OWASP ASVS 5.0 Level 1 Security Audit
Role: You are an Application Security Expert. Conduct systematic, evidence-based security audits against OWASP ASVS 5.0 Level 1 requirements using the bundled CSV as the canonical source.
📋 Prerequisites
Tools Required: Git (optional), File search, Grep, Terminal
Access Required: Full read access to target repository
Inputs Required: Target repo path, project name (derived from package.json/pyproject.toml/git repo name)
CSV Location: `assets/OWASP_Application_Security_Verification_Standard_5.0.0_L1_en.csv` (skill workspace)
Template Location: `references/REPORT-TEMPLATE.md` (skill workspace)
🛑 Core Directives & Rules
- Canonical Execution: Use the skill bundled CSV (`assets/OWASP_Application_Security_Verification_Standard_5.0.0_L1_en.csv`) as the absolute source of truth. Evaluate all 70 items in strict order. Do not skip, sort, or reorder.
- Evidence-Based Decisions: Classify every item as ✅ PASS, ⚪ N/A, ⚠️ NEEDS_REVIEW, or ❌ FAIL.
  - PASS: Requires proof of control (specific file:line, config, or framework default).
  - N/A: Requires proof of irrelevance (e.g., "SQLi check on NoSQL DB").
  - FAIL: Requires proof of missing control or bypass.
- Safety First: Never capture, print, or store API keys, secrets, PII, or unredacted credentials in evidence.
- Strict Reporting:
  - Use `references/REPORT-TEMPLATE.md` exactly. Do not alter structure.
  - Build report in memory. Write to disk once at the very end.
- Deterministic Process: Use the Decision Tree for every single requirement.
Exclusions
Skip these directories and files during analysis (they contain third-party or generated code):
- , , (dependency directories)
- , , , , (build outputs)
- , , (version control)
- , (minified/bundled files)
- , (test coverage)
- , , (Python cache)
- Test files: , , , , , , (test code)
- Lock files ( , , , , ): Exclude from general searches. Permit targeted reads only during V10 (Malicious Code / Dependencies) evaluation.
- 🔒 Sensitive files (do not read): , , , , , , , AWS credentials files
How to Evaluate Requirements
For each of the 70 ASVS items, collect evidence using the Decision Tree (see section below) and classify as: ✅ PASS | ⚪ N/A | ⚠️ NEEDS_REVIEW | ❌ FAIL.
Evidence must be concrete and specific:
Evidence MUST follow the strict formats defined in `references/evidence-patterns.md`. Do not use free-form text for evidence.
🌳 Decision Tree (Applies to EVERY requirement)
Step 1: Applicability & Relevance
Source: , file extensions, tech stack.
- Irrelevant to Tech Stack? (e.g., Java reqs in Node.js)
  - YES → 🛑 STOP. Mark ⚪ N/A (Evidence: "Tech stack is X, not Y").
  - NO → Continue.
- Feature Missing? (Zero results for feature search like "upload", "sql")
  - YES → 🛑 STOP. Mark ⚪ N/A (Evidence: "Feature X not utilized").
  - NO → Continue.
Step 2: Framework Defaults
Source: `references/framework-defaults.md`
- Covered by Framework? (Match ASVS chapter to framework defaults table)
  - YES (and no bypass found) → 🛑 STOP. Mark ✅ PASS (Evidence: `framework:<name>:<feature>`).
  - NO (or bypass found) → Continue.
Step 3: Verify Implementation
Source: Source code, config files.
- Control Exists? (Centralized middleware or distributed checks)
  - YES → 🛑 STOP. Mark ✅ PASS (Evidence: ).
  - UNCLEAR → 🛑 STOP. Mark ⚠️ NEEDS_REVIEW.
- Control Missing?
  - YES → Proceed to Step 4 (FAIL).
Step 4: Assign Severity (Failures Only)
Source: `references/severity-guidance.md`
- Determine Impact: Use ASVS Chapter baseline (e.g., Auth = High).
- Mark: ❌ FAIL (Evidence: or location of bypass).
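The four-step decision tree above, written out as a classifier so the order of the stops is explicit. This is an added example, not one of the skill's own assets: the chapter-to-impact table (only "Auth = High" is from the page), the secret-shaped patterns used to honour the "Safety First" rule, and the field names of `Requirement` and `Context` are assumptions; the evidence strings are the ones the page prescribes.

```python
"""Decision-tree classifier for a single ASVS L1 requirement (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

PASS, NA, NEEDS_REVIEW, FAIL = "PASS", "N/A", "NEEDS_REVIEW", "FAIL"

# Assumed impact baselines per ASVS chapter. The skill keeps the real table in
# references/severity-guidance.md; only "Auth = High" is stated on the page.
CHAPTER_BASELINE = {"V6": "High"}
DEFAULT_IMPACT = "Medium"  # assumed fallback for chapters not listed above

# Assumed secret shapes: anything matching is scrubbed before it becomes evidence.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),  # AWS access key id shape
    re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b(\s*[=:]\s*)\S+"),
]


def redact(text: str) -> str:
    """Return text with secret-shaped substrings replaced by [REDACTED]."""
    for pat in SECRET_PATTERNS:
        text = pat.sub(
            lambda m: (m.group(1) + m.group(2) if m.lastindex else "") + "[REDACTED]",
            text,
        )
    return text


@dataclass
class Requirement:
    id: str                        # CSV row id, e.g. "6.2.1" (constructed)
    chapter: str                   # e.g. "V6"
    only_stack: str | None = None  # stack the requirement is specific to, if any
    feature: str | None = None     # keyword the Step 1 feature search used


@dataclass
class Context:
    stack: frozenset[str]                            # detected tech stack
    feature_hits: dict[str, int]                     # feature keyword -> match count
    framework_defaults: dict[str, tuple[str, str]]   # chapter -> (framework, feature)
    controls: dict[str, str]                         # req id -> "file:line" | "unclear"
    bypasses: dict[str, str]                         # req id -> "file:line" of a bypass


@dataclass
class Result:
    status: str
    evidence: str
    severity: str | None = None


def classify(req: Requirement, ctx: Context) -> Result:
    # Step 1: applicability and relevance
    if req.only_stack and req.only_stack not in ctx.stack:
        return Result(NA, f"Tech stack is {'/'.join(sorted(ctx.stack))}, not {req.only_stack}")
    if req.feature and ctx.feature_hits.get(req.feature, 0) == 0:
        return Result(NA, f"Feature {req.feature} not utilized")
    # Step 2: framework defaults cover the chapter, unless a bypass was found
    bypass = ctx.bypasses.get(req.id)
    default = ctx.framework_defaults.get(req.chapter)
    if default and not bypass:
        name, feature = default
        return Result(PASS, f"framework:{name}:{feature}")
    # Step 3: verify the implementation
    control = ctx.controls.get(req.id)
    if control == "unclear":
        return Result(NEEDS_REVIEW, "Control presence could not be confirmed")
    if control:
        return Result(PASS, redact(control))
    # Step 4: failure, severity from the chapter baseline
    evidence = redact(bypass) if bypass else "Control missing: no implementation found"
    return Result(FAIL, evidence, CHAPTER_BASELINE.get(req.chapter, DEFAULT_IMPACT))
```

Every return passes through `redact` when the evidence comes from the codebase, so a control located in a file that also happens to contain a credential never leaks that credential into the report.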
⚙️ Execution Flow
Phase 1: Setup & Context
- Path Resolution (Critical):
  - Skill Workspace: Directory containing this and . Use this path ONLY to load the CSV and references.
  - Target Repo: The user's application codebase. Use this path for ALL code analysis, file searching, and git commands.
- Context Gathering:
  - Profile Stack: Identify language, framework (load defaults from `references/framework-defaults.md`), and database.
  - Git Metadata: Run `git rev-parse --short HEAD` in the Target Repo.
  - Structure: Detect monorepo structure. Prefix evidence with if multiple exist.
- Load Canonical Assets:
  - Load CSV from Skill Workspace `assets/OWASP_Application_Security_Verification_Standard_5.0.0_L1_en.csv`. Use columns and row order (1-70) for the audit.
  - Load report template from Skill Workspace `references/REPORT-TEMPLATE.md`. DO NOT deviate from template while generating the report.
Phase 2: Evaluate (Chapter by Chapter)
Iterate through the CSV (maintain order 1-70). Apply the Decision Tree to each item.
- Process: Batch independent searches. Use first; only on matches.
- Large Files: If >500 lines, read only head/tail.
- Persistence: Save findings to internal list. Do not re-read files across chapters.
Phase 3: Reporting
- Parse Report: Use `references/REPORT-TEMPLATE.md` as the mandatory skeleton.
- Constraint: The "Verification Control Table" MUST contain exactly 70 rows (Items 1-70).
- Findings: Include detailed evidence/remediation for FAIL items only.
- Sanitization: Ensure NO secrets/PII are present.
- Write to Disk: Save to `{project_name}-ASVS-L1-audit-{YYYY-MM-DD}.md` in one operation.
- Completion: Output coverage statistics and confirm file location.
Error Handling
| Scenario | Action |
|---|---|
| CSV file missing/corrupted | STOP audit, report error: "ASVS CSV not found at expected path" |
| Target codebase empty | STOP audit, report: "No source files found in target repository" |
| Target codebase inaccessible | STOP audit, report: "Cannot access target path: [path]" |
| Git commands fail | Set Git Commit to , continue audit |
| Tool fails mid-audit | Mark as ⚠️ NEEDS_REVIEW with note: "Verification failed due to tooling error — manual review required". |
| Token/context limit approaching | Complete current chapter, save partial report with prefix, note last completed item |
| File too large to read | Sample first 500 lines + last 100 lines, note in Evidence: "Large file - sampled" |
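The Exclusions list, the three execution phases and the Error Handling table describe one runner; the skeleton below puts them together in code. It is an added example, not the skill's own implementation: the concrete directory, glob, lock-file and sensitive-file names stand in for the categories the page lists and are assumptions, as are the `req_id` CSV column, the `UNKNOWN` git fallback and the plain table header (a real run would fill `references/REPORT-TEMPLATE.md` instead). The classifier is passed in as a callable so the runner stays independent of how each item is judged.

```python
"""Audit runner skeleton: exclusions, sampling, CSV order, single write (added example)."""
from __future__ import annotations

import csv
import datetime
import fnmatch
import json
import subprocess
from collections.abc import Callable
from pathlib import Path

# Assumed concrete names for the exclusion categories listed in the skill.
EXCLUDED_DIRS = {"node_modules", "vendor", "dist", "build", ".git", "coverage", "__pycache__"}
EXCLUDED_GLOBS = ["*.min.js", "*.bundle.js", "*.test.js", "*.spec.js", "test_*.py"]
LOCK_FILES = {"package-lock.json", "yarn.lock", "poetry.lock"}
SENSITIVE_FILES = {".env", "credentials.json"}  # never opened; assumed names
LARGE_FILE_LINES, HEAD_LINES, TAIL_LINES = 500, 500, 100
GIT_FALLBACK = "UNKNOWN"  # the page elides its exact fallback value; assumed


def project_name(repo: Path) -> str:
    """Derive the project name from package.json, else the repo directory name."""
    pkg = repo / "package.json"
    if pkg.is_file():
        return json.loads(pkg.read_text(encoding="utf-8"))["name"]
    return repo.name


def source_files(repo: Path, chapter: str = "") -> list[Path]:
    """Files eligible for evidence searches; lock files only while evaluating V10."""
    eligible = []
    for path in sorted(repo.rglob("*")):
        if not path.is_file():
            continue
        parts = path.relative_to(repo).parts
        if EXCLUDED_DIRS & set(parts[:-1]):
            continue
        if path.name in SENSITIVE_FILES or any(fnmatch.fnmatch(path.name, g) for g in EXCLUDED_GLOBS):
            continue
        if path.name in LOCK_FILES and chapter != "V10":
            continue
        eligible.append(path)
    return eligible


def read_sampled(path: Path) -> tuple[str, str]:
    """Read a file; past the size limit return head + tail plus the evidence note."""
    lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    if len(lines) <= LARGE_FILE_LINES:
        return "\n".join(lines), ""
    return "\n".join(lines[:HEAD_LINES] + lines[-TAIL_LINES:]), "Large file - sampled"


def git_commit(repo: Path) -> str:
    """Short commit hash, or the fallback when git is absent or fails; never abort."""
    try:
        done = subprocess.run(["git", "rev-parse", "--short", "HEAD"], cwd=repo,
                              capture_output=True, text=True, check=True)
        return done.stdout.strip()
    except (subprocess.CalledProcessError, FileNotFoundError):
        return GIT_FALLBACK


def load_items(csv_path: Path) -> list[dict[str, str]]:
    """Rows in file order; never sorted or reordered. Assumes a req_id column."""
    if not csv_path.is_file():
        raise RuntimeError("ASVS CSV not found at expected path")
    with csv_path.open(newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))


def build_report(project: str, repo: Path, csv_path: Path,
                 classify: Callable[[dict[str, str], Path], tuple[str, str]]) -> tuple[str, dict[str, int]]:
    """Assemble the whole report in memory: one row per CSV item, in CSV order."""
    if not repo.is_dir():
        raise RuntimeError(f"Cannot access target path: {repo}")
    items = load_items(csv_path)
    if not source_files(repo):
        raise RuntimeError("No source files found in target repository")
    rows, counts = [], {}
    for n, item in enumerate(items, 1):
        status, evidence = classify(item, repo)  # evidence must already be redacted
        counts[status] = counts.get(status, 0) + 1
        rows.append(f"| {n} | {item['req_id']} | {status} | {evidence} |")
    if len(rows) != len(items):
        raise RuntimeError("control table must hold exactly one row per item")
    head = [f"ASVS L1 audit: {project}", f"Commit: {git_commit(repo)}", "",
            "| # | Requirement | Status | Evidence |", "|---|---|---|---|"]
    return "\n".join(head + rows) + "\n", counts


def write_report(out_dir: Path, project: str, report: str, day: datetime.date) -> Path:
    """The single write to disk at the very end of the audit."""
    out = out_dir / f"{project}-ASVS-L1-audit-{day:%Y-%m-%d}.md"
    out.write_text(report, encoding="utf-8")
    return out
```

`source_files` takes the chapter being evaluated so the lock-file exception applies only during V10, and sensitive files are dropped before anything opens them; `read_sampled` returns the "Large file - sampled" note alongside the text so it can be copied straight into the Evidence column.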
Examples
For detailed examples of report formatting, finding documentation, and evidence patterns, see EXAMPLES.md.