|$ curl https://forge-ai.dev/api/markdown?path=docs/security/audit
$cat docs/security-auditing.md
updated Recently·30 min read·published
Security Auditing
Introduction
Security auditing identifies vulnerabilities in your dependencies, code, configuration, and infrastructure. Regular audits catch known CVEs, insecure configurations, and common attack vectors before they're exploited.
npm audit & Dependency Scanning
audit.sh
Bash
| 1 | # Built-in dependency audit |
| 2 | npm audit |
| 3 | npm audit --production # Only production dependencies |
| 4 | npm audit fix # Auto-fix where possible |
| 5 | npm audit fix --force # Include breaking changes |
| 6 | |
| 7 | # Generate audit report |
| 8 | npm audit --json > audit-report.json |
| 9 | |
| 10 | # Deno: built-in audit |
| 11 | deno audit |
| 12 | |
| 13 | # Python: safety check |
| 14 | pip install safety |
| 15 | safety check --json |
| 16 | |
| 17 | # Snyk (more comprehensive) |
| 18 | npm install -g snyk |
| 19 | snyk auth |
| 20 | snyk test # Test project |
| 21 | snyk test --all-projects # Monorepo |
| 22 | snyk monitor # Create monitoring snapshot |
| 23 | |
| 24 | # GitHub: Dependabot (automatic PRs) |
| 25 | # .github/dependabot.yml: |
| 26 | # version: 2 |
| 27 | # updates: |
| 28 | # - package-ecosystem: npm |
| 29 | # directory: "/" |
| 30 | # schedule: |
| 31 | # interval: weekly |
ℹ
info
Add npm audit to your CI pipeline and fail the build on high-severity vulnerabilities. This ensures known issues never reach production.
OWASP ZAP
owasp-zap.sh
Bash
| 1 | # OWASP ZAP — automated security scanning |
| 2 | # Docker-based scan |
| 3 | docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \ |
| 4 | -t http://localhost:3000 \ |
| 5 | -r report.html \ |
| 6 | -a # Include alpha-quality scanners |
| 7 | |
| 8 | # Full scan (slower, more thorough) |
| 9 | docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \ |
| 10 | -t https://staging.example.com \ |
| 11 | -r full-report.html |
| 12 | |
| 13 | # ZAP API scan for REST APIs |
| 14 | docker run -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \ |
| 15 | -t http://localhost:3000/openapi.json \ |
| 16 | -f openapi \ |
| 17 | -r api-report.html |
| 18 | |
| 19 | # Programmatic scanning with ZAP |
| 20 | # Install: npm install --save-dev @zaproxy/client |
Security Headers
security-headers.ts
TypeScript
| 1 | // Comprehensive security headers for Next.js |
| 2 | import { NextResponse } from "next/server"; |
| 3 | import type { NextRequest } from "next/server"; |
| 4 | |
| 5 | export function middleware(request: NextRequest) { |
| 6 | const response = NextResponse.next(); |
| 7 | |
| 8 | // Prevent XSS |
| 9 | response.headers.set("X-Content-Type-Options", "nosniff"); |
| 10 | response.headers.set("X-XSS-Protection", "0"); // Deprecated, but set for older browsers |
| 11 | response.headers.set("X-Frame-Options", "DENY"); |
| 12 | |
| 13 | // Strict Transport Security (HTTPS only) |
| 14 | response.headers.set( |
| 15 | "Strict-Transport-Security", |
| 16 | "max-age=63072000; includeSubDomains; preload" |
| 17 | ); |
| 18 | |
| 19 | // Referrer policy |
| 20 | response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin"); |
| 21 | |
| 22 | // Permissions policy (disable unnecessary APIs) |
| 23 | response.headers.set( |
| 24 | "Permissions-Policy", |
| 25 | "camera=(), microphone=(), geolocation=(), payment=()" |
| 26 | ); |
| 27 | |
| 28 | // Prevent clickjacking |
| 29 | response.headers.set("X-Frame-Options", "DENY"); |
| 30 | |
| 31 | // Cross-Origin policies |
| 32 | response.headers.set("Cross-Origin-Opener-Policy", "same-origin"); |
| 33 | response.headers.set("Cross-Origin-Embedder-Policy", "require-corp"); |
| 34 | |
| 35 | return response; |
| 36 | } |
verify-headers.sh
Bash
| 1 | # Verify security headers |
| 2 | curl -I https://example.com | grep -i "strict|content-type|x-frame|permissions" |
| 3 | |
| 4 | # securityheaders.com — free online scanner |
| 5 | # Input your URL and get a grade (A+ target) |
| 6 | |
| 7 | # Mozilla Observatory |
| 8 | # https://observatory.mozilla.org/ — comprehensive scan |
✓
best practice
Target an A+ rating on securityheaders.com. Set Strict-Transport-Security with a long max-age, include preload, and submit to the HSTS preload list.
CI Security Pipeline
security-audit.yml
YAML
| 1 | # GitHub Actions security audit workflow |
| 2 | name: Security Audit |
| 3 | on: [push, pull_request] |
| 4 | |
| 5 | jobs: |
| 6 | audit: |
| 7 | runs-on: ubuntu-latest |
| 8 | steps: |
| 9 | - uses: actions/checkout@v4 |
| 10 | - uses: actions/setup-node@v4 |
| 11 | with: |
| 12 | node-version: 20 |
| 13 | |
| 14 | - run: npm ci |
| 15 | |
| 16 | - name: Dependency audit |
| 17 | run: npm audit --audit-level=high |
| 18 | |
| 19 | - name: Snyk test |
| 20 | uses: snyk/actions/node@master |
| 21 | env: |
| 22 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} |
| 23 | with: |
| 24 | args: --severity-threshold=high |
| 25 | |
| 26 | - name: Check security headers |
| 27 | run: npx check-headers https://staging.example.com |
| 28 | |
| 29 | - name: Secret scanning |
| 30 | uses: trufflesecurity/trufflehog@main |
| 31 | with: |
| 32 | extra_args: --only-verified |
⚠
warning
Never commit API keys, tokens, or secrets to your repository. Use trufflehog or gitleaks in CI to catch accidental leaks before they reach production.
$Blueprint — Engineering Documentation·Section ID: SEC-AUD-01·Revision: 1.0