Security testing

Qodex brings security testing into the same workflow as your API, UI, and regression tests. Instead of waiting for a yearly pentest report, you can run OWASP API Top 10 checks, BOLA and IDOR probes, auth-bypass tests, and injection scenarios as repeatable tests in your project. The goal is simple: turn important security checks into saved scenarios with evidence, severity, and reproduction steps. When the app blocks an attack, the scenario becomes regression coverage. When the attack succeeds, Qodex opens a finding.

How security testing works

The security testing flow has four parts:
  • Choose the surface you want to test, such as an endpoint group, auth flow, sensitive resource, or imported API collection.
  • Run a security skill so Qodex can create attack scenarios from known vulnerability classes.
  • Verify each scenario against the target environment using inverted security assertions.
  • Report findings with request and response evidence when a vulnerability is confirmed.

What you can start with

OWASP API Top 10 in Qodex

See how Qodex maps OWASP API risks to probes, scenarios, and findings.

Security scenarios

Understand how attack scenarios differ from functional tests.

Inverted semantics

Learn why pass means the attack was blocked and fail means the app is vulnerable.

Sensitive endpoints

Scope active testing with environment constraints before running invasive checks.

Continuous, not annual

Security testing often happens as a point-in-time audit. The report lands, the highest-risk issues get fixed, and coverage starts drifting as soon as new endpoints ship. Qodex treats security checks as part of the normal test suite. The agent can author security scenarios from chat, save them with the same lifecycle as functional scenarios, run them on a schedule or in CI, and turn failures into findings with evidence. That makes security testing easier to repeat. A BOLA check on /api/orders/{id} can run after every release, not only during a formal review.

What Qodex can test today

  • OWASP API Top 10 categories such as BOLA, broken authentication, mass assignment, missing rate limiting, SSRF, and security misconfiguration.
  • Authorization issues including IDOR, broken object-level authorization, and broken function-level authorization.
  • Auth and session issues such as JWT manipulation, expired tokens, default credentials, and missing login rate limits.
  • Injection and payload-based checks such as SQL injection, command injection, and unsafe server-side fetches.
  • Security findings with severity, reproduction steps, request and response evidence, and OWASP category.
  • Per-environment constraints such as read_only, max_requests_per_second, and allow_destructive_tests.

Where results go

When a security scenario passes, Qodex keeps it as regression coverage. When it fails because the attack succeeded, Qodex creates a finding with the evidence a human needs to reproduce and fix the issue. Findings are deduplicated by endpoint and attack type, so the same vulnerability does not become a pile of duplicate tickets.
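The pieces described above (a BOLA check on /api/orders/{id}, inverted pass/fail semantics, per-environment constraints such as read_only and max_requests_per_second, and findings deduplicated by endpoint and attack type) can be seen together in the following harness. This is an added illustration written for this page, not Qodex's own code: the target application is a constructed in-memory handler with two users and two orders, the Scenario, Environment and Finding types are hypothetical, and the only real identifier used is the OWASP category name API1:2023.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the system under test (not a real service): an
# in-memory handler for GET/DELETE /api/orders/{id}. The enforce_ownership
# flag lets one harness run against a vulnerable build and a fixed build.
TOKENS = {"alice-token": "alice", "bob-token": "bob"}            # constructed
ORDERS = {101: {"owner": "alice", "total": 42},                  # constructed
          202: {"owner": "bob", "total": 7}}

def make_app(enforce_ownership: bool) -> Callable[[str, str, str], Tuple[int, dict]]:
    def handle(method: str, path: str, token: str) -> Tuple[int, dict]:
        user = TOKENS.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        prefix = "/api/orders/"
        if not path.startswith(prefix) or not path[len(prefix):].isdigit():
            return 404, {"error": "not found"}
        order = ORDERS.get(int(path[len(prefix):]))
        if order is None:
            return 404, {"error": "not found"}
        # Object-level authorization check; this is what the vulnerable build lacks.
        if enforce_ownership and order["owner"] != user:
            return 403, {"error": "forbidden"}
        if method == "DELETE":
            return 204, {}          # state change omitted in the stand-in
        return 200, order
    return handle

@dataclass
class Environment:               # hypothetical shape of the per-environment constraints
    name: str
    read_only: bool = True
    max_requests_per_second: float = 10.0
    allow_destructive_tests: bool = False

@dataclass
class Scenario:                  # hypothetical scenario model
    name: str
    endpoint: str                # route template, used as the dedup key
    attack_type: str
    owasp_category: str
    severity: str
    method: str
    path: str                    # concrete request path
    token: str                   # credentials of the role performing the check
    blocked: Callable[[int, dict], bool]   # True when the app resisted the attempt

@dataclass
class Finding:                   # hypothetical finding record
    endpoint: str
    attack_type: str
    owasp_category: str
    severity: str
    request: dict
    response: dict
    reproduction_steps: List[str]
    occurrences: int = 1

class Throttle:
    """Enforces max_requests_per_second as a minimum gap between requests."""
    def __init__(self, rps: float):
        self.gap, self.last = 1.0 / rps, 0.0
    def wait(self) -> None:
        remaining = self.last + self.gap - time.monotonic()
        if remaining > 0:
            time.sleep(remaining)
        self.last = time.monotonic()

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
DESTRUCTIVE = {"DELETE"}

def run_scenarios(app, env: Environment, scenarios: List[Scenario]):
    """Returns ({scenario name: 'pass'|'fail'|'skipped'}, {(endpoint, attack_type): Finding})."""
    results: Dict[str, str] = {}
    findings: Dict[Tuple[str, str], Finding] = {}
    throttle = Throttle(env.max_requests_per_second)
    for s in scenarios:
        # Environment constraints are evaluated before any request is sent.
        if s.method in MUTATING and env.read_only:
            results[s.name] = "skipped"; continue
        if s.method in DESTRUCTIVE and not env.allow_destructive_tests:
            results[s.name] = "skipped"; continue
        throttle.wait()
        status, body = app(s.method, s.path, s.token)
        if s.blocked(status, body):
            results[s.name] = "pass"       # inverted: a blocked attempt is a pass
            continue
        results[s.name] = "fail"           # the attempt succeeded: the app is vulnerable
        key = (s.endpoint, s.attack_type)
        if key in findings:
            findings[key].occurrences += 1 # dedup: same endpoint + attack type, one finding
            continue
        findings[key] = Finding(
            endpoint=s.endpoint, attack_type=s.attack_type,
            owasp_category=s.owasp_category, severity=s.severity,
            request={"method": s.method, "path": s.path, "token": s.token},
            response={"status": status, "body": body},
            reproduction_steps=[f"Authenticate with the role holding {s.token!r}",
                                f"Send {s.method} {s.path}",
                                f"Observe HTTP {status} instead of 403/404"])
    return results, findings

def not_readable(status: int, body: dict) -> bool:
    return status in (401, 403, 404)

BOLA_SCENARIOS = [   # constructed scenarios; two of them hit the same route template
    Scenario("alice reads bob's order", "/api/orders/{id}", "BOLA",
             "API1:2023 Broken Object Level Authorization", "high",
             "GET", "/api/orders/202", "alice-token", not_readable),
    Scenario("bob reads alice's order", "/api/orders/{id}", "BOLA",
             "API1:2023 Broken Object Level Authorization", "high",
             "GET", "/api/orders/101", "bob-token", not_readable),
    Scenario("alice deletes bob's order", "/api/orders/{id}", "BOLA",
             "API1:2023 Broken Object Level Authorization", "high",
             "DELETE", "/api/orders/202", "alice-token", not_readable),
]
STAGING = Environment("staging", read_only=True, max_requests_per_second=50)

if __name__ == "__main__":
    for label, app in (("vulnerable", make_app(False)), ("fixed", make_app(True))):
        results, findings = run_scenarios(app, STAGING, BOLA_SCENARIOS)
        print(label, results, {k: v.occurrences for k, v in findings.items()})
```

Against the vulnerable build the two GET scenarios fail and collapse into a single BOLA finding with two occurrences, while the DELETE scenario is skipped because the environment is read_only; against the fixed build both GET scenarios pass and no finding is opened, which is the regression-coverage case the paragraph above describes.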

Where to go next

Security scenarios

Learn the scenario model Qodex uses for security checks.

Findings

Review severity, evidence, and lifecycle states for reported issues.

Auth profiles

Configure roles used for BOLA, IDOR, and privilege-escalation tests.

API scenarios

See the base scenario model shared by API and security testing.

On the roadmap

Qodex plans to add a dedicated allow_security_testing environment gate, stronger self-critique when security scenarios are saved, and source-aware security generation that reads linked repository routes before choosing probes.