asvs: cross-reference findings against open issues/PRs

After consolidation, cross-reference each finding against a commit-pinned
snapshot of the repo's open issues and PRs, so already-tracked or
in-flight-fix findings are flagged. Writes issues_cross_reference.md
alongside consolidated.md / issues.md (additive; does not modify them).

New agents:
- asvs_fetch_issues_prs (no model): snapshots open issues + open PRs (with
  changed files) to issues_prs:{repo}@{sha}, pinned to the audit's commit so
  the comparison is against a fixed point. GitHub GraphQL, paginated, no
  coverage cap, rate-limit aware. Requires a token.
- asvs_compare_open_issues_prs (Sonnet 4.6, temp 0.7, max_tokens 4096): reads
  the structured findings, deterministic pre-filter (file-path / CWE /
  keyword) to candidates per finding, Sonnet adjudicates survivors
  (TRACKS / ADDRESSES / RELATED / UNRELATED). Annotates and links, never
  deletes.

Updated:
- asvs_consolidate: persist structured findings to
  consolidated_findings:{reports_namespace} (additive, best-effort) so the
  compare agent reads clean JSON instead of parsing markdown.
- asvs_orchestrate: wire the snapshot fetch after commit-hash resolution and
  the compare after consolidation succeeds; both best-effort, never abort the
  run. Always-on, no flag.
4 files changed
tree: 09580f20d68b514b245fe70de47e721376b2f0c5
  1. ASVS/
  2. docs/
  3. gh-helper/
  4. gha-review/
  5. scrutineer/
  6. util/
  7. .asf.yaml
  8. .gitignore
  9. LICENSE
  10. README.md
README.md

Apache Tooling Agents

AI-driven security auditing and code review for ASF projects

Pipelines

ASVS Security Audit

Automated OWASP ASVS v5.0.0 compliance auditing for any GitHub-hosted codebase. Downloads source code, discovers the architecture, runs per-requirement security analysis with Claude, and produces a consolidated report with deduplicated findings and GitHub issues. In production — piloted on ATR and Apache Steve.

GitHub Actions Review

Automated security scan of GitHub Actions workflows across an entire GitHub organization. Combines LLM classification (which repos publish what, where) with static pattern matching (12 check types from CRITICAL to INFO) to identify exploitable workflows, supply chain risks, and policy violations. Scanned 2,500+ Apache repos.

Both pipelines run on Gofannon — see docs/gofannon for platform setup.

Repository Structure

├── ASVS/                  # ASVS security audit pipeline
│   ├── agents/            # Pipeline agent code (6 agents)
│   ├── audit_guidance/    # Project-specific false positive guidance
│   ├── reports/           # Audit output organized by project and commit
│   └── rerun-sections.sh  # QA: re-run failed sections, re-consolidate
├── gha-review/            # GitHub Actions security review
│   ├── agents/            # Review pipeline agents (7 agents + tests)
│   └── reports/           # Review output
├── docs/
│   ├── gofannon/          # Gofannon setup and agent development guide
│   ├── tooling/           # Security tooling landscape and comparisons
│   ├── roadmap/           # Eval framework, multi-spec expansion plans
│   └── how-to-contribute.md
└── util/                  # Utility scripts

Documentation

Getting Involved

Join the Conversation

  1. Mailing list: Say hello at 📧 dev@tooling.apache.org (Subscribe by sending an email with empty subject and body to dev-subscribe@tooling.apache.org and replying to the automated response, per the ASF mailing list how-to)

  2. Slack: #tooling-discuss on the ASF Slack

  3. Issues: Use GitHub Issues to ask questions, suggest approaches, or report bugs

Contribute

  • How to contribute
  • Request an audit: Just ask on the mailing list or Slack — we handle everything. No tokens, no setup needed.
  • Write audit guidance: Help reduce false positives for your project — see audit_guidance/README.md

Note: Please introduce yourself on the mailing list before submitting a PR; this helps us deter spam and means your contribution won't be overlooked.

License

This project is licensed under the Apache License 2.0.


Part of the Apache Tooling Initiative.