Skip to content

AbrarRagib/Security-Testing

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 

Repository files navigation

🔒 Security-Testing

Security Testing License: MIT OWASP API Top 10

A hands-on API security testing suite that runs four independent layers of security checks in CI against the Restful-Booker API — covering the three places a vulnerability hides: your dependencies, your repository, and the running service itself.

Every layer runs automatically on push, on every pull request, on a weekly schedule, and on demand, and uploads a downloadable report.


What's inside

# Layer Tool Protects against Type
1 SCA npm audit Known-vulnerable dependencies Static · supply-chain
2 Secret scanning Gitleaks Keys / passwords / tokens committed to git Static · repo-history
3 DAST OWASP ZAP Insecure config & missing headers on the live API Dynamic · black-box
4 API security Newman + Postman OWASP API Top 10 (auth, injection, error leakage) Dynamic · assertion-based

📖 Full technical write-up, tool-by-tool, with interview talking points: SECURITY-TESTING.md


Repository structure

Security-Testing/
├── .github/workflows/
│   └── security.yml                              # CI pipeline — 4 security jobs
├── .zap/
│   └── rules.tsv                                 # OWASP ZAP rule tuning
├── postman/
│   ├── Restful-Booker-Security-Tests.postman_collection.json   # OWASP API Top 10 tests
│   └── environments/
│       └── qa.postman_environment.json           # target base URL
├── .gitleaks.toml                                # secret-scan rules + allowlist
├── package.json                                  # scripts + Newman devDeps
├── SECURITY-TESTING.md                           # deep-dive documentation
├── LICENSE
└── README.md

The 4 layers at a glance

1 · SCA — dependency scanning (npm audit)

Software Composition Analysis. Gates the build on high/critical advisories in production dependencies (--omit=dev — "gate on what ships"), and uploads a full-tree JSON report covering dev tooling too ("report on everything").

2 · Secret scanning (Gitleaks)

Scans the entire git history (not just the latest commit) for accidentally committed credentials, using 100+ built-in detection rules plus a small allowlist in .gitleaks.toml for the public demo login.

3 · DAST — OWASP ZAP baseline

Dynamic testing of the running API. A passive baseline scan (safe for a shared practice server) checks for missing security headers, version disclosure, cookie flags and cache-control issues. Findings are reported as artifacts, not hard-gated, and tunable via .zap/rules.tsv.

4 · API security assertions (Newman + Postman)

13 explicit checks organised by the OWASP API Security Top 10:

Folder Category Example check
A01 Broken Access Control DELETE/PUT/PATCH without a token → 401/403/405
A07 Authentication Failures Invalid / empty credentials → no token issued
A03 Injection SQLi must not bypass auth; no DB-error / 500 leakage; XSS not reflected
A04 Error Handling Malformed JSON → no stack trace; missing resource → clean 404
A05 Security Misconfiguration Security headers present; no version disclosure; TRACE disabled

Access-control and injection checks are hard assertions; header/hardening checks are informational findings surfaced in the report (the job runs with --suppress-exit-code, the same philosophy as the ZAP baseline).


Run it locally

Prerequisites: Node.js 18+. Gitleaks and Docker are optional (only for layers 2 and 3 locally).

# install Newman + reporter
npm install

# 1 · SCA
npm run audit

# 4 · API security assertions (opens a report at newman-reports/security-report.html)
npm run test:security

Optional extra layers locally:

# 2 · Secret scan   (brew install gitleaks  /  see gitleaks releases)
npm run gitleaks

# 3 · DAST          (requires Docker)
npm run zap

View results in CI

Actions tab → Security Testing workflow → pick a run → Artifacts:

  • npm-audit-report — dependency advisories (JSON)
  • zap-baseline-report — ZAP findings (HTML / MD / JSON)
  • newman-security-report — API security assertions (HTML)

Skills demonstrated

Security Testing · SCA · Secret Scanning · DAST · OWASP ZAP · OWASP API Security Top 10 · Gitleaks · npm audit · Postman · Newman · CI/CD · GitHub Actions · API Testing


Author

Abrar Ragibgithub.com/AbrarRagib

Licensed under the MIT License.

Releases

No releases published

Packages

 
 
 

Contributors