["json"]["ip"])

# Port scanning

result = net.port_scan("192.168.1.1", ports=[22, 80, 443, 3306])
for p in result["open_ports"]:
print(f" {p['port']}/TCP {p['service']}")


# SSL inspection

cert = net.ssl_info("google.com")
print(f"Expires in {cert['days_remaining']} days")
print(f"Issuer: {cert['issuer'].get('organizationName')}")

# DNS

records = net.dns_resolve("example.com", "A")
hostname = net.reverse_dns("8.8.8.8")

# IP intelligence

info = net.ip_info("8.8.8.8")
print(f"{info['org']} — {info['city']}, {info['country']}")

# URL monitoring

statuses = net.monitor_urls(["https://google.com", "https://github.com"])
for s in statuses:
status = "YES" if s["ok"] else "NO"
print(f"{status} {s['url']} {s['elapsed_ms']}ms")
CLI Usage


# Hash a string

omnisec hash sha256 "hello world"


# Generate a secure password

omnisec password generate --length 24


# Check password strength

omnisec password check "P@ssword123!"

# Port scan

omnisec port-scan 192.168.1.1 --ports 22 80 443 3306 5432

# SSL certificate info

omnisec ssl-info google.com

# IP geolocation

omnisec ip-info 8.8.8.8

# DNS lookup

omnisec dns google.com --type MX

# URL availability check

omnisec ping https://example.com

# Extract IoCs from text

omnisec extract-iocs "Attack from 10.0.0.1 via CVE-2024-1234"
Configuration
from omnisec import OmniConfig

# Programmatic configuration

cfg = OmniConfig(
ai_model="claude-sonnet-4-6",
gcs_bucket="my-bucket",
mft_host="sftp.example.com",
net_timeout=15,
)
cfg.save("omnisec.json")

# Reload from file

cfg = OmniConfig.load("omnisec.json")

# Environment variables (auto-detected)
# ANTHROPIC_API_KEY, GOOGLE_CLOUD_PROJECT, OMNISEC_GCS_BUCKET,
# OMNISEC_MFT_HOST, OMNISEC_NET_TIMEOUT, etc.

Project Structure
omnisec/
├── omnisec/
│ ├── init.py # Top-level exports
│ ├── cli.py # CLI entry point
│ ├── core/
│ │ ├── config.py # Centralised OmniConfig
│ │ └── logger.py # Structured colour logger
│ ├── ai/
│ │ └── init.py # AIEngine (Claude API)
│ ├── mft/
│ │ └── init.py # MFTClient (SFTP/FTPS + AES)
│ ├── gcs/
│ │ └── init.py # GCSClient (Google Cloud Storage)
│ ├── security/
│ │ └── init.py # SecurityToolkit (crypto + threat intel)
│ └── internet/
│ └── init.py # InternetToolkit (HTTP + DNS + scanning)
├── tests/
│ ├── test_security.py
│ ├── test_internet.py
│ └── test_mft.py
├── examples/
│ ├── ai_demo.py
│ ├── mft_demo.py
│ ├── gcs_demo.py
│ ├── security_demo.py
│ └── internet_demo.py
├── setup.py
├── pyproject.toml
└── README.md


Running Tests

pip install omnisec[all] pytest
pytest tests/ -v

# License

MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Contributing
Pull requests are welcome. For major changes, open an issue first. Please ensure all tests pass and new features include docstrings and examples.

agentic‑bq — Guardrails for Agents Querying BigQuery

Raghava Chellu — Mon, 23 Feb 2026 02:48:39 +0000

Why I Built This

Large‑language‑model agents love data. Give them access to your enterprise warehouse and they’ll start generating SQL faster than any analyst.

That’s exciting — until an agent decides to run a DELETE FROM across an entire dataset or a multi‑terabyte query that costs hundreds of dollars.

To keep LLMs productive but safe, you need a BigQuery client with built‑in constraints, cost checks, and auditability.

Meet agentic‑bq.

What It Is

agentic‑bq is an agent‑safe BigQuery client that injects common‑sense guardrails for AI‑driven data access.

pip install agentic-bq

Features

The agentic‑bq library delivers a complete safety layer for AI agents that interact with BigQuery. It enforces parameterized queries to eliminate risky string concatenation and SQL injection, ensuring that every query uses bound parameters for predictability and security. A powerful denylist engine automatically blocks destructive SQL verbs like DROP, DELETE, ALTER, or TRUNCATE, shielding enterprise datasets from unintended modifications. To prevent resource exhaustion, agentic‑bq injects or overrides a LIMIT N clause on any SELECT statement, keeping query sizes manageable. Before execution, it performs a dry‑run cost check to estimate bytes processed and prevent agents from triggering expensive scans, giving you clear visibility into potential spend. For downstream orchestration, results are returned in clean, agent‑readable JSON, making it easy to chain outputs into other LLM tools or workflows. Finally, the client offers audit‑ready structured logging, enabling full traceability and compliance reporting whenever an agent issues a query. Together, these features turn BigQuery into a controlled, cost‑aware, and secure environment for agentic AI operations.

Getting Started

pip install agentic-bq

from agentic_bq import AgenticBQ

bq = AgenticBQ(project="my-gcp-project")

query = """
SELECT name, total_sales
FROM retail_dataset.sales
WHERE region = @region
ORDER BY total_sales DESC
"""

params = {"region": "US"}

result = bq.safe_query(query, params=params, limit=100)
print(result.to_json())

Use cases

The agentic‑bq library unlocks several practical use cases for organizations building AI agents that interact with enterprise data warehouses like BigQuery.

A LLM data assistant can safely execute parameterized SELECT queries without risking SQL injection or schema damage, allowing natural‑language agents to explore structured data securely. For FinOps‑aware data agents, agentic‑bq’s built‑in dry‑run checks estimate bytes processed before execution, so expensive queries can be blocked or re‑routed to summary tables, protecting cloud budgets in real time. Compliance data bots benefit from the library’s audit‑ready logging and denylist enforcement—every query structure, parameter, and cost estimate can be recorded automatically for governance or internal review. Finally, teams exposing enterprise analytics APIs can front BigQuery with an agentic‑bq layer to ensure every API‑generated query follows consistent safety, cost, and logging policies—giving external or internal agents controlled, policy‑compliant access to corporate data.

In a single call:

dynamic parameters are safely bound,
a LIMIT 100 is injected if missing,
any forbidden statements trigger an exception,
a dry‑run is performed to measure cost (bytes processed),
then the job executes only if safe.

Under the Hood

Wraps Google Cloud BigQuery Python Client
Uses BigQuery’s QueryJobConfig(dry_run=True) for cost estimation
Enforces SQL‑level regex guards before submission
Applies automatic row limits and parameter binding
Exposes results via pandas, JSON, or Pydantic‑style objects
Supports async execution for agent pipelines

Built for LLM Agents

When integrated into an agent framework (LangChain, CrewAI, AutoGen):

tool("bq_query", bq.safe_query, description="Run cost‑controlled BigQuery SQL")

Agents can then generate queries freely within your safety envelope.
You keep cost, security, and data integrity under control.

Example: Dry‑Run Validation

info = bq.dry_run(
    "SELECT COUNT(*) FROM massive_table"
)
print(f"Estimated bytes processed: {info.estimated_bytes_processed/1e9:.2f} GB")

Output before execution might read:

Estimated bytes processed: 3.25 GB
That number lets you cap budgets or throttle agent jobs dynamically.

Configuration

bq = AgenticBQ(
    project="my-project",
    max_cost_gb=5,          # deny if > 5 GB processed
    enforce_limit=200,      # default limit
    denylist=["DELETE", "DROP", "UPDATE"],
    log_dir="/var/log/agentic_bq"
)

Security Model

No ad‑hoc string execution
Fully parameterized queries
Pre‑execution dry runs to detect cost risk
Optional IAM role binding per agent service account

Design Principles

Least Privilege for Data Agents
Predictable Cost Profiles
Composability  – works as a drop‑in LangChain tool
Transparency  – logs intent before execution

Publishing (Developers)

python3 -m venv .venv
source .venv/bin/activate
pip install --upgrade build twine
python -m build
twine upload --repository testpypi dist/*
twine upload dist/*

Future Roadmap

v0.1 – Parameter binding + LIMIT enforcement
v0.2 – Async API support
v0.3 – Adaptive budgeting via BigQuery reservations API
v0.4 – LLM query explain‑plan visualizer
v1.0 – Production stability and OpenTelemetry metrics

 Closing Thought

LLMs are evolving into full‑blown data agents.
With agentic‑bq, you can let them explore BigQuery freely — without risking your budget, your data, or your sleep.

pip install agentic-bq

Bringing Async MCP to Google Cloud Run — Introducing cloudrun-mcp

Raghava Chellu — Mon, 23 Feb 2026 02:19:20 +0000

Bringing Async MCP to Google Cloud Run — Introducing cloudrun-mcp

When you design distributed AI or agentic workloads on Google Cloud’s Cloud Run, you often juggle three recurring problems:

How to authenticate workloads securely
How to maintain long-lived, event-driven sessions
How to stream model context data efficiently without blocking threads

cloudrun-mcp solves all three in one lightweight Python SDK.

What is MCP (Model Context Protocol)?

MCP — Model Context Protocol is an emerging open standard for exchanging context between AI models, tools, and environments.

Think of it as “WebSockets for AI knowledge.”

Instead of hardcoding API calls, your model connects to an MCP server and streams structured events such as:

context.create
document.attach
agent.reply

For developers deploying AI agents on Cloud Run, GKE, or hybrid workloads, an async client is essential for scalability.

Introducing cloudrun-mcp

Async MCP (Model Context Protocol) client for Cloud Run.

Built by Raghava Chellu (February 2026), cloudrun-mcp brings:

First-class async streaming
Automatic Cloud Run authentication
Agentic-AI-friendly APIs

to your production workloads.

How It Works

Under the hood:

The client uses aiohttp to maintain an HTTP/1.1 keep-alive streaming session.
Inside Cloud Run, it queries the metadata service to obtain a signed JWT:

http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=<your-audience>

Each event from the MCP server arrives as a Server-Sent Event (SSE).
The SDK yields events as a Python async iterator, ready for real-time AI reasoning loops.

Installation

pip install cloudrun-mcp

Requirements

Python ≥ 3.10
Deployed on GCP (Cloud Run / GKE / GCE) with metadata-server access

Usage Example

import asyncio
from cloudrun_mcp import MCPClient

async def main():
    client = MCPClient(base_url="https://your-mcp-server.run.app")

    async for event in client.events():
        print(event)

asyncio.run(main())

Typical Output Stream

{"event":"context.create","status":"ok"}
{"event":"model.response","content":"42"}
{"event":"model.done"}

That’s it — you’ve connected an async agent running on Cloud Run to an MCP backend and are receiving real-time context updates.

Why Async MCP Matters

AI workloads are evolving from simple request-response APIs to long-running reasoning graphs.

Synchronous I/O becomes a bottleneck.

cloudrun-mcp leverages Python’s asyncio to keep event loops responsive across:

Streaming token generation
Function-calling orchestration
Multi-model chains

It’s especially powerful for Agentic AI, where orchestrators consume continuous model context (tool outputs, planning updates, memory events).

Authentication Deep Dive

The SDK automatically:

Discovers the metadata endpoint
Retrieves an ID token targeting your MCP server
Injects it into request headers

Authorization: Bearer <token>

Refreshes tokens every ~55 minutes

No OAuth flows.
No key.json files.
Perfect for production micro-agents.

Streaming with Back-Pressure Control

async for event in client.events(buffer=32):
    await handle_event(event)

Typical Deployment Pattern

[MCP Clients] <--SSE--> [cloudrun-mcp SDK] <--Auth--> [Cloud Run Service]
         \
          ↳ [Agent Processors / Vector DB / PubSub Pipelines]

cloudrun-mcp acts as the async bridge between Cloud identity and AI reasoning streams.

Real-World Use Cases

Event-Driven AI Agents

Agents listening to MCP streams and triggering workflows automatically.

🔹 LLM Orchestration Pipelines

Streaming intermediate reasoning steps to dashboards.

🔹 IoT Telemetry Ingestion

Continuous SSE device streams pushed to Pub/Sub.

🔹 Hybrid Edge Inference

Bridge local MCP hubs with Cloud Run decision services.

Design Philosophy

The SDK follows three principles:

Async First — built entirely on asyncio
Zero Secrets — uses Workload Identity exclusively
Agentic Friendly — integrates with frameworks like LangChain or CrewAI

SentinelMFT: AI-Powered Secure File Transfer & Network Firewall for Google Cloud

Raghava Chellu — Sun, 14 Sep 2025 18:19:43 +0000

Overview

sentinelmft is a Python library and CLI tool that provides secure, intelligent, and policy-driven file transfers across cloud and on-prem networks. It integrates Google Cloud services (GCS, Pub/Sub, Secret Manager) with AI-driven anomaly detection, cryptography (AES-256 + RSA), and a software-defined firewall layer for transfer sessions.

It’s like combining MFT + Firewall + AI Monitoring into one lightweight Python package.

Key Features

Security & Cryptography

AES-256-GCM encryption for file transfers.
RSA/ECC for key exchange.
Envelope encryption with Google Cloud KMS.
Secure token & secret retrieval from Secret Manager.

Managed File Transfer

Upload/download between GCS, databases, and local servers.
Policy-based transfer rules (size limits, allowed MIME types).
Scheduled/triggered transfers with Cloud Scheduler + Pub/Sub.
Retry, resumable transfers, and logging to BigQuery.

AI & Cybersecurity

Anomaly detection on transfer logs (Isolation Forest/Random Forest).
Predictive modeling of transfer times and failures.
AI-driven firewall rules — detect unusual IPs, ports, or traffic spikes.
Auto-block suspicious transfers and alert via Pub/Sub or Slack webhook.

Firewall + Network Layer

Lightweight Python-based firewall for transfer sessions (IP whitelisting, geofencing).
Logs connection attempts into BigQuery or Postgres.
AI engine detects brute force or abnormal packet patterns.

Database Security Integration

Secure transfer of database dumps (MySQL, Postgres) to GCS with encryption.
Verify dump integrity using digital signatures (SHA-256/ECDSA).
Auto-cleanup + lifecycle policies for compliance.

Example Usage

# Install
pip install sentinelmft

from sentinelmft import TransferManager, FirewallAI

# Transfer a file to GCS with encryption
tm = TransferManager()
tm.upload_secure("backup.sql", "my-bucket", "secure/backup.sql")

# Predict transfer time
print("Estimated time:", tm.predict_transfer_time("backup.sql"))

# Run AI firewall check
fw = FirewallAI()
if fw.is_suspicious("192.168.1.10"):
    print("Blocked suspicious IP!")

CLI

# Encrypt & transfer
sentinelmft transfer --src backup.sql --dst gs://my-bucket/secure/ --encrypt

# Train AI anomaly model
sentinelmft ai-train --logfile transfers.csv

# Run firewall in learning mode
sentinelmft firewall --mode ai

Tech Stack

Python 3.9+
Google Cloud SDKs (google-cloud-storage, google-cloud-secret-manager)
Cryptography (cryptography package)
AI/ML (scikit-learn, pandas)
Database (psycopg2, sqlalchemy)
Firewall (scapy or pydivert for traffic inspection)

Use Cases

Enterprises needing AI-driven MFT + firewall in one tool.
Healthcare/Finance — secure regulated data transfers with compliance logs.
DevOps — push encrypted DB backups to GCS + anomaly detection.
IoT/Edge — secure telemetry file transfer with auto-blocking of rogue nodes.

Why It’s Unique

Unlike typical MFT tools, sentinelmft combines:
File transfer + cryptography + AI predictions + firewall protection
Works across cloud + on-prem + databases
Provides a single package for security, automation, and intelligence

License

Copyright (c) 2025 Raghava Chellu

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

AI Meets Managed File Transfer: gcp-mft-ai for Google Cloud Storage, Filestore & STS

Raghava Chellu — Sun, 14 Sep 2025 18:08:39 +0000

Overview

AI-powered Managed File Transfer for Google Cloud (GCS, Filestore, Storage Transfer Service)

gcp-mft-ai is an open-source, production-grade Python library that transforms traditional file transfers on Google Cloud Platform (GCP) into intelligent, ML-optimized, secure operations.

It automates, predicts, protects, and optimizes file movement across:

Google Cloud Storage (GCS)
Cloud Filestore (NFS-based File System)
Storage Transfer Service (STS API)
Designed for large-scale enterprises, DevOps engineers, and AI/ML pipelines, gcp-mft-ai brings the future of AI-enhanced Managed File Transfer (MFT) into your cloud workflows.

Features

Upload/download large files intelligently
AES-256 encryption support
Predict transfer time with ML
Optimize best transfer windows
Detect anomalies in transfer logs

Core Capabilities

Multi-Service MFT: GCS bucket transfers, Filestore filesystem moves, GCP Storage Transfer Service orchestration
Encryption at Source: AES-256-GCM authenticated encryption (optional per transfer)
ML-Based Transfer Time Prediction: Predict upload/download times using Linear Regression or Random Forest models
Anomaly Detection: Identify unusual slowdowns, spikes, or transfer errors automatically using Isolation Forest
Transfer Window Optimization: Find the best network window (hour of day) to minimize congestion and maximize throughput
Resilient Transfers: Automatic retries, resumable uploads for large objects, GCP API throttling handling
Config-Driven Automation: Manage all settings via simple YAML or JSON configuration files

Internal Architecture

GCS Transfers: Built atop the google-cloud-storage SDK for resumable, secure, and reliable object transfers.

Filestore Transfers: Abstracted over NFS filesystem mounts, allowing simple shutil-based secure moves between instances or buckets.

Storage Transfer Service API: Dynamically creates and monitors cloud-to-cloud transfer jobs via authenticated REST API calls (fully IAM compliant).

Prediction Engine:
i) Trained on historical transfer data (file_size_mb, transfer_time_sec)supports
ii) Linear Regression (lightweight, fast)
iii) Random Forest (higher-accuracy, non-linear patterns)

Anomaly Detection: Isolation Forest model isolates unusual file size vs time behavior — flagging spikes, failures, and risks early.

Encryption Layer: AES-256 encryption with GCM mode ensures data integrity and confidentiality before movement.

Optimization Layer: Hour-by-hour analysis of historical transfer speeds to recommend the best operational windows.

Security-First Design

Encryption: Native AES-256-GCM encryption/decryption for any file before or after cloud storage.

Token Management: Secure OAuth2 token usage for Storage Transfer Service API access.

No plaintext secrets: Designed for service account usage via environment or config.

Usage Overview

Upload to GCS: upload_to_gcs(source_path, bucket, destination_path)
Download from GCS: download_from_gcs(blob_name, bucket, destination_path)
Upload to Filestore: upload_to_filestore(source_path, mount_point, relative_path)
Launch Storage Transfer Job: launch_storage_transfer_job(source_bucket, destination_bucket, project_id)
Predict Transfer Time: predict_transfer_time(file_size_mb)
Detect Anomalies: detect_transfer_anomalies(csv_log_path)
Find Best Transfer Window: find_best_transfer_window(csv_log_path)

Real-World Use Cases

Media & Entertainment: Migrate large UHD videos to GCS for editing pipelines
AI/ML Model Training: Transfer terabyte datasets securely and predictably to TPU training zones
Backup & Disaster Recovery: Automate and encrypt cross-region backup uploads with anomaly alerting
Healthcare & Finance: Securely move critical records across cloud environments with end-to-end encryption
Retail Analytics: Optimize massive log file ingestion pipelines to GCP data lakes

Technology Stack

Python 3.7+
Google Cloud SDKs (google-cloud-storage, requests)
Cryptography (AES-256-GCM secure cipher)
scikit-learn (ML Models: Linear Regression, Random Forest, Isolation Forest)
pandas (Data preparation for ML)
pyyaml (Config loading)
joblib (Model persistence)

MIT License

Author: Raghava Chellu

MIT License is freely usable for academic, personal, and commercial projects.

Installation

pip install gcp-mft-ai
Deployment Readiness
PyPI-ready (setup.py, pyproject.toml)

Full unit testing (unittest framework)

Full documentation (README.md, examples/)

Cloud deployment friendly (Docker/CI/CD pipelines)

Conclusion

Traditional file transfers are simple. Modern file transfers must be intelligent, secure, and predictive. gcp-mft-ai brings cutting-edge AI and cloud-native automation to Managed File Transfer on Google Cloud securing your data, optimizing your operations, and helping you move smarter, stronger, and faster.

vaultlock-py: Unified Secret Management & Encryption for GCP and HashiCorp Vault

Raghava Chellu — Sun, 14 Sep 2025 17:58:24 +0000

Overview

vaultlock-py is a secure Python library designed to unify and simplify secret management, cryptographic key handling, and secure operations across Google Cloud Secret Manager, Google Cloud KMS, and HashiCorp Vault.

Built with DevSecOps, cloud-native security, and modern cryptographic best practices in mind, this library allows Python developers and cloud engineers to lock down secrets, encrypt sensitive data, and securely integrate external key management systems into their apps or CI/CD pipelines.

Features

vaultlock-py offers a powerful and unified key management interface that allows developers to manage, rotate, and retrieve secrets securely across platforms such as Google Cloud Secret Manager, HashiCorp Vault, and Google Cloud KMS. It supports end-to-end encryption using robust standards like AES-256, and enables envelope encryption with cloud-managed keys for enhanced security. The library includes a suite of command-line tools that make it easy to encrypt and decrypt files, manage secrets, and validate secure access from any environment. Designed with compliance and traceability in mind, vaultlock-py provides audit-friendly logging and access visibility, making it ideal for regulated environments. Its modular and extensible architecture ensures that users can selectively adopt components based on their infrastructure needs, whether they're working solely with Vault, KMS, or Secret Manager. Built with cloud-native principles, the library integrates seamlessly into modern CI/CD pipelines, Kubernetes clusters, and cloud-based applications.

Use Cases

Encrypting sensitive config files before storage.
Centralized secret retrieval in production microservices.
Secure data exchange across cloud environments.
Building compliance-aware automation for regulated industries.

Technologies Used

Google Cloud Secret Manager
HashiCorp Vault
Google Cloud KMS
HashiCorp Vault via hvac library
Python 3.8+
Follows PEP 621 and pyproject.toml standards
Designed for use in CI/CD and container environments

Installation

pip install vaultlock-py

CLI Usage

python -m vaultlock.cli --mode gcp --action create --project_id=my-project --path=my-secret --value=secret123

License

This README provides an overview, installation, usage examples (CLI and code), and a brief mention of how it works and license. In an actual project, one might expand the README with troubleshooting tips or more details on authentication.

MIT License

Copyright (c) 2025 Raghava Chellu

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

PyPI Link:

[![PyPI Downloads](https://static.pepy.tech/personalized-badge/vaultlock-py?period=total&units=INTERNATIONAL_SYSTEM&left_color=BLACK&right_color=GREEN&left_text=downloads)](https://pepy.tech/projects/vaultlock-py)

netcryptx: Secure Socket Communication & Encrypted Tunneling for Python

Raghava Chellu — Sun, 14 Sep 2025 17:52:02 +0000

Overview

In today’s distributed systems and cloud-native apps, data-in-transit security is no longer optional — it’s mandatory. Whether you’re sending files, running IoT services, or just building a secure messaging protocol, you need encryption that’s easy to set up and hard to break.

That’s why I built netcrypt, a Python library for encrypted sockets and tunneling. It combines the simplicity of Python sockets with the strength of AES and RSA encryption, making it easier than ever to secure your networked applications.

Features

AES & Fernet Encryption — fast symmetric encryption for secure data-in-transit.
RSA Key Generation — asymmetric encryption support for key exchange & signing.
Encrypted TCP Sockets — secure client-server communication with minimal boilerplate.
Secure Tunneling — simple CLI to spin up encrypted tunnels (client/server).
Threaded Mode — run tunnels in the background for persistent services.
CLI Tools — manage keys, tunnels, and sessions directly from the terminal.

Installation

pip install netcryptx

Usage Examples

Generate AES Key
netcryptx keygen --generate --keyfile aes.key

Start a Secure Tunnel

Server:

netcryptx tunnel --mode server --keyfile aes.key --host 0.0.0.0 --port 9000

Client:

netcryptx tunnel --mode client --keyfile aes.key --host 127.0.0.1 --port 9000

Generate RSA Key Pair

netcryptx rsagen --out-private rsa_private.pem --out-public rsa_public.pem

Project Structure

netcryptx/
├── encryptors.py     # AES, RSA, Fernet encryption logic
├── key_manager.py    # Key handling & persistence
├── sockets.py        # Secure socket wrappers
├── tunnel.py         # Encrypted tunnel orchestration
├── cli.py            # Command-line interface
└── __init__.py

Run Tests

pytest tests/

Why Use netcryptx?

Secure-by-default — avoids insecure defaults, ships with AES-256 and RSA baked in.
Developer-friendly — run tunnels or manage keys with one-liners.
Lightweight — no heavy external dependencies, just clean Python.
Versatile — works for IoT devices, cloud services, or local dev setups.

License

MIT © 2025 Raghava Chellu

Installation

pip install netcryptx

Bringing Blockchain-Grade Security to IoT and Edge Systems with nanoedge-pki

Raghava Chellu — Sun, 14 Sep 2025 17:42:55 +0000

Overview

NanoEdge PKI is a high-performance, compact, and purpose-built cryptographic library that brings secure public key infrastructure (PKI) capabilities to environments where traditional security libraries may be too large or inefficient. This library is specifically optimized for resource-constrained devices, such as Internet of Things (IoT) sensors, edge gateways, wearables, industrial embedded systems, and nano-scale computing units that are increasingly deployed in the modern digital ecosystem.

As the need for decentralized, secure communication continues to grow—especially in smart manufacturing, healthcare, agriculture, and automotive telemetry—systems must exchange sensitive data without relying on centralized trust or powerful CPUs. nanoedge-pki helps bridge this gap by enabling each device to authenticate, sign, and verify messages using Elliptic Curve Cryptography (ECC), which offers strong cryptographic guarantees at a fraction of the computational cost of traditional algorithms like RSA.

This library uses the secp256k1 curve, the same proven curve used in Bitcoin and Ethereum blockchain technologies. It provides excellent security (128-bit strength) with very small key sizes, making it ideal for low-bandwidth networks and low-power processors. This is especially beneficial in mesh networks, telemetry buses, and rural edge deployments where every byte and CPU cycle counts.

By integrating nanoedge-pki, developers can:

Secure data-in-motion with digital signatures

Establish trust between previously unknown devices

Prevent tampering of transmitted commands or telemetry

Comply with data integrity requirements for regulated edge applications

The library is built entirely using Node.js's native crypto module, which ensures reliability, forward compatibility, and minimal external dependencies. This makes it portable and suitable for environments like Raspberry Pi, Jetson Nano, ESP32 gateways running Node.js, or serverless verification services in the cloud.

In essence, nanoedge-pki is not just a cryptographic utility—it is a foundational building block for zero-trust device ecosystems, where security must be enforced even between internal components. Whether you're building smart drones, remote monitoring stations, or micro-robotic systems, this library empowers you to secure your data streams at the edge—where it matters most.

GitHub: https://github.com/RaghavaCh440/nanoedge-pki

Generate elliptic curve key pairs (secp256k1):

This feature allows devices or applications to generate their own public-private key pairs using the secp256k1 elliptic curve, a cryptographic standard known for its efficiency and security. These keys form the backbone of device identity and secure communication.

Sign messages using ECDSA with SHA-256:

nanoedge-pki enables digital signing of messages using the Elliptic Curve Digital Signature Algorithm (ECDSA) combined with SHA-256 hashing. This ensures data integrity and non-repudiation, so recipients can verify that a message hasn't been tampered with and was sent by a trusted device.

Verify signatures against signed payloads:

With the ability to verify ECDSA signatures, devices or services can check whether incoming data truly originates from a known and trusted source, making it a crucial feature for mutual authentication and secure protocol handshakes.

Built using Node.js native crypto module (no external dependencies):

The library relies entirely on Node.js's built-in crypto module, which ensures high performance, long-term stability, and compatibility across environments without the need for compiling or installing native add-ons.

Suitable for secure nano/micro device authentication:

Designed with microcontrollers and nano-devices in mind, nanoedge-pki supports secure authentication between ultra-small hardware agents and edge nodes. This is essential in scenarios like secure firmware updates or telemetry reporting.

Lightweight and fast—perfect for edge computing, IoT, and embedded ML devices:

The small footprint and fast elliptic curve operations make this library ideal for low-latency environments such as real-time sensors, ML inferencing at the edge, or robotics, where every millisecond and byte counts.

Low-memory and low-CPU compatible:

ECC is significantly more efficient than RSA in constrained environments. This makes the library practical on devices with limited RAM and CPU power.

Plug-and-play integration:

The simple API allows developers to drop this library into any existing edge or server-side project to immediately add PKI support with minimal boilerplate.

Secure by design:

Keys are exported in PEM format, and cryptographic primitives follow modern standards, reducing the chances of accidental misconfiguration or cryptographic flaws.

Portable across platforms:

Runs on any system that supports Node.js, including Linux, macOS, Raspberry Pi, and even lightweight container environments like Alpine.

Installation

npm install nanoedge-pki
Usage
const { generateKeyPair, signMessage, verifyMessage } = require('nanoedge-pki');

// Step 1: Generate ECC key pair
const { publicKey, privateKey } = generateKeyPair();

// Step 2: Sign a message
const message = 'temperature=21.3&device_id=sensor001';
const signature = signMessage(message, privateKey);

// Step 3: Verify the message
const isValid = verifyMessage(message, signature, publicKey);
console.log('Signature valid:', isValid); // true or false

Directory Structure

nanoedge-pki/
├── index.js                # Public interface
├── lib/
│   └── crypto.js           # Core cryptographic logic
├── package.json
├── LICENSE
└── README.md

Cryptographic Notes

Uses secp256k1 (same as Bitcoin/Ethereum)
Fast and secure with compact key sizes
Ideal for nano-devices, mesh networks, and bandwidth-constrained systems

Use Cases

Secure authentication between sensor nodes and gateways
Lightweight digital signatures for data integrity in edge computing
Verifying firmware updates or data packets from constrained hardware

License

MIT License

Copyright (c) 2025 Raghava Chellu

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Author

Made with by Raghava Chellu
GitHub: @raghavachellu

secure-pubsub-bridge: End-to-End RSA Encryption for Google Cloud Pub/Sub

Raghava Chellu — Sun, 14 Sep 2025 17:32:13 +0000

Overview:

Cloud-native systems are becoming increasingly interconnected. Whether you’re building microservices, cross-cloud pipelines, or hybrid applications, secure message delivery is a critical requirement.

Google Cloud Pub/Sub is a fantastic messaging backbone, but by default, messages rely on IAM and TLS in transit — which is great, but not always enough for sensitive workloads that demand end-to-end encryption.

That’s where secure-pubsub-bridge comes in.

It’s a lightweight Node.js library that adds an extra layer of security by encrypting Pub/Sub messages with RSA public-key cryptography before publishing. On the subscriber side, you decrypt messages with your private key, ensuring that only trusted consumers can see the payload.

Features

RSA-based Encryption — Protects sensitive data beyond standard TLS.

Encrypted Publish — Seamlessly publish encrypted messages to Pub/Sub topics.

Secure Subscribe & Decrypt — Automatically decrypt messages when subscribing.

Key Management — Generate RSA key pairs for your apps.

Cloud-Native — Ideal for GCP services, Cloud Run, or multi-cloud bridges.

Installation

npm install secure-pubsub-bridge

Usage

Generate RSA Key Pair

const { generateKeyPair } = require('secure-pubsub-bridge');

const keys = generateKeyPair();
console.log("Public Key:", keys.publicKey);
console.log("Private Key:", keys.privateKey);

This gives you PEM-formatted RSA keys. You’ll typically store them in Secret Manager or as environment variables.

Publish an Encrypted Message

const { publishEncryptedMessage } = require('secure-pubsub-bridge');

await publishEncryptedMessage('my-topic', { secret: 'data' });

Instead of plain JSON, your payload is encrypted before it leaves your service.

Subscribe and Decrypt

const { subscribeAndDecrypt } = require('secure-pubsub-bridge');

subscribeAndDecrypt('my-subscription', (data) => {
  console.log('Decrypted Data:', data);
});

Consumers automatically decrypt messages using their private key, giving you true end-to-end confidentiality.

Environment Variables

PUBLIC_KEY="-----BEGIN PUBLIC KEY-----..."
PRIVATE_KEY="-----BEGIN PRIVATE KEY-----..."

Set these before running your service so the library knows how to encrypt/decrypt.

Why Use This?

Defense in Depth: Even if Pub/Sub logs, IAM roles, or transport security are compromised, your payloads stay safe.

Regulatory Compliance: Helps meet requirements for HIPAA, PCI-DSS, or GDPR by ensuring sensitive data isn’t transmitted in the clear.

Multi-Cloud Messaging: Securely bridge Google Cloud services with AWS, Azure, or on-prem systems.

Simplicity: Just drop in a few lines of code — no need to reinvent crypto pipelines.

Example Use Cases

Healthcare: Transmitting patient data between cloud services securely.

Finance: Sending transaction events without exposing raw payloads.

IoT: Encrypting device telemetry before it hits your processing pipeline.

Hybrid Cloud: Secure messaging between on-prem systems and GCP Pub/Sub.

License

MIT © 2025 Raghava Chellu

gitHub

https://github.com/RaghavaCh440/secure-pubsub-bridge

Try integrating it with Cloud Run or Workflows for secure, automated pipelines.

Contribute! PRs are welcome for adding support for AES session keys or KMS integration.

Stop Certificate Expiry Outages with certwatch-js: A Node.js SSL Health Monitor

Raghava Chellu — Sat, 14 Jun 2025 21:19:12 +0000

Overview

certwatch-js is a lightweight Node.js library designed to monitor the validity and configuration of SSL/TLS certificates used by web services, APIs, and infrastructure endpoints. It programmatically retrieves certificate metadata such as issuer, subject, validity period, and expiration date by establishing a secure connection to the target host. This information is then evaluated to determine whether the certificate is close to expiration or misconfigured.

By integrating certwatch-js into DevOps pipelines, you can proactively detect issues like upcoming certificate expiry, self-signed or untrusted certs, and misaligned subject details. This helps prevent production outages, security incidents, or compliance violations due to overlooked certificate renewals. The tool is ideal for security teams, cloud engineers, and platform reliability groups who want a programmatic safeguard against certificate-related risks.

It can be run as a simple CLI check, scheduled cron job, or embedded into CI/CD workflows using tools like Jenkins, GitHub Actions, or GitLab CI. With minimal setup and no third-party dependencies, certwatch-js offers an efficient and portable way to enforce SSL hygiene across distributed systems.

Installation

npm install certwatch-js

Usage

const { getCertificateInfo, checkCertExpiry } = require('certwatch-js');

// Get certificate metadata
getCertificateInfo("example.com").then(console.log);

// Alert if expiring within 15 days
checkCertExpiry("example.com", 15);

Output Example

[example.com] Certificate is valid. Expires in 75 days (on 2025-08-23)

API

getCertificateInfo(hostname, port = 443) Returns a Promise with:
subject, issuer
valid_from, valid_to
days_remaining
checkCertExpiry(hostname, daysThreshold = 30) Logs a warning if the cert expires within daysThreshold.

Use Cases

Monitor SSL expiry in CI/CD workflows
Trigger alerts for public-facing certs nearing expiration
Audit security posture of DevOps infrastructure
Integrate into logging/observability systems

Library Download

https://www.npmjs.com/package/certwatch-js
https://github.com/RaghavaCh440/certwatch-js

Security & Compliance

This library can help enforce certificate hygiene policies, reduce SSL-related outages, and support compliance goals such as PCI-DSS or SOC 2, where proactive certificate management is essential.

License

MIT License

Copyright (c) 2025 Raghava Chellu
Emailid : raghava.chellu@gmail.com

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the “Software”), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Introducing netsec-analyzer: A DevOps-Friendly CLI to Scan Ports, Audit TLS, and Secure Linux

Raghava Chellu — Sat, 14 Jun 2025 21:07:05 +0000

netsec-analyzer

A CLI tool to scan open ports, evaluate TLS configurations, and recommend Linux hardening practices.

netsec-analyzer is a powerful command-line utility designed to assist DevOps engineers, cybersecurity professionals, and system administrators in identifying network vulnerabilities and improving server hardening practices. This tool offers rapid scanning of commonly used ports, audits TLS/SSL configurations for misconfigurations or weak ciphers, and provides actionable security recommendations for strengthening Linux-based server deployments.

Key Features

Open Port Scanner Scans a set of well-known and commonly targeted ports (e.g., 22, 80, 443, 3306, 5432) on the specified host to detect potentially exposed services. This helps you identify unnecessary or misconfigured services that might be vulnerable to attacks.

TLS/SSL Configuration Inspector Connects securely to the server via TLS and inspects the encryption suite in use. It reports protocol versions (e.g., TLS 1.2, TLS 1.3) and cipher algorithms (e.g., AES-256-GCM), enabling you to verify if strong encryption is enforced and deprecated standards are avoided.

Linux Hardening Recommendations Offers a curated list of best practices for improving the baseline security posture of your Linux server. These include enforcing strong cipher policies, disabling unused services, applying patches, and securing SSH and firewall configurations.

Installation

Install netsec-analyzer globally using NPM:

npm install -g netsec-analyzer

This makes the netsec-analyzer CLI available system-wide.

Usage

Once installed, simply run the tool against a target host:

netsec-analyzer scan <host>

This command will:

Scan a predefined list of TCP ports on example.com to detect open services.
Initiate a secure TLS handshake with port 443 to extract cipher suite and protocol version information.
Output a list of system hardening tips relevant to Linux environments.

Scanning common ports on example.com...

Port 22 is open
Port 443 is open
Checking TLS config on example.com...
Cipher: TLS_AES_256_GCM_SHA384, Version: TLSv1.3

Hardening Suggestions:

Disable deprecated protocols (e.g., TLS 1.0/1.1)
Enforce strong cipher suites only
Enable SSH key-based login; disable root login
Close unused ports using iptables or firewalld
Apply OS patches and audit user access regularly

Use Cases

Audit your Linux servers before production deployment.
Periodically verify TLS security postures and cipher hygiene.
Educate junior DevOps/SRE team members on system hardening.
Integrate into CI/CD pipelines as a security gate.

NPM Download

https://www.npmjs.com/package/netsec-analyzer
https://github.com/RaghavaCh440/netsec-analyzer

Security Considerations

netsec-analyzer performs non-intrusive, read-only scans and does not attempt to exploit any vulnerabilities. It is intended solely for authorized internal use and ethical security auditing.

License

MIT License

Copyright (c) 2025 Raghava Chellu
Email: raghava.mftsolutions@gmail.com

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights  
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell     
copies of the Software, and to permit persons to whom the Software is         
furnished to do so, subject to the following conditions:                      

The above copyright notice and this permission notice shall be included in    
all copies or substantial portions of the Software.                           

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR    
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,      
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE   
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES S, OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Prevent File Transfer Breaches: Audit MFT Firewall Setup with mftfwscan

Raghava Chellu — Fri, 06 Jun 2025 22:32:57 +0000

Project description

mftfwscan is a specialized command-line toolkit designed to simulate, validate, and audit firewall and Network Address Translation (NAT) rules specifically tailored for Managed File Transfer (MFT) environments. In secure enterprise data flows, MFT protocols like SFTP, FTPS, AS2, and HTTPS typically require well-defined inbound and outbound port configurations, as well as NAT traversal setups to accommodate internal services behind firewalls or proxies. Misconfigured rules in these systems such as open high ports, overly permissive source IPs, or missing TLS protections can expose sensitive data or create compliance violations.

This tool enables system administrators, DevOps engineers, and security teams to programmatically define and simulate what a secure rule set should look like for a given MFT protocol, then audit real or proposed configurations for common misconfigurations. It outputs rule formats compatible with widely used firewall systems like iptables, Google Cloud Platform (GCP) firewall rules, and AWS Security Group policies. Furthermore, mftfwscan highlights potentially insecure practices such as "allow all" source ranges or unencrypted protocol ports, helping teams proactively harden their infrastructure.

By integrating MFT protocol awareness with static rule validation, mftfwscan fills a niche gap in firewall simulation tools bringing protocol specific insight into the traditionally generic firewall configuration space. This allows for both real-time validation during DevOps CI/CD workflows and offline auditing of legacy infrastructure policies.

Features

Simulate inbound port rules for SFTP, FTPS, AS2, and Passive FTP
Identify potential misconfigurations like open high ports or unrestricted sources
Export rules as iptables, GCP firewall, or AWS security group formats

Installation

$ pip install .

Usage

$ mftfwscan --service SFTP --export iptables

Requirements

Python 3.7+

Example Output

$ mftfwscan --service SFTP --export iptables
-A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -j ACCEPT
[!] Rule open to all IPs for port 22

Author and OpenSource Links

Raghava Chellu
raghava.chellu@gmail.com
https://pypi.org/project/mftfwscan/
https://github.com/RaghavaCh440/mftfwscan

== LICENSE (MIT) ==

MIT License

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

DEV Community: Raghava Chellu

Omni Security & Intelligence Python Library AI · MFT · GCS · CyberSecurity · Internet

Module Description

Installation

Base install

With specific extras

Quick Start

── MFT Client ──

agentic‑bq — Guardrails for Agents Querying BigQuery

Why I Built This

What It Is

Features

Getting Started

Use cases

In a single call:

Under the Hood

Built for LLM Agents

Example: Dry‑Run Validation

Configuration

Security Model

Design Principles

Publishing (Developers)

Future Roadmap

Closing Thought

Bringing Async MCP to Google Cloud Run — Introducing cloudrun-mcp

What is MCP (Model Context Protocol)?

Introducing cloudrun-mcp

How It Works

Installation

Requirements

Usage Example

Typical Output Stream

Why Async MCP Matters

Authentication Deep Dive

Streaming with Back-Pressure Control

Typical Deployment Pattern

Real-World Use Cases

Design Philosophy

SentinelMFT: AI-Powered Secure File Transfer & Network Firewall for Google Cloud

Overview

Key Features

CLI

License

AI Meets Managed File Transfer: gcp-mft-ai for Google Cloud Storage, Filestore & STS

Overview

Features

Core Capabilities

Internal Architecture

Security-First Design

Usage Overview

Real-World Use Cases

Technology Stack

MIT License

Installation

Conclusion

vaultlock-py: Unified Secret Management & Encryption for GCP and HashiCorp Vault

Overview

Features

Use Cases

Technologies Used

Installation

CLI Usage

License

MIT License

PyPI Link:

netcryptx: Secure Socket Communication & Encrypted Tunneling for Python

Overview

Features

Usage Examples

Start a Secure Tunnel

Generate RSA Key Pair

Project Structure

Run Tests

Why Use netcryptx?

License

Installation

Bringing Blockchain-Grade Security to IoT and Edge Systems with nanoedge-pki

Overview

Generate elliptic curve key pairs (secp256k1):

Sign messages using ECDSA with SHA-256:

Why I Built This

What It Is

Getting Started

Under the Hood

Built for LLM Agents

Example: Dry‑Run Validation

Security Model

Design Principles

Publishing (Developers)

Future Roadmap

 Closing Thought