
ASVS Compliance Starter Kit - CLI tools for security requirements management

Project description

ASVS Compliance Engine

Turn Security Requirements into Verifiable Code.



[Demo image: ASVS Compliance Engine Demo]

Stop managing security in spreadsheets. The ASVS Compliance Engine is a DevSecOps toolkit that operationalizes the OWASP Application Security Verification Standard (ASVS) 5.0. It treats compliance as code, scanning your infrastructure, verifying your app headers, and enforcing evidence requirements in your CI/CD pipeline.



⚡ The Problem: Compliance Rot

Most security compliance efforts fail because they rely on static documents (Word/Excel) that become obsolete the moment they are written. This engine bridges the gap between Requirements and Reality.

| ❌ The Old Way (Static) | ✅ The Compliance Engine (Dynamic) |
|---|---|
| Manual Attestation: "I promise we use bcrypt." | Automated Evidence: Scans package.json for the bcrypt library. |
| Stale Docs: Architecture diagrams from 2021. | Living Docs: Requirements mapped directly to code files. |
| Blind Spots: Cloud configs checked manually. | IaC Scanning: Terraform plans scanned for ASVS V5.3 violations. |
| Audit Panic: Scrambling for screenshots. | Instant Dashboards: Single-click HTML audit reports. |

🚀 Key Features

1. Automated Evidence Verification

Don't just claim you use secure libraries—prove it. Map ASVS requirements directly to files in your repository using evidence.yml. The engine verifies their existence and content during every build.

[Screenshot: Evidence Verification]
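The evidence check described above, written out as an added example so the mechanism is concrete. This is illustration code, not the project's own: the manifest shape (`requirement`, `path`, `must_match`) is an assumption, since the page does not show the evidence.yml schema, and the manifest is embedded as a Python list so the example runs without PyYAML. The sample repository it checks is constructed inside a temporary directory. Beyond the "does bcrypt appear in package.json" case in the table, it also rejects manifest paths that escape the repository root, which is the check a practitioner wants before letting a YAML file decide which files a CI job opens.

```python
"""Evidence-as-code check: each compliance claim points at a file in the repo
and at content that must be present in it; the gate fails if either is missing.

Added illustration, not the project's code. The manifest shape below is an
assumption; the real tool reads evidence.yml, whose schema is not shown here.
"""
import json
import os
import re
import tempfile

# Constructed manifest. Requirement labels are illustrative, not ASVS numbering.
SAMPLE_MANIFEST = [
    {"requirement": "password-hashing", "path": "package.json",
     "must_match": r'"bcrypt"\s*:'},
    {"requirement": "hsts-header", "path": "src/middleware/headers.js",
     "must_match": r"Strict-Transport-Security"},
    {"requirement": "session-cookie-secure", "path": "config/session.js",
     "must_match": r"secure:\s*true"},
    # A manifest entry that tries to point outside the repository.
    {"requirement": "path-escape-attempt", "path": "../outside.txt",
     "must_match": r"."},
]


def _inside(root, candidate):
    """True if candidate resolves to a path under root (symlinks resolved)."""
    root = os.path.realpath(root)
    return os.path.realpath(candidate).startswith(root + os.sep)


def verify_evidence(manifest, repo_root):
    """Return one result per entry with status 'pass', 'missing' (file absent),
    'mismatch' (file present but required content absent) or 'outside-repo'
    (the manifest path escapes the repository root and is rejected outright)."""
    results = []
    for entry in manifest:
        full = os.path.join(repo_root, entry["path"])
        if not _inside(repo_root, full):
            status = "outside-repo"
        elif not os.path.isfile(full):
            status = "missing"
        else:
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            status = "pass" if re.search(entry["must_match"], text) else "mismatch"
        results.append({"requirement": entry["requirement"],
                        "path": entry["path"], "status": status})
    return results


def gate_passes(results):
    """CI gate decision: every claim must be backed by evidence."""
    return all(r["status"] == "pass" for r in results)


def build_sample_repo():
    """Constructed throwaway repo: bcrypt is declared, the headers middleware
    sets only nosniff, and config/session.js does not exist."""
    root = tempfile.mkdtemp(prefix="evidence-demo-")
    os.makedirs(os.path.join(root, "src", "middleware"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"dependencies": {"bcrypt": "^5.1.0", "express": "^4.19.0"}},
                  fh, indent=2)
    with open(os.path.join(root, "src", "middleware", "headers.js"), "w",
              encoding="utf-8") as fh:
        fh.write("res.set('X-Content-Type-Options', 'nosniff');\n")
    return root


def demo():
    """Run the check against the sample repo; returns {requirement: status}."""
    results = verify_evidence(SAMPLE_MANIFEST, build_sample_repo())
    return {r["requirement"]: r["status"] for r in results}


if __name__ == "__main__":
    outcome = demo()
    for req, status in outcome.items():
        print(f"{req:24s} {status}")
    print("gate:", "PASS" if all(s == "pass" for s in outcome.values()) else "FAIL")
```

Run stand-alone it reports one pass, one mismatch, one missing file and one rejected path, and the gate fails. A content regex is deliberately the weakest acceptable evidence: it proves a dependency is declared, not that it is used on the login path, so treat it as a floor that stops silent regressions rather than as proof of correct use.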

2. Infrastructure-as-Code (IaC) Scanning

Shift security left by catching cloud storage misconfigurations before they deploy. Our native scanner checks Terraform plans against ASVS V5.3 (Storage & Cryptography).

[Screenshot: IaC Scanner]
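A plan-level storage scan of the kind the section describes, as an added example that is not the project's iac_scanner. It reads the JSON that `terraform show -json` produces for a saved plan (`planned_values.root_module.resources`, recursing into `child_modules`) and flags AWS storage resources that would be created without encryption at rest: EBS volumes with `encrypted` unset or false, RDS instances with `storage_encrypted` unset or false, and S3 buckets that have no companion `aws_s3_bucket_server_side_encryption_configuration` resource in the same plan. The plan document is constructed; the rule names are my own.

```python
"""Scan a Terraform plan (JSON from `terraform show -json tfplan`) for storage
resources that will be created without encryption at rest.

Added illustration, not the project's scanner. Covers three AWS resource
types; the sample plan is constructed.
"""
import json

# Constructed plan in the shape `terraform show -json` emits.
SAMPLE_PLAN_JSON = """{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
         "values": {"size": 100, "encrypted": false}},
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "values": {"engine": "postgres", "storage_encrypted": true}}
      ],
      "child_modules": [
        {"address": "module.logs", "resources": [
          {"address": "module.logs.aws_s3_bucket.audit", "type": "aws_s3_bucket",
           "values": {"bucket": "audit-logs-demo"}},
          {"address": "module.logs.aws_s3_bucket_server_side_encryption_configuration.audit",
           "type": "aws_s3_bucket_server_side_encryption_configuration",
           "values": {"bucket": "audit-logs-demo"}}
        ]},
        {"address": "module.uploads", "resources": [
          {"address": "module.uploads.aws_s3_bucket.raw", "type": "aws_s3_bucket",
           "values": {"bucket": "user-uploads-demo"}}
        ]}
      ]
    }
  }
}"""


def iter_resources(module):
    """Depth-first walk over a module and every nested child module."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def scan_plan(plan):
    """Return findings as dicts with the resource address and the rule that fired."""
    resources = list(iter_resources(plan["planned_values"]["root_module"]))
    # Bucket names that get an explicit server-side encryption configuration.
    # Values unknown until apply are absent from "values", so None is dropped.
    sse_buckets = {
        r.get("values", {}).get("bucket")
        for r in resources
        if r["type"] == "aws_s3_bucket_server_side_encryption_configuration"
    } - {None}
    findings = []
    for r in resources:
        v = r.get("values", {})
        # A missing attribute counts as "not encrypted": the plan cannot tell us
        # whether an account-level default would apply at create time.
        if r["type"] == "aws_ebs_volume" and v.get("encrypted") is not True:
            findings.append({"address": r["address"], "rule": "ebs-volume-unencrypted"})
        elif r["type"] == "aws_db_instance" and v.get("storage_encrypted") is not True:
            findings.append({"address": r["address"], "rule": "rds-storage-unencrypted"})
        elif r["type"] == "aws_s3_bucket" and v.get("bucket") not in sse_buckets:
            # Fires both when no SSE configuration targets this bucket and when
            # the bucket name is unknown at plan time (needs manual review).
            findings.append({"address": r["address"], "rule": "s3-bucket-no-sse-config"})
    return findings


def exit_code(findings):
    """Gate semantics: any finding fails the pipeline step."""
    return 1 if findings else 0


if __name__ == "__main__":
    found = scan_plan(json.loads(SAMPLE_PLAN_JSON))
    for f in found:
        print(f"{f['rule']:26s} {f['address']}")
    raise SystemExit(exit_code(found))
```

On the constructed plan the EBS volume and the uploads bucket are reported while the RDS instance and the audit-log bucket pass. The S3 rule is the one to read carefully: when a bucket name is computed at apply time it does not appear in `planned_values` at all, so the name-matching here cannot prove the pairing and reports the bucket for review rather than letting it through; correlating through the plan's `configuration` section (resource references) is the next step if that is too noisy.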

3. Auditor-Ready Dashboards

Stop manually compiling evidence. Generate a comprehensive HTML report that combines documentation status, code evidence, and DAST results into a single pane of glass for your SOC2/ISO 27001 auditor.

[Screenshot: Compliance Dashboard]

🛠️ Quick Start

Option A: Python (Recommended)

```bash
# 1. Install the toolkit
pip install "asvs-compliance-tools[evidence,verification]"

# 2. Initialize your project (interactive wizard)
# Generates your security docs and evidence.yml
python -m tools.init_project --interactive

# 3. Verify compliance
# Scans your docs and code for evidence
python -m tools.compliance_gate --level 2 --evidence-manifest evidence.yml
```

Option B: Docker

No Python environment? No problem.

```bash
# Build the image
docker build -t asvs-engine .

# Run the Compliance Gate
docker run -v $(pwd):/app asvs-engine tools.compliance_gate --level 2
```

📦 What's Inside?

| Tool | Command | Description |
|---|---|---|
| Compliance Gate | compliance_gate | Enforces documentation and code evidence rules. |
| Verification Suite | verification_suite | DAST scanner for security headers, CSRF, and cookies. |
| IaC Scanner | iac_scanner | Scans Terraform plans for unencrypted storage. |
| Drift Detector | drift_detector | Checks whether your ASVS definitions are out of sync with OWASP. |
| Report Gen | generate_report | Compiles JSON outputs into an HTML dashboard. |

🤝 Contributing

We are building the standard for open-source compliance.

💖 Support the Project

If this tool saves your team hours of audit preparation, please consider sponsoring the development. Your support funds the creation of pre-built Evidence Packs for frameworks like Django, Spring Boot, and Node.js.


Built with ❤️ for the Security Community

OWASP ASVS

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

asvs_compliance_tools-2.2.0.tar.gz (44.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

asvs_compliance_tools-2.2.0-py3-none-any.whl (34.5 kB view details)

Uploaded Python 3

File details

Details for the file asvs_compliance_tools-2.2.0.tar.gz.

File metadata

  • Download URL: asvs_compliance_tools-2.2.0.tar.gz
  • Upload date:
  • Size: 44.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.14

File hashes

Hashes for asvs_compliance_tools-2.2.0.tar.gz

| Algorithm | Hash digest |
|---|---|
| SHA256 | 6d234f6f43532dec4204da2328dfab7265c3c6f093705859b5943120ac295c25 |
| MD5 | ed5e800052711fe19ce02cf84b856272 |
| BLAKE2b-256 | 8cbd6b4832abe2d9ee08b72491fea981db534821332a3468e5f8163cb25802bf |


File details

Details for the file asvs_compliance_tools-2.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for asvs_compliance_tools-2.2.0-py3-none-any.whl

| Algorithm | Hash digest |
|---|---|
| SHA256 | 1f93cedc52706533924a79b5f2592d7afce6bde6b1aedcd46839133d4bf98723 |
| MD5 | c18568185c6fb6c7b0c25c77883b2f38 |
| BLAKE2b-256 | 2f0d7bf210fa86af6e8cf1e1e951a8925126609fe2a4bd2073d6dfbed317b1c1 |

