OWASP Guard CLI: secure code inspector
Project description
OWASP Guard CLI
Professional OWASP Top 10 (2021) code security scanner powered by LLM analysis.
Scans repositories or individual files and generates structured JSON + Markdown reports.
Prerequisites
| Requirement | Version |
|---|---|
| Python | 3.11+ |
| Groq API Key | Get one free → |
Installation
From PyPI (recommended):
pip install owasp-guard-cli
From source:
git clone https://github.com/your-org/owasp-guard
cd owasp-guard
pip install -r requirements.txt
pip install -e .
Quick Start
1 — Add your API key
owasp-guard init
Or pass it directly:
owasp-guard init --api-key gsk_xxxxxxxxxxxx
2 — Scan your code
# Scan a full repository
owasp-guard scan ./my-project --output-dir outputs
# Scan a single file
owasp-guard scan ./src/app.py --output-dir outputs
3 — Review the reports
outputs/
├── report.json ← for pipelines and automation
└── report.md ← for human review and audit
Common Commands
# Scan a repo
owasp-guard scan ./my-project --output-dir outputs
# Limit to first 10 files (useful for large repos)
owasp-guard scan ./my-project --max-files 10 --output-dir outputs
# Use a specific model
owasp-guard scan ./my-project --model llama-3.1-8b-instant --output-dir outputs
# Scan a single file
owasp-guard scan ./src/auth.py --output-dir outputs
CLI Reference
owasp-guard --help Show help
owasp-guard help scan Scan command options
owasp-guard help init Init command options
owasp-guard help reports Report format details
owasp-guard help errors Error codes reference
Alias: owasp works the same as owasp-guard.
Report Contents
report.json includes:
- Tool metadata and report version
- Scope metrics:
total_files,total_chunks,total_findings - Summary metrics:
risk_score_10, severity and OWASP category distributions - Full findings list with evidence and line references
report.md includes:
- Executive summary and risk score
- OWASP category and file impact breakdown
- Findings index with detailed evidence and fix guidance
- Priority action plan and remediation roadmap
Exit Codes
| Code | Meaning |
|---|---|
0 |
Scan complete — no findings |
1 |
Scan complete — findings detected |
2 |
Invalid CLI usage |
3 |
Runtime error |
Troubleshooting
| Error | Fix |
|---|---|
Invalid API Key |
Run owasp-guard init again with a valid Groq key |
Path not found |
Make sure the target path exists before scanning |
Configuration Error |
Delete ~/.owasp_guard/config.json and re-run init |
How It Works
Collect files → Chunk code → LLM analysis → Verification pass → Deduplicate → Report
- File collection — gathers source files from the target path
- Chunking — splits large files into context-sized chunks
- LLM analysis — each chunk is analyzed against OWASP Top 10 categories
- Verification pass — findings are re-checked to reduce false positives
- Deduplication — repeated findings across chunks are merged
- Reporting — outputs
report.jsonandreport.md
Project Layout
src/owasp_guard/
├── cli.py # Entry point — commands: init, scan, help
├── scanner.py # Main pipeline orchestrator
├── llm_utils.py # Groq API calls and response parsing
├── prompts.py # OWASP analysis prompts sent to the LLM
├── chunking.py # Splits files into LLM-sized chunks
├── file_collector.py # Finds and filters files for scanning
├── reporting.py # Generates report.json and report.md
├── models.py # Data models for findings and scan results
├── config.py # API key storage (~/.owasp_guard/config.json)
├── constants.py # Model names, file extensions, OWASP categories
└── errors.py # Custom exception types
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file owasp_guard_cli-0.2.2.tar.gz.
File metadata
- Download URL: owasp_guard_cli-0.2.2.tar.gz
- Upload date:
- Size: 33.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6e9180e2b0fd50cd17927cee415d53937590c75ac6b4539f6aade5004e92070f
|
|
| MD5 |
0859226f79133c615e7662e07f9224f5
|
|
| BLAKE2b-256 |
444fe3bc00229af6f4cc4ef754d1647e6e8e56254e251f714fae3d9ef5843f30
|
Provenance
The following attestation bundles were made for owasp_guard_cli-0.2.2.tar.gz:
Publisher:
publish.yml on jeanclaudegeagea/owasp-guard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
owasp_guard_cli-0.2.2.tar.gz -
Subject digest:
6e9180e2b0fd50cd17927cee415d53937590c75ac6b4539f6aade5004e92070f - Sigstore transparency entry: 1229705103
- Sigstore integration time:
-
Permalink:
jeanclaudegeagea/owasp-guard@58ecbc892123933aa428d6931864f00f2f3b0bad -
Branch / Tag:
refs/heads/main - Owner: https://github.com/jeanclaudegeagea
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@58ecbc892123933aa428d6931864f00f2f3b0bad -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file owasp_guard_cli-0.2.2-py3-none-any.whl.
File metadata
- Download URL: owasp_guard_cli-0.2.2-py3-none-any.whl
- Upload date:
- Size: 36.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a46874e6c48a086e96295e50754a8ed3800787b95f9e14e6e8bbc4771519d420
|
|
| MD5 |
462543b5df8392ed0425d19c64a57101
|
|
| BLAKE2b-256 |
bc19bb751cdea390135a5733251550373aa80ea38fb0f72f753c4d34e348a65a
|
Provenance
The following attestation bundles were made for owasp_guard_cli-0.2.2-py3-none-any.whl:
Publisher:
publish.yml on jeanclaudegeagea/owasp-guard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
owasp_guard_cli-0.2.2-py3-none-any.whl -
Subject digest:
a46874e6c48a086e96295e50754a8ed3800787b95f9e14e6e8bbc4771519d420 - Sigstore transparency entry: 1229705126
- Sigstore integration time:
-
Permalink:
jeanclaudegeagea/owasp-guard@58ecbc892123933aa428d6931864f00f2f3b0bad -
Branch / Tag:
refs/heads/main - Owner: https://github.com/jeanclaudegeagea
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@58ecbc892123933aa428d6931864f00f2f3b0bad -
Trigger Event:
workflow_dispatch
-
Statement type: