Defensive Security Portfolio

Security tooling
that proves itself.

Three production-grade defensive tools — built, tested end-to-end, and verified against concrete green gates. No demos that only work in slides.

3
defensive tools
205
tests passing
100%
gates green
$ ./portfolio --scan-all [secrethawk] walking working tree · 15 rules + entropy 5 findings · previews redacted · SARIF 2.1.0 [webshield] audit https://target.you-own · 13 checks grade A–F computed · read-only [authlab] OAuth Auth-Code + PKCE · session rotation refresh rotation · insecure demos sandboxed ───────────────────────────────────────────── status: 205/205 tests green · 3 tools · defensive only

Defensive & educational

Detection, auditing, and teaching — never offensive exploitation. No auto-revocation, no weaponized payloads, no detection evasion.

Authorized targets only

Scan repos you own. Audit sites you own or are authorized to test. WebShield refuses to run without an explicit authorization flag.

Verified, not asserted

Every tool ships a fixture-based test suite that checks detections and non-detections. The green gate is the definition of done.

The Toolkit

Three tools across the security lifecycle.

Detection, auditing, and education — each a self-contained, tested project with a clean, pure core and a thin I/O shell.

01 / DETECTION

SecretHawk

Scan your own Git repos for leaked keys, tokens, and credentials — before they ship.

Python CLI 90 tests SARIF 2.1.0
  • Hybrid detection — 15 format-specific rules (AWS, GitHub, Stripe, Slack, private keys, JWTs…) plus a Shannon-entropy heuristic for generic high-randomness strings.
  • Low false positives by design — path globs, regex allowlists, and inline secrethawk:ignore pragmas. Tests assert non-detections, not just hits.
  • CI-native — SARIF for GitHub code scanning, JSON for pipelines, and a composite GitHub Action that fails the build on new findings.
  • Safe output — previews are redacted to first-4 / last-2 chars; the raw secret never reaches the report.
$ secrethawk scan . --format sarif [CRITICAL] stripe-secret-key (rule) config.py:6:15 · sk_l***********34 [CRITICAL] private-key (rule) keys/id_rsa:1:1 · ----*********-- [HIGH] github-pat (rule) config.py:5:17 · ghp_***********89 [MEDIUM] high-entropy-string (entropy) config.py:9:24 · g7Xq**********Qo ──────────────────────────── 5 findings · exit 1 · clean tree → exit 0
02 / AUDITING

WebShield

Audit a site you own for common security-configuration issues — read-only, with a letter grade.

Python CLI 59 tests read-only
  • 13 checks, 5 families — security headers (CSP, HSTS, frame-options…), TLS/HTTPS, cookie flags (Secure / HttpOnly / SameSite), CORS misconfiguration, and reflected-input detection.
  • Graded report — every check is pass / warn / fail with remediation guidance, rolled up to an overall A–F grade.
  • Safe by construction — GET-only, non-destructive, no weaponized payloads, and a hard --i-am-authorized gate it refuses to run without.
  • Pure checks — each check is a function over a recorded Probe, so good/bad fixtures verify verdicts with zero network.
$ webshield scan https://example.com --i-am-authorized FAIL Content-Security-Policy headers.csp FAIL Strict-Transport-Security headers.hsts PASS HTTPS in use tls.https WARN Modern TLS version (≥ 1.2) tls.version PASS Reflected input reflected.input ──────────────────────────── overall grade: F · 13 checks · no auth → exit 2
03 / EDUCATION

AuthLab

An educational playground contrasting secure and insecure OAuth & session patterns — by example.

Next.js 16 Prisma 56 tests PKCE
  • Correct by the book — Authorization Code + PKCE (S256) against a self-contained mock provider, server-side token exchange, and constant-time state validation.
  • Session hardening — HttpOnly / Secure / SameSite cookies, high-entropy session IDs, rotation on privilege change, and refresh-token rotation with reuse detection.
  • Secure-vs-insecure, side by side — three loudly-labeled anti-pattern demos (token-in-localStorage, missing-state, missing-PKCE), each paired with its fix.
  • Sandboxed — insecure routes are isolated from the real flow (tests enforce it); no real users, providers, or credentials anywhere.
$ npm test # vitest login → verifier+challenge+state, HttpOnly cookies authorize→ code bound to S256 challenge token → correct verifier · wrong verifier ✗ 400 callback → state validated · session issued refresh → rotate token · reuse detected ──────────────────────────── 6 files · 56 passed · build · lint
Done = Green

The gate decides when it’s finished.

Each project defines concrete verification gates — the green signal that the work is actually done, not just plausible-looking. Here they are, all passing.


SecretHawk 90 ✓

  • Every planted secret found; every allowlisted / benign string suppressed.
  • SARIF validates against the vendored schema; malformed SARIF rejected.
  • Non-zero exit on a planted tree; zero on a clean tree.

WebShield 59 ✓

  • Correct pass / warn / fail on recorded good & bad fixtures.
  • Reflected-input check fails on a vulnerable app, passes on a safe one.
  • Refuses to run without the authorized-target confirmation flag.

AuthLab 56 ✓

  • End-to-end secure flow: PKCE verifier/challenge, state, session issuance.
  • Insecure demos labeled & isolated; cookie flags verified on responses.
  • Production build & lint succeed (exit 0).
About

Security engineering, end to end.

Most portfolios skip security. This one leans in: detection, configuration auditing, and secure-design education — the work that backend, platform, and AppSec teams actually value.

Every tool here follows the same discipline — a pure, testable core wrapped in a thin I/O shell, a fixture suite that proves both what it catches and what it ignores, and an explicit authorized-use posture. The result is software you can trust to be honest about when it’s done.

LanguagesPython · TypeScript
Detectionregex · Shannon entropy
ReportingSARIF · JSON · graded
AuthOAuth2 · PKCE · sessions
StackNext.js · Prisma · Flask
Testingpytest · vitest
CIGitHub Actions
static analysis HTTP security OAuth / PKCE CLI design SARIF CI integration