OWASP LLM Top 10 Coverage
Rigour provides Strong coverage for all 10 OWASP risks identified in the "Top 10 Risks for Code Generated by LLM" (SonarQube/OWASP, 2025 v2).

Coverage Matrix
| # | OWASP Risk | Rigour Gate(s) | Coverage |
|---|---|---|---|
| 1 | Injection Flaws — SQL injection, command injection, XSS | security-patterns — SQL injection, command injection, XSS, eval with user input | Strong |
| 2 | Broken Authentication — hardcoded passwords, weak auth | security-patterns — hardcoded secrets, weak crypto detection | Strong |
| 3 | Sensitive Data Exposure — hardcoded keys, leaked secrets | security-patterns — API keys, tokens, passwords; hooks real-time blocking | Strong |
| 4 | Hallucinated Dependencies — non-existent packages | hallucinated-imports — verifies every import against node_modules and registry | Strong |
| 5 | Improper Error Handling — missing try/catch, unhandled promises | promise-safety + error-handling — catches floating promises, missing error boundaries | Strong |
| 6 | Unsafe Output Handling — reflected user input, template injection | security-patterns — response reflection, template injection, eval with user input | Strong |
| 7 | Denial of Service — ReDoS, resource exhaustion | security-patterns — dynamic regex from user input, nested quantifiers | Strong |
| 8 | Missing Input Validation — raw body parsing, type assertions | security-patterns — `JSON.parse` without validation, `as any` assertions | Strong |
| 9 | Overly Permissive Code — CORS wildcards, chmod 777 | security-patterns — CORS wildcard origin, `0.0.0.0` binding, `chmod 777`, wildcard headers | Strong |
| 10 | Insufficient Code Quality — duplication, complexity, dead code | file-size + ast-complexity + duplication-drift + content-check | Strong |
10 out of 10 OWASP LLM code risks have Strong coverage via Rigour's deterministic quality gates.
AI Drift Detection (Beyond OWASP)
Rigour also catches AI-specific issues not covered by traditional OWASP lists:
| Issue | Gate | Description |
|---|---|---|
| Hallucinated Imports | hallucinated-imports | AI models fabricate package names that don't exist |
| Floating Promises | promise-safety | AI often forgets `await` on async calls |
| Context Window Artifacts | context-window-artifacts | Leftover debugging code, placeholder text from AI context |
| Duplication Drift | duplication-drift | AI generates similar code blocks instead of reusing existing patterns |
Real-Time Prevention with Hooks
Hooks catch OWASP risks before code is committed:
```
Agent: Write → src/auth.ts
const API_KEY = "sk-live-4f3c2b1a..."

[rigour/hook] CRITICAL [security-patterns] src/auth.ts:3
  → Possible hardcoded secret or API key (OWASP #3)
```
See Real-Time Hooks for setup instructions.
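To make the security-patterns gate above concrete, here is an added illustration (not Rigour's own implementation) of a line-based scanner that applies a handful of the rules listed in the coverage matrix to a constructed `src/auth.ts` and prints findings in the hook's report format. The rule names, regexes and sample file are assumptions made for this example.

```typescript
// Illustrative scanner modelled on the security-patterns gate described on this
// page. Rule ids, regexes and the sample source are constructed for the example;
// the OWASP numbers follow the coverage matrix above.
interface Rule { id: string; owasp: number; message: string; re: RegExp; }
interface Finding { file: string; line: number; rule: Rule; }

const RULES: Rule[] = [
  { id: "hardcoded-secret", owasp: 3, message: "Possible hardcoded secret or API key",
    re: /(?:api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{8,}["']/i },
  { id: "sql-injection", owasp: 1, message: "SQL built by string concatenation with a variable",
    re: /(?:SELECT|INSERT|UPDATE|DELETE)\b[^;]*["'`]\s*\+\s*\w+/i },
  { id: "cors-wildcard", owasp: 9, message: "CORS wildcard origin",
    re: /(?:origin\s*:\s*["']\*["']|Access-Control-Allow-Origin["']\s*,\s*["']\*["'])/i },
  { id: "bind-any", owasp: 9, message: "Service bound to 0.0.0.0", re: /["']0\.0\.0\.0["']/ },
  { id: "unvalidated-parse", owasp: 8, message: "JSON.parse on request body without validation",
    re: /JSON\.parse\(\s*(?:req|request)\.body/ },
  { id: "as-any", owasp: 8, message: "Type assertion to any bypasses input validation", re: /\bas\s+any\b/ },
  { id: "dynamic-regex", owasp: 7, message: "RegExp built from user input (ReDoS risk)",
    re: /new\s+RegExp\(\s*(?:req|request|input|user)\w*/ },
];

// Scan one file's source text line by line; every matching rule yields a finding.
function scan(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return;                 // skip single-line comments
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ file, line: i + 1, rule });
    }
  });
  return findings;
}

// Render findings in the same shape as the hook output shown above.
function formatHookReport(findings: Finding[]): string[] {
  return findings.map((f) =>
    `[rigour/hook] CRITICAL [security-patterns] ${f.file}:${f.line}\n  → ${f.rule.message} (OWASP #${f.rule.owasp})`);
}

// Constructed sample file: the API key value is a placeholder, not a real key.
const SAMPLE_AUTH_TS = [
  'import express from "express";',
  'import cors from "cors";',
  'const API_KEY = "sk-live-4f3c2b1a-example-not-real";',            // line 3: OWASP #3
  'const app = express();',
  'app.use(cors({ origin: "*" }));',                                  // line 5: OWASP #9
  'app.post("/login", (req, res) => {',
  '  const body = JSON.parse(req.body) as any;',                      // line 7: OWASP #8 (twice)
  '  const q = "SELECT * FROM users WHERE name = \'" + body.name + "\'";', // line 8: OWASP #1
  '  const filter = new RegExp(req.query.pattern);',                  // line 9: OWASP #7
  '  res.json({ ok: true });',
  '});',
  'app.listen(3000, "0.0.0.0");',                                     // line 12: OWASP #9
].join("\n");

for (const line of formatHookReport(scan("src/auth.ts", SAMPLE_AUTH_TS))) console.log(line);
```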
Peer-Reviewed Research
The approach behind Rigour's deterministic quality gates is documented in a peer-reviewed whitepaper:
Singh, A. (2025). Deterministic Quality Gates and Governance for AI-Generated Code in Regulated Software Systems. Zenodo. DOI:10.5281/zenodo.18673564
Next Steps
- Real-Time Hooks: Install hooks for your AI tool.
- Security Patterns: Full list of 25+ vulnerability patterns.
- Industry Presets: HIPAA, SOC2, FedRAMP compliance configuration.