Code Security Scanning
OWASP Top 10 Checklist for Java
- Injection — Use parameterized queries, validate all input
- Broken Authentication — Use strong password hashing, session management
- Sensitive Data Exposure — Encrypt data at rest/transit, no hardcoded secrets
- XXE — Disable external entity processing in XML parsers
- Broken Access Control — Enforce authorization on every endpoint
- Security Misconfiguration — Remove defaults, disable unused features
- XSS — Encode output, validate input, use Content Security Policy
- Insecure Deserialization — Validate input types, avoid native serialization
- Known Vulnerabilities — Run `mvn dependency-check:check`
- Insufficient Logging — Log security events, protect log integrity
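The three checklist items that most often show up as concrete code findings (Injection, XXE, Insecure Deserialization) are shown below as a vulnerable form next to its fix. This is an added example written for this page, not code from the original checklist or from any project; the class name `HardeningExamples`, the `users` table and the `com.example.dto` package in the deserialization allowlist are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ObjectInputFilter;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardeningExamples {

    // --- Injection ---------------------------------------------------------

    // VULNERABLE: user input is concatenated into the SQL text. The input
    // ' OR '1'='1 turns the WHERE clause into a tautology.
    static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE username = '" + username + "'";
        return conn.createStatement().executeQuery(sql);
    }

    // FIXED: parameterized query. The value travels separately from the
    // statement text, so quotes in the input never reach the SQL parser.
    static ResultSet findUser(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, email FROM users WHERE username = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // --- XXE -----------------------------------------------------------------

    // VULNERABLE: default JAXP settings resolve external entities, so a
    // DOCTYPE declaring <!ENTITY f SYSTEM "file:///etc/passwd"> is read and inlined.
    static Document parseXmlUnsafe(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // FIXED: refuse DOCTYPE entirely (the strongest setting) and, in case a
    // parser implementation ignores that feature, also disable external
    // general/parameter entities, external DTD loading and XInclude.
    static Document parseXml(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // --- Insecure deserialization --------------------------------------------

    // When native serialization cannot be avoided, restrict which classes may be
    // deserialized with a JEP 290 ObjectInputFilter (Java 9+). Classes matching
    // no allow pattern are rejected by the trailing "!*". The com.example.dto
    // package is an assumed placeholder for the application's own DTOs.
    static ObjectInputFilter deserializationFilter() {
        return ObjectInputFilter.Config.createFilter(
                "com.example.dto.*;java.base/*;!*;maxdepth=5;maxarray=1000");
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE payload for demonstration; the hardened parser rejects
        // it at the DOCTYPE, before any entity is resolved.
        String payload = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE x [<!ENTITY f SYSTEM \"file:///etc/passwd\">]>"
                + "<x>&f;</x>";
        try {
            parseXml(payload);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
        // To apply the filter to a stream:
        //   ObjectInputStream in = new ObjectInputStream(bytes);
        //   in.setObjectInputFilter(deserializationFilter());
    }
}
```

The deserialization filter is the fallback, not the fix: the checklist's primary advice (avoid native serialization) still applies, because a gadget chain built entirely from allowlisted classes would pass the filter.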
Dependency Scanning
```bash
# OWASP Dependency Check
mvn dependency-check:check
# Fail the build on HIGH/CRITICAL findings (CVSS >= 7.0)
mvn dependency-check:check -DfailBuildOnCVSS=7
```
Container Scanning
```bash
trivy image --severity HIGH,CRITICAL --exit-code 1 myapp:latest
```
Secret Detection
- Never commit passwords, API keys, or tokens
- Use environment variables or secret managers
- Scan with:

```bash
trufflehog git file://. --since-commit HEAD~10
```
Report Structure
- Executive Summary (overall posture, critical count, risk level)
- Findings by severity (Critical → Low) with file/line, description, fix
- Best Practices Review
- Dependency Analysis
- Prioritized Action Items