You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Tracks adoption of OWASP.WTF as the Security gate in Dial-WTF/PeerSpeak, a pnpm Next.js monorepo. PeerSpeak currently has zero security scanning — OWASP.WTF integration is greenfield, no overlap with any existing tool.
Consuming-side tracker: Dial-WTF/PeerSpeak#1365 — "consolidate PR checks into 6-stage gate chain". OWASP.WTF owns stage 3 (Security), one of five required PR checks.
Why this rollout matters for OWASP.WTF
PeerSpeak is the first Next.js app to adopt OWASP.WTF as a binding PR gate, and exercises parts of the scanner that the dogfood self-scan (#28) won't:
Monorepo with cross-workspace dependencies — apps/* + packages/* + experiments/* + tooling/*. Scope of a scan needs to follow changed workspaces, not blindly recurse from root.
WebRTC + wallet auth surface — stress test for the auth (A07), access control (A01), and crypto (A02) rule paths once they land beyond stubs.
Real run cadence — high PR volume means the action download / scanner install adds up. CLI tarball caching becomes a real performance concern.
Adoption checklist
Run in a fresh Claude Code / Codex session against the PeerSpeak checkout:
OWASP.WTF appears as stage 3 in PeerSpeak's pr-gates.yml (Security gate). Single required PR check: OWASP — Security.
PeerSpeak has never had security scanning. The first scan will surface a long tail of pre-existing findings that need to be triaged, not block PRs. Need a baseline mechanism:
owasp-wtf scan . --baseline owasp-baseline.json
The baseline file records findings accepted at a point in time; PRs are graded only against new findings since the baseline. Without this, the gate either floods reviewers on day one or starts non-blocking forever.
Related: --accept-finding <id> to suppress a specific finding with a reason field, written into the baseline.
G2. Workspace-aware scan
Monorepo support: owasp-wtf scan --workspace apps/dial.wtf to scope the scan to one workspace, and --changed-workspaces to scope based on a git base. Today --ignore globbing is the only knob; explicit workspace selection is cleaner and easier to wire into CI.
The composite action downloads the CLI tarball from a GitHub Release every run. On a self-hosted runner with high PR throughput, that's ~30s of avoidable network per job. Cache by version + checksum in ~/.cache/owasp-wtf/ and only re-download on version change.
Lets PeerSpeak's pr-gates.yml pass through the scope-computed workspace list without shell glue.
G5. Next.js / React rule pack
Nice-to-have, not prereq. Once native A03 rules graduate from regex to AST, ship a Next.js-aware pack:
App Router server-action auth-guard checks
dangerouslySetInnerHTML with non-sanitized input
Middleware bypass patterns
Public env var leakage (NEXT_PUBLIC_* containing secret-shaped values)
Server-only imports in client components (security boundary)
PeerSpeak would be the natural validation repo.
Open questions
Does the existing semgrep adapter (called via --config p/owasp-top-ten) cover Next.js patterns sufficiently, or do we want --config p/nextjs added as a default when a Next.js project is detected?
For the first PR-blocking week, should fail-on start at critical and tighten to high once the baseline is stable, or start at high and triage aggressively?
Where should the fix-plan --agent claude artifact be uploaded — PR comment, workflow artifact, or both?
OWASP.WTF Security gate is a required PR check on main in PeerSpeak.
Baseline file committed and the gate has blocked at least one PR for a new finding (proving the gate is binding and the baseline isn't masking everything).
Nightly deep scan running and reporting via SARIF to GitHub code scanning.
Tracks adoption of OWASP.WTF as the Security gate in Dial-WTF/PeerSpeak, a pnpm Next.js monorepo. PeerSpeak currently has zero security scanning — OWASP.WTF integration is greenfield, no overlap with any existing tool.
Consuming-side tracker: Dial-WTF/PeerSpeak#1365 — "consolidate PR checks into 6-stage gate chain". OWASP.WTF owns stage 3 (
Security), one of five required PR checks.Why this rollout matters for OWASP.WTF
PeerSpeak is the first Next.js app to adopt OWASP.WTF as a binding PR gate, and exercises parts of the scanner that the dogfood self-scan (#28) won't:
.next/,.turbo/,dist/,storybook-static/directories generate false-positive secrets in obfuscated JS. Default-ignore work in fix(cli): add default ignore patterns for build output dirs (.next/, dist/) to suppress FP secrets #30 is a hard prereq.apps/*+packages/*+experiments/*+tooling/*. Scope of a scan needs to follow changed workspaces, not blindly recurse from root.Adoption checklist
Run in a fresh Claude Code / Codex session against the PeerSpeak checkout:
pr-gates.yml(Securitygate). Single required PR check:OWASP — Security.[self-hosted, linux, x64, dial-lab, peerspeak].mode: scan,format: sarif,fail-on: high. SARIF uploaded to GitHub code scanning.security-events: write,contents: read,pull-requests: write.Securitycheck added tomainbranch protection rules.Securitygate green.deepmode scheduled nightly on main (separate workflowapp-gate-full.ymlor similar).fix-plan --agent claudeartifact attached to failing PRs.Hard prereqs (existing issues in this repo)
.next/,dist/(and ideally.turbo/,coverage/,storybook-static/,**/__generated__/). Hard prereq — Next.js build output will generate hundreds of false-positive secrets otherwise.Engine gaps surfaced by this rollout
New items beyond the existing issue tracker:
G1. Baseline / snapshot mode
PeerSpeak has never had security scanning. The first scan will surface a long tail of pre-existing findings that need to be triaged, not block PRs. Need a baseline mechanism:
The baseline file records findings accepted at a point in time; PRs are graded only against new findings since the baseline. Without this, the gate either floods reviewers on day one or starts non-blocking forever.
Related:
--accept-finding <id>to suppress a specific finding with a reason field, written into the baseline.G2. Workspace-aware scan
Monorepo support:
owasp-wtf scan --workspace apps/dial.wtfto scope the scan to one workspace, and--changed-workspacesto scope based on a git base. Today--ignoreglobbing is the only knob; explicit workspace selection is cleaner and easier to wire into CI.Proposal:
or:
G3. Cache CLI tarball between action runs
The composite action downloads the CLI tarball from a GitHub Release every run. On a self-hosted runner with high PR throughput, that's ~30s of avoidable network per job. Cache by version + checksum in
~/.cache/owasp-wtf/and only re-download on version change.Low effort; meaningful saving on a busy repo.
G4. Action input UX for monorepos
With G2 landed, surface the same in
action.yml:Lets PeerSpeak's
pr-gates.ymlpass through the scope-computed workspace list without shell glue.G5. Next.js / React rule pack
Nice-to-have, not prereq. Once native A03 rules graduate from regex to AST, ship a Next.js-aware pack:
dangerouslySetInnerHTMLwith non-sanitized inputNEXT_PUBLIC_*containing secret-shaped values)PeerSpeak would be the natural validation repo.
Open questions
--config p/owasp-top-ten) cover Next.js patterns sufficiently, or do we want--config p/nextjsadded as a default when a Next.js project is detected?fail-onstart atcriticaland tighten tohighonce the baseline is stable, or start athighand triage aggressively?fix-plan --agent claudeartifact be uploaded — PR comment, workflow artifact, or both?Done when
mainin PeerSpeak.deepscan running and reporting via SARIF to GitHub code scanning.