fya v0.3.0

@ayam04 released this 01 Jul 11:43

The "test a real app" release.

New capabilities

  • Authenticated scanning: --header/-H, --cookie, --bearer
  • Scope and budget controls: --include / --exclude path regexes, --max-requests
  • Baseline for CI: --write-baseline and --baseline to suppress known findings, so --fail-on only trips on new ones
  • Optional headless-browser crawler for single-page apps: --spa (needs the [browser] extra)

New checks (36 total)

  • CSP policy weakness analysis
  • JWT checks: algorithm, expiry, and sensitive claims in the payload
  • Outdated JavaScript libraries
  • security.txt and robots.txt presence/content checks

Correctness and robustness (from a full internal audit)

  • Reflected XSS: confidence scoring plus a content-type gate, so reflections in non-HTML responses are not reported as XSS
  • SSTI: baseline comparison plus a two-factor confirmation before reporting
  • CSRF: aware of SameSite cookie attributes and meta-tag tokens
  • CORS: wildcard-origin detection is now accurate
  • Verbose-error detection compares against a baseline response
  • sqlmap integration requires the real "is vulnerable" banner before a finding is raised
  • External-tool timeouts keep the partial output produced so far
  • TLS certificate parsing now uses the cryptography library
  • APK: detection of implicitly exported components

Quality

  • SARIF output: stable fingerprints and per-rule help text
  • Plugin discovery via entry points
  • py.typed marker and mypy configuration
  • Coverage reporting in CI
  • Dockerfile, pre-commit hooks, CHANGELOG, and issue/PR templates
  • New tests: false-positive control on a hardened app, integration-parser tests, APK-manifest unit test

Upgrade: pip install -U fya