vet

CASA Tier 2 / OWASP ASVS security scanner. One command, full compliance report.

vet https://your-app.com

What it does

Replicates what a CASA Tier 2 security assessor runs against your OAuth app:

  • Security headers — HSTS, CSP, X-Frame-Options, etc.
  • HTTP methods — TRACE/TRACK blocked, proper 405s
  • Error disclosure — no stack traces, no version strings
  • Input validation — SQL injection, XSS, path traversal probes
  • TLS/SSL — TLS 1.2+, valid cert chain
  • CORS — no overly permissive origins
  • OAuth flows — state replay, code reuse, redirect_uri bypass
  • Rate limiting — 429 enforcement verification

Output is a structured JSON report mapped to OWASP ASVS control IDs.
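As an added illustration of the "Security headers" category (this is example code, not vet's own implementation): a header check that parses Strict-Transport-Security, looks for a CSP, a clickjacking defence, nosniff and a Referrer-Policy, and emits findings keyed to control IDs. The V14.4.x IDs are my own mapping from ASVS 4.0; vet's mapping may differ, and the sample header sets are constructed.

```typescript
// Added example, not vet's own code: a check of the kind vet's "Security headers"
// category performs, reporting failures against ASVS V14.4 control IDs (my mapping).
type Finding = { control: string; header: string; issue: string };
const ONE_YEAR_SECONDS = 31536000;

// Parse Strict-Transport-Security directives (RFC 6797): max-age and includeSubDomains.
function parseHsts(value: string): { maxAge: number; includeSubDomains: boolean } {
  let maxAge = -1;
  let includeSubDomains = false;
  for (const directive of value.split(";")) {
    const d = directive.trim().toLowerCase();
    if (d.startsWith("max-age=")) maxAge = Number(d.slice(8).replace(/"/g, ""));
    if (d === "includesubdomains") includeSubDomains = true;
  }
  return { maxAge: Number.isFinite(maxAge) ? maxAge : -1, includeSubDomains };
}

// Evaluate one response's headers; returns one finding per failed control.
function checkSecurityHeaders(headers: Record<string, string>): Finding[] {
  const h: Record<string, string> = {}; // header names are case-insensitive
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings: Finding[] = [];
  const fail = (control: string, header: string, issue: string) => { findings.push({ control, header, issue }); };

  const hsts = h["strict-transport-security"];
  if (!hsts) fail("V14.4.5", "Strict-Transport-Security", "missing");
  else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (maxAge < ONE_YEAR_SECONDS) fail("V14.4.5", "Strict-Transport-Security", `max-age ${maxAge} below one year`);
    if (!includeSubDomains) fail("V14.4.5", "Strict-Transport-Security", "includeSubDomains not set");
  }
  const csp = h["content-security-policy"] ?? "";
  if (!csp) fail("V14.4.3", "Content-Security-Policy", "missing");
  else if (/'unsafe-(inline|eval)'/.test(csp)) fail("V14.4.3", "Content-Security-Policy", "permits unsafe-inline or unsafe-eval");
  // Clickjacking defence: X-Frame-Options or a CSP frame-ancestors directive.
  if (!h["x-frame-options"] && !/frame-ancestors/.test(csp)) fail("V14.4.7", "X-Frame-Options", "missing and CSP has no frame-ancestors");
  if ((h["x-content-type-options"] ?? "").toLowerCase() !== "nosniff") fail("V14.4.4", "X-Content-Type-Options", "not set to nosniff");
  if (!h["referrer-policy"]) fail("V14.4.6", "Referrer-Policy", "missing");
  return findings;
}

// Constructed sample header sets (not captured from any real site).
const weakHeaders = { "Strict-Transport-Security": "max-age=3600", "X-Content-Type-Options": "nosniff" };
const hardenedHeaders = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "no-referrer",
};
```

Running `checkSecurityHeaders(weakHeaders)` yields five findings (short HSTS max-age, no includeSubDomains, no CSP, no clickjacking defence, no Referrer-Policy), while the hardened set yields none.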

Why

Google requires a CASA Tier 2 audit for OAuth apps requesting sensitive scopes (Gmail write, Calendar, etc.). The audit costs $550+ and takes weeks. This tool lets you pre-scan and fix issues before the assessor arrives.

Install

bun install
bun build src/cli.ts --compile --outfile vet
cp vet ~/.bun/bin/vet

Usage

# Basic scan
vet https://example.com

# With OpenAPI spec for full endpoint discovery
vet https://example.com --openapi https://example.com/openapi.json

# OAuth-aware scan
vet https://example.com --client-id id_xxx --client-secret sk_xxx

# Specific categories only
vet https://example.com --only headers,tls,errors

See AGENTS.md for the full spec.

License

MIT
