> ## Documentation Index
> Fetch the complete documentation index at: https://qodex.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security testing

> Run OWASP API Top 10, BOLA, IDOR, auth-bypass, and injection tests in the same suite as your functional regression.

# Security testing

Qodex brings security testing into the same workflow as your API, UI, and regression tests. Instead of waiting for a yearly pentest report, you can run OWASP API Top 10 checks, BOLA and IDOR probes, auth-bypass tests, and injection scenarios as repeatable tests in your project.

The goal is simple: turn important security checks into saved scenarios with evidence, severity, and reproduction steps. When the app blocks an attack, the scenario becomes regression coverage. When the attack succeeds, Qodex opens a finding.

## How security testing works

The security testing flow has four parts:

* **Choose the surface** you want to test, such as an endpoint group, auth flow, sensitive resource, or imported API collection.
* **Run a security skill** so Qodex can create attack scenarios from known vulnerability classes.
* **Verify each scenario** against the target environment using inverted security assertions.
* **Report findings** with request and response evidence when a vulnerability is confirmed.

## What you can start with

<CardGroup cols={2}>
  <Card title="OWASP API Top 10 in Qodex" icon="list-ordered" href="/security-testing-owasp-api-top-10">
    See how Qodex maps OWASP API risks to probes, scenarios, and findings.
  </Card>

  <Card title="Security scenarios" icon="shield-half" href="/security-testing-scenarios">
    Understand how attack scenarios differ from functional tests.
  </Card>

  <Card title="Inverted semantics" icon="arrows-up-down" href="/security-testing-inverted-semantics">
    Learn why pass means the attack was blocked and fail means the app is vulnerable.
  </Card>

  <Card title="Sensitive endpoints" icon="lock" href="/security-testing-sensitive-endpoints">
    Scope active testing with environment constraints before running invasive checks.
  </Card>
</CardGroup>

## Continuous, not annual

Security testing often happens as a point-in-time audit. The report lands, the highest-risk issues get fixed, and coverage starts drifting as soon as new endpoints ship.

Qodex treats security checks as part of the normal test suite. The agent can author security scenarios from chat, save them with the same lifecycle as functional scenarios, run them on a schedule or in CI, and turn failures into findings with evidence.

That makes security testing easier to repeat. A BOLA check on `/api/orders/{id}` can run after every release, not only during a formal review.

## What Qodex can test today

* OWASP API Top 10 categories such as BOLA, broken auth, mass assignment, rate limiting, SSRF, and misconfiguration.
* Authorization issues including IDOR, broken object-level authorization, and broken function-level authorization.
* Auth and session issues such as JWT manipulation, expired tokens, default credentials, and missing login rate limits.
* Injection and payload-based checks such as SQL injection, command injection, and unsafe server-side fetches.
* Security findings with severity, reproduction steps, request and response evidence, and OWASP category.
* Per-environment constraints such as `read_only`, `max_requests_per_second`, and `allow_destructive_tests`.

## Where results go

When a security scenario passes, Qodex keeps it as regression coverage. When it fails because the attack succeeded, Qodex creates a finding with the evidence a human needs to reproduce and fix the issue.

Findings are deduplicated by endpoint and attack type, so the same vulnerability does not become a pile of duplicate tickets.

## Where to go next

<CardGroup cols={2}>
  <Card title="Security scenarios" icon="shield-half" href="/security-testing-scenarios">
    Learn the scenario model Qodex uses for security checks.
  </Card>

  <Card title="Findings" icon="bug" href="/concepts-findings">
    Review severity, evidence, and lifecycle states for reported issues.
  </Card>

  <Card title="Auth profiles" icon="key" href="/api-testing-auth-profiles">
    Configure roles used for BOLA, IDOR, and privilege-escalation tests.
  </Card>

  <Card title="API scenarios" icon="list-checks" href="/api-testing-scenarios">
    See the base scenario model shared by API and security testing.
  </Card>
</CardGroup>

## On the roadmap

<Tip>
  Qodex plans to add a dedicated `allow_security_testing` environment gate, stronger self-critique when security scenarios are saved, and source-aware security generation that reads linked repository routes before choosing probes.
</Tip>
