Documentation

Install. Scan. Ship secure.

Everything you need to wire OWASP.WTF into your workflow — locally, in CI, or as a GitHub Action. Full markdown reference lives in the docs/ directory on GitHub.

OWASP.WTF runs on Node.js 20+.

One-shot

npx owasp-wtf

Global install

npm install -g owasp-wtf
owasp-wtf --version

GitHub Action

- uses: actions/checkout@v4
- uses: decoperations/owasp.wtf@v1
  with:
    severity: high
    fail-on-findings: true

Usage

owasp-wtf [directory] [options]

Common flags:

  • -f, --format terminal, json, or html
  • -o, --output — write the report to a file
  • -s, --severity critical, high, medium, low, info
  • -i, --ignore — comma-separated ignore globs
  • --ai — enable AI-assisted analysis
  • --setup — run the AI provider wizard

Examples

# Quick local scan
owasp-wtf

# Limit to high-severity findings, write JSON
owasp-wtf ./src -s high -f json -o report.json

# AI-assisted, ignore tests and generated code
owasp-wtf --ai -i "**/*.test.ts,**/__generated__/**"

# HTML report for sharing
owasp-wtf -f html -o report.html

GitHub Action

The reusable composite action installs the CLI, runs a scan, and uploads the report as a workflow artifact.

name: Security
on:
  pull_request:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: decoperations/owasp.wtf@v1
        with:
          severity: high
          fail-on-findings: true

Inputs include:

  • directory — path to scan (default .)
  • severity, format, output, ignore — same semantics as the CLI flags
  • fail-on-findings — fail the workflow when findings ≥ severity exist
  • version — pin a CLI version
  • upload-artifact, artifact-name — artifact upload

Outputs: report-path and findings.

AI providers

--ai needs a provider configured. Run owasp-wtf --setup for an interactive wizard.

  • Claude Code CLI — uses your existing claude session
  • Codex CLI — uses your existing codex session
  • Anthropic API ANTHROPIC_API_KEY
  • OpenAI API OPENAI_API_KEY
  • Ollama — local models, no key required

Privacy: only snippets around each finding are sent to your chosen provider, not the entire codebase. For air-gapped use, pick Ollama or skip --ai entirely.

Configuration

Config lives in ~/.owasp-wtf/config.json and stores your AI provider, model, and (optionally) an API key. Recommended: keep keys in the environment with "apiKey": "env".

{
  "version": 1,
  "ai": {
    "provider": "anthropic",
    "model": "claude-sonnet-4-20250514",
    "apiKey": "env"
  }
}
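To make the documented shape concrete, here is an added example (not part of the OWASP.WTF code base) that loads a config.json like the one above, enforces version 1 and the ai.provider / ai.model / ai.apiKey fields, resolves "apiKey": "env" to ANTHROPIC_API_KEY or OPENAI_API_KEY as listed under AI providers, and flags a key stored literally in the file. The provider identifiers "openai" and "ollama" are assumed spellings; only "anthropic" appears in the page's sample.

```python
import json

# Provider name -> environment variable holding the API key. "anthropic" is the
# identifier in the page's sample config; "openai" and "ollama" are assumed
# spellings. A None value means the provider needs no key (Ollama runs locally).
KEY_ENV_VARS = {
    "anthropic": "ANTHROPIC_API_KEY",
    "openai": "OPENAI_API_KEY",
    "ollama": None,
}

def resolve_ai_config(config_text, environ):
    """Parse a config.json document and return (provider, model, api_key).
    Resolves "apiKey": "env" from `environ`; raises ValueError on a bad shape
    or a missing key so a scan never starts with an unusable provider."""
    cfg = json.loads(config_text)
    if cfg.get("version") != 1:
        raise ValueError("unsupported config version: %r" % cfg.get("version"))
    ai = cfg.get("ai")
    if not isinstance(ai, dict):
        raise ValueError("missing 'ai' section")
    provider = ai.get("provider")
    if provider not in KEY_ENV_VARS:
        raise ValueError("unknown provider: %r" % provider)
    model = ai.get("model")
    if not model:
        raise ValueError("missing 'model'")
    env_var = KEY_ENV_VARS[provider]
    if env_var is None:
        return provider, model, None  # local provider, nothing to resolve
    api_key = ai.get("apiKey")
    if api_key == "env":
        api_key = environ.get(env_var)
        if not api_key:
            raise ValueError("%s is not set but config says apiKey=env" % env_var)
    elif not api_key:
        raise ValueError("apiKey is required for provider %r" % provider)
    return provider, model, api_key

def key_stored_in_file(config_text):
    """True when the file embeds a literal key instead of "env" (hygiene check)."""
    key = json.loads(config_text).get("ai", {}).get("apiKey")
    return bool(key) and key != "env"

# Constructed sample mirroring the documented layout (not a real key anywhere).
SAMPLE_CONFIG = json.dumps({"version": 1, "ai": {
    "provider": "anthropic", "model": "claude-sonnet-4-20250514", "apiKey": "env"}})
```

Run `resolve_ai_config(SAMPLE_CONFIG, os.environ)` before invoking the scanner to fail fast when the environment lacks the key the file points to.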

Detection rules

Static rules cover OWASP Top 10 categories A01, A02, A03, A05, A07, A09. The remaining categories (A04, A06, A08, A10) surface through AI-assisted analysis. New rules live in packages/cli/src/rules/.

Found a false positive or missing case? Open an issue with a minimal repro.

Contributing

PRs welcome. See CONTRIBUTING.md for dev setup, repo layout, and how to add a detection rule.

git clone https://github.com/DecOperations/OWASP.WTF.git
cd OWASP.WTF
pnpm install
pnpm build
node packages/cli/dist/index.js .