Access-Control-Allow-Origin: *)
and V09 (CSP unsafe-inline) at runtime via HTTP response header inspection.
SQL injection (V01, V02), RCE (V03), deserialization (V04), and secret scanning (V11)
require source-level or credential analysis and are only detectable by static tools.
SAST and DAST are complementary β neither alone achieves full coverage.
| Tool | True Positives | False Positives | False Negatives | Precision | Recall | F1 Score |
|---|---|---|---|---|---|---|
| π Semgrep | 10 | 1 | 0 | 90.9% | 100.0% | 95.2% |
| π Gitleaks | 1 | 0 | 0 | 100.0% | 100.0% | 100.0% |
| π¦ Trivy | 2 | 0 | 1 | 100.0% | 66.7% | 80.0% |
| Combined | 13 | 1 | 1 | 92.9% | 92.9% | 92.9% |
Each pipeline variant was executed n=10 times on GitHub-hosted ubuntu-latest runners
under controlled conditions (May 2026, commit 771e14b).
The baseline performs Docker build only. The parallel and sequential variants
both run Gitleaks, Semgrep, Trivy and tfsec with identical tool versions and configurations.
β οΈ These are fixed experimental measurements from a controlled evaluation β
not live performance metrics. Runtime varies across GitHub-hosted runners due to
queue latency and shared infrastructure. See thesis Section 5.4 for full discussion.
| Pipeline | n | Mean | Std Dev | Min | Max | CV | Security Tools | Overhead vs Baseline |
|---|---|---|---|---|---|---|---|---|
| ποΈ Baseline | 10 | 35.5s | Β±7.6s | 29s | 55s | 21.4% | None | β |
| β‘ Parallel | 10 | 231.0s | Β±54.6s | 151s | 305s | 23.6% | 4 tools | +195.5s (+551%) |
| π Sequential | 10 | 303.0s | Β±38.3s | 241s | 362s | 12.6% | 4 tools | +267.5s (+754%) |
| ID | Vulnerability | File | Line | CWE | OWASP | Tool | Detection |
|---|---|---|---|---|---|---|---|
| V01 | SQL Injection (login) | flask_webgoat/auth.py |
17 | CWE-89 | A03:2021 | semgrep | β Detecteddefault |
| V02 | SQL Injection (create_user) | flask_webgoat/users.py |
37 | CWE-89 | A03:2021 | semgrep | β Detecteddefault |
| V03 | Remote Code Execution | flask_webgoat/actions.py |
43 | CWE-78 | A03:2021 | semgrep | β Detecteddefault |
| V04 | Insecure Deserialization | flask_webgoat/actions.py |
61 | CWE-502 | A08:2021 | semgrep | β Detectedcustom rule |
| V05 | Directory Traversal | flask_webgoat/actions.py |
32 | CWE-22 | A01:2021 | semgrep | β Detectedcustom rule |
| V06 | Open Redirect | flask_webgoat/auth.py |
46 | CWE-601 | A01:2021 | semgrep | β Detectedcustom rule |
| V07 | Sensitive Data Exposure | flask_webgoat/__init__.py |
13 | CWE-200 | A02:2021 | semgrep | β Detectedcustom rule |
| V08 | Broken Access Control (CORS) | run.py |
8 | CWE-284 | A01:2021 | semgrep | β Detectedcustom rule |
| V09 | Security Misconfiguration (CSP) | run.py |
10 | CWE-16 | A05:2021 | semgrep | β Detectedcustom rule |
| V10 | Security Misconfiguration (debug=True) | run.py |
15 | CWE-94 | A05:2021 | semgrep | β Detectedcustom rule |
| V11 | Hardcoded Secret Key | flask_webgoat/__init__.py |
13 | CWE-798 | A02:2021 | gitleaks | β Detecteddefault |
| V12 | Outdated Flask 1.1.2 | requirements.txt |
β | CVE-2023-30861 | A06:2021 | trivy | β Detecteddefault |
| V13 | Outdated Jinja2 2.11.3 (MEDIUM β below threshold) CVEs classified as MEDIUM by NVD β below HIGH/CRITICAL threshold |
requirements.txt |
β | CVE-2024-22195 | A06:2021 | trivy | β Missed |
| V14 | Outdated Werkzeug 1.0.1 | requirements.txt |
β | CVE-2023-25577 | A06:2021 | trivy | β Detecteddefault |
OWASP ZAP performed a baseline scan against the running flask-webgoat application
at http://localhost:5000 using the Automation Framework.
The baseline scan mode performs passive analysis and selected active probes
without aggressive fuzzing. ZAP dynamically confirmed CORS misconfiguration (V08)
and CSP unsafe-inline (V09) via HTTP response header inspection β both of which
were also detected statically by Semgrep custom rules. SQL injection (V01, V02),
RCE (V03), and insecure deserialization (V04) are not detectable by passive DAST
and require source-level static analysis. This confirms the complementary nature
of SAST and DAST as defence-in-depth layers.
| Risk | Alert | CWE | Instances | Solution |
|---|---|---|---|---|
| MEDIUM | CSP: Failure to Define Directive with No Fallback | CWE-693 | 2 | Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
| MEDIUM | CSP: Wildcard Directive | CWE-693 | 4 | Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
| MEDIUM | CSP: script-src unsafe-inline | CWE-693 | 4 | Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
| MEDIUM | CSP: style-src unsafe-inline | CWE-693 | 4 | Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
| MEDIUM | Cross-Domain Misconfiguration | CWE-264 | 4 | Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Acces |
| LOW | Permissions Policy Header Not Set | CWE-693 | 4 | Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. |
| LOW | Server Leaks Version Information via "Server" HTTP Response Header Field | CWE-497 | 4 | Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details. |
| INFORMATIONAL | Storable and Cacheable Content | CWE-524 | 4 | Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP re |
tfsec identified 8 known findings in the Terraform infrastructure code. Each finding is classified as a True Positive (remediated), Intentional Design Decision, Known Limitation, or False Positive β demonstrating that IaC scan results require human analysis to distinguish genuine misconfigurations from deliberate trade-offs.
| ID | Rule | Resource | Severity | Detected | Classification | Rationale |
|---|---|---|---|---|---|---|
| I01 | AVD-AWS-0052 |
ecs.tf β aws_lb | HIGH | Not detected in this run | β True Positive β Remediated | Fixed: added drop_invalid_header_fields = true. Prevents HTTP request smuggling attacks. |
| I02 | AVD-AWS-0107 |
security_groups.tf β alb_ingress_http | CRITICAL | Not detected in this run | π΅ Intentional Design Decision | The ALB is the single public entry point by design. Fargate tasks run in private subnets with no public IP. Restricting ALB ingress would make the application unreachable. |
| I03 | AVD-AWS-0053 |
ecs.tf β aws_lb | HIGH | Not detected in this run | π΅ Intentional Design Decision | An internal ALB would make the thesis demo application inaccessible. The ALB is intentionally public-facing. Production deployments should add a WAF layer. |
| I04 | AVD-AWS-0054 |
ecs.tf β aws_lb_listener | CRITICAL | Detected | π‘ Known Limitation | HTTPS requires a registered domain and an ACM certificate, both out of scope for this thesis demo environment. Production deployment must use HTTPS. Documented as future work. |
| I05 | AVD-AWS-0057 |
iam.tf β execution_policy | HIGH | Not detected in this run | β οΈ False Positive | logs:CreateLogStream is the minimum permission required for ECS Fargate tasks to write container logs to CloudWatch. Scoped to a specific log group ARN β not a wildcard. Standard AWS ECS practice. |
| I06 | AVD-AWS-0178 |
vpc.tf β aws_vpc | MEDIUM | Not detected in this run | π‘ Known Limitation | VPC Flow Logs require an S3 bucket or dedicated CloudWatch Log Group with IAM roles, generating ongoing storage costs. Out of scope for thesis demo environment. Documented as future work. |
| I07 | AVD-AWS-0017 |
ecr.tf β aws_cloudwatch_log_group | LOW | Not detected in this run | β True Positive β Remediated | Fixed: dedicated KMS key created for CloudWatch Logs with correct key policy granting the logs service principal encryption permissions. Key rotation enabled. |
| I08 | AVD-AWS-0098 |
secrets.tf β aws_secretsmanager_secret | LOW | Not detected in this run | β True Positive β Remediated | Fixed: dedicated customer-managed KMS key created for Secrets Manager. Provides full auditability via CloudTrail, ability to revoke access by disabling the key, and automatic annual key rotation. |
Showing only application-level packages (Flask, Jinja2, Werkzeug etc.) β OS-level CVEs excluded from ground truth evaluation.
| CVE | Package | Installed | Fixed In | Severity | Title |
|---|---|---|---|---|---|
CVE-2023-30861 |
Flask | 1.1.2 | 2.3.2, 2.2.5 | HIGH | flask: Possible disclosure of permanent session cookie due to missing Vary: Cook |
CVE-2023-25577 |
Werkzeug | 1.0.1 | 2.2.3 | HIGH | python-werkzeug: high resource usage when parsing multipart form data with many |
CVE-2024-34069 |
Werkzeug | 1.0.1 | 3.0.3 | HIGH | python-werkzeug: user may execute code on a developer's machine |
| Rule | File | Line | Classification | Reason |
|---|---|---|---|---|
request-data-write |
flask_webgoat/actions.py |
22 | False Positive | Rule targets Django patterns; not applicable to Flask |