Build penetration testing automation with DAST/SAST integration in CI

[Smartdevs17]

Context

Security testing is performed manually on a quarterly basis. Vulnerabilities may go undetected for weeks between testing cycles.

Current Limitation/Problem

No automated security scanning in CI pipeline. No SAST, DAST, dependency scanning, or container scanning runs on PRs.

Expected Outcome

Automated security pipeline: SAST (Semgrep), DAST (OWASP ZAP), dependency scanning (Snyk/Dependabot), and container scanning (Trivy) running on every PR and merge to main.

Acceptance Criteria

• SAST: Semgrep rules for OWASP Top 10 (SQL injection, XSS, CSRF, IDOR, SSRF)
• DAST: OWASP ZAP baseline scan against sandbox deployment
• Dependency scanning: Snyk or Dependabot on package.json, Cargo.toml, requirements.txt
• Container scanning: Trivy on Docker images for vulnerable base layers and OS packages
• CI gate: critical vulnerabilities block merge, high severity requires manual review by security team
• Security dashboard: finding severity, age, fix guidance, SLA (critical <24h, high <72h)
• False positive management: suppress with justification in .snyk or semgrep-suppressions
• Edge case: rate limiting on ZAP scanner (retry with backoff, 5 min between scans)

Technical Scope

• .github/workflows/security-scan.yml - CI security workflow
• .semgrep/ - custom Semgrep rules for subscription domain
• scripts/zap-baseline-scan.sh - ZAP automation with GitHub Actions
• Dockerfile - Trivy scan integration in build step
• docs/SECURITY.md - security testing policy and SLA

[Flamki]

@Flamki has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

i would love to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Flamki to this issue.

[alamuoyeemmanuel7-create]

@alamuoyeemmanuel7-create has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hello please I'd like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @alamuoyeemmanuel7-create to this issue.

[drips-wave]

Congratulations, @Flamki! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @Flamki: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊