Compliance Framework

OWASP ASVS, verified in code.

The OWASP Application Security Verification Standard (ASVS) defines the security requirements for designing, developing, and testing secure web applications. MergeGuide enforces ASVS Level 1 and Level 2 requirements at the code layer, catching violations before they reach your application.

The standard

What ASVS levels mean for your team

ASVS is organized into three verification levels based on application risk. Level 1 covers the baseline security requirements for any web application. Level 2 adds requirements for applications that contain sensitive data or perform significant transactions. Level 3 is for the most critical applications.

MergeGuide maps ASVS L1 (starter tier) and L2 (pro tier) requirements, the range relevant to most commercial software teams building applications under SOC 2, HIPAA, PCI-DSS, or enterprise security requirements.

MergeGuide includes policies that guide implementation of OWASP ASVS L1 and L2 requirements, mapped to detection rules that enforce authentication, session management, input validation, cryptography, and access control requirements in code.

Mapped chapters

ASVS chapter coverage

MergeGuide templates map key OWASP ASVS chapters (V1 through V14) to code-level detection patterns:

  • V1 (Architecture, Design and Threat Modeling): enforcing security architectural patterns
  • V2 (Authentication): detecting weak or missing authentication implementations
  • V3 (Session Management): detecting insecure session handling patterns
  • V5 (Validation, Sanitization and Encoding): detecting injection and XSS patterns
  • V6 (Stored Cryptography): detecting weak encryption and insecure key storage
  • V8 (Data Protection): detecting unprotected sensitive data in code
  • V9 (Communication): detecting insecure transmission configurations

Enforcement

How MergeGuide enforces OWASP ASVS

ASVS checklist evidence

Every PR Gate evaluation maps findings to their ASVS requirement ID, giving security teams a running checklist of which ASVS requirements have been continuously verified across your codebase and which may need additional attention.

SOC 2 and PCI alignment

ASVS requirements align closely with SOC 2 TSC and PCI-DSS security requirements. MergeGuide's PolicyMerge resolves overlapping controls, so a single ASVS L2 evaluation can satisfy mapped requirements across these frameworks at the same time.

AI coding assistant coverage

ASVS requirements apply equally to AI-generated code. MergeGuide's MCP server injects ASVS policy requirements into AI coding assistants, preventing ASVS violations from being introduced at code generation time, not just caught at review.

Detection engine

ASVS detection patterns

Selected examples of what MergeGuide catches. These patterns run on every commit, across the languages your team writes in.

ASVS Requirement               | What MergeGuide Detects                                                | Severity
-------------------------------|------------------------------------------------------------------------|---------
V5.3 Output Encoding           | Unsanitized user input rendered in HTML output (XSS patterns)          | Critical
V5.3 Injection Prevention      | SQL injection: unparameterized queries with user-controlled input      | Critical
V2.4 Credential Storage        | Passwords stored with weak or no hashing in application code           | Critical
V2.10 Service Authentication   | Hardcoded credentials for service-to-service authentication            | Critical
V6.2 Algorithms                | Use of deprecated algorithms (MD5, SHA-1) for cryptographic operations | High
V9.1 Communication Security    | TLS 1.0/1.1 usage or disabled certificate verification                 | High
V3.4 Cookie-Based Session Mgmt | Session cookies without Secure, HttpOnly, or SameSite attributes       | High
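The checklist mechanism described under "ASVS checklist evidence" and the detection patterns in the table above, shown together as an added Python example that is not MergeGuide's code: a small line-oriented scanner whose rules carry the ASVS requirement IDs and severities from the table, run over constructed sample source lines, with the findings rolled up into a per-requirement status. The regular expressions, the rule set, and the sample lines are assumptions made for this illustration; the page does not show MergeGuide's actual detectors.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Rule table: each entry carries the ASVS requirement ID and severity quoted on
# the page, plus a constructed check. The checks are illustrative heuristics
# written for this example; they are not MergeGuide's detection logic.
@dataclass(frozen=True)
class Rule:
    asvs_id: str
    title: str
    severity: str
    check: Callable[[str], bool]  # True when the source line violates the rule

def matches(regex: str) -> Callable[[str], bool]:
    """Build a line check from a regular expression."""
    pattern = re.compile(regex)
    return lambda line: pattern.search(line) is not None

def insecure_cookie(line: str) -> bool:
    """V3.4: a set_cookie call missing Secure, HttpOnly or SameSite (Flask-style keyword args)."""
    if "set_cookie(" not in line:
        return False
    return not all(attr in line for attr in ("secure=True", "httponly=True", "samesite="))

RULES = [
    # template constructs that bypass autoescaping
    Rule("V5.3", "Output Encoding", "Critical", matches(r"\|\s*safe\b|\bMarkup\(")),
    # f-string, concatenation or %-formatting passed straight to execute()/query()
    Rule("V5.3", "Injection Prevention", "Critical",
         matches(r'\.(?:execute|query)\(\s*(?:f"|"[^"]*"\s*(?:\+|%))')),
    # string literal assigned to a credential-looking name
    Rule("V2.10", "Service Authentication", "Critical",
         matches(r'(?i)\b(?:password|api_key|secret|token)\s*=\s*["\'][^"\']+["\']')),
    # deprecated digests
    Rule("V6.2", "Algorithms", "High", matches(r"\bhashlib\.(?:md5|sha1)\(")),
    # certificate verification disabled, or TLS 1.0/1.1 pinned
    Rule("V9.1", "Communication Security", "High",
         matches(r"verify\s*=\s*False|\bPROTOCOL_TLSv1(?:_1)?\b")),
    Rule("V3.4", "Cookie-Based Session Mgmt", "High", insecure_cookie),
]

@dataclass(frozen=True)
class Finding:
    line_no: int
    asvs_id: str
    title: str
    severity: str
    snippet: str

def scan(source: str, rules: list[Rule] = RULES) -> list[Finding]:
    """Run every rule over every line; each hit becomes a Finding tagged with its ASVS ID."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule in rules:
            if rule.check(line):
                findings.append(Finding(line_no, rule.asvs_id, rule.title, rule.severity, line.strip()))
    return findings

def checklist(findings: list[Finding], rules: list[Rule] = RULES) -> dict[str, str]:
    """Per-requirement status: flagged requirements need attention; the rest had no hits in this scan."""
    flagged = {(f.asvs_id, f.title) for f in findings}
    return {
        f"{r.asvs_id} {r.title}": "needs attention" if (r.asvs_id, r.title) in flagged else "no violations detected"
        for r in rules
    }

# Constructed sample source (not taken from any real project): a violating line
# followed by its compliant counterpart where the rule has one.
SAMPLE_SOURCE = '''cur.execute("SELECT * FROM users WHERE id = " + user_id)
cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
digest = hashlib.md5(password.encode()).hexdigest()
digest = hashlib.sha256(password.encode()).hexdigest()
resp = requests.get(url, verify=False)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
response.set_cookie("session", sid)
response.set_cookie("session", sid, secure=True, httponly=True, samesite="Lax")
API_KEY = "constructed-placeholder-not-a-real-key"
html = escape(user_input)
'''

if __name__ == "__main__":
    found = scan(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f.line_no}: {f.asvs_id} {f.title} [{f.severity}] {f.snippet}")
    for requirement, status in checklist(found).items():
        print(f"{requirement}: {status}")
```

The status "no violations detected" means only that none of this scan's heuristics fired, which is why pattern rules of this kind are normally backed by language-aware parsing and why the evidence is worth keeping per commit rather than as a single snapshot.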

Building web applications under security requirements?

See how MergeGuide enforces OWASP ASVS L1 and L2 requirements at the code layer and generates continuous verification evidence.
