A hands-on API security testing suite that runs four independent layers of security checks in CI against the Restful-Booker API — covering the three places a vulnerability hides: your dependencies, your repository, and the running service itself.
Every layer runs automatically on push, on every pull request, on a weekly schedule, and on demand, and uploads a downloadable report.
| # | Layer | Tool | Protects against | Type |
|---|---|---|---|---|
| 1 | SCA | npm audit |
Known-vulnerable dependencies | Static · supply-chain |
| 2 | Secret scanning | Gitleaks | Keys / passwords / tokens committed to git | Static · repo-history |
| 3 | DAST | OWASP ZAP | Insecure config & missing headers on the live API | Dynamic · black-box |
| 4 | API security | Newman + Postman | OWASP API Top 10 (auth, injection, error leakage) | Dynamic · assertion-based |
📖 Full technical write-up, tool-by-tool, with interview talking points:
SECURITY-TESTING.md
Security-Testing/
├── .github/workflows/
│ └── security.yml # CI pipeline — 4 security jobs
├── .zap/
│ └── rules.tsv # OWASP ZAP rule tuning
├── postman/
│ ├── Restful-Booker-Security-Tests.postman_collection.json # OWASP API Top 10 tests
│ └── environments/
│ └── qa.postman_environment.json # target base URL
├── .gitleaks.toml # secret-scan rules + allowlist
├── package.json # scripts + Newman devDeps
├── SECURITY-TESTING.md # deep-dive documentation
├── LICENSE
└── README.md
Software Composition Analysis. Gates the build on high/critical advisories in
production dependencies (--omit=dev — "gate on what ships"), and uploads a
full-tree JSON report covering dev tooling too ("report on everything").
Scans the entire git history (not just the latest commit) for accidentally
committed credentials, using 100+ built-in detection rules plus a small
allowlist in .gitleaks.toml for the public demo login.
Dynamic testing of the running API. A passive baseline scan (safe for a
shared practice server) checks for missing security headers, version disclosure,
cookie flags and cache-control issues. Findings are reported as artifacts, not
hard-gated, and tunable via .zap/rules.tsv.
13 explicit checks organised by the OWASP API Security Top 10:
| Folder | Category | Example check |
|---|---|---|
| A01 | Broken Access Control | DELETE/PUT/PATCH without a token → 401/403/405 |
| A07 | Authentication Failures | Invalid / empty credentials → no token issued |
| A03 | Injection | SQLi must not bypass auth; no DB-error / 500 leakage; XSS not reflected |
| A04 | Error Handling | Malformed JSON → no stack trace; missing resource → clean 404 |
| A05 | Security Misconfiguration | Security headers present; no version disclosure; TRACE disabled |
Access-control and injection checks are hard assertions; header/hardening
checks are informational findings surfaced in the report (the job runs with
--suppress-exit-code, the same philosophy as the ZAP baseline).
Prerequisites: Node.js 18+. Gitleaks and Docker are optional (only for layers 2 and 3 locally).
# install Newman + reporter
npm install
# 1 · SCA
npm run audit
# 4 · API security assertions (opens a report at newman-reports/security-report.html)
npm run test:securityOptional extra layers locally:
# 2 · Secret scan (brew install gitleaks / see gitleaks releases)
npm run gitleaks
# 3 · DAST (requires Docker)
npm run zapActions tab → Security Testing workflow → pick a run → Artifacts:
npm-audit-report— dependency advisories (JSON)zap-baseline-report— ZAP findings (HTML / MD / JSON)newman-security-report— API security assertions (HTML)
Security Testing · SCA · Secret Scanning · DAST · OWASP ZAP ·
OWASP API Security Top 10 · Gitleaks · npm audit · Postman · Newman ·
CI/CD · GitHub Actions · API Testing
Abrar Ragib — github.com/AbrarRagib
Licensed under the MIT License.