Add DAST API route coverage evidence gates#1709

Open
yanziwei wants to merge 1 commit into
UnitOneAI:mainfrom
yanziwei:improve/dast-api-route-coverage

Conversation


@yanziwei yanziwei commented Jun 8, 2026

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: dast-config
Skill path: skills/devsecops/dast-config/

What Was Wrong

The skill required OpenAPI import for API scanning, but it did not require proof that the imported specification matched deployed runtime routes or that each operation was actually exercised during the scan. A DAST run could therefore pass after importing a stale or partial OpenAPI file while missing runtime-only, admin, auth-blocked, WAF-blocked, or partially imported endpoints.

What This PR Fixes

  • Adds API route coverage evidence gates after OpenAPI import guidance.
  • Requires reviewers to reconcile OpenAPI/Swagger specs, runtime route inventories, DAST import logs, request logs or HAR evidence, and auth role maps.
  • Adds a route-level coverage matrix template with gap reasons and owners.
  • Adds finding severity guidance for low API route coverage, runtime routes missing from specs, import failures, and routes marked covered without request-log evidence.
  • Extends the output format with API route coverage status and a dedicated route coverage table.
  • Adds a common pitfall warning against counting OpenAPI import as endpoint coverage.
  • Updates the skill version/changelog to 1.0.1.

Test Cases Added/Updated

  • Added evidence checklist and report fields in the skill body
  • Updated findings classification and common pitfalls
  • Existing markdown structure remains valid

Validation run locally:

git diff --check
markdown fences: 22
marker checks: API Route Coverage Evidence, Coverage matrix template, API route coverage below 80%, OpenAPI Specification, 1.0.1

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Can provide privately after maintainer acceptance.

Closes #1708
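The reconciliation this PR asks reviewers to perform (OpenAPI operations against the runtime route inventory, with request-log or HAR evidence deciding whether a route counts as covered, and a route-level matrix with gap reasons and an 80% coverage gate) can be checked mechanically. The script below is an added illustration, not code from this PR or from the dast-config skill; the sample spec, route dump and request log are constructed, and the status names, the `BLOCKED_STATUSES` rule and the helper names are this example's own assumptions.

```python
import re
from collections import defaultdict

# --- Constructed sample evidence (hypothetical; not from the PR or repo) ---
OPENAPI_SPEC = {"paths": {
    "/users": {"get": {}, "post": {}},
    "/users/{id}": {"get": {}, "delete": {}},
    "/reports": {"get": {}},              # stale: no longer served at runtime
}}
# Framework route dump; Express-style ":id" params are normalised below.
RUNTIME_ROUTES = [
    ("GET", "/users"), ("POST", "/users"),
    ("GET", "/users/:id"), ("DELETE", "/users/:id"),
    ("GET", "/admin/audit"),              # runtime-only: missing from the spec
]
# (method, concrete path, status) rows as extracted from a DAST HAR file.
REQUEST_LOG = [
    ("GET", "/users", 200), ("POST", "/users", 201),
    ("GET", "/users/42", 200),
    ("DELETE", "/users/42", 403), ("DELETE", "/users/7", 403),
]
BLOCKED_STATUSES = {401, 403}   # only rejections seen => auth/WAF-blocked, not covered
COVERAGE_GATE = 0.80            # threshold quoted in the PR description


def normalise(path):
    """Map ':id' route params to OpenAPI '{id}' and drop trailing slashes."""
    return re.sub(r":(\w+)", r"{\1}", path).rstrip("/") or "/"


def template_to_regex(template):
    """'/users/{id}' -> ^/users/[^/]+$ so concrete logged paths match a template."""
    segs = ["[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
            for s in template.split("/")]
    return re.compile("^" + "/".join(segs) + "$")


def build_matrix(spec, runtime_routes, request_log):
    """Return {(METHOD, template): row}; a row is 'covered' only with request evidence."""
    in_spec = {(m.upper(), normalise(p)) for p, ops in spec["paths"].items() for m in ops}
    in_runtime = {(m.upper(), normalise(p)) for m, p in runtime_routes}
    observed = defaultdict(list)
    for method, path, status in request_log:
        for route in in_spec | in_runtime:
            if route[0] == method.upper() and template_to_regex(route[1]).match(path):
                observed[route].append(status)
    matrix = {}
    for route in sorted(in_spec | in_runtime):
        statuses = observed.get(route, [])
        if route not in in_runtime:
            status = "spec_only"        # stale/partial spec entry; nothing deployed to scan
        elif not statuses:
            status = "not_exercised"    # imported or not, no request-log evidence
        elif all(s in BLOCKED_STATUSES for s in statuses):
            status = "blocked"          # every attempt rejected before application logic
        else:
            status = "covered"
        matrix[route] = {"in_spec": route in in_spec, "in_runtime": route in in_runtime,
                         "requests": len(statuses), "status": status}
    return matrix


def coverage(matrix):
    """Share of deployed routes with evidence of a non-blocked response."""
    deployed = [r for r in matrix.values() if r["in_runtime"]]
    return sum(r["status"] == "covered" for r in deployed) / len(deployed)


def findings(matrix):
    """Gate results in the shape of the PR's severity guidance (wording is ours)."""
    out = []
    cov = coverage(matrix)
    if cov < COVERAGE_GATE:
        out.append(f"API route coverage {cov:.0%} is below the {COVERAGE_GATE:.0%} gate")
    for (method, path), row in matrix.items():
        if row["in_runtime"] and not row["in_spec"]:
            out.append(f"runtime route missing from spec: {method} {path}")
        if row["status"] == "spec_only":
            out.append(f"spec operation not served at runtime: {method} {path}")
        if row["status"] in ("not_exercised", "blocked"):
            out.append(f"no coverage evidence for {method} {path} ({row['status']})")
    return out


if __name__ == "__main__":
    m = build_matrix(OPENAPI_SPEC, RUNTIME_ROUTES, REQUEST_LOG)
    for (method, path), row in m.items():
        print(f"{method:6} {path:16} spec={row['in_spec']!s:5} "
              f"runtime={row['in_runtime']!s:5} requests={row['requests']} status={row['status']}")
    print("\n".join(findings(m)))
```

On the constructed input the matrix marks three of five deployed routes as covered (60%), so the gate fails; `DELETE /users/{id}` is reported as blocked rather than covered because every logged attempt returned 403, and `GET /admin/audit` surfaces as a runtime route that the imported spec never mentioned. The denominator is the runtime inventory, not the spec, which is exactly why an OpenAPI import on its own cannot stand in for endpoint coverage.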



Development

Successfully merging this pull request may close these issues.

[REVIEW] dast-config: add API route coverage evidence gates