OWASP Top 10 Security Scan

Maeris MCP includes an AI-guided static security analysis tool that scans your codebase against the OWASP Top 10 vulnerability categories. It identifies risks in your source code without executing your application, making it safe to run at any time — including in CI/CD pipelines.

Running a Security Scan

# Standard scan (balanced speed and depth)
maeris scan security

# Quick scan (surface-level, faster)
maeris scan security --quick

# Deep scan (thorough, takes longer)
maeris scan security --deep

The standard scan is recommended for most projects. Use --deep for comprehensive audits before major releases or compliance reviews.

OWASP Top 10 Coverage

The security scan covers all OWASP Top 10 (2021) categories:

  • A01 — Broken Access Control — Missing authorization checks, insecure direct object references, privilege escalation paths
  • A02 — Cryptographic Failures — Hardcoded secrets, weak hashing algorithms, unencrypted sensitive data in storage or transit
  • A03 — Injection — SQL injection, command injection, XSS via unsanitized user input, template injection
  • A04 — Insecure Design — Missing rate limiting, absent input validation patterns, insecure default configurations
  • A05 — Security Misconfiguration — Debug mode in production, exposed stack traces, permissive CORS policies, default credentials
  • A06 — Vulnerable Components — Known CVEs in dependencies detected from package.json, requirements.txt, or pom.xml
  • A07 — Authentication Failures — Weak password policies, missing brute-force protection, insecure session management
  • A08 — Software Integrity Failures — Unsigned CI/CD pipelines, untrusted third-party scripts included without SRI
  • A09 — Logging Failures — Sensitive data logged to console, insufficient audit trails, missing error logging
  • A10 — SSRF — Server-Side Request Forgery via unvalidated URL parameters passed to internal fetch calls

AI-Guided Static Analysis

Unlike traditional rule-based scanners, Maeris uses Claude AI to understand the context of your code. This reduces false positives by determining whether a potential issue is actually reachable and exploitable given your application's specific architecture.

How AI analysis works

Claude reads the surrounding code context — input sources, validation middleware, output encoding — before flagging an issue. A raw SQL concatenation inside a function that is only called with hardcoded internal values will be flagged differently than one that directly interpolates user request parameters.
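The distinction above, a raw SQL template literal being rated differently depending on where the interpolated value comes from, can be approximated with a small taint check. The following is an added illustration written for this page, not Maeris's own analyzer (which uses Claude rather than pattern matching): it finds db.query(`...${expr}...`) calls in a constructed source snippet, classifies each interpolated expression as user-controlled (req.params, req.query, req.body, req.headers), internal (a literal or a constant declared in the snippet), or unknown, and assigns a severity accordingly. The function and variable names are assumptions for the example.

```javascript
// Added example, not part of Maeris MCP. A toy line-based taint check that
// mimics the context distinction described above.
const TAINT_SOURCES = ['req.params', 'req.query', 'req.body', 'req.headers'];

// Collect names bound to a literal value, e.g. const TABLE = "audit_log",
// so that interpolating them can be treated as internal rather than tainted.
function findConstants(source) {
  const consts = new Set();
  const re = /\b(?:const|let|var)\s+(\w+)\s*=\s*(?:'[^']*'|"[^"]*"|\d+)\s*;?/g;
  let m;
  while ((m = re.exec(source)) !== null) consts.add(m[1]);
  return consts;
}

// Classify one interpolated expression by the origin of its value.
function classifyExpression(expr, constants) {
  const e = expr.trim();
  if (TAINT_SOURCES.some((s) => e.startsWith(s))) return 'user-controlled';
  if (/^(?:'[^']*'|"[^"]*"|\d+)$/.test(e) || constants.has(e)) return 'internal';
  return 'unknown';
}

// Scan source text for db.query(`...`) calls that interpolate values and
// rate each call: CRITICAL when request data reaches the query, MEDIUM when
// the origin cannot be determined from the snippet, INFO when every value
// is a literal or a declared constant.
function scanForSqlInterpolation(source) {
  const constants = findConstants(source);
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const call = /db\.query\(\s*`([^`]*)`/.exec(line);
    if (!call) return;
    const exprs = [...call[1].matchAll(/\$\{([^}]+)\}/g)].map((x) => x[1]);
    if (exprs.length === 0) return;
    const origins = exprs.map((x) => classifyExpression(x, constants));
    let severity = 'INFO';
    if (origins.includes('user-controlled')) severity = 'CRITICAL';
    else if (origins.includes('unknown')) severity = 'MEDIUM';
    findings.push({ line: idx + 1, severity, origins });
  });
  return findings;
}

// Constructed sample source: one query fed by a request parameter, one fed
// only by a constant and a literal, one fed by a plain function argument.
const SAMPLE = [
  'const TABLE = "audit_log";',
  'function getUser(req, res) {',
  '  db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);',
  '}',
  'function pruneLog() {',
  '  db.query(`DELETE FROM ${TABLE} WHERE age_days > ${30}`);',
  '}',
  'function lookup(name) {',
  "  db.query(`SELECT * FROM users WHERE name = '${name}'`);",
  '}',
].join('\n');

console.log(scanForSqlInterpolation(SAMPLE));
```

Run with `node` to see the three calls rated CRITICAL (line 3), INFO (line 6) and MEDIUM (line 9). The MEDIUM case is the one a context-aware analyzer resolves further by reading the callers of lookup(): if every caller passes a hardcoded value the rating drops, if any caller passes request data it rises to CRITICAL.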

Findings and Severity Levels

Each finding is assigned a severity level and includes file location, code snippet, and remediation guidance:

Security Scan Results — my-web-app
==================================

CRITICAL (2 findings)
  [A03] SQL Injection risk
    File: src/api/users.js:47
    Code: db.query(`SELECT * FROM users WHERE id = ${req.params.id}`)
    Fix:  Use parameterized queries: db.query('SELECT * FROM users WHERE id = ?', [req.params.id])

  [A02] Hardcoded secret
    File: src/config/db.js:12
    Code: const password = "admin1234"
    Fix:  Move to environment variable: process.env.DB_PASSWORD

HIGH (5 findings)
  ...

MEDIUM (11 findings)
  ...

PASSED: A01 Broken Access Control — no issues found
PASSED: A08 Software Integrity — no issues found
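Because the scan is safe to run in CI/CD, a pipeline step usually wants to turn a report like the one above into a pass/fail decision. The following added example, written for this page and not part of Maeris, parses the plain-text report format shown above and applies a simple gate: fail on any CRITICAL finding, or when HIGH findings exceed a budget. Counts are taken from the section headers ("CRITICAL (2 findings)") so the elided "..." sections still count; individual findings are collected where they are listed. The sample report is the one printed above, embedded as a constant; parseReport and ciGate are names chosen for the example.

```javascript
// Added example, not part of Maeris MCP: parse the scan report and gate a CI job.
const SAMPLE_REPORT = `Security Scan Results — my-web-app
==================================

CRITICAL (2 findings)
  [A03] SQL Injection risk
    File: src/api/users.js:47
    Code: db.query(\`SELECT * FROM users WHERE id = \${req.params.id}\`)
    Fix:  Use parameterized queries: db.query('SELECT * FROM users WHERE id = ?', [req.params.id])

  [A02] Hardcoded secret
    File: src/config/db.js:12
    Code: const password = "admin1234"
    Fix:  Move to environment variable: process.env.DB_PASSWORD

HIGH (5 findings)
  ...

MEDIUM (11 findings)
  ...

PASSED: A01 Broken Access Control — no issues found
PASSED: A08 Software Integrity — no issues found
`;

// Parse the report into project name, per-severity counts, listed findings
// and the categories that passed.
function parseReport(text) {
  const report = { project: null, counts: {}, findings: [], passed: [] };
  let section = null;   // severity block we are currently inside
  let current = null;   // finding whose File:/Fix: lines we are reading
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = /^Security Scan Results — (.+)$/.exec(line))) { report.project = m[1]; continue; }
    if ((m = /^(CRITICAL|HIGH|MEDIUM|LOW) \((\d+) findings?\)$/.exec(line))) {
      section = m[1];
      report.counts[section] = Number(m[2]);
      continue;
    }
    if ((m = /^PASSED: (A\d\d) (.+?) — /.exec(line))) { report.passed.push(m[1]); continue; }
    if (section && (m = /^\[(A\d\d)\] (.+)$/.exec(line))) {
      current = { severity: section, category: m[1], title: m[2], file: null, lineNo: null, fix: null };
      report.findings.push(current);
      continue;
    }
    if (current && (m = /^File: (.+):(\d+)$/.exec(line))) {
      current.file = m[1];
      current.lineNo = Number(m[2]);
      continue;
    }
    if (current && (m = /^Fix:\s+(.+)$/.exec(line))) current.fix = m[1];
  }
  return report;
}

// Decide whether the pipeline should fail. Any CRITICAL finding fails the
// build; HIGH findings fail it once they exceed an agreed budget.
function ciGate(report, { maxHigh = 0 } = {}) {
  const critical = report.counts.CRITICAL || 0;
  const high = report.counts.HIGH || 0;
  const reasons = [];
  if (critical > 0) reasons.push(`${critical} critical finding(s)`);
  if (high > maxHigh) reasons.push(`${high} high finding(s) exceeds budget of ${maxHigh}`);
  const pass = reasons.length === 0;
  return { pass, exitCode: pass ? 0 : 1, reasons };
}

const parsed = parseReport(SAMPLE_REPORT);
const gate = ciGate(parsed, { maxHigh: 3 });
console.log(parsed.counts, gate);
```

Wire it into a pipeline by piping the scan output into a script that calls `process.exit(gate.exitCode)`; the `maxHigh` budget lets a team ratchet down existing HIGH findings over time without blocking every build immediately, while CRITICAL findings always block.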

Syncing Results to Portal

After the scan completes, push the results to the Maeris Portal for team visibility and tracking:

maeris scan push

On the portal, team members can review findings, mark items as accepted risks, assign remediation owners, and track remediation progress over time.

Next Steps

To run specialized security profiles (API security, SAST, compliance) or export reports, see the Security Profiles & Reports guide.