Security Scan
The Security Scan detector identifies security vulnerabilities, misconfigurations, and risk factors across your web application, API, and source code repository. It combines dynamic analysis (DAST), static analysis (SAST), and dependency scanning into a single detector.
What it checks
OWASP Top 10
The security scan covers the OWASP Top 10 categories:
| OWASP Category | Checks |
|---|---|
| A01 Broken Access Control | Unauthorized resource access, insecure direct object references |
| A02 Cryptographic Failures | Sensitive data in transit/at rest, weak algorithms, HTTP vs HTTPS |
| A03 Injection | SQL, NoSQL, command, LDAP injection vectors |
| A04 Insecure Design | Missing security controls, insecure architectural patterns |
| A05 Security Misconfiguration | Default credentials, unnecessary features, verbose error messages |
| A06 Vulnerable Components | Outdated dependencies with known CVEs |
| A07 Auth Failures | Weak session management, credential exposure |
| A08 Software Integrity Failures | CI/CD pipeline security, unsigned packages |
| A09 Logging Failures | Missing security event logging |
| A10 SSRF | Server-side request forgery vulnerabilities |
Additional checks
- Exposed secrets: API keys, tokens, passwords in code or HTTP responses
- HTTP security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy
- TLS/SSL configuration: Certificate validity, cipher suites, protocol versions
- Dependency vulnerabilities: CVE database lookup for all detected dependencies
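The HTTP-header check described above is the kind of evaluation a `check_headers` pass performs. The following is an added illustration, not Ariftly's own scanner code: it takes a response's headers and reports which of the listed headers (CSP, HSTS, X-Frame-Options, Referrer-Policy) are missing or weakly set. The rule ids, the one-year HSTS threshold and the two sample header sets are this example's own assumptions and constructed input.

```python
"""Illustrative HTTP security-header evaluation (added example, not Ariftly's
scanner code). Rule ids and thresholds are assumptions of this example."""

from typing import Dict, List, Optional


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate_headers(headers: Dict[str, str]) -> List[dict]:
    """Return one finding dict per missing or weak header."""
    findings: List[dict] = []

    csp = _lookup(headers, "Content-Security-Policy")
    if csp is None:
        findings.append({"rule_id": "header-csp-missing", "severity": "medium",
                         "message": "No Content-Security-Policy header"})
    elif "unsafe-inline" in csp or "unsafe-eval" in csp:
        findings.append({"rule_id": "header-csp-weak", "severity": "low",
                         "message": "CSP permits unsafe-inline or unsafe-eval"})

    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append({"rule_id": "header-hsts-missing", "severity": "medium",
                         "message": "No Strict-Transport-Security header"})
    else:
        max_age = 0
        for directive in hsts.split(";"):
            directive = directive.strip()
            if directive.lower().startswith("max-age="):
                try:
                    max_age = int(directive.split("=", 1)[1])
                except ValueError:
                    max_age = 0
        if max_age < 31536000:  # assumption: require at least one year
            findings.append({"rule_id": "header-hsts-short", "severity": "low",
                             "message": f"HSTS max-age {max_age} is below one year"})

    # X-Frame-Options is redundant when CSP already carries frame-ancestors.
    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None and (csp is None or "frame-ancestors" not in csp):
        findings.append({"rule_id": "header-xfo-missing", "severity": "low",
                         "message": "No X-Frame-Options and no CSP frame-ancestors"})

    ref = _lookup(headers, "Referrer-Policy")
    if ref is None:
        findings.append({"rule_id": "header-referrer-missing", "severity": "low",
                         "message": "No Referrer-Policy header"})
    elif ref.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append({"rule_id": "header-referrer-weak", "severity": "low",
                         "message": f"Referrer-Policy '{ref}' leaks full URLs"})

    return findings


# Constructed sample responses; not captured from any real host.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        for finding in evaluate_headers(hdrs):
            print(f"[{label}] {finding['severity']}: {finding['message']}")
```

Run against the weak sample it reports four findings (missing CSP, short HSTS, no framing protection, leaky Referrer-Policy); the hardened sample produces none.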
Scan modes
The security scanner operates in different modes depending on your target type:
| Mode | Target type | What it does |
|---|---|---|
| DAST | URL / API | Actively probes the running application |
| SAST | Repository | Static analysis of source code |
| SCA | Repository | Software composition analysis (dependencies) |
You can combine modes by running scans on both a URL and a repository target within the same project.
Configuration
```json
{
  "detectors": ["security"],
  "detector_options": {
    "security": {
      "mode": "dast",
      "active_scan": false,
      "check_headers": true,
      "check_tls": true,
      "check_dependencies": true,
      "secret_detection": true,
      "owasp_categories": ["A01", "A02", "A03", "A05", "A06"]
    }
  }
}
```
| Option | Type | Default | Description |
|---|---|---|---|
| mode | "dast" \| "sast" \| "sca" \| "all" | "all" | Scan mode(s) to run |
| active_scan | boolean | false | Enable active probing (may send test payloads) |
| check_headers | boolean | true | Evaluate HTTP security headers |
| check_tls | boolean | true | Evaluate TLS configuration |
| check_dependencies | boolean | true | Check for vulnerable dependencies |
| secret_detection | boolean | true | Detect exposed secrets |
Enabling active_scan: true causes Ariftly to send test payloads to your application. Only enable this on non-production environments, and ensure you have authorization to perform active testing.
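A pre-flight check that validates the `detector_options.security` block against the options documented above, fills in the documented defaults, and flags a configuration that would send test payloads is shown below. This is an added example, not Ariftly's own configuration loader: the option names, types and defaults come from the table, while the validation rules and the treatment of a missing `owasp_categories` as "all categories" are assumptions of this example.

```python
"""Added example (not Ariftly's code): validate and normalise the security
detector options from a project configuration."""

import json
from typing import Any, Dict

VALID_MODES = {"dast", "sast", "sca", "all"}
VALID_OWASP = {f"A{i:02d}" for i in range(1, 11)}  # A01 .. A10

# Documented defaults. owasp_categories has no documented default; this
# example treats "absent" as "all ten categories" (an assumption).
DEFAULTS: Dict[str, Any] = {
    "mode": "all",
    "active_scan": False,
    "check_headers": True,
    "check_tls": True,
    "check_dependencies": True,
    "secret_detection": True,
}
BOOL_OPTIONS = {k for k, v in DEFAULTS.items() if isinstance(v, bool)}


def validate_security_options(config: Dict[str, Any]) -> Dict[str, Any]:
    """Return the effective security options; raise ValueError on bad input."""
    if "security" not in config.get("detectors", []):
        raise ValueError("'security' is not listed in 'detectors'")
    opts = dict(config.get("detector_options", {}).get("security", {}))

    unknown = set(opts) - set(DEFAULTS) - {"owasp_categories"}
    if unknown:
        raise ValueError(f"unknown security options: {sorted(unknown)}")

    effective = {**DEFAULTS, **opts}
    if effective["mode"] not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}")
    for key in BOOL_OPTIONS:
        if not isinstance(effective[key], bool):
            raise ValueError(f"{key} must be a boolean")

    cats = effective.get("owasp_categories")
    if cats is None:
        effective["owasp_categories"] = sorted(VALID_OWASP)
    else:
        bad = set(cats) - VALID_OWASP
        if bad:
            raise ValueError(f"unknown OWASP categories: {sorted(bad)}")
    return effective


def is_valid(config: Dict[str, Any]) -> bool:
    """Convenience wrapper: True when the configuration validates."""
    try:
        validate_security_options(config)
        return True
    except ValueError:
        return False


def active_scan_warning(effective: Dict[str, Any]) -> bool:
    """True when this configuration will send test payloads to the target,
    i.e. active_scan is on and a DAST pass is part of the selected mode."""
    return bool(effective["active_scan"] and effective["mode"] in ("dast", "all"))


# The page's own configuration sample, embedded here as input.
SAMPLE_CONFIG = json.loads("""
{
  "detectors": ["security"],
  "detector_options": {
    "security": {
      "mode": "dast",
      "active_scan": false,
      "check_headers": true,
      "check_tls": true,
      "check_dependencies": true,
      "secret_detection": true,
      "owasp_categories": ["A01", "A02", "A03", "A05", "A06"]
    }
  }
}
""")

if __name__ == "__main__":
    effective = validate_security_options(SAMPLE_CONFIG)
    print(json.dumps(effective, indent=2))
    if active_scan_warning(effective):
        print("WARNING: active_scan is enabled; target must be non-production")
```

Wiring this into a CI step before the scan runs catches a typo such as `"mode": "dast "` or a string `"false"` where a boolean was meant, and makes the active-scan decision explicit in the log rather than buried in JSON.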
Findings
Example finding
```json
{
  "id": "finding_s01",
  "detector": "security",
  "severity": "critical",
  "rule_id": "owasp-a02-http-plain",
  "title": "Sensitive data transmitted over HTTP",
  "description": "Login form at /login submits credentials over unencrypted HTTP.",
  "location": {
    "type": "url",
    "url": "http://myapp.example.com/login",
    "parameter": "POST body"
  },
  "remediation": "Redirect all HTTP traffic to HTTPS. Ensure all form actions use HTTPS endpoints.",
  "cvss_score": 8.1,
  "references": [
    "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/",
    "https://cwe.mitre.org/data/definitions/319.html"
  ]
}
```
CVE findings
For dependency vulnerabilities, findings include CVE metadata:
```json
{
  "id": "finding_s02",
  "detector": "security",
  "severity": "high",
  "rule_id": "cve-2023-44487",
  "title": "HTTP/2 Rapid Reset Attack (CVE-2023-44487)",
  "description": "Detected dependency 'h2' version 0.3.18 is vulnerable to CVE-2023-44487.",
  "location": {
    "type": "dependency",
    "package": "h2",
    "version": "0.3.18",
    "file": "Cargo.lock"
  },
  "remediation": "Upgrade 'h2' to version 0.3.26 or later.",
  "cvss_score": 7.5,
  "cve_id": "CVE-2023-44487"
}
```
Severity mapping
| CVSS Score | Severity |
|---|---|
| 9.0–10.0 | Critical |
| 7.0–8.9 | High |
| 4.0–6.9 | Medium |
| 0.1–3.9 | Low |
| 0.0 / N/A | Info |
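The mapping above, applied to the findings format from the previous section, as an added example that is not Ariftly's code: `cvss_to_severity` implements the table, `severity_mismatches` cross-checks each finding's `severity` field against the tier its `cvss_score` implies, and `triage` filters and orders a findings list for review. The two findings embedded as input are the page's own examples; the `minimum` threshold and the ordering are this example's choices.

```python
"""Added example (not Ariftly's code): CVSS-to-severity mapping and findings
triage over the page's two example findings."""

from typing import Dict, List, Optional

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def cvss_to_severity(score: Optional[float]) -> str:
    """Apply the documented table. None (N/A) and 0.0 both map to 'info'."""
    if score is None or score == 0.0:
        return "info"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def severity_mismatches(findings: List[Dict]) -> List[str]:
    """Return ids of findings whose stated severity differs from the tier
    their cvss_score implies; these deserve a second look by a reviewer."""
    return [
        f["id"] for f in findings
        if cvss_to_severity(f.get("cvss_score")) != f["severity"].lower()
    ]


def triage(findings: List[Dict], minimum: str = "high") -> List[Dict]:
    """Keep findings at or above `minimum`, most severe (then highest CVSS) first."""
    threshold = SEVERITY_ORDER.index(minimum)
    kept = [f for f in findings
            if SEVERITY_ORDER.index(f["severity"].lower()) >= threshold]
    return sorted(
        kept,
        key=lambda f: (-SEVERITY_ORDER.index(f["severity"].lower()),
                       -(f.get("cvss_score") or 0.0)),
    )


# The page's two example findings, trimmed to the fields used here.
FINDINGS: List[Dict] = [
    {"id": "finding_s01", "severity": "critical", "rule_id": "owasp-a02-http-plain",
     "title": "Sensitive data transmitted over HTTP", "cvss_score": 8.1},
    {"id": "finding_s02", "severity": "high", "rule_id": "cve-2023-44487",
     "title": "HTTP/2 Rapid Reset Attack (CVE-2023-44487)", "cvss_score": 7.5},
]

if __name__ == "__main__":
    for f in triage(FINDINGS, minimum="medium"):
        print(f"{f['severity']:<8} {f.get('cvss_score')!s:<5} {f['id']}  {f['title']}")
    print("severity/CVSS disagreements:", severity_mismatches(FINDINGS))
```

On the page's own examples the cross-check reports `finding_s01`: it is rated critical, while a CVSS score of 8.1 falls in the table's High band. Disagreements of that kind are worth confirming against the rule that produced the finding before a severity gate in CI acts on them.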
Responsible use
Only run security scans against applications and infrastructure you own or have explicit written authorization to test. Unauthorized scanning may violate computer crime laws.