Visa Vulnerability Agentic Harness — Agentic SAST Pipeline

src/network-services-pentesting/pentesting-web/code-review-tools.md

@@ -92,6 +92,35 @@ These are especially relevant when a path passes through validation in wide-char
 
 There is a **free package to review PRs**.
 
+### Agentic SAST pipelines
+
+Modern **AI-assisted code review** works better as a **staged pipeline** than as a single `scan this repo` prompt. A practical pattern used by tools such as **[Visa Vulnerability Agentic Harness (VVAH)](https://github.com/visa/visa-vulnerability-agentic-harness)** is:
+
+1. **Threat-model first**: inventory entrypoints, assets, trust boundaries, API boundaries, authz paths, taint candidates and reachable components before deep review. If available, enrich this with CMDB / known-CVE / control data so the model prioritizes realistic attack paths instead of isolated code smells.
+2. **Split research by lens**: run separate passes for access control, business logic, crypto, deserialization, IaC, batch/ETL, or language-specific sinks instead of trusting one generic review.
+3. **Require deterministic gates**: only promote a finding if it survives policy checks such as evidence completeness, majority voting, or repeated independent review.
+4. **Add adversarial verification**: force a second pass that tries to prove the trust-boundary crossing and exploitability: attacker-controlled input, source-to-sink reachability, missing authorization, privilege boundary crossed, and realistic impact.
+5. **Report chains, not only single bugs**: deduplicate related findings, map them to **CWE/CVSS**, and emit **SARIF** so the output can be ingested by code-scanning and vuln-management platforms.
+
+This usually produces fewer but **higher-signal triage candidates** and is especially useful in large repos where the bottleneck is analyst triage time rather than raw finding count.
+
+#### Quick start example with `vvaharness`
+
+```bash
+python3 -m venv .venv
+source .venv/bin/activate
+pip install .
+vvaharness doctor
+vvaharness estimate --repo /path/to/target
+vvaharness scan --repo /path/to/target --application-id 12345
+```
+
+Useful operational details:
+
+- `vvaharness scan --resume` skips completed checkpoints after an interruption.
+- Per-target output is written under `<target>/security-scan/` as Markdown reports, `*.sarif`, and `*_errors.jsonl`.
+- Treat results as **triage candidates**, not confirmed vulns: this kind of pipeline is best at prioritising manual review, not replacing it.
+
 ### [**Semgrep**](https://github.com/returntocorp/semgrep)
 
 It's an **Open Source tool**.
@@ -539,6 +568,9 @@ https://github.com/securego/gosec
 - [Trail of Bits blog: Master C and C++ with our new Testing Handbook chapter](https://blog.trailofbits.com/2026/04/09/master-c-and-c-with-our-new-testing-handbook-chapter/)
 - [Trail of Bits Testing Handbook: C/C++](https://appsec.guide/docs/languages/c-cpp/)
 - [DEVCORE: WorstFit - Unveiling Hidden Transformers in Windows ANSI](https://devco.re/blog/2025/01/09/worstfit-unveiling-hidden-transformers-in-windows-ansi/)
+- [Visa Vulnerability Agentic Harness](https://github.com/visa/visa-vulnerability-agentic-harness)
+- [VVAH Architecture](https://github.com/visa/visa-vulnerability-agentic-harness/blob/main/docs/architecture.md)
+- [Anthropic Project Glasswing](https://www.anthropic.com/glasswing)
 
 {{#include ../../banners/hacktricks-training.md}}