Security Auditing.
Powered by AI.
Scan any codebase for OWASP vulnerabilities in seconds. AI-powered static analysis that actually understands your code.
$ npx owasp-wtf
⢾ Scanning 847 files...
╔══════════════════════════════════════════════╗
║ OWASP.WTF Security Report ║
║ Score: 72/100 ║
╠══════════════════════════════════════════════╣
║ 🔴 CRITICAL 2 │ 🟠 HIGH 5 ║
║ 🟡 MEDIUM 8 │ 🔵 LOW 12 ║
╠══════════════════════════════════════════════╣
║ A03:Injection ██████░░░░ 3 found ║
║ A07:Auth Failures ████░░░░░░ 2 found ║
║ A01:Access Control ███░░░░░░░ 1 found ║
╚══════════════════════════════════════════════╝
Features
Everything you need to ship secure code
A complete security toolkit that fits in your terminal.
OWASP Top 10 Coverage
Full coverage of all ten OWASP Top 10:2021 categories. Every rule mapped, every pattern detected.
AI-Powered Analysis
Claude AI understands context, not just patterns. Catches vulnerabilities that regex-based tools miss entirely.
Zero Config
Run one command. No config files, no setup, no BS. Works with any JavaScript, TypeScript, Python, or Go project.
Beautiful Reports
Terminal reports with color. Export to HTML or JSON for CI/CD pipelines. Share findings with your team.
CLI First
Built for developers who live in the terminal. Fast, scriptable, composable. Pipe it, chain it, automate it.
Open Source
MIT licensed. Audit the auditor. Contribute rules, improve detection. Community-driven security.
Comprehensive Coverage
The OWASP Top 10
Every category. Every vulnerability. Every fix.
A01:2021
Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced, allowing access to unauthorized functions or data.
A02:2021
Cryptographic Failures
Failures related to cryptography that lead to exposure of sensitive data or system compromise.
A03:2021
Injection
User-supplied data is sent to an interpreter as part of a command or query, tricking it into executing unintended actions.
A04:2021
Insecure Design
Missing or ineffective security controls and architectural flaws that cannot be fixed by proper implementation alone.
A05:2021
Security Misconfiguration
Missing hardening, open cloud storage, verbose errors, unnecessary features enabled, or default credentials in use.
A06:2021
Vulnerable Components
Using components with known vulnerabilities that can undermine application defenses and enable attacks.
A07:2021
Auth Failures
Broken authentication and session management allowing attackers to compromise passwords, keys, or session tokens.
A08:2021
Software Integrity Failures
Code and infrastructure that does not protect against integrity violations from untrusted sources or insecure CI/CD.
A09:2021
Logging Failures
Insufficient logging, monitoring, and alerting that allows attackers to go undetected and persist in systems.
A10:2021
SSRF
Server-Side Request Forgery occurs when a web app fetches a remote resource without validating the user-supplied URL.
How It Works
Three steps to secure code
From zero to security report in under a minute.
Install
One command. No signup, no API keys, no configuration files. Just install and go.
Scan
Automatically detects your project type, language, and framework. Scans every file for vulnerabilities.
Fix
Get actionable, framework-specific remediation advice powered by AI. Copy-paste fixes, not vague warnings.
AI Engine
Not Your Average Scanner
Traditional scanners use regex patterns and AST matching. They find obvious bugs but miss the subtle ones. OWASP.WTF uses Claude AI to understand your code the way a senior security engineer would -- reading context, tracing data flow, and understanding business logic.
Framework-Aware
Understands Next.js, Express, Django, Flask, Gin, and more. Knows the security patterns and pitfalls of each.
Cross-File Data Flow
Traces user input across files, through middleware, into database queries. Finds injection paths that span your entire codebase.
Contextual Fixes
Doesn't just say "sanitize input." Gives you the exact code fix for your framework, your language, your specific vulnerability.
CVE-Informed
Learns from the latest CVEs and security advisories. Detection rules evolve as the threat landscape changes.
// Vulnerability detected: SQL Injection (A03:2021)
const query = `SELECT * FROM users WHERE id = ${req.params.id}`
▶ AI Analysis:
User input from req.params.id flows directly into SQL query without parameterization.
Traced from: routes/users.ts:42 → db/queries.ts:15
✔ Suggested fix:
const query = `SELECT * FROM users WHERE id = $1`
const result = await db.query(query, [req.params.id])
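To make concrete why the flagged line is injectable and the suggested fix is not, here is an added example (not code from the OWASP.WTF project): a stand-in driver records the exact statement text and parameters each version sends, so both can be compared on the same payload. makeFakeDb, trace and statementTextDependsOnInput are constructed for this demonstration, as is the request object.

```javascript
// Stand-in for a pg-style driver: query(text, values) records what it was
// given instead of talking to a database, so the demo runs offline.
// (Constructed for this example; not a real driver.)
function makeFakeDb() {
  const calls = [];
  return {
    calls,
    query(text, values = []) {
      calls.push({ text, values });
      return { rows: [] };
    },
  };
}

// The pattern the scanner flagged: request data is spliced into SQL text.
function getUserVulnerable(db, req) {
  const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
  return db.query(query);
}

// The suggested fix: SQL text is constant, the value travels as a parameter.
function getUserFixed(db, req) {
  const query = 'SELECT * FROM users WHERE id = $1';
  return db.query(query, [req.params.id]);
}

// Run a handler against a fresh fake driver with a constructed request and
// return the first statement that reached the driver ({ text, values }).
function trace(handler, id) {
  const db = makeFakeDb();
  handler(db, { params: { id } });
  return db.calls[0];
}

// Does the SQL text sent to the driver change when the input changes?
// Constant text is the property a parameterized query guarantees; a statement
// whose text varies with request data is the injection sink the report describes.
function statementTextDependsOnInput(handler) {
  const benign = trace(handler, '1').text;
  const hostile = trace(handler, '1 OR 1=1').text;
  return benign !== hostile;
}

// Classic tautology payload: rewrites the WHERE clause in the vulnerable
// version, but is only an (invalid) bound value in the fixed one.
const PAYLOAD = '1 OR 1=1';
console.log('vulnerable:', trace(getUserVulnerable, PAYLOAD));
console.log('fixed:     ', trace(getUserFixed, PAYLOAD));
```

The check in statementTextDependsOnInput is the same property a data-flow scanner is looking for when it traces req.params.id into db.query: if the statement text is a function of request data, the query is injectable regardless of what that data happens to contain today.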
Get Started
Secure your code in seconds
No signup required. No API keys. Just one command.
Run in your project directory:
npx owasp-wtf
Requires Node.js 20+