Security & Accessibility Scanning
Run AI agents that scan your project's features and documents for OWASP Top 10 security risks and WCAG 2.1 AA accessibility issues, with severity and remediation for every finding.
Every Fabric project has a Security & Accessibility page where two AI agents review your work and report what they find. The security agent checks your features and documents against the OWASP Top 10; the accessibility agent checks the UI you describe against WCAG 2.1 AA. Each finding comes with a severity, plain-language remediation, and a reference to the rule that produced it.
Scanning works at design time. The agents read what's already in Fabric — your features (with acceptance criteria) and generated documents — so you can review security and accessibility before a line of code exists. There's nothing to install and no repository to connect.
Open the page
In a project, open the Security tab. You'll see three areas:
- The Run scan button and a last-scan summary (status, when it ran, how many findings, the model used).
- Configuration — which scanners run, how findings are enforced, and your custom rules.
- Results — findings grouped by severity, with filters.
Run a scan
Open the Security tab
In your project, click Security.
Click Run scan
The button starts a scan over the whole project. The summary shows Running while it works — typically under a couple of minutes — and you can keep using Fabric; you'll get a notification when it finishes.
Review the findings
Findings appear grouped by severity (Critical → High → Medium → Low). Each one has a title, a description of the risk, a Remediation block, the rule it maps to (e.g. OWASP Top 10 — A03:2021 Injection or WCAG 2.1 AA — 1.4.3 Contrast (Minimum)), and the feature or document it's about.
A clean scan is confirmed explicitly. If the agents find nothing, you get a "Clean scan — no issues found" confirmation with a timestamp, not just an empty list.
What gets scanned
The agents read your project's Fabric-held context:
- Features — titles, descriptions, acceptance criteria, and release notes.
- Generated documents — PRDs, specs, and other documents. Their described UI is what the accessibility agent reviews.
A project-wide scan covers your recent features and active documents together. The richer your features and documents, the sharper the findings — the agents can only review what's written down.
Configuration
Open the Configuration card to tune how scanning works. Changes are saved with Save changes.
| Setting | What it does |
|---|---|
| Security scanning | Turn the OWASP Top 10 security agent on or off |
| Accessibility scanning | Turn the WCAG 2.1 AA accessibility agent on or off |
| Enforcement mode | Warn (non-blocking) surfaces findings without stopping work. This is the default |
| Auto-scan at maturation gate | Automatically scan a feature when it reaches a chosen stage |
| Maturation gate | The drafting stage (e.g. Published) that triggers an auto-scan |
Findings are a soft warning by default. In Warn mode a scan never blocks a feature from moving forward — it's there to inform you, not to gate your work.
Auto-scan when a feature matures
With Auto-scan at maturation gate on, Fabric runs a focused scan of a feature the moment it reaches the maturation gate stage you choose. This is handy for catching issues as features are finalized, without anyone remembering to press a button. It runs once per transition into the gate and won't pile up duplicate scans.
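The once-per-transition behaviour described above, modelled as an added example that is not Fabric's own code. It assumes a small gate configuration (auto-scan on/off, gate stage) and a stage-change event stream; the stage names other than "Published" and the feature id are constructed. The point it shows is that saving a feature that is already at the gate does not count as a new transition, while leaving the gate and coming back does.

```python
from dataclasses import dataclass


@dataclass
class GateConfig:
    auto_scan: bool = True          # the "Auto-scan at maturation gate" switch
    gate_stage: str = "Published"   # the "Maturation gate" stage


class MaturationGateScanner:
    """Starts one focused scan per transition of a feature into the gate stage."""

    def __init__(self, config: GateConfig):
        self.config = config
        self.stage = {}   # feature id -> current drafting stage
        self.scans = []   # (feature id, transition number) for each scan started

    def move(self, feature_id: str, new_stage: str) -> bool:
        """Record a stage change; return True if a focused scan was started."""
        previous = self.stage.get(feature_id)
        self.stage[feature_id] = new_stage
        if not self.config.auto_scan:
            return False
        if new_stage != self.config.gate_stage:
            return False
        if previous == new_stage:
            # Re-saving a feature already at the gate is not a transition into it,
            # so no duplicate scan is queued.
            return False
        transition_no = sum(1 for fid, _ in self.scans if fid == feature_id) + 1
        self.scans.append((feature_id, transition_no))
        return True


def demo() -> list:
    """Run a constructed sequence of stage changes; return (stage, scan started?) pairs."""
    scanner = MaturationGateScanner(GateConfig())
    events = [
        ("FEAT-1", "Draft"),
        ("FEAT-1", "Review"),
        ("FEAT-1", "Published"),   # first entry into the gate: scan
        ("FEAT-1", "Published"),   # saved again while at the gate: no duplicate
        ("FEAT-1", "Review"),      # pulled back for edits
        ("FEAT-1", "Published"),   # second entry into the gate: scan again
    ]
    return [(stage, scanner.move(fid, stage)) for fid, stage in events]


if __name__ == "__main__":
    for stage, started in demo():
        print(f"{stage:<10} scan started: {started}")
```

Turning the switch off makes `move` a plain stage recorder: no transition ever starts a scan, which is what you want when you would rather run project-wide scans by hand.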
Custom rules
Beyond the OWASP Top 10 and WCAG 2.1 AA, you can add project-specific rules the agents enforce alongside the standard sets — for example, an industry compliance requirement or a house security policy.
Add a rule
In Configuration → Custom rules, click Add rule.
Describe it
Give the rule a name, choose its category (Security or Accessibility) and severity, and write the guidance — what the agent should flag. Be specific (e.g. "Flag any feature that describes storing credentials directly in source code or client-side config instead of a secrets manager").
Save and scan
Save your changes and run a scan. Findings from a custom rule are clearly marked with a Custom rule badge and attributed as Custom: <your rule name>, so you always know which rule produced them.
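To make the rule shape and the attribution concrete, here is an added example (not Fabric's code) of a custom rule and the finding it produces. The rule carries the fields the page names (name, category, severity, guidance); the AI agent's reading of the guidance is replaced by a regex stand-in so the example is deterministic and runs offline, and the remediation text, the pattern list and the two sample features are assumptions constructed for the example.

```python
from dataclasses import dataclass
import re

CATEGORIES = ("Security", "Accessibility")
SEVERITIES = ("Critical", "High", "Medium", "Low")


@dataclass(frozen=True)
class CustomRule:
    """A project-specific rule that runs alongside the OWASP and WCAG sets."""
    name: str
    category: str
    severity: str
    guidance: str       # what the agent should flag, in plain language
    remediation: str    # assumption: remediation text carried on the rule
    patterns: tuple     # assumption: regexes standing in for the agent's judgement

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"category must be one of {CATEGORIES}")
        if self.severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {SEVERITIES}")


@dataclass
class Finding:
    title: str
    description: str
    remediation: str
    rule: str           # attribution shown in results, e.g. "Custom: <rule name>"
    severity: str
    category: str
    subject: str        # the feature or document the finding is about
    custom: bool = False   # drives the "Custom rule" badge


def check_feature(rule: CustomRule, feature_title: str, feature_text: str) -> list:
    """Apply one custom rule to one feature; returns an empty list or one Finding."""
    hits = [p for p in rule.patterns if re.search(p, feature_text, re.IGNORECASE)]
    if not hits:
        return []
    return [Finding(
        title=f"{rule.name}: {feature_title}",
        description=f"Feature text matches rule guidance: {rule.guidance}",
        remediation=rule.remediation,
        rule=f"Custom: {rule.name}",
        severity=rule.severity,
        category=rule.category,
        subject=feature_title,
        custom=True,
    )]


def scan_project(rules: list, features: dict) -> list:
    """Run every custom rule over every feature (title -> description text)."""
    findings = []
    for rule in rules:
        for title, text in features.items():
            findings.extend(check_feature(rule, title, text))
    return findings


# The rule from the page's example, with constructed patterns and remediation.
SECRETS_RULE = CustomRule(
    name="Secrets in source",
    category="Security",
    severity="High",
    guidance=("Flag any feature that describes storing credentials directly in "
              "source code or client-side config instead of a secrets manager"),
    remediation="Keep credentials in a secrets manager and inject them at runtime; "
                "never ship them in source or client-side config.",
    patterns=(
        r"\b(api key|password|secret|token)\b.*\b(config\.js|source code|bundled|hard-?coded)\b",
        r"\bcommit(ted|ting)?\b.*\b(credentials?|secrets?)\b",
    ),
)

# Constructed sample features: one that should be flagged, one that should not.
SAMPLE_FEATURES = {
    "Mobile payments": "The mobile client reads the payments API key from a "
                       "constant in config.js bundled with the app.",
    "Nightly export": "Credentials are fetched at runtime from the secrets "
                      "manager; nothing is stored in the repository.",
}


if __name__ == "__main__":
    for f in scan_project([SECRETS_RULE], SAMPLE_FEATURES):
        print(f"[{f.severity}] {f.title} ({f.rule})")
```

Keeping the attribution string on the finding itself, rather than deriving it later, is what lets a results view filter or badge custom-rule findings without consulting the rule list again.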
Work through findings
Each finding has actions:
- Resolve — you've addressed it. It moves to the Resolved status.
- Dismiss — it doesn't apply. It moves to Dismissed.
- Reopen — bring a resolved or dismissed finding back to Open.
Use the Status, Category, and Severity filters to focus — for example, only Open High-severity Security findings.
Re-scanning gives you the current picture. Each scan reflects your project as it is now. When you run a new scan, the results page shows that latest run's findings — so a re-scan replaces the view rather than stacking new findings on top of old ones. Previous runs are kept as history.
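The status actions, the filters and the "latest run replaces the view" behaviour above, as an added example that is not Fabric's code. It assumes that Resolve and Dismiss act on Open findings and Reopen on Resolved or Dismissed ones (the page names the target statuses but not every allowed starting status), and the finding titles and the two runs are constructed for the example.

```python
from dataclasses import dataclass

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")

# Assumption: which starting statuses each action accepts, and where it moves the finding.
ACTIONS = {
    "Resolve": ({"Open"}, "Resolved"),
    "Dismiss": ({"Open"}, "Dismissed"),
    "Reopen": ({"Resolved", "Dismissed"}, "Open"),
}


@dataclass
class Finding:
    title: str
    severity: str
    category: str          # "Security" or "Accessibility"
    status: str = "Open"


def apply_action(finding: Finding, action: str) -> Finding:
    """Move a finding between Open, Resolved and Dismissed; reject impossible moves."""
    allowed_from, target = ACTIONS[action]
    if finding.status not in allowed_from:
        raise ValueError(f"{action} is not available from status {finding.status}")
    finding.status = target
    return finding


def group_by_severity(findings: list) -> dict:
    """Bucket findings Critical -> High -> Medium -> Low; every bucket is present."""
    groups = {sev: [] for sev in SEVERITY_ORDER}
    for f in findings:
        groups[f.severity].append(f)
    return groups


def filter_findings(findings: list, status=None, category=None, severity=None) -> list:
    """The Status / Category / Severity filters; None means 'any'."""
    return [f for f in findings
            if (status is None or f.status == status)
            and (category is None or f.category == category)
            and (severity is None or f.severity == severity)]


class ScanHistory:
    """Each run is a snapshot: the results page shows the latest, earlier runs stay as history."""

    def __init__(self):
        self.runs = []

    def record(self, findings: list) -> None:
        self.runs.append(list(findings))

    def latest(self) -> list:
        return self.runs[-1] if self.runs else []

    def is_clean(self) -> bool:
        # A clean scan is a run that exists and has no findings, not merely no runs.
        return bool(self.runs) and not self.runs[-1]


def demo() -> dict:
    """Walk through two runs and a few actions; return the numbers worth checking."""
    sql = Finding("Unparameterised SQL in export query", "High", "Security")
    contrast = Finding("Button text contrast below 4.5:1", "Medium", "Accessibility")
    token = Finding("Admin token stored in client config", "High", "Security")
    history = ScanHistory()
    history.record([sql, contrast, token])          # run 1

    apply_action(contrast, "Resolve")               # addressed
    apply_action(token, "Dismiss")                  # judged not applicable...
    apply_action(token, "Reopen")                   # ...then brought back

    open_high_security = filter_findings(history.latest(), "Open", "Security", "High")
    history.record([sql])                           # run 2: only one finding remains
    return {
        "runs": len(history.runs),
        "latest_count": len(history.latest()),
        "open_high_security_after_run1": len(open_high_security),
        "grouped_order": list(group_by_severity(history.runs[0]).keys()),
        "clean": history.is_clean(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`is_clean` deliberately distinguishes "no runs yet" from "a run with no findings", matching the page's point that a clean scan is an explicit confirmation rather than an empty list.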
Tips
- Write detailed acceptance criteria. The agents reason about what you describe — explicit security and accessibility requirements lead to more precise findings.
- Scan after generating documents. Documents carry more detail than feature stubs, so a scan after document generation tends to surface more.
- Start in Warn mode. Keep findings advisory while your team builds the habit of reviewing them.