Open source · MIT · Built in the open

Pass Google's CASA Tier 2 without paying a consulting firm.

If your app uses restricted Gmail, Drive, or Calendar scopes, Google requires an annual CASA Tier 2 assessment. Two paths exist: TAC Security's official lab ($540–$1,800/year, but you're on your own for a 50-question SAQ and the OWASP ZAP setup), or a pen-test from a security consultancy (typically thousands to tens of thousands, plus weeks of back-and-forth). CASA Ready is an open-source toolkit that automates the scan, scaffolds the config, and gives you the playbook the lab doesn't include.

v0.5.2 shipped June 10, 2026

What's actually hard about CASA

It isn't the money. It's:

  1. No public guide. TAC sends you portal credentials and a deadline. No walkthrough, no example artifacts, no "here's what 'pass' looks like."
  2. A 50+ question Self-Assessment Questionnaire that takes most of the calendar time. Most answers are "the cloud provider handles that" or "N/A for our architecture" — but you have to figure that out yourself.
  3. OWASP ZAP / Fluid Attacks setup, which the App Defense Alliance's own docs make harder than it needs to be. Wrong context XML, wrong policy file format, wrong exit-code semantics — we've hit them all.
  4. Annual recert resets the pain. CASA Ready is built so the second year is a single command.

30 seconds to your first scan

  1. Install

    npm install -g casa-ready
  2. Generate your config

    casa-ready init

    Interactive prompts walk you through your app's URLs and login form (or Supabase JWT auth). Writes a casa-ready.yml with IDE autocomplete wired up via the published JSON Schema.

  3. Scan

    export CASA_READY_USER=test-user@your-app.com
    export CASA_READY_PASS=test-password
    casa-ready scan

    Spins up OWASP ZAP in Docker with the right context, runs the baseline or full CASA scan, writes TAC-portal-ready artifacts to scan-output/.

What you get

Multi-target scanning

Scan your SPA frontend (form auth) and Supabase API (JWT auth) in one casa-ready scan invocation. Per-target ZAP context, per-target findings, one aggregated TAC bundle.

Supabase JWT auth, done right

Native supabase-jwt auth type does the Supabase password login from Node, then injects the JWT and anon key into every in-scope ZAP request via the replacer addon. Fails fast with an actionable error if creds are wrong.
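The flow described above, as an added example that is not casa-ready's own code: a password login against the Supabase token endpoint, a fail-fast error when the credentials are rejected, and a header injector that adds the JWT and anon key only to requests whose host is in scope (so the token is never sent to third-party hosts the scan happens to touch). The endpoint path /auth/v1/token?grant_type=password is Supabase's real password-grant route; the project URL, keys, credentials, scope list and the stubbed fetch are constructed so the block runs offline.

```javascript
// Added example; not code from casa-ready. Everything below is constructed.
const SUPABASE_URL = 'https://project-ref.supabase.co'; // constructed project URL
const ANON_KEY = 'anon-key-placeholder';                 // constructed anon key
const TEST_USER = 'test-user@your-app.com';              // matches the README's env example
const TEST_PASS = 'test-password';

// Offline stand-in for fetch(): behaves like the Supabase password grant.
async function stubFetch(url, init) {
  const body = JSON.parse(init.body);
  const reply = (status, payload) => ({ ok: status < 300, status, json: async () => payload });
  if (init.headers.apikey !== ANON_KEY) return reply(401, { message: 'Invalid API key' });
  if (body.email === TEST_USER && body.password === TEST_PASS) {
    return reply(200, { access_token: 'header.payload.signature' }); // constructed JWT
  }
  return reply(400, { error_description: 'Invalid login credentials' });
}

// Step 1: password login from Node. Throws with the server's message so the
// operator sees *why* auth failed instead of getting an unauthenticated scan.
async function supabasePasswordLogin({ email, password }, fetchImpl = stubFetch) {
  const res = await fetchImpl(`${SUPABASE_URL}/auth/v1/token?grant_type=password`, {
    method: 'POST',
    headers: { apikey: ANON_KEY, 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password }),
  });
  const data = await res.json();
  if (!res.ok) {
    throw new Error(`Supabase login failed (${res.status}): ${data.error_description ?? data.message}`);
  }
  return data.access_token;
}

// Step 2: build an injector that mirrors what a ZAP replacer rule would do,
// but scoped by hostname so the bearer token cannot leak to out-of-scope hosts.
function buildAuthInjector({ jwt, anonKey, inScopeHosts }) {
  const scope = new Set(inScopeHosts);
  return function inject(request) {
    const host = new URL(request.url).hostname;
    if (!scope.has(host)) return request; // out of scope: leave the request untouched
    return {
      ...request,
      headers: { ...request.headers, Authorization: `Bearer ${jwt}`, apikey: anonKey },
    };
  };
}

// End-to-end run against the stub: returns the two injected/untouched requests.
async function demo() {
  const jwt = await supabasePasswordLogin({ email: TEST_USER, password: TEST_PASS });
  const inject = buildAuthInjector({ jwt, anonKey: ANON_KEY, inScopeHosts: ['project-ref.supabase.co'] });
  return [
    inject({ url: 'https://project-ref.supabase.co/rest/v1/profiles', headers: {} }),
    inject({ url: 'https://cdn.example.com/app.js', headers: {} }), // out of scope
  ];
}

module.exports = { supabasePasswordLogin, buildAuthInjector, demo, ANON_KEY };
```

The scope check is the part worth keeping when adapting this: a replacer rule with an unrestricted match sends the JWT to every host the spider reaches, which is a credential leak, not a scan setting.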

YAML config + IDE autocomplete

casa-ready.yml is a regular YAML file. The $schema directive at the top wires up VS Code's YAML extension for inline validation, autocomplete on every key, and schema-aware error messages. ${VAR} expansion keeps secrets out of the file.
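The ${VAR} expansion mentioned above, as an added example that is not casa-ready's own code: the expander substitutes each ${VAR} reference from the environment and refuses to proceed when a referenced variable is unset, so a missing secret fails loudly instead of becoming an empty password. The config keys in the sample are hypothetical (casa-ready's real schema is not reproduced here); only the ${VAR} syntax comes from the page.

```javascript
// Added example; not casa-ready's own code. The YAML keys below are hypothetical.
const SAMPLE_CONFIG = `# constructed sample config (keys are illustrative, not casa-ready's schema)
targets:
  - name: api
    url: https://api.your-app.com
    auth:
      type: supabase-jwt
      user: \${CASA_READY_USER}
      password: \${CASA_READY_PASS}
`;

const VAR_RE = /\$\{([A-Z_][A-Z0-9_]*)\}/g;

// Names of every variable the config references, deduplicated and ordered.
function listReferencedVars(text) {
  return [...new Set([...text.matchAll(VAR_RE)].map((m) => m[1]))];
}

// Expand ${VAR} from `env`; throw listing every unset variable at once so the
// operator can export them all in one go rather than discovering them one by one.
function expandEnv(text, env = process.env) {
  const missing = listReferencedVars(text).filter((name) => env[name] === undefined);
  if (missing.length > 0) {
    throw new Error(`Unset environment variable(s) referenced in config: ${missing.join(', ')}`);
  }
  return text.replace(VAR_RE, (_, name) => env[name]);
}

module.exports = { SAMPLE_CONFIG, listReferencedVars, expandEnv };
```

Because expansion happens at load time from the environment, the committed casa-ready.yml never contains the test account's password; the two export lines from the quick-start are what supply it.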

Named containers in Docker Desktop

Every ZAP container spawns as casa-ready-<target>-<runId> and the name is printed to stdout when the scan starts. No more guessing which "competent_pasteur" container is yours.

Best-effort failure semantics

A failed target gets reported in the summary; remaining targets still scan. The process exit code is non-zero only if something actually failed. CI-friendly.
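The failure semantics above, as an added example that is not casa-ready's own code: each target is scanned in turn, a throwing target is recorded rather than aborting the run, and the exit code is derived from the recorded statuses only. Findings alone never make the exit code non-zero; the scanner stub and target list are constructed.

```javascript
// Added example; not casa-ready's own code. Targets and the scanner are constructed.
const TARGETS = [
  { name: 'spa', url: 'https://app.your-app.com' },
  { name: 'api', url: 'https://api.your-app.com' },
  { name: 'broken', url: 'https://unreachable.your-app.com' },
];

// Stand-in for a per-target ZAP run: the 'broken' target simulates a container
// that never came up; the others return a count of findings.
function stubScanOne(target) {
  if (target.name === 'broken') throw new Error('ZAP container exited before the scan started');
  return { findings: target.name === 'api' ? 3 : 0 };
}

// Best effort: a throw from one target is captured in its summary row and the
// loop continues with the next target.
function scanAll(targets, scanOne = stubScanOne) {
  return targets.map((target) => {
    try {
      const result = scanOne(target);
      return { target: target.name, status: 'ok', findings: result.findings };
    } catch (err) {
      return { target: target.name, status: 'failed', error: err.message };
    }
  });
}

// Exit code reflects only whether a target failed to scan, so CI stays green
// when every scan ran, even if findings remain to be triaged.
function exitCodeFor(summary) {
  return summary.some((row) => row.status === 'failed') ? 1 : 0;
}

function formatSummary(summary) {
  return summary
    .map((row) => (row.status === 'ok'
      ? `${row.target}: ok (${row.findings} findings)`
      : `${row.target}: FAILED (${row.error})`))
    .join('\n');
}

module.exports = { TARGETS, scanAll, exitCodeFor, formatSummary };
```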

Built in the open

MIT licensed. Every release is exercised against real applications before it ships — the rules knowledge base and scan flavors come from findings on live targets, not synthetic test pages.

Roadmap

Version | Scope | Status
V1.0 | Anonymous + form-auth ZAP scan, single target | Shipped Apr 29, 2026 — v0.1.0
V1.1 | Multi-target scanning + supabase-jwt auth | Shipped Apr 29, 2026 — v0.2.0
V1.2 | YAML config + init command + JSON Schema + TS types | Shipped May 1, 2026 — v0.3.0
V2 | Endpoint seeding (seedDir/seedUrls) shipped; OAuth callback active-scanning experimental | v0.4.x — May 1, 2026
Triage | casa-ready triage — classifies findings into Actionable / SAQ-explainable / Noise, plus the casa-ready Claude Code plugin skill | Shipped May 29, 2026 — v0.5.x
V2.1 | OAuth callback active-scan rewrite (custom hook bypassing zap-api-scan normalization) | Next
V3 | casa-ready saq — SAQ Copilot drafting answers from repo + cloud config | Once V1/V2 produce real scan output to feed it

Deliberately out of scope