Public Roadmap

Roadmap

Where OWASP.WTF is going. Sourced from ROADMAP.md at the repo root — edit it via PR to propose changes.

overall:22/63 shipped·10 phases

Shipped

Live in main and published to GitHub Packages.

In Progress

Actively being built. PRs landing.

Planned

Scoped and queued. Issues filed.

Exploring

Under consideration. Open to discussion.

Planned

Vision

> OWASP.WTF runs the best open-source security scanners and turns the mess > into one OWASP Top 10 semantic report with agent-ready fixes. We don't compete on detection. We orchestrate, normalize, prioritize, map to OWASP, and emit reports humans and coding agents can act on.

    ShippedETA 2026-Q2
    8/8
    100%

    Phase 1 — Release Automation Foundation

    Productionize the release pipeline so every version ships automatically from Conventional Commits with no manual bumps.

    • Conventional Commits enforced via commitlint + husky
    • semantic-release wired with conventionalcommits preset
    • Tag format anchored to `cli-v*`
    • 0.x graduation guard (BREAKING → minor while pre-1.0)
    • CI quality gates: lint, typecheck, test, build, self-scan
    • Release workflow: gated by CI, publishes to GitHub Packages
    • Post-release smoke test
    • Build-time version metadata (`--version` reports SHA + build date)
    In ProgressETA 2026-Q2
    10/11
    91%

    Phase 2 — Meta-Scanner Orchestrator

    Reposition the CLI from "another scanner" to an AppSec orchestrator that runs best-of-breed OSS tools, normalizes their output, and maps to OWASP Top 10. See [`specs/owasp-wtf-v2.md`](./specs/owasp-wtf-v2.md).

    • Adapter interface + normalized `OwaspFinding` schema
    • Native adapter (zero-dep regex rules, always available)
    • Semgrep / Gitleaks / Trivy adapters
    • Deterministic CWE → OWASP Top 10 2021 mapping table
    • Cross-tool dedupe with `confirmedBy`
    • `quick` / `scan` / `deep` / `ci` / `fix-plan` / `doctor` / `install-tools` subcommands
    • Terminal / JSON / SARIF / Markdown / HTML reporters
    • Agent fix-plan reporter (`SECURITY_FIX_PLAN.md`)
    • Severity-based `--fail-on` for CI
    • GitHub Action wired to the v2 subcommand surface
    • Per-finding deduplication tests / golden files
    In ProgressETA 2026-Q3
    3/13
    23%

    Phase 3 — Supply Chain & Security Hardening

    Make release artifacts verifiable end-to-end and expand the orchestrator to cover the supply chain.

    • Syft SBOM generation adapter (Phase 2 of the CLI)
    • Grype CVE matching adapter
    • Hadolint Dockerfile linting (auto-enabled when Dockerfile present)
    • Gitleaks secret scan in repo CI on PR + push
    • OSV-Scanner dependency audit
    • CodeQL workflow for JS/TS
    • Syft SBOM uploaded as release artifact (CycloneDX + SPDX)
    • [Dependency-Track](https://dependencytrack.org/) push integration
    • VEX statements for known-not-exploitable CVEs
    • npm Trusted Publishing (OIDC, no long-lived `NPM_TOKEN`)
    • Provenance attestations on every published version
    • Branch protection: linear history, signed commits, required reviews
    • `SECURITY.md` with vulnerability disclosure policy
    PlannedETA 2026-Q3
    0/8
    0%

    Phase 4 — CI/CD & PR Continuous Delivery

    Ship every PR as an installable canary, and make the GitHub Action a first-class part of the dev loop.

    • Per-PR canary publishing `0.x.y-pr.<num>.<sha>`
    • PR comment bot with `npm install @canary` instructions
    • Nightly prerelease channel
    • PR comment summary from the Action (markdown + emoji badges)
    • DefectDojo-compatible JSON importer output
    • Workflow templates for Vercel / Cloudflare / Fly.io
    • Preview-deploy scanner reports linked from PR
    • Auto-revert if smoke-test fails post-publish
    PlannedETA 2026-Q3
    1/6
    17%

    Phase 5 — Coding-Agent Layer

    Translate findings into machine-actionable remediation that agents (Claude Code, Cursor, Codex, Copilot) can apply.

    • Generic `SECURITY_FIX_PLAN.md` writer
    • Per-agent prompt formats (Claude / Cursor / Codex / Copilot variants)
    • `.cursor/rules/security.mdc` writer
    • `CLAUDE_SECURITY.md` writer
    • MCP server exposing `scan`, `explain`, `fix-plan`
    • Live mode: `owasp-wtf watch` re-scans on file changes
    PlannedETA 2026-Q4
    0/7
    0%

    Phase 6 — Public API Stabilization

    Lock down the contracts users depend on so we can cut a deliberate `1.0.0`.

    • Document CLI command surface and flags
    • Document config file schema with JSON Schema
    • Stable JSON output schema with versioning (`schemaVersion`)
    • Stable SARIF output conforming to SARIF 2.1.0
    • Documented exit codes
    • Plugin interface for custom adapters and rules
    • Backwards-compat policy in `CONTRIBUTING.md`
    ExploringETA 2026-Q4
    0/5
    0%

    Phase 7 — Semantic + DAST

    Go beyond pattern matching and SCA. Agentic semantic review for business logic, dynamic scanning for live apps, framework-specific rule packs.

    • [deepsec](https://github.com/vercel-labs/deepsec) adapter (agentic semantic scan)
    • OWASP ZAP adapter (`--url` against a live app)
    • Framework packs: Next.js / NestJS / Rails / Django / Laravel
    • Optional: Solana / EVM smart-contract rule packs
    • CVE-aware adapter version synchronization
    Exploring
    0/5
    0%

    Phase 8 — Web Platform

    Hosted dashboards, team collaboration, historical trends.

    • Hosted scan history per repo
    • Team accounts and access control
    • Trend charts (severity over time)
    • PR check integration as a GitHub App
    • Webhook delivery for findings
    Planned

    Non-goals

    - Reimplementing what Trivy / Semgrep / Gitleaks already do - Replacing vulnerability management platforms (DefectDojo, ArmorCode, Apiiro) - Implying official OWASP foundation endorsement — marketing must say _"OWASP Top 10 oriented."_

      $ Want to nudge a priority? Open an issue or comment on existing ones.