@chain305/x-security 0.2.4 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +39 -0
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -89,6 +89,45 @@ xsecurity validate api.yaml --target kong --gateway http://localhost:8001
89
89
 
90
90
  Run `xsecurity <command> --help` for full flags.
91
91
 
92
+ ## Support matrix
93
+
94
+ ### Compile & deploy targets
95
+
96
+ `xsecurity generate --target <name>` compiles one annotated spec to any of these. Two are hosted deploys; the rest are self-hosted bundles you drop into your gateway.
97
+
98
+ | Target (`--target`) | What it is | Delivery | Status |
99
+ | --- | --- | --- | --- |
100
+ | `cloudflare` | Cloudflare Ruleset Engine + WAF | hosted deploy | GA |
101
+ | `aws-apigw` | AWS API Gateway + WAFv2 | hosted deploy | beta |
102
+ | `kong` | Kong Gateway (decK plugin config) | self-hosted bundle | beta |
103
+ | `coraza` | Coraza / ModSecurity WAF (SecLang) | self-hosted bundle | beta |
104
+ | `coraza` *(nginx preset)* | NGINX + libcoraza | self-hosted bundle | beta |
105
+ | `bunkerweb` | BunkerWeb (OpenResty WAF) | self-hosted bundle | beta |
106
+ | `openappsec` | Check Point Open AppSec WAF | self-hosted bundle | beta |
107
+ | `envoy` | Envoy (ext_proc / Lua filter) | self-hosted bundle | alpha |
108
+ | `firewall` | Host firewall (iptables) | self-hosted bundle | SSRF egress only¹ |
109
+
110
+ ¹ `firewall` is L3/L4 — it enforces only API7 SSRF egress via `domainAllowlist`; it can't introspect HTTP, so it's not on the coverage matrix below.
111
+
112
+ ### OWASP API Top 10 coverage per target
113
+
114
+ How much of each class a target can **enforce natively**. 🟢 full · 🟡 partial · 🔴 gap · ⚪ not yet measured.
115
+
116
+ | OWASP API class | Cloudflare | AWS API GW | BunkerWeb |
117
+ | --- | :--: | :--: | :--: |
118
+ | API1 · Broken Object Level Auth (BOLA) | 🔴 | 🔴 | 🔴 |
119
+ | API2 · Broken Authentication | 🟡 | 🟡 | 🟡 |
120
+ | API3 · Broken Object Property Auth (BOPLA) | 🟡 | 🟡 | 🟡 |
121
+ | API4 · Unrestricted Resource Consumption | 🟢 | 🟡 | 🟡 |
122
+ | API5 · Broken Function Level Auth (BFLA) | 🟡 | 🟡 | 🟡 |
123
+ | API6 · Unrestricted Access to Business Flows | 🟡 | 🟡 | 🟡 |
124
+ | API7 · Server-Side Request Forgery (SSRF) | 🔴 | 🔴 | 🟢 |
125
+ | API8 · Security Misconfiguration | 🟡 | 🟡 | 🟡 |
126
+ | API9 · Improper Inventory Management | 🔴 | 🔴 | 🟡 |
127
+ | API10 · Unsafe Consumption of APIs | 🟡 | 🟡 | 🟡 |
128
+
129
+ Only these three targets are independently **measured** today; Kong, Coraza, NGINX, Envoy and OpenAppSec compile the same policy but aren't yet published with a per-class measurement (⚪). Authorization classes (**API1**, **API5**) rise when JWT **identity** is wired — with identity context API1 reaches 🟡 on Cloudflare and 🟢 on AWS, and API5 reaches 🟢 on AWS. Full per-field matrix (incl. the Writ-native injection / prompt-injection / audit classes): **[usewaf.com/coverage](https://usewaf.com/coverage)**.
130
+
92
131
  ## License
93
132
 
94
133
  Apache-2.0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@chain305/x-security",
3
- "version": "0.2.4",
3
+ "version": "0.2.5",
4
4
  "description": "x-security CLI — generate/validate/test/report/diff/init against multiple gateway targets",
5
5
  "license": "Apache-2.0",
6
6
  "homepage": "https://usewaf.com",