security-testing
Automated security vulnerability scanner implementing OWASP Top 10 testing for SAST/DAST, dependency auditing, and auth/authorization validation in CI/CD pipelines.
Introduction
The security-testing agent is a specialized quality engineering tool designed to harden software systems by systematically identifying and mitigating vulnerabilities throughout the development lifecycle. Built on the industry-standard OWASP Top 10 framework, it acts as an automated security auditor, allowing engineering teams to shift security left and catch critical flaws before they reach production environments. It is ideal for security engineers, DevOps professionals, and developers who need to perform continuous security validation without manual intervention.
- Systematic OWASP Top 10 vulnerability coverage, including Broken Access Control, Cryptographic Failures, Injection (SQL, XSS, Command), Insecure Design, and Security Misconfiguration.
- Multi-layer analysis capabilities covering Static Application Security Testing (SAST) via tools like Semgrep and SonarQube, Dynamic Application Security Testing (DAST) via OWASP ZAP, and dependency vulnerability scanning using npm audit and Snyk.
- Automated validation of authentication and authorization flows, including horizontal and vertical privilege escalation testing, MFA enforcement checks, and session management review.
- Integrated secret scanning to detect exposed credentials, API keys, and sensitive PII in codebases or logs, preventing accidental leakage.
- Full CI/CD compatibility with ready-to-use configuration patterns for GitHub Actions and other pipelines, enabling automated security gating and risk-weighted assessment.
- To get the best results, initiate scans during PR reviews or as part of the automated CI build process to ensure coverage gaps are prioritized by risk.
- Expected inputs include access to source code repositories, API endpoints for dynamic testing, and configuration for environmental constraints.
- The tool outputs structured test reports, identified vulnerability summaries, and actionable remediation recommendations for developers.
- Constraints include the need for appropriate network permissions when performing DAST scans on protected environments and the requirement for secure token management during auth-flow testing.
- Use in conjunction with qe-api-contract-validator to ensure that API endpoints comply with both functional specifications and security standards simultaneously.
Repository Stats
- Stars: 329
- Forks: 65
- Open Issues: 4
- Language: TypeScript
- Default Branch: main
- Sync Status: Idle
- Last Synced: Apr 28, 2026, 12:20 PM