|$ curl https://forge-ai.dev/api/markdown?path=docs/security/audit
$cat docs/security-auditing.md
updated Recently·30 min read·published

Security Auditing

SecurityIntermediate🎯Free Tools
Introduction

Security auditing identifies vulnerabilities in your dependencies, code, configuration, and infrastructure. Regular audits catch known CVEs, insecure configurations, and common attack vectors before they're exploited.

npm audit & Dependency Scanning
audit.sh
Bash
1# Built-in dependency audit
2npm audit
3npm audit --production # Only production dependencies
4npm audit fix # Auto-fix where possible
5npm audit fix --force # Include breaking changes
6
7# Generate audit report
8npm audit --json > audit-report.json
9
10# Deno: built-in audit
11deno audit
12
13# Python: safety check
14pip install safety
15safety check --json
16
17# Snyk (more comprehensive)
18npm install -g snyk
19snyk auth
20snyk test # Test project
21snyk test --all-projects # Monorepo
22snyk monitor # Create monitoring snapshot
23
24# GitHub: Dependabot (automatic PRs)
25# .github/dependabot.yml:
26# version: 2
27# updates:
28# - package-ecosystem: npm
29# directory: "/"
30# schedule:
31# interval: weekly

info

Add npm audit to your CI pipeline and fail the build on high-severity vulnerabilities. This ensures known issues never reach production.
OWASP ZAP
owasp-zap.sh
Bash
1# OWASP ZAP — automated security scanning
2# Docker-based scan
3docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
4 -t http://localhost:3000 \
5 -r report.html \
6 -a # Include alpha-quality scanners
7
8# Full scan (slower, more thorough)
9docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
10 -t https://staging.example.com \
11 -r full-report.html
12
13# ZAP API scan for REST APIs
14docker run -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
15 -t http://localhost:3000/openapi.json \
16 -f openapi \
17 -r api-report.html
18
19# Programmatic scanning with ZAP
20# Install: npm install --save-dev @zaproxy/client
Security Headers
security-headers.ts
TypeScript
1// Comprehensive security headers for Next.js
2import { NextResponse } from "next/server";
3import type { NextRequest } from "next/server";
4
5export function middleware(request: NextRequest) {
6 const response = NextResponse.next();
7
8 // Prevent XSS
9 response.headers.set("X-Content-Type-Options", "nosniff");
10 response.headers.set("X-XSS-Protection", "0"); // Deprecated, but set for older browsers
11 response.headers.set("X-Frame-Options", "DENY");
12
13 // Strict Transport Security (HTTPS only)
14 response.headers.set(
15 "Strict-Transport-Security",
16 "max-age=63072000; includeSubDomains; preload"
17 );
18
19 // Referrer policy
20 response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
21
22 // Permissions policy (disable unnecessary APIs)
23 response.headers.set(
24 "Permissions-Policy",
25 "camera=(), microphone=(), geolocation=(), payment=()"
26 );
27
28 // Prevent clickjacking
29 response.headers.set("X-Frame-Options", "DENY");
30
31 // Cross-Origin policies
32 response.headers.set("Cross-Origin-Opener-Policy", "same-origin");
33 response.headers.set("Cross-Origin-Embedder-Policy", "require-corp");
34
35 return response;
36}
verify-headers.sh
Bash
1# Verify security headers
2curl -I https://example.com | grep -i "strict|content-type|x-frame|permissions"
3
4# securityheaders.com — free online scanner
5# Input your URL and get a grade (A+ target)
6
7# Mozilla Observatory
8# https://observatory.mozilla.org/ — comprehensive scan

best practice

Target an A+ rating on securityheaders.com. Set Strict-Transport-Security with a long max-age, include preload, and submit to the HSTS preload list.
CI Security Pipeline
security-audit.yml
YAML
1# GitHub Actions security audit workflow
2name: Security Audit
3on: [push, pull_request]
4
5jobs:
6 audit:
7 runs-on: ubuntu-latest
8 steps:
9 - uses: actions/checkout@v4
10 - uses: actions/setup-node@v4
11 with:
12 node-version: 20
13
14 - run: npm ci
15
16 - name: Dependency audit
17 run: npm audit --audit-level=high
18
19 - name: Snyk test
20 uses: snyk/actions/node@master
21 env:
22 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
23 with:
24 args: --severity-threshold=high
25
26 - name: Check security headers
27 run: npx check-headers https://staging.example.com
28
29 - name: Secret scanning
30 uses: trufflesecurity/trufflehog@main
31 with:
32 extra_args: --only-verified

warning

Never commit API keys, tokens, or secrets to your repository. Use trufflehog or gitleaks in CI to catch accidental leaks before they reach production.
$Blueprint — Engineering Documentation·Section ID: SEC-AUD-01·Revision: 1.0