ASVS Compliance Starter Kit - CLI tools for security requirements management

Project description

OWASP ASVS Compliance Engine

Turn Security Requirements into Verifiable Code.


Move beyond static checklists. The ASVS Compliance Engine is a DevSecOps toolkit that automates the OWASP Application Security Verification Standard (ASVS) 5.0. It empowers engineering teams to treat compliance as code, verifying security controls directly in the CI/CD pipeline.



⚡ Why Use This?

Most compliance efforts fail because they rely on Word documents that become obsolete the moment they're written. This engine solves the "proof gap" by linking requirements directly to your codebase.

| ❌ Old Way (Static) | ✅ New Way (Dynamic) |
| --- | --- |
| Manual spreadsheet updates | Automated evidence collection |
| "Trust me" attestations | Verifiable code & config checks |
| Scrambling before an audit | Continuous audit-readiness |

🚀 Key Features

1. Automated Evidence Verification

Don't just claim you use secure libraries: prove it. Map ASVS requirements directly to files in your repository; the engine checks that each file exists and that its content matches the pattern you declare. Two caveats for the example below. First, a match in package.json proves only that Helmet.js is declared as a dependency, not that the middleware is mounted, so pair it with a second check on the file that actually calls app.use(helmet()). Second, V14.4 is the HTTP Security Headers section of ASVS 4.0; ASVS 5.0 moved those requirements into chapter V3 (Web Frontend Security), so keep manifest IDs aligned with the ASVS version the gate scores against.

```yaml
# evidence.yml
requirements:
  V14.4.1: # HTTP Security Headers
    checks:
      - type: content_match
        path: "package.json"
        pattern: "\"helmet\"" # Verify Helmet.js is declared as a dependency
```
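
To make the check semantics concrete, here is an added Python example; it is not the engine's own code. It evaluates a manifest with the shape of the evidence.yml above against a repository. The manifest is passed as a dict (the real tool reads YAML), `pattern` is treated as a regular expression, and the function names and the sample Node project it writes to a temporary directory are assumptions for illustration. It shows why a single `content_match` on package.json is weak evidence: the dependency-only manifest passes even though `helmet()` is never mounted, while a manifest that also checks the server entry point fails until it is.

```python
"""Evidence-manifest checker: an added example, not the engine's own code.

Evaluates a manifest shaped like the evidence.yml above (requirement ID ->
checks, each a content_match with a file path and a pattern). Assumptions:
the manifest is a dict (the real tool reads YAML), `pattern` is a regular
expression, and the sample Node project is constructed in a temp directory.
"""
import os
import re
import tempfile


def run_checks(manifest, root):
    """Return {requirement_id: {"passed": bool, "results": [...]}}.

    A check passes only if the file exists and the pattern matches. A missing
    file or an empty check list is a failure, never a pass, so evidence cannot
    be "satisfied" by deleting the file or by listing a requirement with no checks.
    """
    report = {}
    for req_id, spec in manifest["requirements"].items():
        results = []
        for check in spec.get("checks", []):
            path = check.get("path")
            if check.get("type") != "content_match" or not path:
                results.append({"path": path, "ok": False,
                                "reason": "unsupported or incomplete check"})
                continue
            target = os.path.join(root, path)
            if not os.path.isfile(target):
                results.append({"path": path, "ok": False, "reason": "file missing"})
                continue
            with open(target, encoding="utf-8") as fh:
                found = re.search(check["pattern"], fh.read()) is not None
            results.append({"path": path, "ok": found,
                            "reason": "pattern found" if found else "pattern not found"})
        report[req_id] = {"passed": bool(results) and all(r["ok"] for r in results),
                          "results": results}
    return report


def build_sample_repo(root, mount_helmet):
    """Write a constructed Node project: helmet is declared and imported, but
    only mounted with app.use(helmet()) when mount_helmet is True."""
    os.makedirs(os.path.join(root, "src"), exist_ok=True)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        fh.write('{"name": "demo", "dependencies": '
                 '{"express": "^4.19.2", "helmet": "^7.1.0"}}\n')
    lines = ['const express = require("express");',
             'const helmet = require("helmet");',
             "const app = express();"]
    if mount_helmet:
        lines.append("app.use(helmet());")
    lines.append("app.use(express.json());")
    with open(os.path.join(root, "src", "server.js"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")


# Requirement ID kept as on the page. DEP_ONLY is the page's single check;
# DEP_AND_USAGE adds a check that the middleware is actually mounted.
DEP_ONLY = {"requirements": {"V14.4.1": {"checks": [
    {"type": "content_match", "path": "package.json", "pattern": r'"helmet"'},
]}}}
DEP_AND_USAGE = {"requirements": {"V14.4.1": {"checks": [
    {"type": "content_match", "path": "package.json", "pattern": r'"helmet"'},
    {"type": "content_match", "path": "src/server.js", "pattern": r"app\.use\(\s*helmet\("},
]}}}


def demo():
    """Gate verdicts for: the dependency-only manifest on a repo that never
    mounts helmet, the stricter manifest on that repo, and the stricter
    manifest once helmet is mounted."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root, mount_helmet=False)
        verdicts["dep_only_unmounted"] = run_checks(DEP_ONLY, root)["V14.4.1"]["passed"]
        verdicts["strict_unmounted"] = run_checks(DEP_AND_USAGE, root)["V14.4.1"]["passed"]
        build_sample_repo(root, mount_helmet=True)
        verdicts["strict_mounted"] = run_checks(DEP_AND_USAGE, root)["V14.4.1"]["passed"]
    return verdicts


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

The interesting design point is the fail-closed behaviour: a missing evidence file, a malformed check, or a requirement with no checks all count as failures, because a gate that passes on absent evidence is exactly the "trust me" attestation the manifest is meant to replace.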

2. Infrastructure-as-Code (IaC) Scanning

Shift security left by catching cloud misconfigurations before they are deployed. Our native scanner checks Terraform plans against ASVS V5.3 requirements for storage security.
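
As an added illustration of what a plan-level storage check looks like, the Python below is not the project's native scanner. It walks the JSON that `terraform show -json plan.out` emits (the `resource_changes` list, each entry carrying `change.actions`, `change.after` and `change.after_unknown`) and flags S3 buckets that are planned with a public ACL, an incomplete public access block, or no server-side encryption configuration. The rule set, severities, function names and the embedded sample plan are assumptions; mapping each finding back to an ASVS V5.3 requirement is left to the evidence manifest, as with the file checks above.

```python
"""Terraform plan scanner for S3 storage misconfigurations (added example).

Not the project's native scanner: an independent illustration that reads the
JSON produced by `terraform show -json plan.out`. The rules, severities and
the sample plan below are assumptions for illustration.
"""
import json

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")
SSE_ALGOS = {"AES256", "aws:kms"}


def load_plan(path):
    """Parse the output of `terraform show -json plan.out` from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _bucket_ref(rc):
    """Bucket a child resource targets, or None when Terraform cannot resolve
    it until apply (after_unknown), so the check must not silently pass."""
    change = rc["change"]
    if (change.get("after_unknown") or {}).get("bucket"):
        return None
    return (change.get("after") or {}).get("bucket")


def scan_plan(plan):
    """Return [(severity, address, message)] for S3 resources in the plan."""
    findings, buckets, has_pab, has_sse = [], {}, set(), set()
    for rc in plan.get("resource_changes", []):
        if rc["change"]["actions"] in (["delete"], ["no-op"]):
            continue  # nothing new reaches the cloud from these
        after = rc["change"].get("after") or {}
        rtype, addr = rc["type"], rc["address"]
        if rtype == "aws_s3_bucket":
            buckets[after.get("bucket") or addr] = addr
            if after.get("acl") in PUBLIC_ACLS:
                findings.append(("HIGH", addr, f"public ACL {after['acl']!r}"))
        elif rtype == "aws_s3_bucket_public_access_block":
            ref = _bucket_ref(rc)
            if ref is None:
                findings.append(("INFO", addr, "bucket reference unresolved at plan time"))
            else:
                has_pab.add(ref)
            for flag in PAB_FLAGS:
                if after.get(flag) is not True:
                    findings.append(("HIGH", addr, f"{flag} is not true"))
        elif rtype == "aws_s3_bucket_server_side_encryption_configuration":
            ref = _bucket_ref(rc)
            algos = {d.get("sse_algorithm")
                     for rule in after.get("rule") or []
                     for d in rule.get("apply_server_side_encryption_by_default") or []}
            if algos & SSE_ALGOS:
                if ref is not None:
                    has_sse.add(ref)
            else:
                findings.append(("MEDIUM", addr, "no AES256/aws:kms default encryption rule"))
    # Coverage pass: every planned bucket needs both companion resources.
    for name, addr in buckets.items():
        if name not in has_pab:
            findings.append(("HIGH", addr, "no public access block planned for bucket"))
        if name not in has_sse:
            findings.append(("MEDIUM", addr, "no server-side encryption configuration planned"))
    return findings


def gate(plan, fail_on=("HIGH",)):
    """CI verdict: True only when no finding has a blocking severity."""
    return not any(sev in fail_on for sev, _, _ in scan_plan(plan))


SAMPLE_PLAN = {  # constructed; same shape as `terraform show -json` output
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "acme-logs", "acl": "private"}}},
        {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"], "after": {"bucket": "acme-logs", "block_public_acls": True,
                    "block_public_policy": True, "ignore_public_acls": True, "restrict_public_buckets": True}}},
        {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "change": {"actions": ["create"], "after": {"bucket": "acme-logs", "rule": [
             {"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}}},
        {"address": "aws_s3_bucket.bad", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "acme-exports", "acl": "public-read"}}},
        {"address": "aws_s3_bucket_public_access_block.bad", "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["update"], "after": {"bucket": "acme-exports", "block_public_acls": False,
                    "block_public_policy": True, "ignore_public_acls": True, "restrict_public_buckets": False}}},
        {"address": "aws_s3_bucket.retired", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "before": {"bucket": "acme-old", "acl": "public-read"}, "after": None}},
    ],
}

if __name__ == "__main__":
    for sev, addr, msg in scan_plan(SAMPLE_PLAN):
        print(f"{sev:6} {addr}: {msg}")
    print("gate:", "PASS" if gate(SAMPLE_PLAN) else "FAIL")
```

Two behaviours are worth copying into any real plan check: deletions are skipped so a bucket being torn down cannot block the pipeline, and a companion resource whose `bucket` reference is still unknown at plan time is reported rather than credited, so the coverage pass fails closed instead of assuming the block will land on the right bucket.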


3. Auditor-Ready Dashboards

Generate comprehensive HTML reports that combine documentation status, code evidence, and DAST results into a single pane of glass for stakeholders and auditors (SOC2, ISO 27001).


🛠️ Quick Start

Get up and running in minutes.

Option A: Using Python (Recommended)

  1. Install the toolkit:

```bash
pip install "asvs-compliance-starter-kit[evidence,verification]"
```

  2. Initialize your project. The wizard generates your security architecture documentation based on your risk profile:

```bash
python -m tools.init_project --interactive
```

  3. Verify compliance. Run the gate against your docs and the generated sample evidence:

```bash
python -m tools.compliance_gate --level 2 --evidence-manifest evidence.yml
```

Before step 1, note that the distribution files listed further down this page are named asvs_compliance_tools-2.1.0, while the command above installs asvs-compliance-starter-kit. Confirm which name resolves to this maintainer's project on PyPI, pin the version rather than installing whatever is latest, and compare what you downloaded against the SHA256 digests in the File hashes section: the gate runs inside your CI with read access to your repository, so it deserves the same supply-chain scrutiny as any other build dependency.
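
One way to pin the install is a hash-checked requirements file. The one below is an added example, not from the project: the distribution name is inferred from the sdist and wheel filenames on this page (asvs_compliance_tools-2.1.0), which differs from the name used in the pip command above, and the two digests are the SHA256 values listed under File hashes for the wheel and the sdist.

```text
# requirements-asvs.txt (added example; distribution name inferred from the
# filenames on this page, so confirm it resolves to this project before use)
asvs-compliance-tools[evidence,verification]==2.1.0 \
    --hash=sha256:e4a013d57143b07a5c082b5e67dc9cef6549cee15349160e8ed2b663538576ea \
    --hash=sha256:42665b42b6f8ab1e04a4f559f2fb2536ae2b0e45e98225a398b07f24ac66f665
```

Install it with `pip install --require-hashes -r requirements-asvs.txt`. In that mode pip refuses any package in the file that lacks a hash, including the transitive dependencies the extras pull in, so generate the complete set (for example with pip-tools' `pip-compile --generate-hashes`) rather than hand-listing only the top-level package.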

Option B: Using Docker

No Python? No problem. Run the full suite in a container.

```bash
# Build the image
docker build -t asvs-engine .

# Run the init wizard
docker run -it -v $(pwd):/app asvs-engine tools.init_project --interactive

# Run the compliance gate
docker run -v $(pwd):/app asvs-engine tools.compliance_gate --level 2 --evidence-manifest evidence.yml
```

🗓️ Roadmap & Community

We are actively building the future of open-source compliance. Check out our ROADMAP.md to see what's coming next, including:

  • Two-way sync with Jira/GitHub Issues.
  • Pre-built evidence packs for Node.js, Python, and Java frameworks.
  • Expanded cloud infrastructure scanning.

Want to contribute? We'd love your help! See our CONTRIBUTING.md guide to get started.


Currently maintaining this project in my free time.

If this tool saves your company time and money, please consider supporting its development.


Download files

Source Distribution

  • asvs_compliance_tools-2.1.0.tar.gz (40.5 kB)

Built Distribution

  • asvs_compliance_tools-2.1.0-py3-none-any.whl (31.9 kB, Python 3)

File details

asvs_compliance_tools-2.1.0.tar.gz

  • Size: 40.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.14

Because the release was not uploaded through Trusted Publishing, it was authenticated with a maintainer-held API token via twine rather than a CI-issued OIDC identity, so the provenance of this artifact rests on the digests below and on the maintainer's token hygiene.

| Algorithm | Hash digest |
| --- | --- |
| SHA256 | 42665b42b6f8ab1e04a4f559f2fb2536ae2b0e45e98225a398b07f24ac66f665 |
| MD5 | cbb68982b0c56f523508b3a60359b765 |
| BLAKE2b-256 | aa7b6dca2f2ae64e22dac866bd0e413b43be5bc451bb8deadbff418a0a2ee0df |

asvs_compliance_tools-2.1.0-py3-none-any.whl

| Algorithm | Hash digest |
| --- | --- |
| SHA256 | e4a013d57143b07a5c082b5e67dc9cef6549cee15349160e8ed2b663538576ea |
| MD5 | faa8de560c0c40f020e5804903bc29e9 |
| BLAKE2b-256 | a20cd1fe18de8250e2fd32980b286058d13b88d65f95983462da6219130247e5 |
