mockupAWS/docs/SECURITY-AUDIT-v1.0.0.md

Security Audit Plan - mockupAWS v1.0.0

Version: 1.0.0
Author: @spec-architect
Date: 2026-04-07
Status: DRAFT - Ready for Security Team Review
Classification: Internal - Confidential

---

Executive Summary

This document outlines the comprehensive security audit plan for mockupAWS v1.0.0 production release. The audit covers OWASP Top 10 review, penetration testing, compliance verification, and vulnerability remediation.

Audit Scope

Component	Coverage	Priority
Backend API (FastAPI)	Full	P0
Frontend (React)	Full	P0
Database (PostgreSQL)	Full	P0
Infrastructure (Docker/AWS)	Full	P1
Third-party Dependencies	Full	P0

Timeline

Phase	Duration	Start Date	End Date
Preparation	3 days	Week 1 Day 1	Week 1 Day 3
Automated Scanning	5 days	Week 1 Day 4	Week 2 Day 1
Manual Penetration Testing	10 days	Week 2 Day 2	Week 3 Day 4
Remediation	7 days	Week 3 Day 5	Week 4 Day 4
Verification	3 days	Week 4 Day 5	Week 4 Day 7

---

1. Security Checklist

1.1 OWASP Top 10 Review

A01:2021 - Broken Access Control

Check Item	Status	Method	Owner
Verify JWT token validation on all protected endpoints	⬜	Code Review	Security Team
Check for direct object reference vulnerabilities	⬜	Pen Test	Security Team
Verify CORS configuration is restrictive	⬜	Config Review	DevOps
Test role-based access control (RBAC) enforcement	⬜	Pen Test	Security Team
Verify API key scope enforcement	⬜	Unit Test	Backend Dev
Check for privilege escalation paths	⬜	Pen Test	Security Team
Verify rate limiting per user/API key	⬜	Automated Test	QA

Testing Methodology:

# JWT Token Manipulation Tests
curl -H "Authorization: Bearer INVALID_TOKEN" https://api.mockupaws.com/scenarios
curl -H "Authorization: Bearer EXPIRED_TOKEN" https://api.mockupaws.com/scenarios

# IDOR Tests
curl https://api.mockupaws.com/scenarios/OTHER_USER_SCENARIO_ID

# Privilege Escalation
curl -X POST https://api.mockupaws.com/admin/users -H "Authorization: Bearer REGULAR_USER_TOKEN"

A02:2021 - Cryptographic Failures

Check Item	Status	Method	Owner
Verify TLS 1.3 minimum for all communications	⬜	SSL Labs Scan	DevOps
Check password hashing (bcrypt cost >= 12)	✅	Code Review	Done
Verify JWT algorithm is HS256 or RS256 (not none)	✅	Code Review	Done
Check API key storage (hashed, not encrypted)	✅	Code Review	Done
Verify secrets are not in source code	⬜	GitLeaks Scan	Security Team
Check for weak cipher suites	⬜	SSL Labs Scan	DevOps
Verify database encryption at rest	⬜	AWS Config Review	DevOps

Current Findings:

• ✅ Password hashing: bcrypt with cost=12 (good)
• ✅ JWT Algorithm: HS256 (acceptable, consider RS256 for microservices)
• ✅ API Keys: SHA-256 hash stored (good)
• ⚠️ JWT Secret: Currently uses default in dev (MUST change in production)

A03:2021 - Injection

Check Item	Status	Method	Owner
SQL Injection - Verify parameterized queries	✅	Code Review	Done
SQL Injection - Test with sqlmap	⬜	Automated Tool	Security Team
NoSQL Injection - Check MongoDB queries	N/A	N/A	N/A
Command Injection - Check os.system calls	⬜	Code Review	Security Team
LDAP Injection - Not applicable	N/A	N/A	N/A
XPath Injection - Not applicable	N/A	N/A	N/A
OS Injection - Verify input sanitization	⬜	Code Review	Security Team

SQL Injection Test Cases:

# Test payloads for sqlmap
payloads = [
    "' OR '1'='1",
    "'; DROP TABLE scenarios; --",
    "' UNION SELECT * FROM users --",
    "1' AND 1=1 --",
    "1' AND 1=2 --",
]

A04:2021 - Insecure Design

Check Item	Status	Method	Owner
Verify secure design patterns are documented	⬜	Documentation Review	Architect
Check for business logic flaws	⬜	Pen Test	Security Team
Verify rate limiting on all endpoints	⬜	Code Review	Backend Dev
Check for race conditions	⬜	Code Review	Security Team
Verify proper error handling (no info leakage)	⬜	Code Review	Backend Dev

A05:2021 - Security Misconfiguration

Check Item	Status	Method	Owner
Verify security headers (HSTS, CSP, etc.)	⬜	HTTP Headers Scan	DevOps
Check for default credentials	⬜	Automated Scan	Security Team
Verify debug mode disabled in production	⬜	Config Review	DevOps
Check for exposed .env files	⬜	Web Scan	Security Team
Verify directory listing disabled	⬜	Web Scan	Security Team
Check for unnecessary features enabled	⬜	Config Review	DevOps

Security Headers Checklist:

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()

A06:2021 - Vulnerable and Outdated Components

Check Item	Status	Method	Owner
Scan Python dependencies for CVEs	⬜	pip-audit/safety	Security Team
Scan Node.js dependencies for CVEs	⬜	npm audit	Security Team
Check Docker base images for vulnerabilities	⬜	Trivy Scan	DevOps
Verify dependency pinning in requirements	⬜	Code Review	Backend Dev
Check for end-of-life components	⬜	Automated Scan	Security Team

Dependency Scan Commands:

# Python dependencies
pip-audit --requirement requirements.txt
safety check --file requirements.txt

# Node.js dependencies
cd frontend && npm audit --audit-level=moderate

# Docker images
trivy image mockupaws/backend:latest
trivy image postgres:15-alpine

A07:2021 - Identification and Authentication Failures

Check Item	Status	Method	Owner
Verify password complexity requirements	⬜	Code Review	Backend Dev
Check for brute force protection	⬜	Pen Test	Security Team
Verify session timeout handling	⬜	Pen Test	Security Team
Check for credential stuffing protection	⬜	Code Review	Backend Dev
Verify MFA capability (if required)	⬜	Architecture Review	Architect
Check for weak password storage	✅	Code Review	Done

A08:2021 - Software and Data Integrity Failures

Check Item	Status	Method	Owner
Verify CI/CD pipeline security	⬜	Pipeline Review	DevOps
Check for signed commits requirement	⬜	Git Config Review	DevOps
Verify dependency integrity (checksums)	⬜	Build Review	DevOps
Check for unauthorized code changes	⬜	Audit Log Review	Security Team

A09:2021 - Security Logging and Monitoring Failures

Check Item	Status	Method	Owner
Verify audit logging for sensitive operations	⬜	Code Review	Backend Dev
Check for centralized log aggregation	⬜	Infra Review	DevOps
Verify log integrity (tamper-proof)	⬜	Config Review	DevOps
Check for real-time alerting	⬜	Monitoring Review	DevOps
Verify retention policies	⬜	Policy Review	Security Team

Required Audit Events:

AUDIT_EVENTS = [
    "user.login.success",
    "user.login.failure",
    "user.logout",
    "user.password_change",
    "api_key.created",
    "api_key.revoked",
    "scenario.created",
    "scenario.deleted",
    "scenario.started",
    "scenario.stopped",
    "report.generated",
    "export.downloaded",
]

A10:2021 - Server-Side Request Forgery (SSRF)

Check Item	Status	Method	Owner
Check for unvalidated URL redirects	⬜	Code Review	Security Team
Verify external API call validation	⬜	Code Review	Security Team
Check for internal resource access	⬜	Pen Test	Security Team

---

1.2 Dependency Vulnerability Scan

Python Dependencies Scan

# Install scanning tools
pip install pip-audit safety bandit

# Generate full report
pip-audit --requirement requirements.txt --format=json --output=reports/python-audit.json

# High severity only
pip-audit --requirement requirements.txt --severity=high

# Safety check with API key for latest CVEs
safety check --file requirements.txt --json --output reports/safety-report.json

# Static analysis with Bandit
bandit -r src/ -f json -o reports/bandit-report.json

Current Dependencies Status:

Package	Version	CVE Status	Action Required
fastapi	0.110.0	Check	Scan required
sqlalchemy	2.0.x	Check	Scan required
pydantic	2.7.0	Check	Scan required
asyncpg	0.31.0	Check	Scan required
python-jose	3.3.0	Check	Scan required
bcrypt	4.0.0	Check	Scan required

Node.js Dependencies Scan

cd frontend

# Audit with npm
npm audit --audit-level=moderate

# Generate detailed report
npm audit --json > ../reports/npm-audit.json

# Fix automatically where possible
npm audit fix

# Check for outdated packages
npm outdated

Docker Image Scan

# Scan all images
trivy image --format json --output reports/trivy-backend.json mockupaws/backend:latest
trivy image --format json --output reports/trivy-postgres.json postgres:15-alpine
trivy image --format json --output reports/trivy-nginx.json nginx:alpine

# Check for secrets in images
trivy filesystem --scanners secret src/

---

1.3 Secrets Management Audit

Current State Analysis

Secret Type	Current Storage	Risk Level	Target Solution
JWT Secret Key	.env file	HIGH	HashiCorp Vault
DB Password	.env file	HIGH	AWS Secrets Manager
API Keys	Database (hashed)	MEDIUM	Keep current
AWS Credentials	.env file	HIGH	IAM Roles
Redis Password	.env file	MEDIUM	Kubernetes Secrets

Secrets Audit Checklist

• No secrets in Git history (git log --all --full-history -- .env)
• No secrets in Docker images (use multi-stage builds)
• Secrets rotated in last 90 days
• Secret access logged
• Least privilege for secret access
• Secrets encrypted at rest
• Secret rotation automation planned

Secret Scanning

# Install gitleaks
docker run --rm -v $(pwd):/code zricethezav/gitleaks detect --source=/code -v

# Scan for high-entropy strings
truffleHog --regex --entropy=False .

# Check specific patterns
grep -r "password\|secret\|key\|token" --include="*.py" --include="*.ts" --include="*.tsx" src/ frontend/src/

---

1.4 API Security Review

Rate Limiting Configuration

Endpoint Category	Current Limit	Recommended	Implementation
Authentication	5/min	5/min	Redis-backed
API Key Mgmt	10/min	10/min	Redis-backed
General API	100/min	100/min	Redis-backed
Ingest	1000/min	1000/min	Redis-backed
Reports	10/min	10/min	Redis-backed

Rate Limiting Test Cases

# Test rate limiting effectiveness
import asyncio
import httpx

async def test_rate_limit(endpoint: str, requests: int, expected_limit: int):
    """Verify rate limiting is enforced."""
    async with httpx.AsyncClient() as client:
        tasks = [client.get(endpoint) for _ in range(requests)]
        responses = await asyncio.gather(*tasks, return_exceptions=True)
        
    rate_limited = sum(1 for r in responses if r.status_code == 429)
    success = sum(1 for r in responses if r.status_code == 200)
    
    assert success <= expected_limit, f"Expected max {expected_limit} success, got {success}"
    assert rate_limited > 0, "Expected some rate limited requests"

Authentication Security

Check	Method	Expected Result
JWT without signature fails	Unit Test	401 Unauthorized
JWT with wrong secret fails	Unit Test	401 Unauthorized
Expired JWT fails	Unit Test	401 Unauthorized
Token type confusion fails	Unit Test	401 Unauthorized
Refresh token reuse detection	Pen Test	Old tokens invalidated
API key prefix validation	Unit Test	Fast rejection
API key rate limit per key	Load Test	Enforced

---

1.5 Data Encryption Requirements

Encryption in Transit

Protocol	Minimum Version	Configuration
TLS	1.3	ssl_protocols TLSv1.3;
HTTPS	HSTS	max-age=31536000; includeSubDomains
Database	SSL	sslmode=require
Redis	TLS	tls-port 6380

Encryption at Rest

Data Store	Encryption Method	Key Management
PostgreSQL	AWS RDS TDE	AWS KMS
S3 Buckets	AES-256	AWS S3-Managed
EBS Volumes	AWS EBS Encryption	AWS KMS
Backups	GPG + AES-256	Offline HSM
Application Logs	None required	N/A

---

2. Penetration Testing Plan

2.1 Scope Definition

In-Scope

Component	URL/IP	Testing Allowed
Production API	https://api.mockupaws.com	No (use staging)
Staging API	https://staging-api.mockupaws.com	Yes
Frontend App	https://app.mockupaws.com	Yes (staging)
Admin Panel	https://admin.mockupaws.com	Yes (staging)
Database	Internal	No (use test instance)

Out-of-Scope

• Physical security
• Social engineering
• DoS/DDoS attacks
• Third-party infrastructure (AWS, Cloudflare)
• Employee personal devices

2.2 Test Cases

SQL Injection Tests

# Test ID: SQL-001
# Objective: Test for SQL injection in scenario endpoints
# Method: Union-based injection

test_payloads = [
    "' OR '1'='1",
    "'; DROP TABLE scenarios; --",
    "' UNION SELECT username,password FROM users --",
    "1 AND 1=1",
    "1 AND 1=2",
    "1' ORDER BY 1--",
    "1' ORDER BY 100--",
    "-1' UNION SELECT null,null,null,null--",
]

# Endpoints to test
endpoints = [
    "/api/v1/scenarios/{id}",
    "/api/v1/scenarios?status={payload}",
    "/api/v1/scenarios?region={payload}",
    "/api/v1/ingest",
]

XSS (Cross-Site Scripting) Tests

# Test ID: XSS-001 to XSS-003
# Types: Reflected, Stored, DOM-based

xss_payloads = [
    # Basic script injection
    "<script>alert('XSS')</script>",
    # Image onerror
    "<img src=x onerror=alert('XSS')>",
    # SVG injection
    "<svg onload=alert('XSS')>",
    # Event handler
    "\" onfocus=alert('XSS') autofocus=\"",
    # JavaScript protocol
    "javascript:alert('XSS')",
    # Template injection
    "{{7*7}}",
    "${7*7}",
    # HTML5 vectors
    "<body onpageshow=alert('XSS')>",
    "<marquee onstart=alert('XSS')>",
    # Polyglot
    "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";",
]

# Test locations
# 1. Scenario name (stored)
# 2. Log message preview (stored)
# 3. Error messages (reflected)
# 4. Search parameters (reflected)

CSRF (Cross-Site Request Forgery) Tests

# Test ID: CSRF-001
# Objective: Verify CSRF protection on state-changing operations

# Test approach:
# 1. Create malicious HTML page
malicious_form = """
<form action="https://staging-api.mockupaws.com/api/v1/scenarios" method="POST" id="csrf-form">
    <input type="hidden" name="name" value="CSRF-Test">
    <input type="hidden" name="description" value="CSRF vulnerability test">
</form>
<script>document.getElementById('csrf-form').submit();</script>
"""

# 2. Trick authenticated user into visiting page
# 3. Check if scenario was created without proper token

# Expected: Request should fail without valid CSRF token

Authentication Bypass Tests

# Test ID: AUTH-001 to AUTH-010

auth_tests = [
    {
        "id": "AUTH-001",
        "name": "JWT Algorithm Confusion",
        "method": "Change alg to 'none' in JWT header",
        "expected": "401 Unauthorized"
    },
    {
        "id": "AUTH-002",
        "name": "JWT Key Confusion (RS256 to HS256)",
        "method": "Sign token with public key as HMAC secret",
        "expected": "401 Unauthorized"
    },
    {
        "id": "AUTH-003",
        "name": "Token Expiration Bypass",
        "method": "Send expired token",
        "expected": "401 Unauthorized"
    },
    {
        "id": "AUTH-004",
        "name": "API Key Enumeration",
        "method": "Brute force API key prefixes",
        "expected": "Rate limited, consistent timing"
    },
    {
        "id": "AUTH-005",
        "name": "Session Fixation",
        "method": "Attempt to reuse old session token",
        "expected": "401 Unauthorized"
    },
    {
        "id": "AUTH-006",
        "name": "Password Brute Force",
        "method": "Attempt common passwords",
        "expected": "Account lockout after N attempts"
    },
    {
        "id": "AUTH-007",
        "name": "OAuth State Parameter",
        "method": "Missing/invalid state parameter",
        "expected": "400 Bad Request"
    },
    {
        "id": "AUTH-008",
        "name": "Privilege Escalation",
        "method": "Modify JWT payload to add admin role",
        "expected": "401 Unauthorized (signature invalid)"
    },
    {
        "id": "AUTH-009",
        "name": "Token Replay",
        "method": "Replay captured token from different IP",
        "expected": "Behavior depends on policy"
    },
    {
        "id": "AUTH-010",
        "name": "Weak Password Policy",
        "method": "Register with weak passwords",
        "expected": "Password rejected if < 8 chars or no complexity"
    },
]

Business Logic Tests

# Test ID: LOGIC-001 to LOGIC-005

logic_tests = [
    {
        "id": "LOGIC-001",
        "name": "Scenario State Manipulation",
        "test": "Try to transition from draft to archived directly",
        "expected": "Validation error"
    },
    {
        "id": "LOGIC-002",
        "name": "Cost Calculation Manipulation",
        "test": "Inject negative values in metrics",
        "expected": "Validation error or absolute value"
    },
    {
        "id": "LOGIC-003",
        "name": "Race Condition - Double Spending",
        "test": "Simultaneous scenario starts",
        "expected": "Only one succeeds"
    },
    {
        "id": "LOGIC-004",
        "name": "Report Generation Abuse",
        "test": "Request multiple reports simultaneously",
        "expected": "Rate limited"
    },
    {
        "id": "LOGIC-005",
        "name": "Data Export Authorization",
        "test": "Export other user's scenario data",
        "expected": "403 Forbidden"
    },
]

2.3 Recommended Tools

Automated Scanning Tools

Tool	Purpose	Usage
OWASP ZAP	Web vulnerability scanner	zap-full-scan.py -t https://staging.mockupaws.com
Burp Suite Pro	Web proxy and scanner	Manual testing + automated crawl
sqlmap	SQL injection detection	sqlmap -u "https://api.mockupaws.com/scenarios?id=1"
Nikto	Web server scanner	nikto -h https://staging.mockupaws.com
Nuclei	Fast vulnerability scanner	nuclei -u https://staging.mockupaws.com

Static Analysis Tools

Tool	Language	Usage
Bandit	Python	bandit -r src/
Semgrep	Multi	semgrep --config=auto src/
ESLint Security	JavaScript	eslint --ext .ts,.tsx src/
SonarQube	Multi	Full codebase analysis
Trivy	Docker/Infra	trivy fs --scanners vuln,secret,config .

Manual Testing Tools

Tool	Purpose
Postman	API testing and fuzzing
JWT.io	JWT token analysis
CyberChef	Data encoding/decoding
Wireshark	Network traffic analysis
Browser DevTools	Frontend security testing

---

3. Compliance Review

3.1 GDPR Compliance Checklist

Lawful Basis and Transparency

Requirement	Status	Evidence
Privacy Policy Published	⬜	Document required
Terms of Service Published	⬜	Document required
Cookie Consent Implemented	⬜	Frontend required
Data Processing Agreement	⬜	For sub-processors

Data Subject Rights

Right	Implementation	Status
Right to Access	/api/v1/user/data-export endpoint	⬜
Right to Rectification	User profile update API	⬜
Right to Erasure	Account deletion with cascade	⬜
Right to Restrict Processing	Soft delete option	⬜
Right to Data Portability	JSON/CSV export	⬜
Right to Object	Marketing opt-out	⬜
Right to be Informed	Data collection notices	⬜

Data Retention and Minimization

# GDPR Data Retention Policy
gdpr_retention_policies = {
    "user_personal_data": {
        "retention_period": "7 years after account closure",
        "legal_basis": "Legal obligation (tax records)",
        "anonymization_after": "7 years"
    },
    "scenario_logs": {
        "retention_period": "1 year",
        "legal_basis": "Legitimate interest",
        "can_contain_pii": True,
        "auto_purge": True
    },
    "audit_logs": {
        "retention_period": "7 years",
        "legal_basis": "Legal obligation (security)",
        "immutable": True
    },
    "api_access_logs": {
        "retention_period": "90 days",
        "legal_basis": "Legitimate interest",
        "anonymize_ips": True
    }
}

GDPR Technical Checklist

• Pseudonymization of user data where possible
• Encryption of personal data at rest and in transit
• Breach notification procedure (72 hours)
• Privacy by design implementation
• Data Protection Impact Assessment (DPIA)
• Records of processing activities
• DPO appointment (if required)

3.2 SOC 2 Readiness Assessment

SOC 2 Trust Services Criteria

Criteria	Control Objective	Current State	Gap
Security	Protect system from unauthorized access	Partial	Medium
Availability	System available for operation	Partial	Low
Processing Integrity	Complete, valid, accurate, timely processing	Partial	Medium
Confidentiality	Protect confidential information	Partial	Medium
Privacy	Collect, use, retain, disclose personal info	Partial	High

Security Controls Mapping

SOC 2 CC6.1 - Logical Access Security
├── User authentication (JWT + API Keys) ✅
├── Password policies ⬜
├── Access review procedures ⬜
└── Least privilege enforcement ⬜

SOC 2 CC6.2 - Access Removal
├── Automated de-provisioning ⬜
├── Access revocation on termination ⬜
└── Regular access reviews ⬜

SOC 2 CC6.3 - Access Approvals
├── Access request workflow ⬜
├── Manager approval required ⬜
└── Documentation of access grants ⬜

SOC 2 CC6.6 - Encryption
├── Encryption in transit (TLS 1.3) ✅
├── Encryption at rest ⬜
└── Key management ⬜

SOC 2 CC7.2 - System Monitoring
├── Audit logging ⬜
├── Log monitoring ⬜
├── Alerting on anomalies ⬜
└── Log retention ⬜

SOC 2 Readiness Roadmap

Phase	Timeline	Activities
Phase 1: Documentation	Weeks 1-4	Policy creation, control documentation
Phase 2: Implementation	Weeks 5-12	Control implementation, tool deployment
Phase 3: Evidence Collection	Weeks 13-16	3 months of evidence collection
Phase 4: Audit	Week 17	External auditor engagement

---

4. Remediation Plan

4.1 Severity Classification

Severity	CVSS Score	Response Time	SLA
Critical	9.0-10.0	24 hours	Fix within 1 week
High	7.0-8.9	48 hours	Fix within 2 weeks
Medium	4.0-6.9	1 week	Fix within 1 month
Low	0.1-3.9	2 weeks	Fix within 3 months
Informational	0.0	N/A	Document

4.2 Remediation Template

## Vulnerability Report Template

### VULN-XXX: [Title]

**Severity:** [Critical/High/Medium/Low]
**Category:** [OWASP Category]
**Component:** [Backend/Frontend/Infrastructure]
**Discovered:** [Date]
**Reporter:** [Name]

#### Description
[Detailed description of the vulnerability]

#### Impact
[What could happen if exploited]

#### Steps to Reproduce
1. Step one
2. Step two
3. Step three

#### Evidence
[Code snippets, screenshots, request/response]

#### Recommended Fix
[Specific remediation guidance]

#### Verification
[How to verify the fix is effective]

#### Status
- [ ] Confirmed
- [ ] Fix in Progress
- [ ] Fix Deployed
- [ ] Verified

---

5. Audit Schedule

Week 1: Preparation

Day	Activity	Owner
1	Kickoff meeting, scope finalization	Security Lead
2	Environment setup, tool installation	Security Team
3	Documentation review, test cases prep	Security Team
4	Start automated scanning	Security Team
5	Automated scan analysis	Security Team

Week 2-3: Manual Testing

Activity	Duration	Owner
SQL Injection Testing	2 days	Pen Tester
XSS Testing	2 days	Pen Tester
Authentication Testing	2 days	Pen Tester
Business Logic Testing	2 days	Pen Tester
API Security Testing	2 days	Pen Tester
Infrastructure Testing	2 days	Pen Tester

Week 4: Remediation & Verification

Day	Activity	Owner
1	Final report delivery	Security Team
2-5	Critical/High remediation	Dev Team
6	Remediation verification	Security Team
7	Sign-off	Security Lead

---

Appendix A: Security Testing Tools Setup

OWASP ZAP Configuration

# Install OWASP ZAP
docker pull owasp/zap2docker-stable

# Full scan
docker run -v $(pwd):/zap/wrk/:rw \
  owasp/zap2docker-stable zap-full-scan.py \
  -t https://staging-api.mockupaws.com \
  -g gen.conf \
  -r zap-report.html

# API scan (for OpenAPI)
docker run -v $(pwd):/zap/wrk/:rw \
  owasp/zap2docker-stable zap-api-scan.py \
  -t https://staging-api.mockupaws.com/openapi.json \
  -f openapi \
  -r zap-api-report.html

Burp Suite Configuration

1. Set up upstream proxy for certificate pinning bypass
2. Import OpenAPI specification
3. Configure scan scope:
   - Include: https://staging-api.mockupaws.com/*
   - Exclude: https://staging-api.mockupaws.com/health
4. Set authentication:
   - Token location: Header
   - Header name: Authorization
   - Token prefix: Bearer
5. Run crawl and audit

CI/CD Security Integration

# .github/workflows/security-scan.yml
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0'  # Weekly

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Python Dependency Audit
        run: |
          pip install pip-audit
          pip-audit --requirement requirements.txt
      
      - name: Node.js Dependency Audit
        run: |
          cd frontend
          npm audit --audit-level=moderate
      
      - name: Secret Scan
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: main
          head: HEAD

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Bandit Scan
        run: |
          pip install bandit
          bandit -r src/ -f json -o bandit-report.json
      
      - name: Semgrep Scan
        uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/owasp-top-ten
            p/cwe-top-25

---

Document Version: 1.0.0-Draft
Last Updated: 2026-04-07
Classification: Internal - Confidential
Owner: @spec-architect