
OWASP ASVS

Profile name: owasp-asvs

The OWASP Application Security Verification Standard (ASVS) is the most detailed application-security control catalogue available - 14 chapters spanning architecture, authentication, session management, access control, input validation, cryptography, error handling, data protection, communications security, malicious code, business logic, files & resources, API & web service, and configuration.

Coverage

Vulkro maps findings to L1 and L2 controls across V1-V14. L3 (high-assurance) controls are not currently auto-evaluable - they require manual attestation that's outside the scope of a static scanner.

Run it

vulkro compliance . --profile owasp-asvs
vulkro scan . --profile owasp-asvs --format json

The compliance command produces a per-control evaluation. The scan --profile form decorates each finding with the relevant controls inline.

High-traffic mappings

Vulkro finding category        ASVS controls
-----------------------------  ----------------------
BrokenAuthentication           V2.1, V2.2, V2.7
BrokenObjectLevelAuth (IDOR)   V4.1, V4.2
MassAssignment                 V5.1.5
Injection                      V5.3.4, V5.3.5
XSS / SSTI                     V5.3.3
CSRF                           V13.2.3
Hardcoded secret               V2.10.4, V14.4
Weak crypto                    V6.2
Session fixation               V3.2
SecurityMisconfiguration       V14.1, V14.4
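The mapping table above is what turns a list of findings into a per-control view for an auditor. The script below is an added illustration of that step, not Vulkro's own code: it takes constructed sample findings (the JSON shape, a list of objects with "category", "file" and "line", is an assumption and may not match Vulkro's real --format json schema), decorates each finding with its ASVS controls, and aggregates a pass/fail status per control. Category identifiers are spelled as single tokens here (e.g. HardcodedSecret, XSS, SSTI) as an assumption. It also surfaces findings whose category has no mapping, so a new category is never silently dropped from the handoff, and it sorts control ids numerically so V14 does not land before V2.

```python
"""Aggregate constructed scan findings into per-ASVS-control status.

Added example; not Vulkro's own code. The finding JSON shape is an
assumption, and the sample findings are constructed.
"""
import json

# Category -> ASVS controls, following the mapping table on this page.
# Category tokens are an assumption (XSS / SSTI split into two keys).
ASVS_MAPPING = {
    "BrokenAuthentication": ["V2.1", "V2.2", "V2.7"],
    "BrokenObjectLevelAuth": ["V4.1", "V4.2"],
    "MassAssignment": ["V5.1.5"],
    "Injection": ["V5.3.4", "V5.3.5"],
    "XSS": ["V5.3.3"],
    "SSTI": ["V5.3.3"],
    "CSRF": ["V13.2.3"],
    "HardcodedSecret": ["V2.10.4", "V14.4"],
    "WeakCrypto": ["V6.2"],
    "SessionFixation": ["V3.2"],
    "SecurityMisconfiguration": ["V14.1", "V14.4"],
}

# Constructed sample scan output (assumed shape, not a real Vulkro dump).
SAMPLE_SCAN_JSON = json.dumps([
    {"category": "Injection", "file": "app/db.py", "line": 42},
    {"category": "HardcodedSecret", "file": "config.py", "line": 3},
    {"category": "SecurityMisconfiguration", "file": "settings.py", "line": 88},
    {"category": "FutureCategory", "file": "x.py", "line": 1},  # no mapping
])


def control_sort_key(control):
    """Sort 'V14.4' after 'V5.3.5' by comparing numeric segments."""
    return tuple(int(part) for part in control[1:].split("."))


def decorate(findings):
    """Attach mapped controls to each finding, like scan --profile does.

    Findings whose category is not in the table get an empty control list
    and are returned separately so the auditor can see them.
    """
    decorated, unmapped = [], []
    for finding in findings:
        controls = ASVS_MAPPING.get(finding["category"])
        if controls is None:
            unmapped.append(finding)
            controls = []
        decorated.append({**finding, "asvs_controls": list(controls)})
    return decorated, unmapped


def per_control_status(decorated):
    """Return control -> {"status", "findings"} for every mapped control.

    A control fails when at least one finding maps to it; otherwise it is
    marked "pass". This mirrors the compliance command's per-control view
    only in spirit; Vulkro's real evaluator is its own.
    """
    status = {
        control: {"status": "pass", "findings": []}
        for controls in ASVS_MAPPING.values()
        for control in controls
    }
    for finding in decorated:
        for control in finding["asvs_controls"]:
            status[control]["status"] = "fail"
            status[control]["findings"].append(
                f"{finding['file']}:{finding['line']}")
    return status


def summarise(scan_json):
    """Parse scan JSON and return failed controls, unmapped categories, status."""
    decorated, unmapped = decorate(json.loads(scan_json))
    status = per_control_status(decorated)
    failed = sorted(
        (c for c, s in status.items() if s["status"] == "fail"),
        key=control_sort_key)
    return {
        "failed": failed,
        "unmapped": [f["category"] for f in unmapped],
        "status": status,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_SCAN_JSON)
    for control in result["failed"]:
        hits = ", ".join(result["status"][control]["findings"])
        print(f"{control:<8} FAIL  {hits}")
    print("unmapped categories:", result["unmapped"])
```

Run it against real output by replacing SAMPLE_SCAN_JSON with the contents of a scan --format json run, after checking that the field names match the actual schema. Note that V14.4 is reached from two categories (hardcoded secrets and misconfiguration), so a single control can collect findings of different kinds; the per-control list keeps all of them rather than just the first.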

Audit packaging

For an audit handoff:

vulkro report . --profile owasp-asvs -o asvs-report.html

Produces a single-page HTML with per-control pass/fail status, citations, and timestamped scan provenance. PDF rendering: --format pdf (requires wkhtmltopdf).