OWASP Top 10
The owasp-top-10 pack enforces rules for the OWASP Top 10 2021 web application security risks.
Enable
Rules
The pack includes 22 rules covering all 10 OWASP categories:
Code rules (16)
| Category | Rules | Key checks |
|---|---|---|
| A01: Broken Access Control | 2 | Hardcoded credentials, missing auth checks |
| A02: Cryptographic Failures | 2 | Weak hashing (MD5/SHA1), hardcoded secrets |
| A03: Injection | 3 | SQL injection, eval(), OS command injection |
| A04: Insecure Design | 1 | Missing input validation patterns |
| A05: Security Misconfiguration | 2 | Debug mode enabled, overly permissive CORS |
| A06: Vulnerable Components | 1 | Known-vulnerable import patterns |
| A07: Auth Failures | 2 | Weak session management, missing rate limiting |
| A08: Data Integrity | 1 | Unsafe deserialization (pickle + user input) |
| A09: Logging Failures | 1 | Missing security event logging |
| A10: SSRF | 1 | Unvalidated URL construction from user input |
Documentation obligations (6)
Non-code compliance items tracked in reports:
- Security policy documentation
- Incident response plan
- Vulnerability disclosure process
- Security training records
- Penetration testing schedule
- Third-party component inventory
Composite rules
Several rules use all_patterns for precise detection. For example, the SQL injection rule only flags files that contain both execute( and user input patterns — reducing false positives compared to matching either pattern alone.
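The following is an added example, not the pack's own rule definitions or scanner code, showing how an all_patterns composite rule differs from a single-pattern rule. The Rule schema, the rule ids, the regexes and the sample files are all assumptions constructed for this illustration; the real pack's rule format and patterns may differ. It runs a composite SQL-injection rule next to a naive one (execute( alone) over four constructed files, plus single-pattern A02 and composite A08 rules from the table above, so the false-positive difference is visible in the output.

```python
import re
from dataclasses import dataclass, field


# Hypothetical rule schema, assumed for this example only: a rule fires
# when any of `patterns` matches (simple rule) or when every entry of
# `all_patterns` matches somewhere in the file (composite rule).
@dataclass
class Rule:
    rule_id: str
    category: str
    patterns: list = field(default_factory=list)      # any-of
    all_patterns: list = field(default_factory=list)  # all-of (composite)

    def matches(self, text: str) -> bool:
        if self.all_patterns:
            return all(re.search(p, text) for p in self.all_patterns)
        return any(re.search(p, text) for p in self.patterns)


# Constructed rules (ids and regexes are illustrative, not the pack's).
RULES = [
    # Composite: execute( AND a user-input source must both be present.
    Rule("A03-sqli-composite", "A03: Injection",
         all_patterns=[r"\.execute\(", r"request\.(args|form|json)|input\("]),
    # Naive: execute( alone, kept here only to show the extra false positive.
    Rule("A03-sqli-naive", "A03: Injection", patterns=[r"\.execute\("]),
    Rule("A02-weak-hash", "A02: Cryptographic Failures",
         patterns=[r"hashlib\.(md5|sha1)\("]),
    Rule("A08-pickle", "A08: Data Integrity",
         all_patterns=[r"pickle\.loads?\(", r"request\.(args|form|json|data)"]),
]


def scan(files: dict) -> dict:
    """Return {filename: [rule_id, ...]} for every rule that fires, in RULES order."""
    findings = {}
    for name, text in files.items():
        hits = [r.rule_id for r in RULES if r.matches(text)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample files: one static query (no user input), one query
# built from request data, one MD5 use, one pickle.loads on request data.
SAMPLES = {
    "safe_report.py": "cur.execute('SELECT count(*) FROM users')\n",
    "user_lookup.py": (
        "uid = request.args['id']\n"
        "cur.execute(f'SELECT * FROM users WHERE id={uid}')\n"
    ),
    "legacy_hash.py": "import hashlib\ndigest = hashlib.md5(pw.encode()).hexdigest()\n",
    "unpickler.py": "import pickle\nobj = pickle.loads(request.data)\n",
}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

In the output, safe_report.py is flagged only by the naive rule: it calls execute( but has no user-input source, so the composite rule stays quiet. user_lookup.py trips both, and the A02 and A08 rules fire only on the files that contain their patterns.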
Use case
Any team building web applications — especially those using AI coding agents that may introduce OWASP vulnerabilities without awareness. The pack catches the most common security issues before they reach production.