security-testing
Automated security vulnerability scanner implementing OWASP Top 10 testing for SAST/DAST, dependency auditing, and auth/authorization validation in CI/CD pipelines.
Introduction
The security-testing agent provides a comprehensive, shift-left approach to software security by integrating automated vulnerability detection directly into the development lifecycle. It is designed for QA engineers, security researchers, and developers who need to move beyond manual checklists to systematic, code-aware security validation. By utilizing the OWASP Top 10 (2021) methodology, the agent helps teams identify, analyze, and mitigate common risks before they reach production.
- Executes multi-layer SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) to uncover vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
- Performs automated dependency analysis via tools such as npm audit and Snyk to identify vulnerable third-party packages and components.
- Validates authentication and authorization workflows, including testing for horizontal and vertical privilege escalation, session fixation, and MFA enforcement.
- Scans the codebase and logs for exposed secrets, API keys, and sensitive PII to prevent credential leakage.
- Checks for secure configuration by flagging verbose error messages, insecure headers, and hidden administrative endpoints.
- Integrates into CI/CD environments, allowing continuous security monitoring within GitHub Actions and other automated pipelines.
- The agent is best used when conducting security audits, reviewing pull requests, or during the TDD/BDD phase of development, so that security is built in from the start.
- Expected inputs include project source code repositories, API documentation, and CI/CD environment access; output includes actionable reports on detected vulnerabilities, failed security gates, and recommendations for remediation.
- When defining security policies, it acts as a gatekeeper to verify that all endpoints adhere to the principle of least privilege.
- Users are encouraged to combine this skill with qe-api-contract-validator for API-specific security or qe-quality-analyzer for deeper static analysis.
- It enforces a proactive security culture, encouraging engineers to think like attackers while maintaining the robustness of a defender, ensuring compliance with standards such as GDPR.
Repository Stats
- Stars: 329
- Forks: 65
- Open Issues: 4
- Language: TypeScript
- Default Branch: main
- Sync Status: Idle
- Last Synced: Apr 29, 2026, 06:45 AM