Cybersecurity | Featured

StudentSecScore — DevSecOps Automated Security Platform

SaaS platform for automated security analysis of GitHub repositories via OAuth, integrating SCA (Trivy), SAST (SonarQube/Semgrep), and DAST (OWASP ZAP) to generate dynamic OWASP compliance scores.

2026
Completed (February 2026)
1 member

Technologies Used

Python, Node.js, React, GitHub OAuth, Trivy, SonarQube, Semgrep, OWASP ZAP, Docker, DevSecOps

A web application that automates the security analysis of GitHub repositories through OAuth integration. Combines multiple security scanning tools (SCA, SAST, DAST) into a unified pipeline and generates dynamic compliance scores aligned with OWASP Top 10.

🎯 Project Overview

StudentSecScore makes DevSecOps accessible by providing automated, one-click security analysis of any GitHub repository. The platform generates actionable compliance reports with exportable dashboards.

🔍 Security Scanning Pipeline

SCA — Software Composition Analysis

  • Trivy — Scans dependencies and container images for known CVEs
  • Detects outdated libraries, insecure package versions, and license risks

SAST — Static Application Security Testing

  • SonarQube — Code quality and security bug detection
  • Semgrep — Fast, customizable static analysis with security rulesets

DAST — Dynamic Application Security Testing

  • OWASP ZAP — Automated web vulnerability scanning (injection, XSS, CSRF, etc.)
  • Tests running applications against OWASP Top 10 attack vectors

📊 Compliance Scoring

  • Dynamic score generated from aggregated scan results
  • Breakdown by OWASP Top 10 category
  • Risk tracking dashboard with trend visualization
  • Exportable compliance reports (PDF/JSON)

🔐 GitHub OAuth Integration

  • Secure OAuth 2.0 flow for repository access
  • Scoped permissions — read-only access to repository contents
  • Supports public and private repositories

🏗️ Architecture

  • Frontend — React with dynamic dashboards
  • Backend — Python/Node.js API orchestrating scan tools
  • Pipeline — Containerized scan workers via Docker

Challenges

  • Orchestrating heterogeneous security tools (SCA, SAST, DAST) into a unified pipeline
  • Managing GitHub OAuth scopes to minimize permissions while enabling repository access
  • Aggregating scan results from different tools into a coherent compliance score
  • Designing a scoring model aligned with OWASP Top 10 categories

Solutions

  • Built a pipeline orchestrator running Trivy → Semgrep/SonarQube → OWASP ZAP with structured output
  • Used read-only OAuth scopes (repo:read) for safe GitHub integration
  • Designed a normalized vulnerability schema mapping findings from all tools to OWASP categories
  • Implemented weighted scoring per OWASP Top 10 category with severity multipliers
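The normalized schema and weighted scoring sketched in the last two items, as an added example rather than the project's own code: the record shapes follow each tool's JSON report in general form, but the severity multipliers, category weights, CWE-to-OWASP map and sample findings are constructed assumptions.

```python
"""Normalize Trivy, Semgrep and ZAP findings into one schema and score them.
Added example: weights, CWE map and sample records are constructed, not the project's."""
from dataclasses import dataclass

OWASP_TOP10 = [f"A{n:02d}" for n in range(1, 11)]
SEVERITY_MULTIPLIER = {"CRITICAL": 5.0, "HIGH": 3.0, "MEDIUM": 1.5, "LOW": 0.5, "INFO": 0.0}
BASE_PENALTY = 4.0  # points deducted per finding before the severity multiplier
CATEGORY_WEIGHT = {c: 1.0 for c in OWASP_TOP10}
CATEGORY_WEIGHT.update({"A01": 1.5, "A03": 1.5, "A06": 1.25})  # assumed emphasis
CWE_TO_OWASP = {"79": "A03", "89": "A03", "352": "A01", "327": "A02"}  # constructed subset

@dataclass(frozen=True)
class Finding:
    tool: str
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW / INFO
    owasp: str     # OWASP Top 10 category id such as "A03"
    title: str

def from_trivy(v: dict) -> Finding:
    # SCA hits are vulnerable dependencies: A06 (Vulnerable and Outdated Components)
    return Finding("trivy", v["Severity"].upper(), "A06", f'{v["PkgName"]} {v["VulnerabilityID"]}')

def from_semgrep(r: dict):
    sev = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}[r["extra"]["severity"]]
    tags = r["extra"]["metadata"].get("owasp", [])  # e.g. "A03:2021 - Injection"
    return Finding("semgrep", sev, tags[0].split(":")[0], r["check_id"]) if tags else None

def from_zap(a: dict):
    risk = a["riskdesc"].split(" ")[0].upper()  # "Medium (High)" -> MEDIUM
    cat = CWE_TO_OWASP.get(str(a.get("cweid", "")))  # unmapped CWEs are dropped
    return Finding("zap", "INFO" if risk == "INFORMATIONAL" else risk, cat, a["alert"]) if cat else None

def category_scores(findings: list) -> dict:
    penalty = {c: 0.0 for c in OWASP_TOP10}
    for f in findings:
        penalty[f.owasp] += BASE_PENALTY * SEVERITY_MULTIPLIER[f.severity]
    return {c: max(0.0, 100.0 - p) for c, p in penalty.items()}

def overall_score(scores: dict) -> float:
    weighted = sum(scores[c] * CATEGORY_WEIGHT[c] for c in OWASP_TOP10)
    return round(weighted / sum(CATEGORY_WEIGHT.values()), 2)

# Constructed sample records, in the rough shape each tool emits (CVE ids are placeholders)
SAMPLE = [f for f in (
    from_trivy({"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL", "PkgName": "libexample"}),
    from_trivy({"VulnerabilityID": "CVE-0000-0002", "Severity": "Medium", "PkgName": "example-parser"}),
    from_semgrep({"check_id": "example.sqli", "extra": {"severity": "ERROR", "metadata": {"owasp": ["A03:2021 - Injection"]}}}),
    from_zap({"alert": "Absence of Anti-CSRF Tokens", "riskdesc": "Medium (High)", "cweid": "352"}),
    from_zap({"alert": "X-Content-Type-Options Header Missing", "riskdesc": "Low (Medium)", "cweid": "693"}),
) if f]
```

With these samples the A06 category drops to 74, A03 to 88 and A01 to 94; the unmapped ZAP alert is dropped rather than silently scored, and an Informational ZAP alert carries a zero multiplier.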

Outcomes

  • Full automated DevSecOps pipeline covering SCA, SAST, and DAST in a single platform
  • Dynamic compliance scores with OWASP Top 10 breakdown and risk trend dashboards
  • GitHub OAuth integration enabling analysis of public and private repositories
  • Exportable compliance reports ready for academic and professional use