CLASF — Code-Level API Security Framework
A research framework for detecting data-leaks, insecure dependencies, and API-level vulnerabilities directly in source code.
Modern applications expose hundreds of APIs across microservices, cloud services, and third-party integrations. While most security tools focus on runtime traffic analysis, many critical API vulnerabilities originate in the source code itself.
CLASF (Code-Level API Security Framework) introduces a shift-left, code-centric approach to API security. It detects data-leaks, backdoor patterns, hard-coded secrets, insecure dependencies, and API contract violations before deployment, inside the developer workflow.
This repository contains the conceptual framework, architecture, and reference configuration for CLASF as published in the research paper:
“CLASF: A Framework for Detecting Data-Leak and Backdoor Vulnerabilities at the Source Level” (2025, Zenodo)
- Semantic Code Analysis (AST-based)
  CLASF parses source code using language-specific Abstract Syntax Trees (ASTs) to detect:
  - Hard-coded API keys & secrets
  - Insecure authentication headers
  - Sensitive data flows reaching API calls
  - Excessive response serialization
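The following is an added example of the first two detections (hard-coded secrets and literal authentication headers) written against Python's standard `ast` module; it is illustrative code, not CLASF's own detector, and the rule names, the secret-name regex and the sample module are constructed for the demonstration.

```python
import ast
import re

# Identifier fragments that suggest a credential (constructed heuristic, not a CLASF rule set).
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|passw(or)?d)", re.IGNORECASE)
# Header names whose literal string values are treated as embedded credentials.
AUTH_HEADERS = {"authorization", "x-api-key"}


def _name_of(target):
    """Plain name for an assignment target (x = ... or obj.x = ...), else None."""
    if isinstance(target, ast.Name):
        return target.id
    if isinstance(target, ast.Attribute):
        return target.attr
    return None


def _looks_like_secret(value):
    """A short label with spaces ('Password: ') is a prompt, not a credential."""
    return len(value) >= 8 and " " not in value


def find_hardcoded_secrets(source, filename="<string>"):
    """Walk the AST and report hard-coded credentials and literal auth headers.

    Returns a list of dicts with keys rule, line, name, value.
    """
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        # Case 1: api_key = "..."  or  settings.token = "..."
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                name = _name_of(target)
                if name and SECRET_NAME.search(name) and _looks_like_secret(node.value.value):
                    findings.append({"rule": "HARDCODED_SECRET", "line": node.lineno,
                                     "name": name, "value": node.value.value})
        # Case 2: {"Authorization": "Bearer ..."} dict literal, typically passed as headers=
        elif isinstance(node, ast.Dict):
            for key, val in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                        and key.value.lower() in AUTH_HEADERS
                        and isinstance(val, ast.Constant) and isinstance(val.value, str)):
                    findings.append({"rule": "LITERAL_AUTH_HEADER", "line": key.lineno,
                                     "name": key.value, "value": val.value})
    return findings


def redact(value):
    """Show only a short prefix so the report itself does not re-leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "***"


# Constructed sample module; every credential in it is a fake placeholder.
SAMPLE_SOURCE = '''
import requests

API_KEY = "sk_live_EXAMPLE_0123456789"
timeout = "30 seconds"          # not a secret: name does not match
password_prompt = "Password: "  # name matches, value is a short label with a space

def fetch(user_id):
    headers = {"Authorization": "Bearer EXAMPLE_TOKEN_abcdef", "Accept": "application/json"}
    return requests.get(f"https://api.example.test/users/{user_id}", headers=headers)

def good(settings):
    return settings.get("API_KEY")   # read from configuration, not reported
'''

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{f['line']} {f['rule']} {f['name']} = {redact(f['value'])}")
```

The two negative cases in the sample (a matching name with a label value, and a key read from configuration) are what keep a detector like this from drowning developers in false positives; the redaction step matters because a CI log is itself a place secrets leak.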
- API Schema Correlation (OpenAPI / Swagger)
  Detects schema violations such as:
  - Undocumented endpoints
  - Extra fields exposed in serialized responses
  - Missing security definitions
  - Version mismatches
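As an added illustration of schema correlation (not code from the CLASF project), the block below extracts Flask-style routes and the dict literals their handlers return from source via `ast`, then compares them with a minimal OpenAPI 3 document to report undocumented endpoints, extra serialized fields and missing security definitions. The handler module, the spec and the rule names are all constructed for the example.

```python
import ast
import re

# Flask-style "<int:user_id>" becomes OpenAPI-style "{user_id}" so paths compare cleanly.
FLASK_PARAM = re.compile(r"<(?:[a-z]+:)?([A-Za-z_][A-Za-z0-9_]*)>")
HTTP_VERBS = {"get", "post", "put", "delete", "patch"}


def normalize_path(path):
    return FLASK_PARAM.sub(r"{\1}", path)


def _decorator_route(dec):
    """Return (path, [methods]) for @app.route(...) / @app.get(...) decorators, else None."""
    if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)):
        return None
    if not dec.args or not isinstance(dec.args[0], ast.Constant):
        return None
    verb = dec.func.attr
    if verb in HTTP_VERBS:
        return dec.args[0].value, [verb]
    if verb == "route":
        methods = ["get"]  # Flask's default when methods= is omitted
        for kw in dec.keywords:
            if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                methods = [m.value.lower() for m in kw.value.elts if isinstance(m, ast.Constant)]
        return dec.args[0].value, methods
    return None


def _returned_dict_keys(func):
    """String keys of dict literals the handler returns: the shape of the serialized response."""
    keys = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Return) and isinstance(node.value, ast.Dict):
            keys.update(k.value for k in node.value.keys if isinstance(k, ast.Constant))
    return keys


def extract_endpoints(source):
    """Map (method, normalized_path) -> set of keys the handler returns."""
    endpoints = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                route = _decorator_route(dec)
                if route:
                    path, methods = route
                    for m in methods:
                        endpoints[(m, normalize_path(path))] = _returned_dict_keys(node)
    return endpoints


def correlate(source, spec):
    """Compare endpoints found in code with an OpenAPI document; return [(rule, detail)]."""
    issues = []
    if not spec.get("components", {}).get("securitySchemes"):
        issues.append(("MISSING_SECURITY_SCHEMES", "no components.securitySchemes in spec"))
    documented = set()
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in HTTP_VERBS:
                continue  # path-level keys such as "parameters"
            documented.add((method.lower(), path))
            if "security" not in op and "security" not in spec:
                issues.append(("MISSING_SECURITY", f"{method.upper()} {path}"))
    for (method, path), returned in extract_endpoints(source).items():
        if (method, path) not in documented:
            issues.append(("UNDOCUMENTED_ENDPOINT", f"{method.upper()} {path}"))
            continue
        op = spec["paths"][path][method]
        schema = (op.get("responses", {}).get("200", {}).get("content", {})
                  .get("application/json", {}).get("schema", {}))
        extra = returned - set(schema.get("properties", {}))
        if extra:
            issues.append(("EXTRA_RESPONSE_FIELDS", f"{method.upper()} {path}: {sorted(extra)}"))
    return issues


# Constructed sample handler module and spec (placeholders, not from any real service).
SAMPLE_SOURCE = '''
@app.get("/users/<int:user_id>")
def get_user(user_id):
    u = db.load(user_id)
    return {"id": u.id, "email": u.email, "password_hash": u.password_hash}

@app.route("/admin/debug", methods=["GET", "POST"])
def debug():
    return {"env": dict(os.environ)}
'''
SAMPLE_SPEC = {
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {"/users/{user_id}": {"get": {
        "security": [{"bearer": []}],
        "responses": {"200": {"content": {"application/json": {"schema": {
            "type": "object", "properties": {"id": {}, "email": {}}}}}}},
    }}},
}
```

Run `correlate(SAMPLE_SOURCE, SAMPLE_SPEC)` to see the three findings: the documented user endpoint serializes a `password_hash` field the schema does not declare, and both methods of the debug route are absent from the spec. A real correlator would also resolve `$ref` schemas and walk serializer classes rather than only dict literals.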
- Dependency Risk Mapping
  Evaluates software dependencies based on:
  - Known CVEs (NVD / OSV)
  - Malicious behavior patterns
  - Update activity & maintainer health
  - License risks
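The block below is an added, offline illustration of the mapping step (not CLASF's implementation): it reads exact pins from a requirements file, matches them against advisory records in the OSV event style (`introduced` / `fixed`), and flags stale maintenance and denied licenses from package metadata. The package names, advisory ids, dates and license policy are constructed placeholders; a real run would fetch advisories from OSV or NVD.

```python
import re
from datetime import date

# Constructed policy inputs: licenses the organisation disallows, and how many days
# without a release make a package count as unmaintained.
DENIED_LICENSES = {"AGPL-3.0"}
STALE_DAYS = 730


def parse_version(v):
    """'1.26.5' -> (1, 26, 5); only the leading digits of each part count (assumes numeric pins)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_requirements(text):
    """{name: version} from exact pins such as 'pkg==1.2.3'; unpinned lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, ver = line.split("==", 1)
            pins[name.strip().lower()] = ver.strip()
    return pins


def is_affected(version, events):
    """OSV-style range events, e.g. [{"introduced": "1.0.0"}, {"fixed": "1.3.0"}]:
    a version is affected from an 'introduced' event up to (not including) the next 'fixed'."""
    v = parse_version(version)
    affected = False
    for ev in events:  # events are assumed to be in ascending version order
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        if "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected


def map_dependency_risk(requirements_text, advisories, metadata, today):
    """Join pinned dependencies against advisories and maintainer/license metadata."""
    findings = []
    for name, ver in parse_requirements(requirements_text).items():
        for adv in advisories.get(name, []):
            if is_affected(ver, adv["events"]):
                findings.append({"package": name, "version": ver, "rule": "KNOWN_VULNERABILITY",
                                 "severity": adv["severity"], "detail": adv["id"]})
        meta = metadata.get(name)
        if meta is None:
            continue
        age_days = (today - date.fromisoformat(meta["last_release"])).days
        if age_days > STALE_DAYS:
            findings.append({"package": name, "version": ver, "rule": "STALE_MAINTENANCE",
                             "severity": "medium", "detail": f"last release {age_days} days ago"})
        if meta["license"] in DENIED_LICENSES:
            findings.append({"package": name, "version": ver, "rule": "LICENSE_RISK",
                             "severity": "high", "detail": meta["license"]})
    return findings


# Constructed sample data: package names, advisory ids and dates are placeholders.
SAMPLE_REQUIREMENTS = """
httpkit==1.2.3      # inside the sample advisory's affected range
oldlib==0.4.1       # no advisory, but unmaintained and AGPL-licensed
cleanlib==2.0.0     # advisory exists but this is the fixed version
"""
SAMPLE_ADVISORIES = {
    "httpkit": [{"id": "ADV-EXAMPLE-0001", "severity": "high",
                 "events": [{"introduced": "1.0.0"}, {"fixed": "1.3.0"}]}],
    "cleanlib": [{"id": "ADV-EXAMPLE-0002", "severity": "critical",
                  "events": [{"introduced": "0"}, {"fixed": "2.0.0"}]}],
}
SAMPLE_METADATA = {
    "httpkit": {"last_release": "2025-03-01", "license": "MIT"},
    "oldlib": {"last_release": "2021-01-15", "license": "AGPL-3.0"},
}
SAMPLE_TODAY = date(2025, 6, 1)  # fixed so the example is reproducible

if __name__ == "__main__":
    for f in map_dependency_risk(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES, SAMPLE_METADATA, SAMPLE_TODAY):
        print(f"{f['package']}=={f['version']}: {f['rule']} ({f['severity']}) {f['detail']}")
```

The half-open range check is the part worth getting right: a pin equal to the `fixed` version is not affected, and the `cleanlib` entry exists precisely to exercise that boundary.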
- Policy Enforcement in CI/CD
  Configurable rules enforce security gates at:
  - Pre-commit
  - Pull Request
  - Build pipeline
  - Release pipeline
  Supports:
  - Advisory warnings
  - Merge blockers
  - Critical error gates
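To show how stage-specific gates and the three outcome levels (advisory, warning, block) fit together, here is an added example of a small policy evaluator. It is not CLASF's policy engine or configuration format: the policy shape, rule names, stage names and sample findings are all hypothetical, chosen to mirror the stages and outcomes listed above.

```python
from datetime import date

# Actions and severities in ascending strictness; max() over these orders decisions.
ACTIONS = ["pass", "advisory", "warn", "block"]
SEVERITIES = ["low", "medium", "high", "critical"]

# Constructed policy (hypothetical shape): per-stage severity thresholds, per-rule floors
# that a stage table cannot relax, and time-boxed exceptions.
POLICY = {
    "stages": {
        "pre-commit":   {"critical": "block", "high": "warn",  "medium": "advisory", "low": "advisory"},
        "pull-request": {"critical": "block", "high": "block", "medium": "warn",     "low": "advisory"},
        "build":        {"critical": "block", "high": "block", "medium": "warn",     "low": "advisory"},
        "release":      {"critical": "block", "high": "block", "medium": "block",    "low": "warn"},
    },
    # A committed secret is blocked at every stage, whatever the stage table says.
    "rule_floors": {"HARDCODED_SECRET": "block"},
    # Exceptions name the rule plus the finding fields they match, and must expire.
    "exceptions": [
        {"rule": "STALE_MAINTENANCE", "package": "oldlib",
         "expires": "2025-12-31", "reason": "replacement tracked in TICKET-PLACEHOLDER"},
    ],
}


def _strictest(*actions):
    return max(actions, key=ACTIONS.index)


def _is_excepted(finding, policy, today):
    """An exception applies if it is unexpired and every non-metadata field matches the finding."""
    for ex in policy.get("exceptions", []):
        if date.fromisoformat(ex["expires"]) < today:
            continue
        criteria = {k: v for k, v in ex.items() if k not in ("expires", "reason")}
        if all(finding.get(k) == v for k, v in criteria.items()):
            return True
    return False


def evaluate(findings, stage, policy, today):
    """Return (overall_action, annotated_findings) for one pipeline stage."""
    table = policy["stages"][stage]
    annotated = []
    for f in findings:
        if f["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {f['severity']!r}")
        if _is_excepted(f, policy, today):
            action = "pass"
        else:
            floor = policy.get("rule_floors", {}).get(f["rule"], "pass")
            action = _strictest(table[f["severity"]], floor)
        annotated.append({**f, "action": action})
    overall = _strictest("pass", *(a["action"] for a in annotated))
    return overall, annotated


# Constructed findings of the kind the analysis layers would emit.
SAMPLE_FINDINGS = [
    {"rule": "HARDCODED_SECRET", "severity": "high", "location": "sample.py:4"},
    {"rule": "EXTRA_RESPONSE_FIELDS", "severity": "medium", "location": "api.py:12"},
    {"rule": "STALE_MAINTENANCE", "severity": "medium", "package": "oldlib"},
]
SAMPLE_TODAY = date(2025, 6, 1)         # the exception above is still valid
SAMPLE_AFTER_EXPIRY = date(2026, 1, 1)  # the exception above has lapsed

if __name__ == "__main__":
    for stage in POLICY["stages"]:
        overall, details = evaluate(SAMPLE_FINDINGS, stage, POLICY, SAMPLE_TODAY)
        print(f"{stage:>12}: {overall:<8} " + ", ".join(f"{d['rule']}={d['action']}" for d in details))
```

Two design points carry over to any real gate: rule floors stop a lenient early stage from letting a committed secret through as a mere warning, and exceptions that lack an expiry date quietly become permanent, which is why this evaluator refuses to honour one once it lapses.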
- Developer-First Security
  Provides actionable feedback directly to developers with:
  - Clear messages
  - Contextual code locations
  - Suggested remediation
- Framework Architecture
  CLASF is composed of four integrated layers:
  - Semantic Code Analysis Engine
  - API Schema Correlation Module
  - Dependency Risk Mapping
  - Policy Enforcement Layer (OPA-style)
Each component is designed to run independently or be integrated into CI/CD systems such as GitHub Actions, GitLab CI, Jenkins, and Azure DevOps.
CLASF is designed for seamless integration:
```
Developer Commit → Pre-Commit Analysis → PR CI Check
        ↓
Full CLASF Analysis (AST + Schema + Dependencies)
        ↓
Policy Decision (Advisory / Warning / Block)
        ↓
Merge / Deploy
```
Traditional API security tools inspect traffic after deployment. CLASF prevents vulnerabilities before code reaches production.
It addresses:
- Hard-coded secrets
- Excessive data exposure
- Undocumented endpoints
- Misconfigured authentication
- Vulnerable dependencies
- Backdoor API behavior
- Supply-chain risks
CLASF aligns with the OWASP API Security Top 10 (2023) and modern DevSecOps practices.
If you use CLASF in academic work, cite: Ashok Kumar (2025). Code-Level API Security Framework (CLASF): Detecting Data-Leak and Backdoor Vulnerabilities at the Source Level. Zenodo.
This repository is open to contributions for:
- Implementing detectors
- Improving schema correlation
- Adding language support (Python, JS/TS, Java, Go, etc.)
- Creating sample datasets
- CI/CD integration examples
Pull Requests are welcome.
For research collaboration, implementation guidance, or security discussions:
Ashok Kumar
Email: ashokchandru@gmail.com
ORCID: 0009-0008-5515-6893
https://zenodo.org/records/17610443