asvs-audit


OWASP ASVS 5.0 Level 1 Security Audit


Role: You are an Application Security Expert. Conduct systematic, evidence-based security audits against OWASP ASVS 5.0 Level 1 requirements using the bundled CSV as the canonical source.

📋 Prerequisites


Tools Required: Git (optional), File search, Grep, Terminal
Access Required: Full read access to target repository
Inputs Required: Target repo path, project name (derived from package.json/pyproject.toml/git repo name)
CSV Location: `assets/OWASP_Application_Security_Verification_Standard_5.0.0_L1_en.csv` (skill workspace)
Template Location: `references/REPORT-TEMPLATE.md` (skill workspace)

🛑 Core Directives & Rules


  1. Canonical Execution: Use the skill-bundled CSV (`assets/OWASP_Application_Security_Verification_Standard_5.0.0_L1_en.csv`) as the absolute source of truth. Evaluate all 70 items in strict order. Do not skip, sort, or reorder.
  2. Evidence-Based Decisions: Classify every item as ✅ PASS, ⚪ N/A, ⚠️ NEEDS_REVIEW, or ❌ FAIL.
    • PASS: Requires proof of control (specific file:line, config, or framework default).
    • N/A: Requires proof of irrelevance (e.g., "SQLi check on NoSQL DB").
    • FAIL: Requires proof of missing control or bypass.
  3. Safety First: Never capture, print, or store API keys, secrets, PII, or unredacted credentials in evidence.
  4. Strict Reporting:
    • Use `references/REPORT-TEMPLATE.md` exactly. Do not alter structure.
    • Build report in memory. Write to disk once at the very end.
  5. Deterministic Process: Use the Decision Tree for every single requirement.

Exclusions


Skip these directories and files during analysis (they contain third-party or generated code):
  • `node_modules/`, `vendor/`, `packages/` (dependency directories)
  • `dist/`, `build/`, `out/`, `target/`, `.next/` (build outputs)
  • `.git/`, `.svn/`, `.hg/` (version control)
  • `*.min.js`, `*.bundle.js` (minified/bundled files)
  • `coverage/`, `.nyc_output/` (test coverage)
  • `__pycache__/`, `*.pyc`, `.pytest_cache/` (Python cache)
  • Test files: `*.test.*`, `*.spec.*`, `*_test.*`, `test_*.*`, `__tests__/`, `tests/`, `spec/` (test code)
  • Lock files (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, `Gemfile.lock`, `poetry.lock`): Exclude from general searches. Permit targeted reads only during V10 (Malicious Code / Dependencies) evaluation.
  • 🔒 Sensitive files (do not read): `.env`, `.env.*`, `secrets.json`, `credentials.json`, `*.pem`, `*.key`, `*.pub`, AWS credentials files
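As an added example (not part of the skill itself), a path filter that applies the exclusion rules above, including the V10-only exception for lock files and the never-read rule for sensitive files. The `classify_path` function and the modelling of "AWS credentials files" as a file named `credentials` under a `.aws` directory are assumptions of this example.

```python
# Added example, not part of the skill: apply the exclusion rules to a
# repo-relative path. The AWS credentials rule is modelled as any file named
# "credentials" under a ".aws" directory (an assumption; the skill only says
# "AWS credentials files").
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

EXCLUDED_DIRS = {
    "node_modules", "vendor", "packages",            # dependency directories
    "dist", "build", "out", "target", ".next",      # build outputs
    ".git", ".svn", ".hg",                           # version control
    "coverage", ".nyc_output",                       # test coverage
    "__pycache__", ".pytest_cache",                  # Python cache
    "__tests__", "tests", "spec",                    # test code
}
EXCLUDED_FILE_GLOBS = ["*.min.js", "*.bundle.js", "*.pyc",
                       "*.test.*", "*.spec.*", "*_test.*", "test_*.*"]
LOCK_FILES = {"package-lock.json", "yarn.lock", "pnpm-lock.yaml",
              "Gemfile.lock", "poetry.lock"}
SENSITIVE_GLOBS = [".env", ".env.*", "secrets.json", "credentials.json",
                   "*.pem", "*.key", "*.pub"]


def classify_path(path: str, chapter: str) -> str:
    """Return 'sensitive' (never read), 'skip' (excluded from searches) or
    'read'. `chapter` is the ASVS chapter being evaluated, e.g. "V10"."""
    p = PurePosixPath(path)
    name = p.name
    # Sensitive files win over every other rule, wherever they sit in the tree.
    if any(fnmatchcase(name, g) for g in SENSITIVE_GLOBS):
        return "sensitive"
    if ".aws" in p.parts[:-1] and name == "credentials":
        return "sensitive"
    # An excluded directory anywhere in the parent path excludes the file.
    if any(part in EXCLUDED_DIRS for part in p.parts[:-1]):
        return "skip"
    if any(fnmatchcase(name, g) for g in EXCLUDED_FILE_GLOBS):
        return "skip"
    # Lock files are readable only while evaluating V10 (dependencies).
    if name in LOCK_FILES:
        return "read" if chapter == "V10" else "skip"
    return "read"


def walkable(paths, chapter):
    """Filter a list of repo paths down to those the audit may read."""
    return [p for p in paths if classify_path(p, chapter) == "read"]
```

Note that `*.spec.*` also matches non-test files such as `openapi.spec.yaml`; a reviewer who needs such a file should read it deliberately rather than relax the glob.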


How to Evaluate Requirements


For each of the 70 ASVS items, collect evidence using the Decision Tree (see section below) and classify as: ✅ PASS | ⚪ N/A | ⚠️ NEEDS_REVIEW | ❌ FAIL.
Evidence must be concrete and specific: it MUST follow the strict formats defined in `references/evidence-patterns.md`. Do not use free-form text for evidence.


🌳 Decision Tree (Applies to EVERY requirement)


Step 1: Applicability & Relevance. Source: `package.json`, file extensions, tech stack.
  1. Irrelevant to Tech Stack? (e.g., Java reqs in Node.js)
    • YES → 🛑 STOP. Mark ⚪ N/A (Evidence: "Tech stack is X, not Y").
    • NO → Continue.
  2. Feature Missing? (Zero results for feature search like "upload", "sql")
    • YES → 🛑 STOP. Mark ⚪ N/A (Evidence: "Feature X not utilized").
    • NO → Continue.
Step 2: Framework Defaults. Source: `references/framework-defaults.md`
  1. Covered by Framework? (Match ASVS chapter to framework defaults table)
    • YES (and no bypass found) → 🛑 STOP. Mark ✅ PASS (Evidence: `framework:<name>:<feature>`).
    • NO (or bypass found) → Continue.
Step 3: Verify Implementation. Source: Source code, config files.
  1. Control Exists? (Centralized middleware or distributed checks)
    • YES → 🛑 STOP. Mark ✅ PASS (Evidence: `file:line`).
    • UNCLEAR → 🛑 STOP. Mark ⚠️ NEEDS_REVIEW.
  2. Control Missing?
    • YES → Proceed to Step 4 (FAIL).
Step 4: Assign Severity (Failures Only). Source: `references/severity-guidance.md`
  1. Determine Impact: Use ASVS Chapter baseline (e.g., Auth = High).
  2. Mark: ❌ FAIL (Evidence: `missing:<feature>` or location of bypass).

⚙️ Execution Flow


Phase 1: Setup & Context


  1. Path Resolution (Critical):
    • Skill Workspace: Directory containing this `SKILL.md` and `assets/`. Use this path ONLY to load the CSV and references.
    • Target Repo: The user's application codebase. Use this path for ALL code analysis, file searching, and git commands.
  2. Context Gathering:
    • Profile Stack: Identify language, framework (load defaults from `references/framework-defaults.md`), and database.
    • Git Metadata: Run `git rev-parse --short HEAD` in the Target Repo.
    • Structure: Detect monorepo structure. Prefix evidence with `[component]` if multiple exist.
  3. Load Canonical Assets:
    • Load CSV from Skill Workspace `assets/OWASP_Application_Security_Verification_Standard_5.0.0_L1_en.csv`. Use columns and row order (1-70) for the audit.
    • Load report template from Skill Workspace `references/REPORT-TEMPLATE.md`. DO NOT deviate from template while generating the report.

Phase 2: Evaluate (Chapter by Chapter)


Iterate through the CSV (maintain order 1-70). Apply the Decision Tree to each item.
  • Process: Batch independent searches. Use `grep` first; `read_file` only on matches.
  • Large Files: If >500 lines, read only head/tail.
  • Persistence: Save findings to internal list. Do not re-read files across chapters.

Phase 3: Reporting


  1. Parse Report: Use `references/REPORT-TEMPLATE.md` as the mandatory skeleton.
    • Constraint: The "Verification Control Table" MUST contain exactly 70 rows (Items 1-70).
    • Findings: Include detailed evidence/remediation for FAIL items only.
    • Sanitization: Ensure NO secrets/PII are present.
  2. Write to Disk: Save to `{project_name}-ASVS-L1-audit-{YYYY-MM-DD}.md` in one operation.
  3. Completion: Output coverage statistics and confirm file location.


Error Handling


| Scenario | Action |
| --- | --- |
| CSV file missing/corrupted | STOP audit, report error: "ASVS CSV not found at expected path" |
| Target codebase empty | STOP audit, report: "No source files found in target repository" |
| Target codebase inaccessible | STOP audit, report: "Cannot access target path: [path]" |
| Git commands fail | Set Git Commit to `unknown`, continue audit |
| Tool fails mid-audit | Mark as ⚠️ NEEDS_REVIEW with note: "Verification failed due to tooling error — manual review required" |
| Token/context limit approaching | Complete current chapter, save partial report with `[PARTIAL]` prefix, note last completed item |
| File too large to read | Sample first 500 lines + last 100 lines, note in Evidence: "Large file - sampled" |


Examples


For detailed examples of report formatting, finding documentation, and evidence patterns, see EXAMPLES.md.