fya v0.3.0
The "test a real app" release.
New capabilities
- Authenticated scanning: --header/-H, --cookie, --bearer
- Scope and budget controls: --include / --exclude path regexes, --max-requests
- Baseline for CI: --write-baseline and --baseline to suppress known findings, so --fail-on only trips on new ones
- Optional headless-browser crawler for single-page apps: --spa (needs the [browser] extra)
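To make the baseline mechanism concrete, here is an added illustration (not fya's own code) of what `--write-baseline` / `--baseline` / `--fail-on` describe: each finding gets a stable fingerprint from its rule and location, the baseline is the set of accepted fingerprints, and the CI gate only considers findings whose fingerprint is absent from that set. Rule names, URLs and the severity scale are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass

# Severity order used by the fail-on threshold (constructed for this example).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str    # hypothetical rule name, e.g. "reflected-xss"
    url: str
    parameter: str  # empty string when the finding is not tied to a parameter
    severity: str


def fingerprint(f: Finding) -> str:
    """Stable identity for a finding, in the spirit of a SARIF partial fingerprint.

    Only rule id and location go in: severity and message text are excluded so
    that a re-rated or re-worded finding is still matched by an existing baseline.
    """
    key = "|".join((f.rule_id, f.url, f.parameter)).encode("utf-8")
    return hashlib.sha256(key).hexdigest()[:16]


def baseline_to_json(findings) -> str:
    """What a write-baseline step would persist: the set of accepted fingerprints."""
    fps = sorted({fingerprint(f) for f in findings})
    return json.dumps({"fingerprints": fps}, indent=2)


def baseline_from_json(text: str) -> set[str]:
    """What a baseline load would produce. An empty file means 'suppress nothing'."""
    if not text.strip():
        return set()
    data = json.loads(text)
    return set(data.get("fingerprints", []))


def new_findings(findings, baseline: set[str]) -> list[Finding]:
    """Findings not covered by the baseline: the ones a CI gate should look at."""
    return [f for f in findings if fingerprint(f) not in baseline]


def should_fail(findings, baseline: set[str], fail_on: str = "high") -> bool:
    """True if any *new* finding is at or above the fail-on threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return any(
        SEVERITY_RANK[f.severity] >= threshold
        for f in new_findings(findings, baseline)
    )


# Constructed sample runs (not real scan output).
FIRST_RUN = [
    Finding("missing-csp", "https://app.example/", "", "medium"),
    Finding("reflected-xss", "https://app.example/search", "q", "high"),
]
SECOND_RUN = FIRST_RUN + [
    Finding("cors-wildcard", "https://app.example/api/me", "", "high"),
]


if __name__ == "__main__":
    # First run: accept the known findings as the baseline.
    baseline = baseline_from_json(baseline_to_json(FIRST_RUN))
    # Second run: only the CORS finding is new, so the gate trips on it.
    print("new:", [f.rule_id for f in new_findings(SECOND_RUN, baseline)])
    print("fail:", should_fail(SECOND_RUN, baseline, fail_on="high"))
```

The design choice worth noting is what goes into the fingerprint: tying it to rule and location (not severity or message) means a baseline keeps suppressing a known issue across scanner upgrades that re-word or re-rate it, while any finding at a new location still surfaces.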
New checks (36 total)
- CSP policy weakness analysis, JWT algorithm/expiry/sensitive-claims, outdated JS libraries, security.txt and robots.txt
Correctness and robustness (from a full internal audit)
- Reflected XSS: confidence scoring plus a content-type gate
- SSTI: baseline comparison plus two-factor confirmation
- CSRF: SameSite and meta-tag awareness
- CORS: accurate wildcard handling
- Verbose errors: baseline comparison
- sqlmap: a finding requires the real "is vulnerable" banner
- External tools: timeouts keep partial output
- TLS: certificate parsing via cryptography
- APK: detection of implicitly exported components
Quality
- SARIF output: fingerprints and rule help
- Plugin discovery via entry points
- py.typed marker and mypy config
- Coverage in CI
- Dockerfile, pre-commit, CHANGELOG, issue/PR templates
- New tests: false-positive control on a hardened app, integration-parser tests, APK-manifest unit test
Upgrade: pip install -U fya