Refresh DAST OWASP Top 10 2025 coverage mapping#315

Closed
x0tta6bl4-ai wants to merge 1 commit into
UnitOneAI:mainfrom
x0tta6bl4-ai:improve/dast-top10-2025-coverage-207

Conversation

@x0tta6bl4-ai


Summary

  • Refreshes dast-config from OWASP Top 10:2021 to OWASP Top 10:2025.
  • Adds framework-version preflight, source/retrieval date, DAST tool/version, scan environment, and legacy-baseline handling.
  • Adds per-category coverage status values so DAST-only evidence is not overclaimed for A03 supply chain, A06 design, A08 integrity, or A09 logging/alerting.
  • Adds A10:2025 exceptional-condition test planning for malformed state, fail-open authn/authz, error paths, retry/timeout, and downstream failure behavior.
  • Adds benign and vulnerable fixtures for current 2025 mapping versus stale 2021 output.

Bounty

Verification

  • git diff --check
  • Markdown fence balance check for touched markdown files
  • Frontmatter delimiter check for skills/devsecops/dast-config/SKILL.md
  • Link checks returned HTTP 200 for OWASP Top 10:2025 introduction, OWASP Top 10 project, WSTG v4.2, and ZAP Automation Framework

Sources

Bounty Terms

  • I have read and agree to the CONTRIBUTING.md bounty terms.
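The checks the summary above describes (framework-version preflight, per-category coverage status so DAST-only evidence is not overclaimed, and A10:2025 exceptional-condition planning) as an added worked example. This is illustration written for this page, not code from the PR, the dast-config skill or the SecuritySkills repository. The report schema, the per-category coverage statuses, the extra-evidence notes and the three fixture reports are assumptions made here; the A03/A06/A08/A09/A10 category names follow the PR summary and the remaining 2025 names follow the published list.

```python
# Added example, not project code. Report schema, coverage statuses and fixtures are assumed.
from __future__ import annotations
import re

# OWASP Top 10:2025 categories (A03/A06/A08/A09/A10 as named in the PR summary).
OWASP_2025 = {
    "A01:2025": "Broken Access Control", "A02:2025": "Security Misconfiguration",
    "A03:2025": "Software Supply Chain Failures", "A04:2025": "Cryptographic Failures",
    "A05:2025": "Injection", "A06:2025": "Insecure Design",
    "A07:2025": "Authentication Failures", "A08:2025": "Software or Data Integrity Failures",
    "A09:2025": "Security Logging and Alerting Failures",
    "A10:2025": "Mishandling of Exceptional Conditions",
}
# Assumed statuses: "full" = DAST findings are primary evidence; "partial" = DAST gives
# indicators only and another source must close the category; "none" = a black-box
# scan cannot test it, so any finding filed there is an overclaim.
DAST_COVERAGE = {
    "A01:2025": "full", "A02:2025": "full", "A03:2025": "none", "A04:2025": "partial",
    "A05:2025": "full", "A06:2025": "none", "A07:2025": "full", "A08:2025": "partial",
    "A09:2025": "partial", "A10:2025": "full",
}
EXTRA_EVIDENCE = {  # what must accompany DAST output before the category is claimed
    "A03:2025": "SCA/SBOM review", "A04:2025": "TLS and key-management config review",
    "A06:2025": "threat model or design review", "A08:2025": "artifact signature and CI integrity review",
    "A09:2025": "log and alerting pipeline review",
}
CATEGORY_TAG = re.compile(r"^A(\d{2}):(\d{4})$")


def preflight(report: dict) -> list[str]:
    """Framework-version and provenance preflight; returns the blocking problems."""
    problems = []
    if report.get("framework") != "OWASP Top 10:2025":
        problems.append(f"framework is {report.get('framework')!r}, expected 'OWASP Top 10:2025'")
    for key in ("source_retrieved", "tool", "tool_version", "environment"):
        if not report.get(key):
            problems.append(f"missing {key}")
    for f in report.get("findings", []):  # stale 2021 tags are rejected, not silently remapped
        m = CATEGORY_TAG.match(f.get("category", ""))
        if not m or m.group(2) != "2025":
            problems.append(f"finding {f.get('id')} tagged {f.get('category')!r} is not a 2025 category")
    return problems


def coverage_claims(report: dict) -> dict[str, dict]:
    """Per-category statement of what the DAST evidence supports, and nothing more."""
    counts: dict[str, int] = {}
    for f in report.get("findings", []):
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    claims = {}
    for cat in OWASP_2025:
        n, status = counts.get(cat, 0), DAST_COVERAGE[cat]
        if status == "none":
            label = "overclaim" if n else "not-assessed"
        else:
            label = "indicator" if status == "partial" else "tested"
        claims[cat] = {"status": label, "findings": n, "requires": EXTRA_EVIDENCE.get(cat)}
    return claims


# A10:2025 planning: the five conditions the summary lists, each paired with the
# fail-closed behaviour a probe must observe to pass (assumed expectations).
A10_EXPECTED = {
    "malformed state": "rejected with 4xx; no stack trace, no partial write",
    "fail-open authn/authz": "401/403 while the auth dependency is down, never 200",
    "error path": "generic error body; no secrets, paths or queries disclosed",
    "retry/timeout": "bounded retries; no duplicated side effects",
    "downstream failure": "degraded but closed; no unauthenticated fallback",
}


def plan_a10_tests(endpoints: list[str]) -> list[dict]:
    """One probe per endpoint and condition, with its expected safe outcome."""
    return [{"endpoint": e, "condition": c, "expect": x}
            for e in endpoints for c, x in A10_EXPECTED.items()]


# Constructed fixtures (not real scan output): a current 2025 report, the same report
# with a DAST-untestable A03 claim added, and a stale report still mapped to 2021.
BENIGN_2025 = {
    "framework": "OWASP Top 10:2025", "source_retrieved": "2026-06-01",
    "tool": "zap", "tool_version": "2.16", "environment": "staging",
    "findings": [{"id": "f1", "category": "A05:2025", "title": "Reflected XSS"},
                 {"id": "f2", "category": "A01:2025", "title": "IDOR on /orders/{id}"}],
}
OVERCLAIM_2025 = {**BENIGN_2025, "findings": BENIGN_2025["findings"] + [
    {"id": "f3", "category": "A03:2025", "title": "Outdated library inferred from banner"}]}
STALE_2021 = {**BENIGN_2025, "framework": "OWASP Top 10:2021",
              "findings": [{"id": "f1", "category": "A06:2021", "title": "Vulnerable component"}]}
```

Run `preflight` before any mapping is trusted: the stale fixture fails on both the framework field and the `A06:2021` tag, so a 2021 report can never be presented as 2025 coverage. `coverage_claims` then turns the assumed status table into the per-category wording, with an A03 finding from a banner check reported as an overclaim rather than supply-chain coverage.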

@x0tta6bl4-ai force-pushed the improve/dast-top10-2025-coverage-207 branch from 72d5d59 to e5db7d3 on June 3, 2026 11:56
@kamalsrini (Contributor)

Thanks for contributing to SecuritySkills, and for your interest in the project 🙏

We're resetting the contribution queue, so we're closing the currently open PRs — this isn't a reflection of your work, and you're welcome to resubmit.

When you do, please include evidence that the skill was actually used: the skill run against a real repository, with the findings it produced. That's how we recognize genuinely useful contributions, and it's where strong work stands out. The PR template lays out exactly what to include: https://github.com/UnitOneAI/SecuritySkills/blob/main/.github/PULL_REQUEST_TEMPLATE.md

@kamalsrini kamalsrini closed this Jun 15, 2026

Development

Successfully merging this pull request may close these issues.

[REVIEW] dast-config: refresh OWASP Top 10:2025 coverage mapping

2 participants