The OWASP Application Security Verification Standard (ASVS) defines the security requirements for designing, developing, and testing secure web applications. MergeGuide enforces ASVS Level 1 and Level 2 requirements at the code layer — catching violations before they reach your application.
ASVS is organized into three verification levels chosen by application risk. Level 1 is the baseline every web application should meet, and it is the only level ASVS describes as fully verifiable by penetration testing alone, without source access. Level 2, which ASVS recommends for most applications, adds requirements for applications that hold sensitive data or perform significant transactions. Level 3 is reserved for the most critical applications, such as those handling high-value transactions or sensitive medical data.
MergeGuide covers ASVS L1 (starter tier) and L2 (pro tier) requirements — the range relevant to most commercial software teams building applications under SOC 2, HIPAA, PCI-DSS, or enterprise security requirements.
MergeGuide includes policies that guide implementation of OWASP ASVS L1 and L2 requirements — mapped to detection rules that enforce authentication, session management, input validation, cryptography, and access control requirements in code.
MergeGuide templates cover key OWASP ASVS chapters at the code level (requirement IDs below use ASVS 4.0 numbering):
| ASVS Requirement | What MergeGuide Detects | Severity |
|---|---|---|
| V5.3 — Output Encoding | User-controlled data written into HTML output without context-aware encoding (XSS patterns) | Critical |
| V5.3 — Injection Prevention | SQL injection — unparameterized queries with user-controlled input | Critical |
| V2.4 — Credential Storage | Passwords stored with weak or no hashing in application code | Critical |
| V2.10 — Service Authentication | Hardcoded credentials for service-to-service authentication | Critical |
| V6.2 — Algorithms | Use of deprecated algorithms (MD5, SHA-1) for cryptographic operations | High |
| V9.1 / V9.2 — Communication Security | TLS 1.0/1.1 still enabled (client-facing, V9.1) or certificate verification disabled on the server's own outbound connections (V9.2) | High |
| V3.4 — Cookie-Based Session Mgmt | Session cookies without Secure, HttpOnly, or SameSite attributes | High |
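As an added illustration of what code-level detection of these rows looks like (example code written for this page, not MergeGuide's rules or any of its output), the checker below walks a Python AST and flags five of the patterns in the table, tagging each hit with the ASVS 4.0 section it maps to. The two sources it scans are constructed samples: one with a single violation per rule, the other with the hardened equivalents, which should produce no findings. The secret-name regex, the `requests.` / `.execute` / `.set_cookie` call matching and the `hashlib` module names are assumptions of this example; a production rule set would need per-framework knowledge and would also have to handle `hashlib.new("md5")`, ORM query builders and cookie helpers that set the flags by default.

```python
# Added example: a small AST checker for five of the table's patterns (Python sources only).
import ast
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asvs: str       # ASVS 4.0 section the rule maps to
    line: int
    message: str

WEAK_HASHES = {"hashlib.md5", "hashlib.sha1"}                             # V6.2
SECRET_NAME = re.compile(r"password|passwd|secret|token|api_?key", re.I)  # V2.10 name heuristic (assumption)
COOKIE_FLAGS = ("secure", "httponly", "samesite")                         # V3.4

def dotted_name(node):
    """'requests.get' for a Name/Attribute chain; '' when the callee is itself a call result."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def is_dynamic_string(node):
    """f-string, '%'/'+' concatenation or .format(): the shapes an unparameterized query takes."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"

class AsvsChecker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        # V2.10: a non-empty string literal assigned to a secret-looking name.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self.findings.append(Finding("V2.10", node.lineno, f"hardcoded credential in {target.id}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        kwargs = {k.arg: k.value for k in node.keywords if k.arg}
        if name in WEAK_HASHES:
            self.findings.append(Finding("V6.2", node.lineno, f"deprecated hash {name}"))
        # V5.3: DB-API execute() whose statement is assembled at runtime instead of parameterized.
        if name.rsplit(".", 1)[-1] in ("execute", "executemany") and node.args and is_dynamic_string(node.args[0]):
            self.findings.append(Finding("V5.3", node.lineno, "SQL built from a dynamic string; pass parameters separately"))
        # V9.2: outbound TLS with certificate verification switched off.
        verify = kwargs.get("verify")
        if name.startswith("requests.") and isinstance(verify, ast.Constant) and verify.value is False:
            self.findings.append(Finding("V9.2", node.lineno, "TLS certificate verification disabled (verify=False)"))
        # V3.4: cookie set without all three attributes as literal truthy values (a variable counts as missing).
        if name.endswith(".set_cookie"):
            missing = [f for f in COOKIE_FLAGS if not (isinstance(kwargs.get(f), ast.Constant) and kwargs[f].value)]
            if missing:
                self.findings.append(Finding("V3.4", node.lineno, "cookie missing " + ", ".join(missing)))
        self.generic_visit(node)

def scan(source):
    """Findings for one Python source string, ordered by line."""
    checker = AsvsChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)

# Constructed samples: one violation per rule, then the hardened equivalents (no findings expected).
VULNERABLE = '''\
import hashlib, requests
API_KEY = "sk-live-0123456789"
def lookup(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = %s" % user_id)
def digest(data):
    return hashlib.md5(data).hexdigest()
def fetch(url):
    return requests.get(url, verify=False)
def login(resp, sid):
    resp.set_cookie("session", sid, httponly=True)
'''
HARDENED = '''\
import hashlib, os, requests
API_KEY = os.environ["API_KEY"]
def lookup(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
def digest(data):
    return hashlib.sha256(data).hexdigest()
def fetch(url):
    return requests.get(url, timeout=10)
def login(resp, sid):
    resp.set_cookie("session", sid, secure=True, httponly=True, samesite="Strict")
'''

if __name__ == "__main__":
    for f in scan(VULNERABLE):
        print(f"{f.asvs:<6} line {f.line:>2}: {f.message}")
    print("hardened sample findings:", scan(HARDENED))
```

Run as a script it prints the five findings from the vulnerable sample and an empty list for the hardened one. Note the deliberate bias in the V3.4 rule: a cookie flag passed as a variable rather than a literal is reported as missing, trading a false positive for never silently passing a call whose flags cannot be read from the source.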
Every PR Gate evaluation maps each finding to its ASVS requirement ID, giving security teams a running checklist of which ASVS requirements are being continuously verified across the codebase and which still need attention. Requirements that describe architecture or process rather than a pattern visible in code are not detectable this way and still have to be verified separately.
ASVS requirements overlap heavily with the SOC 2 Trust Services Criteria and PCI DSS. MergeGuide's PolicyMerge resolves the overlapping controls, so the evidence from a single ASVS L2 evaluation is mapped to the matching controls in all three frameworks at once rather than being collected three times.
ASVS requirements apply equally to AI-generated code. MergeGuide's MCP server injects ASVS policy requirements into AI coding assistants — preventing ASVS violations from being introduced at code generation time, not just caught at review.
See how MergeGuide enforces OWASP ASVS L1/L2 requirements at the code layer and generates continuous verification evidence in a live demo.