Compliance Framework

OWASP Top 10 — stopped before the first commit.

The OWASP Top 10 represents the most critical security risks to web applications. MergeGuide ships with detection rules covering all ten categories — enforcing them at IDE write time, AI generation time, git hook, and PR gate across all 14 supported languages.

The OWASP Top 10 as a baseline

The OWASP Top 10 is the most widely referenced baseline for web application security. It is an awareness document rather than a formal standard, but it is cited by PCI DSS secure-coding requirements, HIPAA security guidance, SOC 2 auditors, and enterprise security procurement questionnaires. Demonstrating OWASP Top 10 coverage is increasingly a table-stakes requirement.

Most OWASP Top 10 vulnerabilities appear in source code as recognisable patterns (an unparameterized query, a hardcoded key, a shell command built from request input) well before they become runtime exploits. MergeGuide's detection rules identify those patterns at the point of authorship, not after a penetration test. Pattern-level detection is strongest for categories such as A03 and A07; design-level weaknesses (A04) and gaps in logging (A09) are only partly visible in code, so static rules complement threat modeling and runtime testing rather than replace them.

MergeGuide's Free tier includes full OWASP Top 10 detection — 106 Semgrep rules and 237 regex patterns across 14 languages, with evidence artifacts generated for every evaluation. No paid tier required for baseline coverage.

All 10 categories covered

  • A01 — Broken Access Control: detecting missing authorization checks and privilege escalation patterns
  • A02 — Cryptographic Failures: detecting weak encryption and unencrypted sensitive data
  • A03 — Injection: SQL, OS command, and LDAP injection patterns
  • A04 — Insecure Design: detecting missing security controls at design checkpoints
  • A05 — Security Misconfiguration: debug mode, default credentials, missing headers
  • A06 — Vulnerable and Outdated Components: detecting usage patterns associated with known-vulnerable components (pattern-level; version-level checks still need a dependency scanner)
  • A07 — Identification and Authentication Failures: weak auth, hardcoded credentials
  • A08 — Software and Data Integrity Failures: detecting unsafe deserialization
  • A09 — Security Logging and Monitoring Failures: detecting missing audit logging
  • A10 — Server-Side Request Forgery (SSRF): detecting SSRF-enabling code patterns

Top detection patterns

Each entry gives the OWASP category, what MergeGuide detects, and the severity assigned to the finding.

  • A03 — Injection: SQL injection, unparameterized queries built from user-controlled input (Critical)
  • A03 — Injection: command injection via shell execution with unsanitized arguments (Critical)
  • A07 — Auth Failures: hardcoded credentials, API keys, and secrets in source code (Critical)
  • A02 — Cryptographic Failures: sensitive data stored without encryption or using deprecated algorithms (Critical)
  • A01 — Broken Access Control: missing authorization checks on protected routes and resources (High)
  • A05 — Security Misconfiguration: debug mode enabled, missing security headers, default credentials (High)
  • A10 — SSRF: user-controlled URLs passed to HTTP client functions without validation (High)
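To make the four Critical/High patterns above concrete, here is an added example of a small regex-based scanner run over constructed Python source lines. It is illustrative code written for this page, not MergeGuide's rules or its rule syntax; the patterns, the `scan` function, the `Finding` type and the sample source (including the fake `sk_live_...` key) are all assumptions constructed for the example. Each vulnerable line sits beside its hardened form so you can see what a pattern-level rule does and does not flag.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    severity: str
    snippet: str


# Illustrative patterns only (NOT MergeGuide's rules). Each tuple mirrors one
# row of the table above: category, severity, regex over a single source line.
PATTERNS = [
    # SQL built with an f-string, string concatenation/% formatting, or .format()
    ("A03 Injection / SQL", "Critical",
     re.compile(r'\b(execute|executemany|query)\(\s*(f["\']|["\'].*["\']\s*[+%]|.*\.format\()', re.I)),
    # os.system(...) or subprocess.* called with shell=True
    ("A03 Injection / command", "Critical",
     re.compile(r'(os\.system\(|subprocess\.(run|call|Popen|check_output)\(.*shell\s*=\s*True)', re.I)),
    # A secret-looking name assigned a string literal of 8+ characters
    ("A07 Auth / hardcoded secret", "Critical",
     re.compile(r'\b(password|passwd|secret|api_key|apikey|token)\s*=\s*["\'][^"\']{8,}["\']', re.I)),
    # requests.<verb>( followed by an identifier rather than a string literal
    ("A10 SSRF", "High",
     re.compile(r'\brequests\.(get|post|put|delete)\(\s*[A-Za-z_]\w*', re.I)),
]


def scan(source_lines):
    """Return one Finding per (line, pattern) hit, in source order."""
    findings = []
    for no, line in enumerate(source_lines, start=1):
        for category, severity, rx in PATTERNS:
            if rx.search(line):
                findings.append(Finding(no, category, severity, line.strip()))
    return findings


# Constructed sample: odd lines after the import are vulnerable, the line that
# follows each is the hardened equivalent. The API key is a made-up value.
SAMPLE_SOURCE = r'''
import os, subprocess, requests
API_KEY = "sk_live_0123456789abcdef"
API_KEY_OK = os.environ["API_KEY"]
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("SELECT * FROM users WHERE name = %s", (name,))
subprocess.run("ping -c 1 " + host, shell=True)
subprocess.run(["ping", "-c", "1", host])
requests.get(url)
requests.get("https://api.example.com/status")
'''.strip().splitlines()


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: [{f.severity}] {f.category}: {f.snippet}")
```

Running it flags lines 2, 4, 6 and 8 (the hardcoded key, the concatenated query, the shell=True command, and the HTTP call on a bare variable) and leaves the hardened lines alone. The SSRF rule also shows the limit of single-line regexes: `requests.get(url)` is flagged whether or not an allowlist check precedes it, because the regex cannot see the surrounding control flow. That is the gap semantic rules (Semgrep-style, with taint tracking across statements) close, and why a regex-only layer should be treated as a fast first pass rather than the final word.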

Free tier coverage

Full OWASP Top 10 detection is included in MergeGuide's Free tier — 106 Semgrep rules plus 237 regex patterns across 14 languages. Every individual developer gets baseline OWASP coverage with no subscription required.


Auditor-ready evidence

SOC 2, PCI-DSS, and enterprise security questionnaires regularly ask for OWASP Top 10 coverage evidence. MergeGuide generates signed artifacts for every evaluation — giving your security team documentation showing continuous OWASP enforcement across the codebase.


AI code generation

AI coding assistants reproduce OWASP Top 10 vulnerabilities at scale, and quickly. MergeGuide's MCP server injects OWASP policies into AI coding tools, so the rules apply while code is being generated rather than only when it is reviewed. Prevention as well as detection.

Stop OWASP Top 10 vulnerabilities at the source.

Get started free — full OWASP Top 10 detection across all 14 languages with no credit card required.
