Sec0 middleware exposes optional scan hooks that you can connect to your SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), Claude Security, and Custom scanners. When enabled, tool handler code is scanned for vulnerabilities, and findings can block execution based on severity thresholds.
We recommend using security scanners optimized to prevent AI-assisted attacks, such as Claude Security or OpenAI Aardvark Security Research Agent.
SAST Hook (Static Analysis)
SAST scans tool handler source code for vulnerabilities. Scans are triggered when handler code changes (detected via source hashing) and results are cached by handler hash.
Enabling the SAST Hook
import { sec0SecurityMiddleware } from "sec0-sdk/middleware";
sec0SecurityMiddleware({
// ...standard options...
sast: {
enabled: true,
block_on_change: true, // Block until scan completes after code change
block_on_severity: "high", // Block if max finding severity >= high
cache_ttl_ms: 24 * 60 * 60 * 1000, // Cache results for 24 hours
scan_all_on_server_change: false, // Batch scan all tools on server change
onScan: async (info) => {
// Custom scanner integration
const result = await mySastScanner.scan({
source: info.source,
file: info.filePath,
});
return {
status: result.passed ? "pass" : "fail",
findings: result.findings,
scanId: result.id,
};
},
},
})(server);
Snippets on this page focus on SAST/DAST options. Keep base middleware options (policy, signer, otel, sec0) in your actual configuration.
SAST Scan Hook (onScan)
The onScan function receives:
interface SastScanInfo {
server: string; // Server name
tool: string; // Tool name
handlerHash: string; // SHA-256 of handler source
filePath?: string; // File path (if available)
source?: string; // Handler source code
ruleset?: string; // Configured ruleset
}
interface SastScanResult {
status: "pass" | "fail" | "pending";
findings?: SastFinding[];
scanId?: string;
raw?: any;
}
SAST Findings
interface SastFinding {
code: string; // Stable finding code
title: string; // Short title
severity: "low" | "medium" | "high" | "critical";
message: string; // Human-readable details
file?: string; // File path
startLine?: number; // Start line
endLine?: number; // End line
suggest?: string; // Suggested fix
tags?: string[]; // Optional tags
cwe?: string[]; // CWE identifiers
owasp?: string[]; // OWASP identifiers
nist?: string[]; // NIST identifiers
}
Semgrep Integration
Sec0 includes a built-in Semgrep adapter:
import { semgrepOnScan } from "sec0-sdk/middleware";
sec0SecurityMiddleware({
// ...
sast: {
enabled: true,
block_on_change: true,
block_on_severity: "high",
onScan: semgrepOnScan,
},
})(server);
| Variable | Description |
|---|
SEMGREP_BIN | Path to Semgrep CLI (default: semgrep) |
SEC0_SEMGREP_CONFIG | Ruleset configuration |
SEC0_SEMGREP_TIMEOUT_SEC | Scan timeout |
SEC0_SEMGREP_SERVICE_URL | Remote Semgrep service URL |
DAST Hook (Dynamic Analysis)
DAST scans tool servers at runtime for vulnerabilities. Scans target a sandbox URL and can generate dynamic block rules with TTL.
Enabling the DAST Hook
sec0SecurityMiddleware({
// ...standard options...
dast: {
enabled: true,
block_on_change: true,
block_on_severity: "high",
block_on_count: 1, // Block if findings >= count
rule_ttl_ms: 24 * 60 * 60 * 1000, // Dynamic rule TTL
sandbox_url: "https://your-dast-sandbox",
mode: "sync", // "sync" | "async"
scope: "server", // "server" | "tool"
onScan: async (info) => {
const result = await myDastScanner.scan({
target: info.sandboxUrl,
tool: info.tool,
});
return {
status: result.passed ? "pass" : "fail",
findings: result.findings,
scanId: result.id,
};
},
},
})(server);
DAST Scan Hook (onScan)
The onScan function receives:
interface DastScanInfo {
server: string;
tool: string;
handlerHash: string;
sandboxUrl?: string;
templates?: string;
tags?: string[];
excludeTags?: string[];
severity?: string[];
}
DAST Findings
interface DastFinding {
code: string;
title: string;
severity: "low" | "medium" | "high" | "critical";
message: string;
url?: string; // Affected URL
method?: string; // HTTP method
param?: string; // Parameter name
location?: string; // Path or resource
evidence?: string; // Evidence snippet
sources?: string[]; // Scanner sources
tags?: string[];
cwe?: string[];
owasp?: string[];
nist?: string[];
}
Nuclei Integration
Sec0 includes a built-in Nuclei adapter:
import { nucleiOnScan } from "sec0-sdk/middleware";
sec0SecurityMiddleware({
// ...
dast: {
enabled: true,
block_on_change: true,
block_on_severity: "high",
sandbox_url: "https://your-sandbox",
onScan: nucleiOnScan,
},
})(server);
| Variable | Description |
|---|
NUCLEI_BIN | Path to Nuclei CLI (default: nuclei) |
SEC0_NUCLEI_TEMPLATES | Templates directory/file |
SEC0_NUCLEI_TIMEOUT_SEC | Scan timeout |
SEC0_NUCLEI_TARGET | Default sandbox target |
Policy-Driven DAST
Configure DAST via policy YAML:
dast:
enabled: true
sandbox_url: https://your-sandbox
templates: /path/to/nuclei-templates
tags: [nist, cwe, owasp]
severity: [low, medium, high, critical]
Enforcement Integration
SAST/DAST findings integrate with the standard enforcement pipeline:
enforcement:
deny_on:
- sast_pending # Block while SAST scan is pending
- sast_failed # Block if SAST findings exceed threshold
- dast_pending # Block while DAST scan is pending
- dast_failed # Block if DAST findings exceed threshold
