Defensive-only CLI that scans a local codebase (and optionally a URL with explicit opt-in) and maps findings to OWASP Top 10 (2021).
This MVP is designed to be proof/evidence-driven: findings include file/line evidence or HTTP header evidence, plus practical fix guidance.
Requirements: Python 3.10+ (stdlib only).
Show help:

```shell
python -m owasp_analyzer.cli --help
```

Run a sample scan against the included examples:

```shell
python -m owasp_analyzer.cli scan --path examples --out-dir out --formats json sarif html
```

Open the HTML report at `out/report.html`.
Run the local web interface from ./web:

```shell
python web/server.py
```

Then open http://127.0.0.1:8000
The UI calls API endpoints exposed by the same server:

```
GET  /api/scanners
POST /api/scan
```
Generated report files are written under:
out/web/<timestamp>/
Output files:

- Normalized JSON: `out/report.json`
- SARIF 2.1.0: `out/report.sarif.json`
- HTML: `out/report.html`
List scanners:

```shell
python -m owasp_analyzer.cli list-scanners
```

Enable/disable scanners:

```shell
python -m owasp_analyzer.cli scan --path . --disable-scanners web_passive
python -m owasp_analyzer.cli scan --path . --enable-scanners static_code dependencies
```

Passive web checks are disabled by default and require explicit opt-in.
By default, URL fetching is limited to localhost/loopback to avoid fetching external web content.
Run passive web checks against a loopback URL:

```shell
python -m owasp_analyzer.cli scan --path . --url https://localhost:8443 --allow-network
```

To fetch a non-local URL (only for environments you control):

```shell
python -m owasp_analyzer.cli scan --path . --url https://staging.example --allow-network --allow-external-url
```

Limitations:

- Heuristic detections (no full dataflow/taint analysis).
- Dependency checks focus on hygiene (pinning/sources), not CVE lookups.
- Web checks are passive headers/cookies only; no crawling, fuzzing, or payload injection.
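The two ideas behind the passive web checks above, the loopback-only fetch policy and findings that carry header evidence plus fix guidance, can be illustrated with a small stdlib-only script. This is an added example written for this README, not code from owasp_analyzer; the sample headers are constructed, and the mapping of every finding to A05 (Security Misconfiguration) is this example's own choice rather than the project's.

```python
"""Passive security-header and cookie-flag checks on a captured HTTP response.

Added example, not part of owasp_analyzer. Shows a loopback-only target policy
and findings with header evidence plus fix guidance. The OWASP Top 10 (2021)
mapping (everything to A05) is this example's assumption, not the project's.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed sample headers, as a local app might send them (not real output).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "ExampleServer/1.2",
    "Set-Cookie": "session=abc123; Path=/",
    "X-Frame-Options": "DENY",
}

# The same response after applying the fixes this script reports.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

# Headers a passive check expects on an HTML response, with fix guidance.
REQUIRED_HEADERS = {
    "strict-transport-security": "Send Strict-Transport-Security with a max-age of at least one year.",
    "content-security-policy": "Send a Content-Security-Policy; default-src 'self' is a safe starting point.",
    "x-content-type-options": "Send X-Content-Type-Options: nosniff.",
    "x-frame-options": "Send X-Frame-Options: DENY (or CSP frame-ancestors).",
}


def is_loopback_url(url: str) -> bool:
    """Default fetch policy from the README: only localhost/loopback hosts."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name other than localhost
        return False


def check_headers(headers: dict[str, str]) -> list[dict[str, str]]:
    """Return findings, each with header evidence and a concrete fix."""
    present = {name.lower(): value for name, value in headers.items()}
    findings: list[dict[str, str]] = []
    for name, fix in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append({"id": "A05", "evidence": f"missing header: {name}", "fix": fix})
    if "server" in present:
        findings.append({"id": "A05", "evidence": f"Server: {present['server']}",
                         "fix": "Remove the Server header or strip the version from it."})
    if "set-cookie" in present:
        cookie = present["set-cookie"]
        # Attributes after the first ';' are the cookie flags.
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in flags:
                findings.append({"id": "A05", "evidence": f"Set-Cookie without {flag}: {cookie}",
                                 "fix": f"Add the {flag} attribute to the session cookie."})
    return findings


if __name__ == "__main__":
    for target in ("http://127.0.0.1:8000", "https://staging.example"):
        print(target, "allowed" if is_loopback_url(target) else "blocked without --allow-external-url")
    for finding in check_headers(SAMPLE_HEADERS):
        print(f"[{finding['id']}] {finding['evidence']} -> {finding['fix']}")
```

Running the script reports six findings for the sample response (three missing headers, the version-revealing Server header, and two missing cookie flags) and none for the hardened one; a non-loopback URL is refused unless the caller explicitly opts in, mirroring the `--allow-external-url` flag.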
Ways to use it:

- Demo “proof-driven” findings with line-level evidence + fix guidance mapped to OWASP A01..A10.
- Export SARIF and upload as a CI artifact / GitHub Code Scanning input.
- Add a custom scanner plugin under `owasp_analyzer/scanners/` and toggle it via CLI flags.
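The dependency-hygiene limitation above (pinning and sources, no CVE lookups) and the "line-level evidence + fix guidance" idea can be shown together with a small requirements.txt check. This is an added example, not the project's dependencies scanner; the sample file is constructed, and the OWASP mapping (unpinned versions to A06, custom indexes and unhashed VCS references to A08) is this example's assumption.

```python
"""Dependency hygiene check over a requirements.txt file (added example).

Not the project's own scanner. It produces file:line evidence for pinning and
source problems only; it does not look up CVEs. OWASP mapping assumed here:
unpinned versions -> A06 (Vulnerable and Outdated Components); custom indexes
and VCS/URL sources without a commit hash -> A08 (Software and Data Integrity
Failures).
"""
import re

# Constructed sample file; not taken from the project's examples/ directory.
SAMPLE_REQUIREMENTS = """\
--index-url https://mirror.internal.example/simple
requests==2.31.0
flask>=2.0
pyyaml
# comment line
git+https://github.com/example/lib.git#egg=lib
cryptography==41.0.7 --hash=sha256:0000
"""

# name[extras]==x.y.z with nothing else on the spec.
EXACT_PIN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[0-9][A-Za-z0-9._+!-]*$")
URL_SOURCE = re.compile(r"^(git\+|hg\+|svn\+|bzr\+|https?://|file:)")
COMMIT_REF = re.compile(r"@[0-9a-f]{40}\b")
INDEX_OPTIONS = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}


def check_requirements(text: str, path: str = "requirements.txt") -> list[dict]:
    """Return findings with line-level evidence for one requirements file."""
    findings: list[dict] = []

    def report(lineno: int, raw: str, owasp_id: str, fix: str) -> None:
        findings.append({"id": owasp_id, "line": lineno,
                         "evidence": f"{path}:{lineno}: {raw.strip()}", "fix": fix})

    for lineno, raw in enumerate(text.splitlines(), start=1):
        # pip treats '#' as a comment only at line start or after whitespace,
        # so the '#egg=' fragment of a VCS URL survives this split.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("-"):
            if line.split()[0] in INDEX_OPTIONS:
                report(lineno, raw, "A08", "Use the default index or a vetted mirror, and add --hash pins.")
            continue
        spec = line.split(" --", 1)[0].strip()  # drop per-line options such as --hash
        if URL_SOURCE.match(spec):
            if not COMMIT_REF.search(spec):
                report(lineno, raw, "A08", "Pin VCS/URL dependencies to a full commit hash.")
            continue
        if not EXACT_PIN.match(spec):
            report(lineno, raw, "A06", "Pin to an exact version (name==x.y.z) and upgrade deliberately.")
    return findings


if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"[{finding['id']}] {finding['evidence']} -> {finding['fix']}")
```

On the sample file this flags the custom index on line 1, the unpinned `flask>=2.0` and `pyyaml` on lines 3 and 4, and the VCS reference without a commit hash on line 6; the exact pins on lines 2 and 7 pass.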