OWASP Category Mapping
Use this skill when the user asks for OWASP Top 10 mapping, CWE alignment, or standards-oriented reporting. The directory name stays `owasp-2025` for backward compatibility, but external reports should use official OWASP Top 10 names.
Best use case
OWASP Category Mapping is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use this skill when the user asks for OWASP Top 10 mapping, CWE alignment, or standards-oriented reporting. The directory name stays `owasp-2025` for backward compatibility, but external reports should use official OWASP Top 10 names.
Teams using OWASP Category Mapping should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/owasp-2025/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How OWASP Category Mapping Compares
| Feature / Agent | OWASP Category Mapping | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use this skill when the user asks for OWASP Top 10 mapping, CWE alignment, or standards-oriented reporting. The directory name stays `owasp-2025` for backward compatibility, but external reports should use official OWASP Top 10 names.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# OWASP Top 10 Reference ## Purpose Map VulnScout findings to official OWASP Top 10 category names, highlight what the plugin covers well, and keep reports aligned with widely recognized security terminology. ## Reporting Rule - Use official OWASP Top 10 names in user-facing reports. - Treat the `owasp-2025` directory name as a compatibility alias, not as proof of a future OWASP taxonomy. - Prefer CWE plus concrete vulnerability class when a finding does not fit cleanly into a single OWASP bucket. ## Coverage Overview | OWASP Top 10 | VulnScout Coverage | Primary Skills | |--------------|--------------------|----------------| | A01: Broken Access Control | Strong | `business-logic`, `threat-modeling` | | A02: Cryptographic Failures | Strong | `cryptographic-failures` | | A03: Injection | Strong | `vuln-patterns`, `dangerous-functions`, `framework-patterns` | | A04: Insecure Design | Strong | `business-logic`, `threat-modeling` | | A05: Security Misconfiguration | Strong | `security-misconfiguration`, `framework-patterns` | | A06: Vulnerable and Outdated Components | Out of scope | *(dependency and SBOM tooling)* | | A07: Identification and Authentication Failures | Moderate | `vuln-patterns`, `business-logic` | | A08: Software and Data Integrity Failures | Moderate | `vuln-patterns`, `sensitive-data-leakage` | | A09: Security Logging and Monitoring Failures | Strong | `logging-failures`, `sensitive-data-leakage` | | A10: Server-Side Request Forgery | Strong | `vuln-patterns`, `framework-patterns`, `vulnerability-chains` | ## Mapping Guidance ### A01: Broken Access Control Use for: - IDOR - missing authorization checks - role and tenant boundary bypasses - unsafe direct access to user-controlled object identifiers Common CWE anchors: - CWE-284 - CWE-285 - CWE-639 - CWE-862 - CWE-863 ### A02: Cryptographic Failures Use for: - weak or obsolete algorithms - hardcoded secrets - insecure randomness - missing encryption on sensitive data paths Common CWE anchors: - CWE-326 - CWE-327 - CWE-330 - CWE-338 - CWE-798 ### A03: Injection Use for: - SQL injection - command injection - SSTI - XSS - LDAP injection - unsafe interpreter invocation Common CWE anchors: - CWE-77 - CWE-78 - CWE-79 - CWE-89 - CWE-90 - CWE-94 ### A04: Insecure Design Use for: - missing rate limits or workflow controls - trust boundary violations - dangerous state transitions - business logic flaws that are not just a missing authorization check Common CWE anchors: - CWE-209 - CWE-256 - CWE-501 - CWE-522 - CWE-656 ### A05: Security Misconfiguration Use for: - debug mode in production - insecure defaults - exposed internal tooling - missing hardening headers or framework safety controls Common CWE anchors: - CWE-16 - CWE-209 - CWE-215 - CWE-548 - CWE-756 ### A06: Vulnerable and Outdated Components Out of scope for this plugin's code-review workflow. If the user needs this category: - hand off to dependency scanning, SBOM, or supply-chain tooling - do not overstate coverage in VulnScout-generated reports ### A07: Identification and Authentication Failures Use for: - session fixation - weak password or token validation - authentication bypass - unsafe MFA or reset flows Common CWE anchors: - CWE-287 - CWE-288 - CWE-294 - CWE-307 - CWE-384 - CWE-640 ### A08: Software and Data Integrity Failures Use for: - unsafe deserialization - integrity bypasses in update or build flows - unsigned or unverified data loading - missing signature verification Common CWE anchors: - CWE-345 - CWE-353 - CWE-502 - CWE-565 - CWE-784 - CWE-829 ### A09: Security Logging and Monitoring Failures Use for: - log injection - secrets in logs - missing security event coverage - missing or unusable audit trails for critical actions Common CWE anchors: - CWE-117 - CWE-223 - CWE-532 - CWE-778 ### A10: Server-Side Request Forgery Use for: - server-side fetches of attacker-controlled URLs - metadata service reachability - internal pivoting through HTTP clients - webhook, callback, and proxy misuse without host or protocol controls Common CWE anchors: - CWE-918 ## Reporting Template When mapping a finding, prefer this shape: ```markdown - OWASP: A03 Injection - CWE: CWE-89 - Why it fits: user-controlled input reaches SQL execution without parameter binding ``` ## Guardrails - Do not upgrade a `hotspot` into a reportable finding just to fill an OWASP bucket. - If the best label is uncertain, keep the concrete vulnerability type and CWE, and state the OWASP category as provisional. - Unsupported-language verification should remain `na_cpg`, not `false_positive`.
Related Skills
OWASP API Security Top 10
This skill should be used when the user asks about "API security", "OWASP API Top 10", "BOLA", "broken object level authorization", "API authentication", "mass assignment", "GraphQL security", "gRPC security", "rate limiting", "API abuse", "REST API vulnerabilities", or needs to identify API-specific security issues during whitebox security review.
Compliance Mapping
This skill should be used when the user asks about "compliance mapping", "PCI-DSS", "HIPAA", "SOC 2", "NIST CSF", "regulatory requirements", "compliance report", or needs to map security findings to compliance framework requirements.
Workspace Discovery
This skill should be used when the user asks to "detect workspaces", "find packages", "list monorepo packages", "workspace structure", "monorepo analysis", or needs to identify workspace/package boundaries in a codebase for focused security analysis.
vulnerability-chains
This skill should be used when the user asks about "vulnerability chains", "chained exploits", "multi-step attacks", "SSRF to RCE", "pivot attacks", or needs to identify how vulnerabilities in different components can be combined during whitebox security review.
Vulnerability Patterns
This skill should be used when the user asks about "vulnerability patterns", "how to find SQL injection", "XSS patterns", "command injection techniques", "OWASP vulnerabilities", "common web vulnerabilities", "exploitation patterns", or needs to understand how specific vulnerability classes work during whitebox security review.
Threat Modeling
This skill should be used when the user asks about "threat model", "STRIDE", "data flow diagram", "attack surface", "threat analysis", "security architecture", "component threats", "trust boundaries", "technology decomposition", or needs systematic threat identification during whitebox security review.
verify-finding
Drive a single finding through CPG verification and false-positive triage.
start-audit
Guided first-run security audit: doctor, scope, threats, scan, verify, report.
scope-repo
Decide audit boundaries for large or monorepo targets and write audit-plan.md.
review-pr
Diff-aware PR security review with verified findings and PR comment payload.
package-evidence
Bundle findings, reports, audit plan, and ledger into one evidence zip.
Sensitive Data Leakage
Detect ANY credential/secret flowing to ANY output sink. Use when asked about "credential leakage", "secret logging", "sensitive data exposure", "CWE-532", "password in logs", "token exposure", or security logging issues.