AI-powered security auditor agent for Claude Code that tests your application against the OWASP Application Security Verification Standard (ASVS) 5.0.
This tool is AI-powered and provided as-is with no warranty. It is intended as a development aid, not a certified security assessment. You should be aware that:
- AI can and will make mistakes. Findings may be incorrect, incomplete, or misattributed. Always verify results against the ASVS specification and your own expertise.
- This is not a substitute for professional security testing. Use it to complement — not replace — manual code reviews, penetration testing, and formal compliance audits.
- No liability is accepted for any security incidents, data breaches, compliance failures, or other damages arising from reliance on this tool's output. See LICENSE.
- You are responsible for validating all findings and remediation guidance before applying changes to your codebase.
If your application handles sensitive data, financial transactions, healthcare records, or other regulated information, engage qualified security professionals.
- Scans your codebase for security vulnerabilities
- Maps every finding to a specific ASVS 5.0 requirement (e.g., V1.2.5)
- Requires code evidence — file paths, line numbers, vulnerable snippets
- Supports both interactive markdown reports and CI/CD JSON output
- Language-agnostic — adapts scanning patterns to your stack
# Copy to your project
mkdir -p .claude/commands
curl -sL https://raw.githubusercontent.com/TarkinLarson/asvs-auditor/v1.0.0/agent-asvs.md \
-o .claude/commands/agent-asvs.mdThen in Claude Code:
/agent-asvs
For best results, use the most capable available model:
| Use case | Recommended model |
|---|---|
| Thorough audit, large codebase | Claude Opus 4.6 (claude-opus-4-6) |
| Fast scan, smaller project | Claude Sonnet 4.6 (claude-sonnet-4-6) |
Extended thinking: For complex codebases where multi-step logic flaws or subtle authorization issues are a concern, enable extended thinking in Claude Code settings (/config → toggle Extended Thinking). This gives the auditor significantly more reasoning depth at the cost of speed.
| File | Purpose | Output |
|---|---|---|
agent-asvs.md |
Interactive auditor | Markdown report with findings, compliance matrix, and remediation |
agent-asvs-ci.md |
CI/CD pipeline | Strict JSON for automation, exit code gating, and dashboards |
mkdir -p .claude/commands
cp agent-asvs.md .claude/commands/
cp agent-asvs-ci.md .claude/commands/ # optionalmkdir -p ~/.claude/commands
cp agent-asvs.md ~/.claude/commands/
cp agent-asvs-ci.md ~/.claude/commands/ # optional/agent-asvs # Full audit
/agent-asvs focus on authentication # Scoped to auth
/agent-asvs audit src/controllers/ only # Scoped to directory
/agent-asvs L1 requirements only # Minimum baseline only
/agent-asvs-ci # JSON output for CI
- Reconnaissance — maps the codebase, identifies languages and frameworks
- Category-by-category review — checks each relevant ASVS chapter against your code
- Common vulnerability patterns — targeted searches for injection, XSS, secrets, auth gaps, etc.
- Configuration review — security headers, TLS, dependencies, debug settings
- Report generation — findings with evidence, compliance matrix, prioritized remediation
The agents include an inline section-level reference of all 17 ASVS 5.0 chapters with requirement IDs, levels, and direct links to the ASVS 5.0 source on GitHub. When the agent is uncertain about the exact wording of a requirement, it is instructed to fetch the chapter source rather than relying on training data.
This approach balances prompt size (embedding all 345 requirements would consume too much context) against accuracy (the agent has enough detail to cite correctly in most cases and knows where to verify).
These agents target ASVS 5.0 (released May 2025). The chapter structure reflects the 5.0 reorganization from the previous 4.0.3 standard.
| Chapter | Topic | Key L1 Areas |
|---|---|---|
| V1 | Encoding and Sanitization | SQL/OS/LDAP injection, output encoding, deserialization |
| V2 | Validation and Business Logic | Input validation, anti-automation |
| V3 | Web Frontend Security | XSS, cookies, security headers, CSRF |
| V4 | API and Web Service | REST, GraphQL, WebSocket security |
| V5 | File Handling | Upload validation, SSRF, path traversal |
| V6 | Authentication | Passwords, MFA, credential storage |
| V7 | Session Management | Token security, termination, timeouts |
| V8 | Authorization | Access control, IDOR prevention |
| V9 | Self-contained Tokens | JWT validation, claims, lifecycle |
| V10 | OAuth and OIDC | PKCE, token validation, auth servers |
| V11 | Cryptography | Approved ciphers, password hashing, CSPRNG |
| V12 | Secure Communication | TLS configuration, certificates |
| V13 | Configuration | Secret management, debug mode, info leakage |
| V14 | Data Protection | PII, client-side storage, encryption at rest |
| V15 | Secure Coding and Architecture | Memory safety, supply chain |
| V16 | Security Logging and Error Handling | Audit logs, log protection |
| V17 | WebRTC | Peer connections, media streams |
| Severity | ASVS Level | Description |
|---|---|---|
| Critical | L1 violation | Directly exploitable, data breach risk |
| High | L1 violation | Significant security impact |
| Medium | L2 violation | Defense-in-depth gap |
| Low | L3 violation | Hardening recommendation |
The agents adapt their scanning patterns to the detected stack. Explicit guidance is included for:
- .NET / C#
- Node.js / TypeScript
- Python
- Java
- Go
- PHP
- Ruby
Other languages are supported via general pattern matching — contributions for additional language-specific guidance are welcome.
The CI variant can be integrated into your pipeline to fail builds on critical or high findings.
# .github/workflows/security-audit.yml
name: ASVS Security Audit
on:
pull_request:
push:
branches: [main]
jobs:
asvs-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Claude Code
run: npm install -g @anthropic-ai/claude-code
- name: Run ASVS audit
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: claude --print /agent-asvs-ci > audit-report.json
- name: Check result
run: |
PASS=$(jq -r '.scan_summary.pass' audit-report.json)
CRITICAL=$(jq -r '.scan_summary.critical' audit-report.json)
HIGH=$(jq -r '.scan_summary.high' audit-report.json)
echo "Pass: $PASS | Critical: $CRITICAL | High: $HIGH"
if [ "$PASS" = "false" ]; then
echo "::error::ASVS audit failed: $CRITICAL critical, $HIGH high findings"
exit 1
fi
- name: Upload report
if: always()
uses: actions/upload-artifact@v4
with:
name: asvs-audit-report
path: audit-report.jsonNote: Audits on large codebases can take several minutes. Consider running on a schedule or scoping to PRs targeting sensitive paths rather than every push.
- Static analysis only — the agent reads source code; it doesn't execute, fuzz, or probe the running application
- LLM-dependent — findings depend on the model's reasoning ability; complex multi-step vulnerabilities or logic flaws may be missed
- False positives and negatives — AI may misidentify safe code as vulnerable or miss genuine issues; always verify findings manually
- Prompt size vs. accuracy tradeoff — the full ASVS 5.0 spec (345 requirements) is not embedded; the agent may need to fetch chapter sources for precise requirement text
- Not a compliance certification — a passing scan does not constitute ASVS compliance; formal assessment requires qualified auditors
See CONTRIBUTING.md for guidelines. The most valuable contributions are:
- Correcting ASVS requirement references
- Adding language/framework-specific scanning patterns
- Improving methodology to reduce false positives
See CHANGELOG.md for release history.
MIT — see LICENSE.