@wazir-dev/cli 1.0.0

package/expertise/security/testing/vulnerability-scanning.md

@@ -0,0 +1,1062 @@
+# Vulnerability Scanning
+
+> **Purpose:** Reference for AI agents to understand vulnerability scanning methodology, guide
+> scan configuration and scheduling, interpret scan results, and assist with remediation
+> prioritization. Covers SAST, DAST, IAST, and SCA across infrastructure, applications, and
+> containers. This module is strictly DEFENSIVE.
+> **Last updated:** 2026-03-08
+> **Sources:** OWASP Testing Guide v5, NIST SP 800-115, PCI-DSS v4.0 (Req 11.2/11.3),
+> CVSS v3.1/v4.0, FIRST EPSS, NVD, ProjectDiscovery Nuclei, Trivy v0.68, Semgrep,
+> OWASP ZAP, VulnCheck State of Exploitation 2026
+
+---
+
+## Threat Landscape
+
+### Why Vulnerability Scanning Matters
+
+Vulnerability scanning is the systematic, automated examination of systems, applications, and
+infrastructure to identify known security weaknesses before adversaries exploit them. Unlike
+penetration testing (which relies on human creativity and chained exploitation), vulnerability
+scanning provides breadth-first coverage at a scale and frequency that manual testing cannot match.
+
+Key statistics:
+
+- A record 48,185 CVEs were published in 2025, with 3,984 rated critical (NVD).
+- Over 21,500 CVEs were disclosed in the first half of 2026 alone — a 16-18% increase YoY.
+- VulnCheck identified 432 CVEs exploited in the wild in H1 2025; 32.1% were exploited on or
+  before disclosure day (zero-day weaponization).
+- 28.96% of CISA KEVs in 2025 were exploited on or before CVE publication — up from 23.6% in 2024.
+- Average cost of a data breach reached $4.88M in 2024 (IBM Cost of a Data Breach Report).
+- Organizations running weekly vulnerability scans detect exploitable issues 11x faster
+  than those scanning quarterly.
+
+### Real-World Breaches That Scanners Would Have Detected
+
+| Breach / Vulnerability | Year | CVE | Root Cause | Scanner Type |
+|------------------------|------|-----|-----------|--------------|
+| MOVEit Transfer mass exploitation | 2023 | CVE-2023-34362 | SQL injection in file transfer | DAST + SCA |
+| Log4Shell (Apache Log4j) | 2021 | CVE-2021-44228 | JNDI injection in logging lib | SCA |
+| Citrix Bleed | 2023 | CVE-2023-4966 | Buffer overflow in NetScaler | Infrastructure scanner |
+| Spring4Shell | 2022 | CVE-2022-22965 | RCE in Spring Framework | SCA + DAST |
+| Equifax breach | 2017 | CVE-2017-5638 | Unpatched Apache Struts | SCA + infrastructure |
+| SolarWinds Orion | 2020 | CVE-2020-10148 | Supply chain compromise | SCA (SBOM analysis) |
+| XZ Utils backdoor | 2024 | CVE-2024-3094 | Malicious code in compression lib | SCA |
+| React2Shell (React RSC) | 2025 | CVE-2025-8671 | Unauth RCE via Server Components | SCA + SAST |
+| Langflow AI platform | 2025 | CVE-2025-3248 | Critical flaw in AI orchestration | SCA + DAST |
+| Apache Tika SSRF/XXE | 2025 | CVE-2025-66516 | SSRF/XXE via crafted document | SAST + DAST |
+
+### Disclosure-to-Exploitation Timeline Collapse
+
+```text
+2020:  Average 42 days from disclosure to exploitation
+2022:  Average 19 days from disclosure to exploitation
+2024:  Average  5 days from disclosure to exploitation
+2025:  32.1% exploited on or BEFORE disclosure (zero-day)
+```
+
+This trend makes continuous, automated scanning non-negotiable.
+
+---
+
+## Core Security Principles
+
+### The Four Pillars of Vulnerability Scanning
+
+1. **Coverage** — Scan all assets: infrastructure, applications, containers, IaC, dependencies.
+2. **Frequency** — Scan continuously; weekly minimum for infra, on every commit for code.
+3. **Accuracy** — Tune scanners to minimize false positives without suppressing true findings.
+4. **Action** — Every finding must have an owner, a severity, and a remediation deadline.
+
+### Scanning Taxonomy
+
+| Type | Acronym | What It Scans | When | Examples |
+|------|---------|--------------|------|----------|
+| Static Application Security Testing | SAST | Source code, bytecode | Pre-commit, CI | Semgrep, CodeQL, SonarQube |
+| Dynamic Application Security Testing | DAST | Running applications | Post-deploy, staging | OWASP ZAP, Burp Suite, Nuclei |
+| Interactive Application Security Testing | IAST | Instrumented runtime | QA/testing | Contrast Security, Hdiv |
+| Software Composition Analysis | SCA | Dependencies, libraries | CI, scheduled | Trivy, Snyk, Dependabot, Grype |
+| Infrastructure Scanning | Infra | Hosts, networks, services | Scheduled | Nessus, OpenVAS, Qualys |
+| Container Scanning | Container | Images, registries | CI, hooks | Trivy, Grype, Anchore |
+| IaC Scanning | IaC | Terraform, CloudFormation | Pre-commit, CI | Checkov, tfsec, KICS |
+| Cloud Security Posture Mgmt | CSPM | Cloud configurations | Continuous | Prowler, ScoutSuite, Wiz |
+
+### Vulnerability Scoring: CVSS v3.1 and v4.0
+
+| Score Range | v3.1 Rating | Recommended SLA |
+|-------------|-------------|-----------------|
+| 0.0 | None | Informational |
+| 0.1 - 3.9 | Low | 90 days |
+| 4.0 - 6.9 | Medium | 30 days |
+| 7.0 - 8.9 | High | 14 days |
+| 9.0 - 10.0 | Critical | 48 hours |
+
+**CVSS v4.0 improvements** (released Nov 2023, adopted across NVD 2024-2025):
+
+- **Attack Requirements (AT)** — distinguishes "no special conditions" from race conditions.
+- **Threat metrics** — optional group capturing real-world exploitation status.
+- **Supplemental metrics** — safety, automatable, recovery, value density, provider urgency.
+
+### Risk-Based Prioritization (Beyond CVSS)
+
+CVSS alone is insufficient. Combine with:
+
+- **EPSS** — probability a CVE will be exploited in next 30 days. Score > 0.1 (10%) = immediate.
+- **CISA KEV** — if listed, treat as emergency regardless of CVSS.
+- **Asset criticality** — medium finding on payment server outweighs critical on isolated dev VM.
+- **Reachability analysis** — is the vulnerable function actually called in your codebase?
+
+### False Positive Management
+
+1. **Triage within 48 hours** — unreviewed findings become noise.
+2. **Suppress with documentation** — justification + compensating controls + expiry date.
+3. **Track rates** — target < 15% for SAST, < 5% for SCA.
+4. **Feed back** — custom rules, tuned policies, updated ignore lists.
+5. **Periodic review** — re-validate suppressions quarterly.
+
+---
+
+## Implementation Patterns
+
+### Pattern 1: SAST Integration with Semgrep (TypeScript)
+
+```typescript
+// semgrep-runner.ts — Programmatic Semgrep runner for CI pipelines
+import { execSync } from "child_process";
+import { readFileSync } from "fs";
+
+interface SemgrepFinding {
+  check_id: string;
+  path: string;
+  start: { line: number; col: number };
+  extra: {
+    severity: "ERROR" | "WARNING" | "INFO";
+    message: string;
+    metadata: { cwe?: string[]; owasp?: string[] };
+  };
+}
+
+interface ScanResult {
+  findings: SemgrepFinding[];
+  criticalCount: number;
+  passed: boolean;
+}
+
+function runSastScan(targetDir: string, config = "auto"): ScanResult {
+  const out = "/tmp/semgrep-results.json";
+  try {
+    execSync(
+      `semgrep scan --config=${config} --json --output=${out} ${targetDir}`,
+      { stdio: "pipe", timeout: 300_000 }
+    );
+  } catch {
+    // Semgrep exits non-zero when findings exist — expected
+  }
+
+  const raw = JSON.parse(readFileSync(out, "utf-8"));
+  const findings: SemgrepFinding[] = raw.results ?? [];
+  const criticalCount = findings.filter(
+    (f) => f.extra.severity === "ERROR"
+  ).length;
+
+  return { findings, criticalCount, passed: criticalCount === 0 };
+}
+
+// CI quality gate
+const result = runSastScan("./src", "p/security-audit");
+if (!result.passed) {
+  console.error(`SAST FAILED: ${result.criticalCount} critical findings`);
+  process.exit(1);
+}
+```
+
+### Pattern 2: SCA Container Scanning (Python)
+
+```python
+"""trivy_scanner.py — Container and dependency scanning with Trivy."""
+import json
+import subprocess
+import sys
+from dataclasses import dataclass
+
+
+@dataclass
+class VulnFinding:
+    vuln_id: str
+    pkg_name: str
+    installed_version: str
+    fixed_version: str
+    severity: str
+    cvss_score: float
+
+
+def scan_image(image: str, threshold: str = "HIGH") -> list[VulnFinding]:
+    """Scan a container image, return findings >= threshold."""
+    result = subprocess.run(
+        ["trivy", "image", "--format", "json",
+         "--severity", f"{threshold},CRITICAL", image],
+        capture_output=True, text=True, timeout=300,
+    )
+    data = json.loads(result.stdout)
+    findings: list[VulnFinding] = []
+
+    for target in data.get("Results", []):
+        for vuln in target.get("Vulnerabilities", []):
+            findings.append(VulnFinding(
+                vuln_id=vuln["VulnerabilityID"],
+                pkg_name=vuln["PkgName"],
+                installed_version=vuln.get("InstalledVersion", "unknown"),
+                fixed_version=vuln.get("FixedVersion", "no fix"),
+                severity=vuln["Severity"],
+                cvss_score=vuln.get("CVSS", {}).get("nvd", {}).get("V3Score", 0.0),
+            ))
+    return sorted(findings, key=lambda f: f.cvss_score, reverse=True)
+
+
+def enforce_gate(findings: list[VulnFinding], max_critical: int = 0) -> bool:
+    critical = [f for f in findings if f.severity == "CRITICAL"]
+    if len(critical) > max_critical:
+        for f in critical:
+            print(f"  CRITICAL: {f.vuln_id} in {f.pkg_name}@{f.installed_version}")
+        return False
+    return True
+
+
+if __name__ == "__main__":
+    img = sys.argv[1] if len(sys.argv) > 1 else "myapp:latest"
+    vulns = scan_image(img)
+    if not enforce_gate(vulns):
+        sys.exit(1)
+    print(f"Scan passed: {len(vulns)} findings, 0 critical")
+```
+
+### Pattern 3: Secure Dependency Lockfile Verification (TypeScript)
+
+```typescript
+// verify-deps.ts — Verify lockfile integrity before install
+import { execSync } from "child_process";
+import { createHash } from "crypto";
+import { readFileSync } from "fs";
+
+function verifyLockfileIntegrity(lockfilePath: string): boolean {
+  const lockfile = readFileSync(lockfilePath, "utf-8");
+  const parsed = JSON.parse(lockfile);
+
+  for (const [name, meta] of Object.entries(parsed.packages ?? {})) {
+    const pkg = meta as { integrity?: string };
+    if (name && !pkg.integrity) {
+      console.error(`Missing integrity hash: ${name}`);
+      return false;
+    }
+  }
+
+  // Compare to committed version to detect tampering
+  try {
+    const committed = execSync(`git show HEAD:${lockfilePath}`, {
+      encoding: "utf-8",
+    });
+    const cur = createHash("sha256").update(lockfile).digest("hex");
+    const prev = createHash("sha256").update(committed).digest("hex");
+    if (cur !== prev) {
+      console.warn("Lockfile modified since last commit — review changes");
+    }
+  } catch {
+    console.warn("No committed lockfile — first-time setup");
+  }
+  return true;
+}
+```
+
+---
+
+## Vulnerability Catalog
+
+### Critical Vulnerability Classes Detected by Scanners
+
+| CWE | Name | Severity | Scanner Type | Example Pattern |
+|-----|------|----------|-------------|----------------|
+| CWE-89 | SQL Injection | Critical | SAST, DAST | `query("SELECT * FROM users WHERE id=" + userId)` |
+| CWE-79 | Cross-Site Scripting (XSS) | High | SAST, DAST | `innerHTML = userInput` |
+| CWE-78 | OS Command Injection | Critical | SAST, DAST | `exec("ping " + hostname)` |
+| CWE-502 | Unsafe Deserialization | Critical | SAST, IAST | `pickle.loads(user_data)` |
+| CWE-611 | XML External Entity (XXE) | High | SAST, DAST | XML parser with external entities enabled |
+| CWE-918 | Server-Side Request Forgery | High | SAST, DAST | `fetch(userProvidedUrl)` without allowlist |
+| CWE-1321 | Prototype Pollution | High | SAST, SCA | `merge(target, JSON.parse(userInput))` |
+| CWE-327 | Broken Cryptography | Medium | SAST | MD5/SHA1 for password hashing |
+| CWE-798 | Hard-coded Credentials | Critical | SAST, Secrets | `const API_KEY = "sk-live-abc123"` |
+| CWE-1104 | Unmaintained Component | Medium | SCA | Dependency with no updates in 2+ years |
+| CWE-269 | Improper Privilege Mgmt | High | CSPM, IaC | IAM `Action: *` on all resources |
+| CWE-295 | Improper Cert Validation | High | SAST, DAST | `rejectUnauthorized: false` |
+| CWE-434 | Unrestricted File Upload | Critical | DAST, SAST | No file type/content validation |
+
+### Dependency Vulnerabilities (SCA Focus)
+
+```text
+CRIT: log4j-core < 2.17.1     — Remote code execution   (CVE-2021-44228)
+CRIT: spring-core < 5.3.18    — RCE via data binding     (CVE-2022-22965)
+CRIT: xz-utils 5.6.0-5.6.1   — Backdoor in compression  (CVE-2024-3094)
+HIGH: lodash < 4.17.21        — Prototype pollution       (CVE-2021-23337)
+HIGH: jsonwebtoken < 9.0.0    — Algorithm confusion       (CVE-2022-23529)
+HIGH: axios < 1.6.0           — SSRF via protocol bypass  (CVE-2023-45857)
+```
+
+### Container Image Findings
+
+| Finding | Severity | Remediation |
+|---------|----------|-------------|
+| Base image has known CVEs in glibc | High | Switch to distroless or Alpine |
+| Container runs as root | Medium | Add `USER nonroot` to Dockerfile |
+| Secrets baked into image layer | Critical | Use runtime secrets injection |
+| Package manager cache not cleared | Low | `rm -rf /var/lib/apt/lists/*` |
+| Outdated OS packages | Variable | Rebuild with updated base image |
+
+---
+
+## Security Checklist
+
+### Pre-Deployment Gate
+
+- [ ] SAST scan passes — zero critical/high findings or documented exceptions
+- [ ] SCA scan passes — no known critical CVEs in dependencies
+- [ ] Container image scan passes — base image updated within 30 days
+- [ ] IaC scan passes — no public buckets, no overprivileged IAM, no open security groups
+- [ ] Secrets scan passes — no hardcoded credentials, API keys, or tokens
+- [ ] DAST baseline completed (staging) — zero high-severity findings
+- [ ] License compliance verified — no GPL in proprietary code (if applicable)
+- [ ] SBOM generated — CycloneDX or SPDX stored alongside release artifacts
+
+### Scanning Cadence
+
+- [ ] **Every PR:** SAST, SCA, secrets scan, IaC scan
+- [ ] **Weekly:** Full DAST active scan against staging
+- [ ] **Weekly:** Infrastructure vulnerability scan (Nessus/OpenVAS/Qualys)
+- [ ] **Monthly:** Full container registry scan of all deployed images
+- [ ] **Quarterly:** External ASV scan (PCI requirement)
+- [ ] **On-demand:** Ad-hoc scans on new critical CVE disclosures
+
+### False Positive Review
+
+- [ ] Finding reviewed by security engineer within 48 hours
+- [ ] Suppression justified in writing with compensating controls
+- [ ] Suppression has expiry date (max 90 days)
+- [ ] Suppressions tracked in central register
+- [ ] Quarterly audit of all active suppressions
+
+### Remediation Workflow
+
+- [ ] Finding assigned to owner within SLA
+- [ ] Root cause identified (not just symptom)
+- [ ] Fix verified by re-scan
+- [ ] Regression test added
+- [ ] Postmortem documented for critical/high findings
+
+---
+
+## Tools & Automation
+
+### SAST: Semgrep Configuration
+
+```yaml
+# .semgrep.yml
+rules:
+  - id: sql-injection-string-concat
+    patterns:
+      - pattern: |
+          $QUERY = "..." + $INPUT + "..."
+      - metavariable-pattern:
+          metavariable: $INPUT
+          pattern-not: "..."
+    message: >
+      SQL injection via string concatenation. Use parameterized queries.
+    severity: ERROR
+    languages: [typescript, javascript]
+    metadata:
+      cwe: ["CWE-89: SQL Injection"]
+      owasp: ["A03:2021 - Injection"]
+
+  - id: hardcoded-secret
+    pattern-regex: (?i)(api[_-]?key|secret|password|token)\s*[:=]\s*["'][a-zA-Z0-9+/=]{16,}["']
+    paths:
+      exclude: ["**/*test*", "**/*mock*"]
+    message: Hardcoded secret detected. Use env vars or secrets manager.
+    severity: ERROR
+    languages: [generic]
+    metadata:
+      cwe: ["CWE-798: Hard-coded Credentials"]
+
+  - id: insecure-tls
+    patterns:
+      - pattern: rejectUnauthorized: false
+    message: TLS validation disabled — allows MITM attacks.
+    severity: WARNING
+    languages: [typescript, javascript]
+    metadata:
+      cwe: ["CWE-295: Improper Certificate Validation"]
+```
+
+```bash
+# CI execution with quality gate
+semgrep scan --config=p/security-audit --config=.semgrep.yml \
+  --json --output=semgrep.json --error --severity=ERROR src/
+```
+
+### DAST: OWASP ZAP Automation Framework
+
+```yaml
+# zap-automation.yaml
+env:
+  contexts:
+    - name: "target-app"
+      urls: ["https://staging.example.com"]
+      includePaths: ["https://staging.example.com/.*"]
+      excludePaths: ["https://staging.example.com/logout.*"]
+      authentication:
+        method: "json"
+        parameters:
+          loginRequestUrl: "https://staging.example.com/api/auth/login"
+          loginRequestBody: '{"email":"{%username%}","password":"{%password%}"}'
+        verification:
+          method: "response"
+          loggedInRegex: '"token":".+"'
+      users:
+        - name: "test-user"
+          credentials:
+            username: "${ZAP_AUTH_USER}"
+            password: "${ZAP_AUTH_PASS}"
+jobs:
+  - type: spider
+    parameters: { context: "target-app", user: "test-user", maxDuration: 5 }
+  - type: spiderAjax
+    parameters: { context: "target-app", user: "test-user", maxDuration: 5 }
+  - type: passiveScan-wait
+    parameters: { maxDuration: 10 }
+  - type: activeScan
+    parameters:
+      context: "target-app"
+      user: "test-user"
+      maxScanDurationInMins: 30
+      policy: "API-Scan"
+  - type: report
+    parameters:
+      template: "traditional-json"
+      reportDir: "/zap/reports"
+      reportFile: "zap-report.json"
+    risks: [high, medium]
+```
+
+```bash
+# Run ZAP in CI via Docker
+docker run --rm \
+  -v $(pwd)/zap-automation.yaml:/zap/wrk/zap-automation.yaml:ro \
+  -v $(pwd)/reports:/zap/reports \
+  -e ZAP_AUTH_USER="${ZAP_AUTH_USER}" \
+  -e ZAP_AUTH_PASS="${ZAP_AUTH_PASS}" \
+  ghcr.io/zaproxy/zaproxy:stable \
+  zap.sh -cmd -autorun /zap/wrk/zap-automation.yaml
+```
+
+### SCA: Trivy Multi-Target Scanning
+
+```bash
+# Container image scan
+trivy image --severity CRITICAL,HIGH --format json --output trivy-image.json myapp:latest
+
+# Filesystem / dependency scan
+trivy fs --severity CRITICAL,HIGH --format json --output trivy-fs.json ./
+
+# IaC scan (Terraform, CloudFormation, Kubernetes)
+trivy config --severity CRITICAL,HIGH --format json --output trivy-iac.json ./infra/
+
+# SBOM generation (CycloneDX)
+trivy fs --format cyclonedx --output sbom.cdx.json ./
+
+# Scan an existing SBOM for new vulnerabilities
+trivy sbom sbom.cdx.json --severity CRITICAL,HIGH
+```
+
+### Infrastructure: Nuclei Template Scanning
+
+```yaml
+# custom-template.yaml — Detect exposed internal services
+id: internal-service-exposure
+info:
+  name: Internal Service Publicly Accessible
+  author: security-team
+  severity: high
+  tags: internal,exposure,misconfiguration
+  metadata:
+    cwe-id: CWE-668
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/actuator/health"
+      - "{{BaseURL}}/debug/vars"
+      - "{{BaseURL}}/_cluster/health"
+      - "{{BaseURL}}/server-status"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words: ['"status":"UP"', "cmdline", '"cluster_name"', "Apache Server Status"]
+        condition: or
+      - type: status
+        status: [200]
+```
+
+```bash
+nuclei -l targets.txt -t /path/to/nuclei-templates/ -t ./custom-templates/ \
+  -severity critical,high -rate-limit 100 -json -output nuclei-results.json
+```
+
+### Secrets: Gitleaks Configuration
+
+```toml
+# .gitleaks.toml
+title = "Custom Gitleaks Config"
+
+[extend]
+useDefault = true
+
+[[rules]]
+id = "custom-internal-api-key"
+description = "Internal API Key"
+regex = '''internal[_-]?api[_-]?key\s*[:=]\s*["']?[a-zA-Z0-9]{32,}["']?'''
+entropy = 3.5
+keywords = ["internal_api_key", "internal-api-key"]
+
+[allowlist]
+paths = ['''(^|/)test[s]?/''', '''\.md$''', '''\.example$''']
+```
+
+### CI/CD Pipeline: GitHub Actions
+
+```yaml
+# .github/workflows/security-scan.yml
+name: Security Scanning Pipeline
+on:
+  pull_request:
+    branches: [main, develop]
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"  # Weekly Monday 6AM UTC
+
+jobs:
+  sast:
+    name: SAST — Semgrep
+    runs-on: ubuntu-latest
+    container: { image: "semgrep/semgrep:latest" }
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep scan --config=auto --config=p/security-audit --json --output=semgrep.json --error src/
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with: { name: semgrep-results, path: semgrep.json }
+
+  sca:
+    name: SCA — Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          scan-ref: "."
+          format: json
+          output: trivy-fs.json
+          severity: CRITICAL,HIGH
+          exit-code: "1"
+
+  container-scan:
+    name: Container — Trivy Image
+    runs-on: ubuntu-latest
+    needs: [sast]
+    steps:
+      - uses: actions/checkout@v4
+      - run: docker build -t myapp:${{ github.sha }} .
+      - uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: myapp:${{ github.sha }}
+          format: json
+          output: trivy-image.json
+          severity: CRITICAL,HIGH
+          exit-code: "1"
+
+  secrets-scan:
+    name: Secrets — Gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - uses: gitleaks/gitleaks-action@v2
+        env: { GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" }
+
+  dast:
+    name: DAST — ZAP (Staging)
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    needs: [sast, sca, container-scan]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: zaproxy/action-baseline@v0.14.0
+        with:
+          target: ${{ vars.STAGING_URL }}
+          rules_file_name: zap-rules.tsv
+          cmd_options: "-a -j"
+```
+
+### Tool Comparison Matrix
+
+| Tool | Type | License | CI Integration | False Positive Rate |
+|------|------|---------|----------------|---------------------|
+| Semgrep | SAST | OSS (LGPL-2.1) | Native | Low |
+| CodeQL | SAST | Free for OSS | GitHub native | Low |
+| SonarQube | SAST+Quality | Community/Paid | Plugins | Medium |
+| OWASP ZAP | DAST | OSS (Apache-2.0) | Docker/Actions | Medium |
+| Burp Suite | DAST | Commercial | CI extension | Low |
+| Nuclei | DAST/Infra | OSS (MIT) | CLI | Low |
+| Trivy | SCA+Container+IaC | OSS (Apache-2.0) | Native Actions | Low |
+| Snyk | SCA+Container | Freemium | Native | Low |
+| Grype | SCA+Container | OSS (Apache-2.0) | CLI | Low |
+| Nessus | Infrastructure | Commercial | API | Low |
+| OpenVAS | Infrastructure | OSS (GPL) | API | Medium |
+| Qualys | Infrastructure+Cloud | Commercial | API/Agents | Low |
+| Gitleaks | Secrets | OSS (MIT) | Native Actions | Low |
+| Checkov | IaC | OSS (Apache-2.0) | CLI | Low |
+
+---
+
+## Platform-Specific Guidance
+
+### Web Applications
+
+- Authenticate DAST scanners using the same auth flow as real users (OAuth, JWT, sessions).
+- Exclude destructive endpoints (DELETE, account termination) from active scans.
+- Run baseline (passive) scans on every PR deploy; full active scans weekly on staging.
+- Import OpenAPI/Swagger specs into ZAP or Burp for complete API coverage.
+- SPAs require AJAX spider or browser-based crawling for full page discovery.
+- Focus SAST on server-side for injection; client-side for XSS and DOM manipulation.
+- Template engines (Handlebars, EJS, Jinja2) need framework-specific rules.
+
+### Mobile Applications
+
+- **Binary analysis:** MobSF for APK/IPA static analysis.
+- **Hardcoded secrets:** Mobile binaries frequently embed API keys and certificates.
+- **Insecure storage:** Check SharedPreferences (Android) / UserDefaults (iOS) for unencrypted data.
+- **Certificate pinning:** Verify implementation and resistance to bypass.
+- **Third-party SDKs:** SCA scan all bundled SDKs — many bundle vulnerable native libraries.
+
+```bash
+# MobSF static analysis via Docker
+docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
+curl -F "file=@app-release.apk" http://localhost:8000/api/v1/upload \
+  -H "Authorization: ${MOBSF_API_KEY}"
+```
+
+### Cloud Infrastructure (AWS/GCP/Azure)
+
+| Layer | Tool | What It Detects |
+|-------|------|----------------|
+| IaC (pre-deploy) | Checkov, tfsec, KICS | Misconfigurations before production |
+| Runtime config | Prowler, ScoutSuite | Drift from secure baselines |
+| Containers | Trivy, Grype | Vulnerable packages in deployed images |
+| Kubernetes | kubeaudit, kube-bench | CIS benchmark violations |
+| Serverless | AWS Inspector | Function-level vulnerabilities |
+
+```bash
+# Prowler — AWS security best practices
+prowler aws --severity critical high --compliance cis_2.0_aws \
+  --output-formats json-ocsf --output-directory ./prowler-results
+
+# AWS Inspector — automated vulnerability management
+aws inspector2 list-findings \
+  --filter-criteria '{"severity":[{"comparison":"EQUALS","value":"CRITICAL"}]}' \
+  --max-results 50
+```
+
+### Kubernetes Continuous Scanning
+
+```yaml
+# Trivy Operator — install via Helm for in-cluster continuous scanning
+# helm install trivy-operator aquasecurity/trivy-operator \
+#   --namespace trivy-system --create-namespace \
+#   --set trivy.severity=CRITICAL,HIGH
+
+# Auto-generated VulnerabilityReport example:
+apiVersion: aquasecurity.github.io/v1alpha1
+kind: VulnerabilityReport
+metadata:
+  name: deployment-myapp
+  namespace: production
+report:
+  vulnerabilities:
+    - vulnerabilityID: CVE-2024-3094
+      resource: xz-utils
+      installedVersion: "5.6.1"
+      fixedVersion: "5.6.2"
+      severity: CRITICAL
+      score: 10.0
+```
+
+---
+
+## Incident Patterns
+
+### Scenario 1: Zero-Day CVE — Emergency Response
+
+**Trigger:** Critical CVE (CVSS 9.0+) disclosed and listed on CISA KEV.
+
+1. **T+0h:** Run targeted SCA scan across all repos and registries for affected package.
+   ```bash
+   trivy fs --severity CRITICAL --format json . | \
+     jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID == "CVE-XXXX-XXXXX")'
+   ```
+2. **T+1h:** Assess blast radius — affected services, reachability, compensating controls.
+3. **T+4h:** Deploy mitigations — WAF rules, network restrictions, config changes.
+4. **T+24h:** Deploy patches — update deps, rebuild containers, redeploy.
+5. **T+48h:** Verify — re-scan all affected systems.
+6. **T+72h:** Postmortem — document timeline, assess detection gaps, update rules.
+
+### Scenario 2: SAST Blocks SQL Injection in PR
+
+1. CI gate blocks merge on CWE-89 finding.
+2. Developer confirms true positive (string concatenation in query).
+3. Fix: replace with parameterized query.
+4. Re-scan passes.
+5. Regression test added for parameterized path.
+
+### Scenario 3: Container Base Image Vulnerability
+
+1. Trivy detects critical CVEs in production container base image.
+2. Assess: is the vulnerable package actually used?
+3. Update `FROM` directive, rebuild, run integration tests.
+4. Rolling deploy to production.
+5. Scan registry for other images using the same base.
+
+### Scenario 4: Secrets Detected in Git History
+
+1. **Rotate immediately** — credential is compromised regardless of repo visibility.
+2. **Audit** — review CloudTrail/audit logs for unauthorized use.
+3. **Remove** — `git filter-repo` or BFG Repo Cleaner (rewrites history).
+4. **Prevent** — pre-commit hook with Gitleaks, server-side push protection.
+5. **Educate** — share anonymized incident as learning opportunity.
+
+### Scan Scheduling Matrix
+
+| Scan Type | Trigger | Frequency | Max Duration | Failure Action |
+|-----------|---------|-----------|-------------|----------------|
+| SAST | PR/push | Every commit | 5 min | Block merge |
+| SCA | PR/push | Every commit | 2 min | Block merge |
+| Secrets | PR/push | Every commit | 1 min | Block merge |
+| Container | Image build | Every build | 3 min | Block deploy |
+| IaC | PR/push | Every commit | 2 min | Block merge |
+| DAST baseline | Staging deploy | On deploy | 15 min | Alert |
+| DAST active | Scheduled | Weekly | 2 hours | Create tickets |
+| Infrastructure | Scheduled | Weekly | 4 hours | Create tickets |
+| Registry sweep | Scheduled | Monthly | 8 hours | Create tickets |
+| External ASV | Scheduled | Quarterly | Variable | Compliance report |
+
+---
+
+## Compliance & Standards
+
+### Scanning Requirements by Framework
+
+| Standard | Requirement | Scanning Type | Frequency |
+|----------|-------------|--------------|-----------|
+| PCI DSS v4.0 (6.3) | Identify/manage vulnerabilities | SCA, SAST | Continuous |
+| PCI DSS v4.0 (11.3.1) | Internal vulnerability scans | Infra, container | Quarterly min |
+| PCI DSS v4.0 (11.3.2) | External scans by ASV | ASV external | Quarterly + changes |
+| NIST 800-115 | Technical security testing | SAST, DAST, infra | Risk-based |
+| NIST 800-53 (RA-5) | Vulnerability monitoring | All types | Continuous |
+| ISO 27001 (A.12.6) | Technical vuln management | Infra, SCA | Per risk assessment |
+| SOC 2 (CC7.1) | Detect/monitor vulnerabilities | All types | Continuous |
+| HIPAA (164.308(a)(8)) | Periodic technical evaluation | Infra, app | Annual minimum |
+| FedRAMP | Continuous monitoring | All types | Monthly OS, annual app |
+| DORA (EU) | ICT risk management, testing | App, infra | Regular, risk-based |
+| NIS2 (EU) | Network/info system security | Infra, app | Regular, risk-based |
+
+### PCI DSS v4.0 ASV Requirements
+
+- **Scope:** All externally accessible IPs and domains in the cardholder data environment.
+- **Frequency:** Quarterly minimum, plus after significant infrastructure changes.
+- **Pass criteria:** No vulnerabilities with CVSS >= 4.0 (after dispute resolution).
+- **Exceptions:** Documented false positives with compensating controls are permitted.
+- **Retention:** ASV scan results retained for at least 12 months.
+- **Methodology:** Must follow PCI SSC ASV Program Guide; recognized methodologies include
+  NIST SP 800-115, OSSTMM, OWASP, and PTES.
+
+### NIST SP 800-115 Scanning Hierarchy
+
+1. **Review techniques** — documentation, log, ruleset review (passive).
+2. **Identification and analysis** — network discovery, port scanning, vulnerability scanning.
+3. **Vulnerability validation** — penetration testing to confirm findings.
+
+Key principles: scan from both internal and external perspectives; credentialed scans
+produce significantly more accurate results; correlate findings with asset inventory
+and threat intelligence.
+
+### SBOM Requirements (Executive Order 14028)
+
+```bash
+# Generate CycloneDX SBOM
+trivy fs --format cyclonedx --output sbom.cdx.json ./
+
+# Generate SPDX SBOM
+trivy fs --format spdx-json --output sbom.spdx.json ./
+
+# Scan existing SBOM for new vulnerabilities
+trivy sbom sbom.cdx.json --severity CRITICAL,HIGH
+```
+
+| Format | Standard Body | Best For |
+|--------|--------------|----------|
+| CycloneDX | OWASP | Security, vulnerability tracking |
+| SPDX | Linux Foundation | License compliance |
+| SWID | ISO/IEC 19770-2 | Software asset management |
+
+---
+
+## Code Examples
+
+### Insecure vs Secure: SQL Query (TypeScript)
+
+```typescript
+// INSECURE — CWE-89: SQL injection via string concatenation
+import { Client } from "pg";
+
+async function getUserInsecure(client: Client, userId: string) {
+  // Attacker passes userId = "1' OR '1'='1" to dump all users
+  const query = `SELECT * FROM users WHERE id = '${userId}'`;
+  return (await client.query(query)).rows;
+}
+
+// SECURE — Parameterized query, immune to injection
+async function getUserSecure(client: Client, userId: string) {
+  const query = "SELECT * FROM users WHERE id = $1";
+  return (await client.query(query, [userId])).rows;
+}
+```
+
+### Insecure vs Secure: Command Execution (Python)
+
+```python
+# INSECURE — CWE-78: Shell injection via unsanitized input
+import os
+
+def ping_host_insecure(hostname: str) -> str:
+    # Attacker passes "8.8.8.8; cat /etc/passwd"
+    return os.popen(f"ping -c 4 {hostname}").read()
+
+
+# SECURE — subprocess with argument list, no shell interpolation
+import re
+import subprocess
+
+def ping_host_secure(hostname: str) -> str:
+    if not re.match(r"^[a-zA-Z0-9.\-]+$", hostname):
+        raise ValueError(f"Invalid hostname: {hostname}")
+    result = subprocess.run(
+        ["ping", "-c", "4", hostname],
+        capture_output=True, text=True, timeout=30, shell=False,
+    )
+    return result.stdout
+```
+
+### Insecure vs Secure: Deserialization (Python)
+
+```python
+# INSECURE — CWE-502: Pickle deserialization of untrusted data
+import pickle
+
+def load_data_insecure(raw: bytes) -> dict:
+    return pickle.loads(raw)  # Attacker crafts payload for arbitrary code exec
+
+
+# SECURE — JSON with explicit schema validation
+import json
+from dataclasses import dataclass
+
+@dataclass
+class UserData:
+    user_id: str
+    name: str
+    email: str
+
+    @classmethod
+    def from_json(cls, raw: bytes) -> "UserData":
+        data = json.loads(raw)
+        for field in ("user_id", "name", "email"):
+            if not isinstance(data.get(field), str):
+                raise ValueError(f"{field} must be a string")
+        return cls(user_id=data["user_id"], name=data["name"], email=data["email"])
+```
+
+### Insecure vs Secure: SSRF Prevention (TypeScript)
+
+```typescript
+// INSECURE — CWE-918: Unrestricted URL fetch
+async function fetchInsecure(url: string): Promise<string> {
+  // Attacker passes "http://169.254.169.254/latest/meta-data/" to steal IAM creds
+  return (await fetch(url)).text();
+}
+
+// SECURE — URL validation with allowlist and private IP blocking
+import { URL } from "url";
+import * as dns from "dns/promises";
+
+const ALLOWED_PROTOCOLS = new Set(["https:"]);
+const ALLOWED_DOMAINS = new Set(["api.example.com", "cdn.example.com"]);
+
+async function fetchSecure(rawUrl: string): Promise<string> {
+  const parsed = new URL(rawUrl);
+  if (!ALLOWED_PROTOCOLS.has(parsed.protocol))
+    throw new Error(`Blocked protocol: ${parsed.protocol}`);
+  if (!ALLOWED_DOMAINS.has(parsed.hostname))
+    throw new Error(`Blocked domain: ${parsed.hostname}`);
+
+  // Resolve DNS and block private IPs (anti-DNS-rebinding)
+  const addrs = await dns.resolve4(parsed.hostname);
+  for (const ip of addrs) {
+    if (isPrivateIP(ip)) throw new Error(`Private IP: ${ip}`);
+  }
+  return (await fetch(rawUrl)).text();
+}
+
+function isPrivateIP(ip: string): boolean {
+  const p = ip.split(".").map(Number);
+  return (
+    p[0] === 10 || p[0] === 127 ||
+    (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
+    (p[0] === 192 && p[1] === 168) ||
+    (p[0] === 169 && p[1] === 254) // Cloud metadata endpoint
+  );
+}
+```
+
+### Insecure vs Secure: Dependency Management
+
+```json5
+// INSECURE — Wildcard and unpinned versions
+{
+  "dependencies": {
+    "express": "*",           // Any version — could pull malicious update
+    "lodash": "^4.0.0",       // Wide range — could pull vulnerable minor
+    "jsonwebtoken": "latest"  // No reproducibility
+  }
+}
+```
+
+```json5
+// SECURE — Exact pinning + lockfile + overrides
+{
+  "dependencies": {
+    "express": "4.21.1",
+    "lodash": "4.17.21",
+    "jsonwebtoken": "9.0.2"
+  },
+  "overrides": {
+    "semver": "7.5.4"  // Force transitive dep to patched version
+  }
+}
+// Pair with: committed package-lock.json, npm ci in CI,
+// Dependabot/Renovate for updates, Trivy/Snyk SCA on every PR
+```
+
+### Unified Security Quality Gate (Python)
+
+```python
+"""security_gate.py — Unified quality gate for CI/CD pipelines."""
+import json
+import subprocess
+import sys
+from dataclasses import dataclass, field
+
+
+@dataclass
+class GateResult:
+    tool: str
+    passed: bool
+    critical: int = 0
+    high: int = 0
+    medium: int = 0
+    details: list[str] = field(default_factory=list)
+
+
+def run_semgrep(src: str) -> GateResult:
+    r = subprocess.run(
+        ["semgrep", "scan", "--config=auto", "--json", "--quiet", src],
+        capture_output=True, text=True, timeout=300,
+    )
+    findings = json.loads(r.stdout).get("results", [])
+    sev_map = {"ERROR": "critical", "WARNING": "high", "INFO": "medium"}
+    counts = {"critical": 0, "high": 0, "medium": 0}
+    for f in findings:
+        s = sev_map.get(f["extra"]["severity"], "medium")
+        counts[s] += 1
+    return GateResult(tool="semgrep", passed=counts["critical"] == 0, **counts)
+
+
+def run_trivy(target: str) -> GateResult:
+    r = subprocess.run(
+        ["trivy", "fs", "--format", "json", "--quiet", target],
+        capture_output=True, text=True, timeout=300,
+    )
+    data = json.loads(r.stdout)
+    counts = {"critical": 0, "high": 0, "medium": 0}
+    for t in data.get("Results", []):
+        for v in t.get("Vulnerabilities", []):
+            s = v.get("Severity", "").lower()
+            if s in counts:
+                counts[s] += 1
+    return GateResult(tool="trivy", passed=counts["critical"] == 0, **counts)
+
+
+def run_gitleaks() -> GateResult:
+    r = subprocess.run(
+        ["gitleaks", "detect", "--source=.", "--report-format=json",
+         "--report-path=/dev/stdout"],
+        capture_output=True, text=True, timeout=120,
+    )
+    findings = json.loads(r.stdout) if r.stdout.strip() else []
+    return GateResult(tool="gitleaks", passed=len(findings) == 0,
+                      critical=len(findings))
+
+
+def evaluate(results: list[GateResult], max_c=0, max_h=0, max_m=10) -> bool:
+    tc = sum(r.critical for r in results)
+    th = sum(r.high for r in results)
+    tm = sum(r.medium for r in results)
+    print("\n" + "=" * 50)
+    print("SECURITY QUALITY GATE")
+    print("=" * 50)
+    for r in results:
+        s = "PASS" if r.passed else "FAIL"
+        print(f"  [{s}] {r.tool}: C={r.critical} H={r.high} M={r.medium}")
+    passed = tc <= max_c and th <= max_h and tm <= max_m
+    print(f"  Total: C={tc} H={th} M={tm}  |  GATE: {'PASS' if passed else 'FAIL'}")
+    print("=" * 50)
+    return passed
+
+
+if __name__ == "__main__":
+    results = [run_semgrep("./src"), run_trivy("."), run_gitleaks()]
+    if not evaluate(results):
+        sys.exit(1)
+```
+
+---
+
+> **References:**
+> - [OWASP Testing Guide v5](https://owasp.org/www-project-web-security-testing-guide/)
+> - [NIST SP 800-115](https://csrc.nist.gov/pubs/sp/800/115/final)
+> - [PCI DSS v4.0](https://www.pcisecuritystandards.org/document_library/)
+> - [CVSS v4.0 Specification](https://www.first.org/cvss/v4.0/)
+> - [FIRST EPSS](https://www.first.org/epss/)
+> - [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
+> - [VulnCheck State of Exploitation 2026](https://www.vulncheck.com/blog/state-of-exploitation-2026)
+> - [Semgrep Documentation](https://semgrep.dev/docs/)
+> - [Trivy Documentation](https://trivy.dev/docs/)
+> - [Nuclei Documentation](https://docs.projectdiscovery.io/opensource/nuclei/overview)
+> - [OWASP ZAP Documentation](https://www.zaproxy.org/docs/)