Security Scanning Best Practices

Applications built with Framework M should inherit the safety standards of the framework while implementing their own security guardrails.

1. Automated CI Scanning

We recommend adding a security.yml (or equivalent for your CI provider) to all downstream applications.

Ensure your custom business logic is checked for common security pitfalls.

# Examples CI Job
lint_security:
  stage: test
  script:
    - uv run bandit -r src/ -ll

Use Gitleaks to prevent committing secrets (API keys, DB credentials) to your application repository.

Regularly check for vulnerabilities in third-party packages.

uv tree --outdated
uv pip audit

In a modular monolith, security isn't just about the external API but also about the internal boundaries between apps.

Authorization Testing: Write integration tests that simulate a user from App A trying to access App B without proper roles.
RLS Validation: Ensure that your standard DocTypes are correctly applying Row Level Security (RLS) policies by testing with different user IDs.
Encrypted Metadata: If storing sensitive metadata in documents, ensure the EncryptedField adapter is used and correctly configured.

For production-grade applications, perform regular API penetration testing.

Tools: OWASP ZAP, Burp Suite.
Focus Areas:
- IDOR (Insecure Direct Object Reference): Can a user guess a UUID and access someone else's document? (Framework M's RLS and Meta-API prevent this by default, but custom handlers should be audited).
- Broken Function Level Authorization: Can a non-manager call an /api/v1/salary-update endpoint?
- Mass Assignment: Can a user update the owner or role fields via a standard POST? (Framework M's SchemaMapper handles readonly/system fields, but verify your DocType definitions).