Reference

Rules

Rules are ways to detect security risks and vulnerabilities across your codebase and enforce best practices. Bearer CLI's security report allows you to quickly identify rule violations in your code.

The built-in rules aim to keep you protected from the most critical security risks and vulnerabilities of web applications and include corresponding Common Weakness Enumeration (CWE) and OWASP links to help you identify them.

Don't find a rule you are looking for? You can develop a custom rule that allow you to add specific requirements to suit your organization's needs.

Search (469 results)

gitleaks

Hard-coded secret detected.
- CWE-798
- A07:2021
go_gorilla_cookie_missing_http_only

Missing HTTP Only option in cookie configuration
- GO
- CWE-1004
- A05:2021
go_gorilla_insecure_cookie

Missing Secure option in cookie configuration
- GO
- CWE-614
- A05:2021
go_gosec_blocklist_cgi

Usage of vulnerable CGI package
- GO
- CWE-1395
go_gosec_blocklist_des

Import of weak encryption algorithm (DES)
- GO
- CWE-327
- A02:2021
go_gosec_blocklist_md5

Import of weak hashing library (MD5)
- GO
- CWE-328
- A02:2021
go_gosec_blocklist_rc4

Import of weak encryption algorithm (RCA)
- GO
- CWE-327
- A02:2021
go_gosec_blocklist_sha1

Import of weak hashing library (SHA-1)
- GO
- CWE-328
- A02:2021
go_gosec_crypto_bad_tls_settings

Usage of insecure cipher
- GO
- CWE-327
- A02:2021
go_gosec_crypto_insecure_ignore_host_key

Missing verification of host keys
- GO
- CWE-327
- A02:2021
go_gosec_crypto_weak_crypto

Usage of weak hashing library
- GO
- CWE-327
- A02:2021
go_gosec_crypto_weak_key_strength

Usage of inadequate encryption strength
- GO
- CWE-327
- A02:2021
go_gosec_crypto_weak_random

Usage of weak Pseudo-Random Number Generator (PRNG)
- GO
- CWE-327
- A02:2021
go_gosec_crypto_weak_tls_version

Usage of deprecated TLS version
- GO
- CWE-327
- A02:2021
go_gosec_file_permissions_file_perm

Permissive file assignment
- GO
- CWE-732
go_gosec_file_permissions_mkdir

Permissive folder creation
- GO
- CWE-732
go_gosec_filesystem_decompression_bomb

Missing configuration against decompression bomb
- GO
- CWE-409
go_gosec_filesystem_dirtraversal

Usage of Root directory mounting
- GO
- CWE-22
- A01:2021
go_gosec_filesystem_filereadtaint

Unsanitized user input in file path
- GO
- CWE-73
- A04:2021
go_gosec_filesystem_poor_write_permissions

Permissive file creation
- GO
- CWE-732
go_gosec_filesystem_tempfile

Permissive temporary file creation
- GO
- CWE-378
go_gosec_filesystem_ziparchive

Missing protection against 'Zip Slip' path traversal
- GO
- CWE-22
- A01:2021
go_gosec_http_http_serve

Usage of vulnerable 'serve' function
- GO
- CWE-400
go_gosec_http_http_slowloris

Missing protection against 'Slowloris' attack
- GO
- CWE-400
go_gosec_injection_ssrf_injection

Unsanitized user input in HTTP request (SSRF)
- GO
- CWE-918
- A10:2021
go_gosec_injection_subproc_injection

Unsanitized dynamic input in OS command
- GO
- CWE-78
- A03:2021
go_gosec_injection_template_injection

Unsanitized user input in web page generation (XSS)
- GO
- CWE-79
- A03:2021
go_gosec_leak_pprof_endpoint

Usage of active debug code (pprof enabled)
- GO
- CWE-200
- A01:2021
go_gosec_memory_integer_overflow

Possible integer overflow
- GO
- CWE-190
go_gosec_memory_math_big_rat

Possible integer overflow when converting strings
- GO
- CWE-190
go_gosec_memory_memory_aliasing

Usage of single iteration variable in range loop
- GO
- CWE-118
go_gosec_network_bind_to_all_interfaces

Permissive server network interface configuration
- GO
- CWE-200
- A01:2021
go_gosec_secrets_secrets

Usage of hard-coded secret
- GO
- CWE-798
- A07:2021
go_gosec_sql_concat_sqli

Unsanitized user input in SQL query
- GO
- CWE-89
- A03:2021
go_gosec_subproc_subproc

Unsanitized external input in code execution
- GO
- CWE-94
- A03:2021
go_gosec_unsafe_unsafe

Usage of vulnerable 'unsafe' package
- GO
- CWE-242
go_lang_cookie_missing_http_only

Missing HTTP Only option in cookie configuration
- GO
- CWE-1004
- A05:2021
go_lang_deserialization_of_user_input

Unsanitized user input in deserialization method
- GO
- CWE-502
- A08:2021
go_lang_hardcoded_mysql_database_password

Usage of hard-coded MySQL database password
- GO
- CWE-259
- A07:2021
go_lang_hardcoded_pg_database_password

Usage of hard-coded PostgreSQL database password
- GO
- CWE-259
- A07:2021
go_lang_html_tag_injection

Missing sanitization of HTML template tags
- GO
- CWE-80
- A03:2021
go_lang_information_leakage

Leakage of sensitive information in exception message
- GO
- CWE-209
- A04:2021
go_lang_insecure_cookie

Missing Secure option in cookie configuration
- GO
- CWE-614
- A05:2021
go_lang_insufficiently_random_values

Usage of insufficient random value
- GO
- CWE-330
- A02:2021
go_lang_log_output_neutralization

Missing output neutralization for logs
- GO
- CWE-117
- A09:2021
go_lang_logger

Leakage of sensitive information in logger message
- GO
- CWE-532
- A09:2021
go_lang_logger_leak

Leakage of information in logger message
- GO
- CWE-532
- A09:2021
go_lang_missing_tls_minversion

Missing TLS MinVersion
- GO
- CWE-327
- A02:2021
go_lang_observable_timing

Observable Timing Discrepancy
- GO
- CWE-208
go_lang_open_redirect

Unsanitized user input in redirect
- GO
- CWE-601
- A01:2021
go_lang_permissive_regex_validation

Permissive regular expression used in matching
- GO
- CWE-625
go_lang_ssl_verification

Missing SSL certificate verification
- GO
- CWE-295
- A07:2021
go_lang_weak_hash_md5

Usage of weak hashing library (MD5)
- GO
- CWE-328
- A02:2021
go_lang_weak_hash_sha1

Usage of weak hashing library (SHA-1)
- GO
- CWE-328
- A02:2021
go_lang_weak_password_encryption_md5

Usage of weak hashing library on a password (MD5)
- GO
- CWE-326
- A02:2021
go_lang_weak_password_encryption_sha1

Usage of weak hashing library on a password (SHA-1)
- GO
- CWE-326
- A02:2021
go_lang_xml_external_entity_vulnerability

Unsanitized user input in XML External Entity
- GO
- CWE-611
- A05:2021
go_third_parties_airbrake

Leakage of sensitive data to Airbrake
- GO
- CWE-201
- A01:2021
go_third_parties_algolia

Leakage of sensitive data to Algolia
- GO
- CWE-201
- A01:2021
go_third_parties_bigquery

Leakage of sensitive data to BigQuery
- GO
- CWE-201
- A01:2021
go_third_parties_bugsnag

Leakage of sensitive data to Bugsnag
- GO
- CWE-201
- A01:2021
go_third_parties_clickhouse

Leakage of sensitive data to ClickHouse
- GO
- CWE-201
- A01:2021
go_third_parties_datadog

Leakage of sensitive data to Datadog
- GO
- CWE-201
- A01:2021
go_third_parties_elasticsearch

Leakage of sensitive data to ElasticSearch
- GO
- CWE-201
- A01:2021
go_third_parties_google_analytics

Leakage of sensitive data to Google Analytics
- GO
- CWE-201
- A01:2021
go_third_parties_google_dataflow

Leakage of sensitive data to Google Dataflow
- GO
- CWE-201
- A01:2021
go_third_parties_honeybadger

Leakage of sensitive data to Honeybadger
- GO
- CWE-201
- A01:2021
go_third_parties_new_relic

Leakage of sensitive data to New Relic
- GO
- CWE-201
- A01:2021
go_third_parties_open_telemetry

Leakage of sensitive data to OpenTelemetry
- GO
- CWE-201
- A01:2021
go_third_parties_rollbar

Leakage of sensitive data to RollBar
- GO
- CWE-201
- A01:2021
go_third_parties_segment

Leakage of sensitive data to Segment
- GO
- CWE-201
- A01:2021
go_third_parties_sentry

Leakage of sensitive data to Sentry
- GO
- CWE-201
- A01:2021
java_android_prevent_screenshot

Permissive screenshot option set
- JAVA
- CWE-200
- A01:2021
java_android_world_readable_writable_mode

Permissive context mode for resources
- JAVA
- CWE-732
java_lang_apache_commons_collection

Usage of vulnerable Apache Commons Collections InvokeTransformer class
- JAVA
- CWE-1395
java_lang_bad_hex_conversion

Usage of bad hex conversion on digest array
- JAVA
- CWE-704
java_lang_blowfish_key_size

Usage of small key size with Blowfish encryption
- JAVA
- CWE-326
- A02:2021
java_lang_code_injection

Unsanitized user input in code generation
- JAVA
- CWE-94
- A03:2021
java_lang_cookie_leak

Leakage of sensitive data in cookie
- JAVA
- CWE-315
- A05:2021
java_lang_cookie_missing_http_only

Missing HTTP Only option in cookie configuration
- JAVA
- CWE-1004
- A05:2021
java_lang_cookie_missing_secure

Missing Secure option in cookie configuration
- JAVA
- CWE-614
- A05:2021
java_lang_cookie_with_http_only_false

Permissive HTTP Only option in cookie configuration
- JAVA
- CWE-1004
- A05:2021
java_lang_crlf_injection

Possible CLRF injection detected
- JAVA
- CWE-93
- A03:2021
java_lang_custom_message_digest_class

Usage of custom Digest class
- JAVA
- CWE-327
- A02:2021
java_lang_dangerous_permissions

Usage of dangerous permissions
- JAVA
- CWE-269
- A04:2021
java_lang_deserialization_of_user_input

Unsanitized user input in deserialization method
- JAVA
- CWE-502
- A08:2021
java_lang_empty_database_password

Missing database password detected
- JAVA
- CWE-306
- A07:2021
java_lang_eval_using_user_input

Unsanitized user input in 'eval' type function
- JAVA
- CWE-95
- A03:2021
java_lang_exception

Leakage of sensitive data in exception message
- JAVA
- CWE-210
java_lang_expression_language_injection

Possible expression language (EL) injection detected
- JAVA
- CWE-917
- A03:2021
java_lang_external_config_control

Unsanitized user input in SQL catalog configuration
- JAVA
- CWE-15
- A05:2021
java_lang_file_permission_others

Usage of permissive file permission ('other')
- JAVA
- CWE-732
java_lang_file_upload_filename

Unsanitized use of FileUpload filename
- JAVA
- CWE-73
- A04:2021
java_lang_format_string_manipulation

Unsanitized user input in format string detected
- JAVA
- CWE-134
java_lang_hardcoded_database_password

Usage of hard-coded database password
- JAVA
- CWE-259
- A07:2021
java_lang_hardcoded_secret

Usage of hard-coded secret
- JAVA
- CWE-798
- A07:2021
java_lang_http_parameter_pollution

Possible HTTP Parameter Pollution detected
- JAVA
- CWE-88
- A03:2021
java_lang_http_response_splitting

Unsanitized user input in HTTP response (XSS)
- JAVA
- CWE-79
- A03:2021
java_lang_http_url_using_user_input

Unsanitized user input in HTTP request (SSRF)
- JAVA
- CWE-918
- A10:2021
java_lang_information_leakage

Leakage of sensitive information in exception message
- JAVA
- CWE-209
- A04:2021
java_lang_insecure_allow_origin

Unsanitized user input in Access-Control-Allow-Origin
- JAVA
- CWE-346
- A07:2021
java_lang_insecure_cookie

Missing Secure option in cookie configuration
- JAVA
- CWE-614
- A05:2021
java_lang_insufficiently_random_values

Usage of insufficient random value
- JAVA
- CWE-330
- A02:2021
java_lang_jwt_verification_bypass

Missing signature verification of JWT
- JAVA
- CWE-347
- A02:2021
java_lang_ldap_injection

Unsanitized user input in LDAP request
- JAVA
- CWE-90
- A03:2021
java_lang_log_injection

Unsanitized user input in logger message
- JAVA
- CWE-117
- A09:2021
java_lang_logger

Leakage of sensitive information in logger message
- JAVA
- CWE-532
- A09:2021
java_lang_logger_leak

Leakage of information in logger message
- JAVA
- CWE-532
- A09:2021
java_lang_missing_database_authentication

Missing authentication for database
- JAVA
- CWE-306
- A07:2021
java_lang_missing_integrity_check

Missing support for integrity check
- JAVA
- CWE-353
- A08:2021
java_lang_missing_smtp_ssl_host_check

Missing SSL host check in SMTP
- JAVA
- CWE-297
- A07:2021
java_lang_observable_timing

Observable Timing Discrepancy
- JAVA
- CWE-208
java_lang_open_redirect

Unsanitized user input in redirect
- JAVA
- CWE-601
- A01:2021
java_lang_os_command_injection

Unsanitized user input in OS command
- JAVA
- CWE-78
- A03:2021
java_lang_padding_oracle_encryption_vulnerability

Usage of CBC (Cipher Block Chaining) mode with padding
- JAVA
- CWE-327
- A02:2021
java_lang_path_traversal

Unsanitized user input in file path
- JAVA
- CWE-73
- A04:2021
java_lang_path_using_user_input

Unsanitized user input in file path
- JAVA
- CWE-73
- A04:2021
java_lang_permissive_allow_origin

Permissive Access-Control-Allow-Origin configuration
- JAVA
- CWE-942
- A05:2021
java_lang_permissive_cookie_config

Permissive cookie configuration
- JAVA
- CWE-693
java_lang_reflection_using_user_input

Usage of external input in code reflection
- JAVA
- CWE-470
- A03:2021
java_lang_regex_using_user_input

Unsanitized user input in regular expression
- JAVA
- CWE-1287
java_lang_rsa_no_padding

Missing Optimal Asymmetric Encryption Padding (OAEP)
- JAVA
- CWE-780
- A02:2021
java_lang_socket_init

Usage of naive Socket class to create SSL Socket
- JAVA
- CWE-319
- A02:2021
java_lang_sqli

Unsanitized external input in SQL query
- JAVA
- CWE-89
- A03:2021
java_lang_ssl_hostname_verifier

Missing or permissive SSL hostname verifier
- JAVA
- CWE-295
- A07:2021
java_lang_ssl_verification

Missing TLS validation
- JAVA
- CWE-295
- A07:2021
java_lang_trust_boundary_violation

Usage of trusted and untrusted data inside the same data structure
- JAVA
- CWE-501
- A04:2021
java_lang_weak_encryption_des

Usage of weak encryption algorithm (DES)
- JAVA
- CWE-327
- A02:2021
java_lang_weak_encryption_ecb_mode

Usage of ECB cipher mode
- JAVA
- CWE-327
- A02:2021
java_lang_weak_hash_md5

Usage of weak hashing library (MD5)
- JAVA
- CWE-328
- A02:2021
java_lang_weak_hash_sha1

Usage of weak hashing library (SHA-1)
- JAVA
- CWE-328
- A02:2021
java_lang_weak_password_encryption_des

Usage of weak encryption algorithm on a password (DES)
- JAVA
- CWE-326
- A02:2021
java_lang_weak_password_hash_md5

Usage of weak hashing library on a password (MD5)
- JAVA
- CWE-326
- A02:2021
java_lang_weak_password_hash_sha1

Usage of weak hashing library on a password (SHA-1)
- JAVA
- CWE-326
- A02:2021
java_lang_xml_external_entity_vulnerability

Unsanitized user input in XML External Entity
- JAVA
- CWE-611
- A05:2021
java_lang_xpath_injection

Unsanitized user input in XPath
- JAVA
- CWE-643
- A03:2021
java_lang_xss_response_writer

Unsanitized user input in output stream (XSS)
- JAVA
- CWE-79
- A03:2021
java_spring_missing_session_fixation

Missing protection against session fixation attacks
- JAVA
- CWE-384
- A07:2021
java_spring_model_reflected_xss

Unsanitized request data in Spring UI model (XSS)
- JAVA
- CWE-79
- A03:2021
java_spring_sqli

Unsanitized external input in SQL query
- JAVA
- CWE-89
- A03:2021
java_third_parties_airbrake_javabrake

Leakage of sensitive data to Airbrake
- JAVA
- CWE-201
- A01:2021
java_third_parties_algolia

Leakage of sensitive data to Algolia
- JAVA
- CWE-201
- A01:2021
java_third_parties_aws_query_injection

Unsanitized user input in AWS query
- JAVA
- CWE-943
java_third_parties_bugsnag

Leakage of sensitive data to Bugsnag
- JAVA
- CWE-201
- A01:2021
java_third_parties_clickhouse

Leakage of sensitive data to ClickHouse
- JAVA
- CWE-201
- A01:2021
java_third_parties_datadog

Leakage of sensitive data to Datadog
- JAVA
- CWE-201
- A01:2021
java_third_parties_elasticsearch

Leakage of sensitive data to ElasticSearch
- JAVA
- CWE-201
- A01:2021
java_third_parties_new_relic

Leakage of sensitive data to New Relic
- JAVA
- CWE-201
- A01:2021
java_third_parties_open_telemetry

Leakage of sensitive data to OpenTelemetry
- JAVA
- CWE-201
- A01:2021
java_third_parties_rollbar

Leakage of sensitive data to RollBar
- JAVA
- CWE-201
- A01:2021
java_third_parties_sentry

Leakage of sensitive data to Sentry
- JAVA
- CWE-201
- A01:2021
javascript_express_cookie_missing_http_only

Missing HTTP Only option in cookie configuration
- JAVASCRIPT
- CWE-1004
- A05:2021
javascript_express_cross_site_scripting

Unsanitized user input in HTTP response (XSS)
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_express_default_cookie_config

Usage of default cookie configuration
- JAVASCRIPT
- CWE-693
javascript_express_default_session_config

Usage of default session cookie configuration
- JAVASCRIPT
- CWE-693
javascript_express_exposed_dir_listing

Missing access restriction on directory listing
- JAVASCRIPT
- CWE-548
- A01:2021
javascript_express_external_file_upload

Unsanitized user input in HTTP send file request
- JAVASCRIPT
- CWE-73
- A04:2021
javascript_express_external_resource

Unsanitized user input in resource rendering
- JAVASCRIPT
- CWE-706
- A01:2021
javascript_express_hardcoded_secret

Usage of hard-coded secret
- JAVASCRIPT
- CWE-798
- A07:2021
javascript_express_helmet_missing

Missing Helmet configuration on HTTP headers
- JAVASCRIPT
- CWE-693
javascript_express_https_protocol_missing

Missing secure HTTP server configuration
- JAVASCRIPT
- CWE-319
- A02:2021
javascript_express_insecure_allow_origin

Unsanitized user input in Access-Control-Allow-Origin
- JAVASCRIPT
- CWE-346
- A07:2021
javascript_express_insecure_cookie

Missing Secure option in cookie configuration
- JAVASCRIPT
- CWE-614
- A05:2021
javascript_express_jwt_not_revoked

Missing revoke method on JWT
- JAVASCRIPT
- CWE-693
javascript_express_nosql_injection

Unsanitized input in NoSQL query
- JAVASCRIPT
- CWE-943
javascript_express_open_redirect

Unsanitized user input in redirect
- JAVASCRIPT
- CWE-601
- A01:2021
javascript_express_path_traversal

Unsanitized user input in file path
- JAVASCRIPT
- CWE-73
- A04:2021
javascript_express_reduce_fingerprint

Missing server configuration to reduce server fingerprinting
- JAVASCRIPT
- CWE-693
javascript_express_server_side_request_forgery

Unsanitized user input in HTTP request (SSRF)
- JAVASCRIPT
- CWE-918
- A10:2021
javascript_express_static_asset_with_session

Usage of session on static asset (CSRF)
- JAVASCRIPT
- CWE-352
- A01:2021
javascript_express_ui_redress

Unsanitized user input in UI
- JAVASCRIPT
- CWE-1021
- A04:2021
javascript_express_unsafe_deserialization

Unsanitized user input in deserialization method
- JAVASCRIPT
- CWE-502
- A08:2021
javascript_express_xml_external_entity_vulnerability

Unsanitized user input in XML parsing method
- JAVASCRIPT
- CWE-611
- A05:2021
javascript_hapi_open_redirect

Unsanitized user input in redirect
- JAVASCRIPT
- CWE-601
- A01:2021
javascript_lang_dangerous_insert_html

Unsanitized user input in dynamic HTML insertion (XSS)
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_lang_dynamic_os_command

Unsanitized dynamic input in OS command
- JAVASCRIPT
- CWE-78
- A03:2021
javascript_lang_dynamic_regex

Unsanitized dynamic input in regular expression
- JAVASCRIPT
- CWE-1333
javascript_lang_eval_user_input

Unsanitized user input in 'eval' type function
- JAVASCRIPT
- CWE-95
- A03:2021
javascript_lang_exception

Leakage of sensitive data in exception message
- JAVASCRIPT
- CWE-210
javascript_lang_file_generation

Leakage of sensitive data in dynamic file generation
- JAVASCRIPT
- CWE-313
- A04:2021
javascript_lang_file_permissions

Permissive file assignment
- JAVASCRIPT
- CWE-732
javascript_lang_format_string_using_user_input

Unsanitized user input in format string
- JAVASCRIPT
- CWE-134
javascript_lang_handlebars_no_escape

Missing escape of HTML entities in Handlebars template compilation
- JAVASCRIPT
- CWE-80
- A03:2021
javascript_lang_hardcoded_secret

Usage of hard-coded secret
- JAVASCRIPT
- CWE-798
- A07:2021
javascript_lang_http_insecure

Usage of insecure HTTP connection
- JAVASCRIPT
- CWE-319
- A02:2021
javascript_lang_http_url_using_user_input

Unsanitized user input in HTTP request (SSRF)
- JAVASCRIPT
- CWE-918
- A10:2021
javascript_lang_import_using_user_input

Usage of externally controlled input to select code
- JAVASCRIPT
- CWE-470
- A03:2021
javascript_lang_insufficiently_random_values

Usage of insufficient random value
- JAVASCRIPT
- CWE-330
- A02:2021
javascript_lang_jwt

Leakage of sensitive data in JWT
- JAVASCRIPT
- CWE-312
- A04:2021
javascript_lang_jwt_hardcoded_secret

Leakage of hard-coded secret in JWT
- JAVASCRIPT
- CWE-798
- A07:2021
javascript_lang_jwt_weak_encryption

Usage of weak encryption algorithm in JWT
- JAVASCRIPT
- CWE-327
- A02:2021
javascript_lang_logger

Leakage of sensitive information in logger message
- JAVASCRIPT
- CWE-532
- A09:2021
javascript_lang_logger_leak

Leakage of information in logger message
- JAVASCRIPT
- CWE-532
- A09:2021
javascript_lang_manual_html_sanitization

Usage of manual HTML sanitization (XSS)
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_lang_message_handler_origin

Missing origin check in message handler
- JAVASCRIPT
- CWE-346
- A07:2021
javascript_lang_non_literal_fs_filename

Unsanitized dynamic input in file path
- JAVASCRIPT
- CWE-73
- A04:2021
javascript_lang_observable_timing

Observable Timing Discrepancy
- JAVASCRIPT
- CWE-208
javascript_lang_open_redirect

Unsanitized user input in redirect
- JAVASCRIPT
- CWE-601
- A01:2021
javascript_lang_os_command_injection

Unsanitized user input in OS command
- JAVASCRIPT
- CWE-78
- A03:2021
javascript_lang_path_traversal

Unsanitized dynamic input in file path
- JAVASCRIPT
- CWE-22
- A01:2021
javascript_lang_post_message_origin

Permissive origin in postMessage
- JAVASCRIPT
- CWE-346
- A07:2021
javascript_lang_raw_html_using_user_input

Unsanitized user input in raw HTML strings (XSS)
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_lang_regex_using_user_input

Unsanitized user input in regular expression
- JAVASCRIPT
- CWE-1287
javascript_lang_session

Leakage of sensitive data in local storage
- JAVASCRIPT
- CWE-312
- A04:2021
javascript_lang_sql_injection

Unsanitized input in SQL query
- JAVASCRIPT
- CWE-89
- A03:2021
javascript_lang_unsafe_deserialization

Unsanitized user input in deserialization method
- JAVASCRIPT
- CWE-502
- A08:2021
javascript_lang_weak_encryption_des

Usage of weak encryption algorithm (DES)
- JAVASCRIPT
- CWE-327
- A02:2021
javascript_lang_weak_encryption_rc4

Usage of weak encryption algorithm (RC4)
- JAVASCRIPT
- CWE-327
- A02:2021
javascript_lang_weak_hash_md5

Usage of weak hashing library (MD5)
- JAVASCRIPT
- CWE-328
- A02:2021
javascript_lang_weak_hash_sha1

Usage of weak hashing library (SHA-1)
- JAVASCRIPT
- CWE-328
- A02:2021
javascript_lang_weak_password_encryption_des

Usage of weak encryption algorithm on a password (DES)
- JAVASCRIPT
- CWE-326
- A02:2021
javascript_lang_weak_password_encryption_rc4

Usage of weak encryption algorithm on a password (RC4)
- JAVASCRIPT
- CWE-326
- A02:2021
javascript_lang_weak_password_hash_argon2

Usage of weak hashing library on a password (Argon2)
- JAVASCRIPT
- CWE-326
- A02:2021
javascript_lang_weak_password_hash_md5

Usage of weak hashing library on a password (MD5)
- JAVASCRIPT
- CWE-326
- A02:2021
javascript_lang_weak_password_hash_sha1

Usage of weak hashing library on a password (SHA-1)
- JAVASCRIPT
- CWE-326
- A02:2021
javascript_lang_websocket_insecure

Usage of insecure websocket connection
- JAVASCRIPT
- CWE-319
- A02:2021
javascript_node_missing_tls_validation

Missing TLS validation
- JAVASCRIPT
- CWE-295
- A07:2021
javascript_react_dangerously_set_inner_html

Unsanitized user input in React inner HTML method (XSS)
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_react_google_analytics

Leakage of sensitive data to Google Analytics (React)
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_airbrake

Leakage of sensitive data to Airbrake
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_algolia

Leakage of sensitive data to Algolia
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_bugsnag

Leakage of sensitive data to Bugsnag
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_datadog

Leakage of sensitive data to Datadog
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_datadog_browser

Leakage of sensitive data to Datadog RUM
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_dom_purify

Usage of vulnerable DOMPurify package
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_third_parties_dynamodb_query_injection

Unsanitized user input in DynamoDB query
- JAVASCRIPT
- CWE-943
javascript_third_parties_elasticsearch

Leakage of sensitive data to ElasticSearch
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_google_analytics

Leakage of sensitive data to Google Analytics
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_google_tag_manager

Leakage of sensitive data to Google Tag Manager
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_honeybadger

Leakage of sensitive data to HoneyBadget
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_marked

Usage of vulnerable marked package
- JAVASCRIPT
- CWE-1333
javascript_third_parties_new_relic

Leakage of sensitive data to New Relic
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_open_telemetry

Leakage of sensitive data to OpenTelemetry
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_openai

Leakage of sensitive data to OpenAI
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_passport_hardcoded_secret

Usage of hard-coded passport secret
- JAVASCRIPT
- CWE-798
- A07:2021
javascript_third_parties_rollbar

Leakage of sensitive data to RollBar
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_segment

Leakage of sensitive data to Segment
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_sentry

Leakage of sensitive data to Sentry
- JAVASCRIPT
- CWE-201
- A01:2021
php_lang_cbc_predictable_iv

Usage of CBC (Cipher Block Chaining) with predictable Initialization Vector (IV)
- PHP
- CWE-329
- A02:2021
php_lang_cookie_missing_http_only

Missing HTTP Only option in cookie configuration
- PHP
- CWE-1004
- A05:2021
php_lang_cookies

Leakage of sensitive data in cookie
- PHP
- CWE-315
- A05:2021
php_lang_deserialization_of_user_input

Unsanitized user input in deserialization method
- PHP
- CWE-502
- A08:2021
php_lang_eval_using_user_input

Unsanitized user input in 'eval' type function
- PHP
- CWE-95
- A03:2021
php_lang_exception

Leakage of sensitive data in exception message
- PHP
- CWE-210
php_lang_exec_using_user_input

Unsanitized user input in OS command
- PHP
- CWE-78
- A03:2021
php_lang_file_generation

Leakage of sensitive data in dynamic file generation
- PHP
- CWE-313
- A04:2021
php_lang_format_string_using_user_input

Unsanitized user input in format string
- PHP
- CWE-134
php_lang_ftp_using_user_input

Unsanitized user input in FTP request
- PHP
- CWE-73
- A04:2021
php_lang_hardcoded_secret

Usage of hard-coded secret
- PHP
- CWE-798
- A07:2021
php_lang_http_insecure

Usage of insecure HTTP connection
- PHP
- CWE-319
- A02:2021
php_lang_http_url_using_sensitive_data

Leakage of sensitive data in HTTP request
- PHP
- CWE-598
- A04:2021
php_lang_http_url_using_user_input

Unsanitized user input in HTTP request (SSRF)
- PHP
- CWE-918
- A10:2021
php_lang_information_leakage

Leakage of sensitive information in exception message
- PHP
- CWE-209
- A04:2021
php_lang_insecure_allow_origin

Unsanitized user input in Access-Control-Allow-Origin
- PHP
- CWE-346
- A07:2021
php_lang_insecure_cookie

Missing Secure option in cookie configuration
- PHP
- CWE-614
- A05:2021
php_lang_insecure_ftp

Usage of insecure FTP connection
- PHP
- CWE-319
- A02:2021
php_lang_jwt

Leakage of sensitive data in JWT
- PHP
- CWE-315
- A05:2021
php_lang_logger

Leakage of sensitive information in logger message
- PHP
- CWE-532
- A09:2021
php_lang_manual_html_sanitization

Usage of manual HTML sanitization (XSS)
- PHP
- CWE-79
- A03:2021
php_lang_open_redirect

Unsanitized user input in redirect
- PHP
- CWE-601
- A01:2021
php_lang_path_using_user_input

Unsanitized user input in file path
- PHP
- CWE-73
- A04:2021
php_lang_permissive_allow_origin

Permissive Access-Control-Allow-Origin configuration
- PHP
- CWE-942
- A05:2021
php_lang_phpinfo

Leakage of sensitive information with 'phpinfo' function
- PHP
- CWE-200
- A01:2021
php_lang_raw_html_using_user_input

Unsanitized user input in raw HTML strings (XSS)
- PHP
- CWE-79
- A03:2021
php_lang_raw_output_using_user_input

Unsanitized user input in 'echo' function (XSS)
- PHP
- CWE-79
- A03:2021
php_lang_reflection_using_user_input

Unsanitized user input in code generation
- PHP
- CWE-98
- A03:2021
php_lang_regex_using_user_input

Unsanitized user input in regular expression
- PHP
- CWE-1287
php_lang_session_key_using_user_input

Unsanitized user input in session key
- PHP
- CWE-1018
php_lang_sql_injection

Unsanitized external input in SQL query
- PHP
- CWE-89
- A03:2021
php_lang_ssl_verification

Missing SSL certificate verification
- PHP
- CWE-295
- A07:2021
php_lang_ui_redress

Unsanitized user input in UI
- PHP
- CWE-1021
- A04:2021
php_lang_weak_hash_adler32

Usage of weak hashing library (Adler-32)
- PHP
- CWE-328
- A02:2021
php_lang_weak_hash_crc32

Usage of weak hashing library (CRC32)
- PHP
- CWE-328
- A02:2021
php_lang_weak_hash_md

Usage of weak hashing library (MDx)
- PHP
- CWE-328
- A02:2021
php_lang_weak_hash_sha1

Usage of weak hashing library (SHA-1)
- PHP
- CWE-328
- A02:2021
php_lang_weak_password_hash_md

Usage of weak hashing library on a password (MDx)
- PHP
- CWE-326
- A02:2021
php_lang_weak_password_hash_sha1

Usage of weak hashing library on a password (SHA-1)
- PHP
- CWE-326
- A02:2021
php_lang_websocket_insecure

Usage of insecure websocket connection
- PHP
- CWE-319
- A02:2021
php_lang_xml_external_entity_vulnerability

Unsanitized user input in XML External Entity
- PHP
- CWE-611
- A05:2021
php_lang_xpath_injection

Unsanitized user input in XPath
- PHP
- CWE-643
- A03:2021
php_symfony_cookie_missing_http_only

Missing HTTP Only option in cookie configuration
- PHP
- CWE-1004
- A05:2021
php_symfony_cookies

Leakage of sensitive data in cookie
- PHP
- CWE-315
- A05:2021
php_symfony_csrf_protection_disabled

Missing Cross-Site Request Forgery (CSRF) configuration
- PHP
- CWE-352
- A01:2021
php_symfony_insecure_allow_origin

Unsanitized user input in Access-Control-Allow-Origin
- PHP
- CWE-346
- A07:2021
php_symfony_insecure_cookie

Missing Secure option in cookie configuration
- PHP
- CWE-614
- A05:2021
php_symfony_insecure_smtp

Usage of insecure SMTP connection
- PHP
- CWE-319
- A02:2021
php_symfony_open_redirect

Unsanitized user input in redirect
- PHP
- CWE-601
- A01:2021
php_symfony_permissive_allow_origin

Permissive Access-Control-Allow-Origin configuration
- PHP
- CWE-942
- A05:2021
php_symfony_permissive_regex_validation

Missing validation for regular expression
- PHP
- CWE-625
php_symfony_session_key_using_user_input

Unsanitized user input in session key
- PHP
- CWE-1018
php_symfony_sql_injection

Unsanitized external input in SQL query
- PHP
- CWE-89
- A03:2021
php_symfony_ui_redress

Unsanitized user input in UI
- PHP
- CWE-1021
- A04:2021
php_third_parties_airbrake

Leakage of sensitive data to Airbrake
- PHP
- CWE-201
- A01:2021
php_third_parties_algolia

Leakage of sensitive data to Algolia
- PHP
- CWE-201
- A01:2021
php_third_parties_bigquery

Leakage of sensitive data to BigQuery
- PHP
- CWE-201
- A01:2021
php_third_parties_bugsnag

Leakage of sensitive data to Bugsnag
- PHP
- CWE-201
- A01:2021
php_third_parties_clickhouse

Leakage of sensitive data to ClickHouse
- PHP
- CWE-201
- A01:2021
php_third_parties_datadog

Leakage of sensitive data to Datadog
- PHP
- CWE-201
- A01:2021
php_third_parties_elasticsearch

Leakage of sensitive data to ElasticSearch
- PHP
- CWE-201
- A01:2021
php_third_parties_honeybadger

Leakage of sensitive data to Honeybadger
- PHP
- CWE-201
- A01:2021
php_third_parties_logger

Leakage of sensitive information in logger message
- PHP
- CWE-532
- A09:2021
php_third_parties_new_relic

Leakage of sensitive data to New Relic
- PHP
- CWE-201
- A01:2021
php_third_parties_open_telemetry

Leakage of sensitive data to OpenTelemetry
- PHP
- CWE-201
- A01:2021
php_third_parties_rollbar

Leakage of sensitive data to RollBar
- PHP
- CWE-201
- A01:2021
php_third_parties_scout_apm

Leakage of sensitive data to Scout APM
- PHP
- CWE-201
- A01:2021
php_third_parties_segment

Leakage of sensitive data to Segment
- PHP
- CWE-201
- A01:2021
php_third_parties_sentry

Leakage of sensitive data to Sentry
- PHP
- CWE-201
- A01:2021
python_django_cookie_missing_http_only

Missing HTTP Only option in cookie configuration
- PYTHON
- CWE-1004
- A05:2021
python_django_cookie_missing_secure

Missing Secure option in cookie configuration
- PYTHON
- CWE-614
- A05:2021
python_django_cookies

Leakage of sensitive data in cookie
- PYTHON
- CWE-315
- A05:2021
python_django_crlf_injection

Possible CLRF injection detected
- PYTHON
- CWE-93
- A03:2021
python_django_csrf_protection_disabled

Missing Cross-Site Request Forgery (CSRF) token(s)
- PYTHON
- CWE-352
- A01:2021
python_django_debug_mode_enabled

Usage of Django debug mode
- PYTHON
- CWE-200
- A01:2021
python_django_file_permissions

Permissive file assignment
- PYTHON
- CWE-732
python_django_html_magic_method

Usage of __html__ magic method
- PYTHON
- CWE-79
- A03:2021
python_django_insecure_allow_origin

Unsanitized user input in Access-Control-Allow-Origin
- PYTHON
- CWE-346
- A07:2021
python_django_insecure_cookie

Missing Secure option in cookie configuration
- PYTHON
- CWE-614
- A05:2021
python_django_insecure_cookie_settings

Usage of insecure cookie settings
- PYTHON
- CWE-693
python_django_insecure_smtp

Usage of insecure SMTP connection
- PYTHON
- CWE-319
- A02:2021
python_django_jwt_weak_encryption

Usage of weak encryption algorithm in JWT
- PYTHON
- CWE-327
- A02:2021
python_django_mark_safe

Usage of mark_safe
- PYTHON
- CWE-79
- A03:2021
python_django_open_redirect

Unsanitized user input in redirect
- PYTHON
- CWE-601
- A01:2021
python_django_path_traversal

Unsanitized dynamic input in file path
- PYTHON
- CWE-22
- A01:2021
python_django_path_using_user_input

Unsanitized user input in file path
- PYTHON
- CWE-73
- A04:2021
python_django_permissive_allow_origin

Permissive Access-Control-Allow-Origin configuration
- PYTHON
- CWE-942
- A05:2021
python_django_response_using_user_input

Unsanitized user input in output stream (XSS)
- PYTHON
- CWE-79
- A03:2021
python_django_sql_injection

Unsanitized external input in SQL query
- PYTHON
- CWE-89
- A03:2021
python_django_template_injection

Unsanitized user input in web page generation (XSS)
- PYTHON
- CWE-79
- A03:2021
python_django_weak_secret_key

Usage of weak secret key
- PYTHON
- CWE-326
- A02:2021
python_lang_avoid_pickle

Usage of unsafe Pickle libraries
- PYTHON
- CWE-502
- A08:2021
python_lang_bind_to_all_interfaces

Permissive server network interface configuration
- PYTHON
- CWE-200
- A01:2021
python_lang_code_injection

Unsanitized external input in code generation
- PYTHON
- CWE-94
- A03:2021
python_lang_cookies

Leakage of sensitive data in cookie
- PYTHON
- CWE-315
- A05:2021
python_lang_deserialization_of_user_input

Unsanitized user input in deserialization method
- PYTHON
- CWE-502
- A08:2021
python_lang_eval_using_user_input

Unsanitized user input in 'eval' type function
- PYTHON
- CWE-95
- A03:2021
python_lang_exception

Leakage of sensitive data in exception message
- PYTHON
- CWE-210
python_lang_file_permissions

Permissive file assignment
- PYTHON
- CWE-732
python_lang_http_response_splitting

Unsanitized user input in HTTP response (XSS)
- PYTHON
- CWE-79
- A03:2021
python_lang_http_url_using_user_input

Unsanitized user input in HTTP request (SSRF)
- PYTHON
- CWE-918
- A10:2021
python_lang_insecure_allow_origin

Unsanitized user input in Access-Control-Allow-Origin
- PYTHON
- CWE-346
- A07:2021
python_lang_insecure_cookie

Missing Secure option in cookie configuration
- PYTHON
- CWE-614
- A05:2021
python_lang_insecure_ftp

Usage of insecure FTP connection
- PYTHON
- CWE-319
- A02:2021
python_lang_insecure_http

Usage of insecure HTTP connection
- PYTHON
- CWE-319
- A02:2021
python_lang_insecure_smtp

Usage of insecure SMTP connection
- PYTHON
- CWE-319
- A02:2021
python_lang_insecure_websocket

Usage of insecure websocket connection
- PYTHON
- CWE-319
- A02:2021
python_lang_jwt_verification_bypass

Missing signature verification of JWT
- PYTHON
- CWE-347
- A02:2021
python_lang_jwt_weak_encryption

Usage of weak encryption algorithm in JWT
- PYTHON
- CWE-327
- A02:2021
python_lang_logger

Leakage of sensitive information in logger message
- PYTHON
- CWE-532
- A09:2021
python_lang_manual_html_sanitization

Usage of manual HTML sanitization (XSS)
- PYTHON
- CWE-79
- A03:2021
python_lang_nosql_injection

Unsanitized input in NoSQL query
- PYTHON
- CWE-943
python_lang_os_command_injection

Unsanitized user input in OS command
- PYTHON
- CWE-78
- A03:2021
python_lang_path_traversal

Unsanitized dynamic input in file path
- PYTHON
- CWE-22
- A01:2021
python_lang_path_using_user_input

Unsanitized user input in file path
- PYTHON
- CWE-73
- A04:2021
python_lang_permissive_allow_origin

Permissive Access-Control-Allow-Origin configuration
- PYTHON
- CWE-942
- A05:2021
python_lang_raw_html_using_user_input

Unsanitized user input in raw HTML strings (XSS)
- PYTHON
- CWE-79
- A03:2021
python_lang_reflection_using_user_input

Usage of external input in code reflection
- PYTHON
- CWE-470
- A03:2021
python_lang_regex_using_user_input

Unsanitized user input in regular expression
- PYTHON
- CWE-1287
python_lang_sql_injection

Unsanitized external input in SQL query
- PYTHON
- CWE-89
- A03:2021
python_lang_ssl_verification

Missing SSL certificate verification
- PYTHON
- CWE-295
- A07:2021
python_lang_weak_encryption_blowfish

Usage of weak encryption algorithm (Blowfish)
- PYTHON
- CWE-327
- A02:2021
python_lang_weak_encryption_des

Usage of weak encryption algorithm (DES)
- PYTHON
- CWE-327
- A02:2021
python_lang_weak_encryption_ecb_mode

Usage of ECB cipher mode
- PYTHON
- CWE-327
- A02:2021
python_lang_weak_encryption_rc4

Usage of weak encryption algorithm (RC4)
- PYTHON
- CWE-327
- A02:2021
python_lang_weak_encryption_rsa

Usage of weak encryption algorithm (RSA)
- PYTHON
- CWE-327
- A02:2021
python_lang_weak_hash_adler32

Usage of weak hashing library (Adler-32)
- PYTHON
- CWE-328
- A02:2021
python_lang_weak_hash_crc32

Usage of weak hashing library (CRC32)
- PYTHON
- CWE-328
- A02:2021
python_lang_weak_hash_dss

Usage of weak hashing library (DSS)
- PYTHON
- CWE-328
- A02:2021
python_lang_weak_hash_md5

Usage of weak hashing library (MDx)
- PYTHON
- CWE-328
- A02:2021
python_lang_weak_hash_sha1

Usage of weak hashing library (SHA-1)
- PYTHON
- CWE-328
- A02:2021
python_lang_weak_password_encryption_md5

Usage of weak hashing library on a password (MD5)
- PYTHON
- CWE-326
- A02:2021
python_lang_weak_password_encryption_sha1

Usage of weak hashing library on a password (SHA-1)
- PYTHON
- CWE-326
- A02:2021
python_lang_weak_password_hash_adler32

Usage of weak hashing library on a password (Adler-32)
- PYTHON
- CWE-326
- A02:2021
python_lang_weak_password_hash_argon2

Usage of weak hashing library on a password (Argon2)
- PYTHON
- CWE-326
- A02:2021
python_lang_weak_password_hash_crc32

Usage of weak hashing library on a password (CRC32)
- PYTHON
- CWE-326
- A02:2021
python_lang_weak_password_hash_dss

Usage of weak hashing library on a password (DSS)
- PYTHON
- CWE-326
- A02:2021
python_lang_weak_random

Usage of weak Pseudo-Random Number Generator (PRNG)
- PYTHON
- CWE-327
- A02:2021
python_lang_weak_tls_version

Usage of deprecated TLS version
- PYTHON
- CWE-327
- A02:2021
python_lang_xml_external_entity_vulnerability

Usage of vulnerable XML libraries
- PYTHON
- CWE-611
- A05:2021
python_lang_xpath_injection

Unsanitized user input in XPath
- PYTHON
- CWE-643
- A03:2021
python_third_parties_airbrake

Leakage of sensitive data to Airbrake
- PYTHON
- CWE-201
- A01:2021
python_third_parties_algolia

Leakage of sensitive data to Algolia
- PYTHON
- CWE-201
- A01:2021
python_third_parties_aws_query_injection

Unsanitized user input in AWS query
- PYTHON
- CWE-943
python_third_parties_bigquery

Leakage of sensitive data to BigQuery
- PYTHON
- CWE-201
- A01:2021
python_third_parties_bugsnag

Leakage of sensitive data to Bugsnag
- PYTHON
- CWE-201
- A01:2021
python_third_parties_clickhouse

Leakage of sensitive data to ClickHouse
- PYTHON
- CWE-201
- A01:2021
python_third_parties_datadog

Leakage of sensitive data to Datadog
- PYTHON
- CWE-201
- A01:2021
python_third_parties_elasticsearch

Leakage of sensitive data to ElasticSearch
- PYTHON
- CWE-201
- A01:2021
python_third_parties_google_dataflow

Leakage of sensitive data to Google Dataflow
- PYTHON
- CWE-201
- A01:2021
python_third_parties_honeybadger

Leakage of sensitive data to Honeybadger
- PYTHON
- CWE-201
- A01:2021
python_third_parties_new_relic

Leakage of sensitive data to New Relic
- PYTHON
- CWE-201
- A01:2021
python_third_parties_open_telemetry

Leakage of sensitive data to OpenTelemetry
- PYTHON
- CWE-201
- A01:2021
python_third_parties_openai

Leakage of sensitive data to OpenAI
- PYTHON
- CWE-201
- A01:2021
python_third_parties_rollbar

Leakage of sensitive data to RollBar
- PYTHON
- CWE-201
- A01:2021
python_third_parties_scout_apm

Leakage of sensitive data to Scout APM
- PYTHON
- CWE-201
- A01:2021
python_third_parties_sentry

Leakage of sensitive data to Sentry
- PYTHON
- CWE-201
- A01:2021
ruby_lang_cookies

Leakage of sensitive data in cookie
- RUBY
- CWE-315
- A05:2021
ruby_lang_deserialization_of_user_input

Unsanitized user input in deserialization method
- RUBY
- CWE-502
- A08:2021
ruby_lang_eval_linter

Usage of dangerous 'eval' function
- RUBY
- CWE-95
- A03:2021
ruby_lang_eval_using_user_input

Unsanitized user input in 'eval' type function
- RUBY
- CWE-95
- A03:2021
ruby_lang_exception

Leakage of sensitive data in exception message
- RUBY
- CWE-210
ruby_lang_exec_using_user_input

Unsanitized user input in OS command
- RUBY
- CWE-78
- A03:2021
ruby_lang_file_generation

Leakage of sensitive data in dynamic file generation
- RUBY
- CWE-313
- A04:2021
ruby_lang_format_string_using_user_input

Unsanitized user input in format string
- RUBY
- CWE-134
ruby_lang_ftp_using_user_input

Unsanitized user input in FTP request
- RUBY
- CWE-73
- A04:2021
ruby_lang_hardcoded_secret

Usage of hard-coded secret
- RUBY
- CWE-798
- A07:2021
ruby_lang_http_get_params

Leakage of sensitive data in HTTP GET parameters
- RUBY
- CWE-598
- A04:2021
ruby_lang_http_insecure

Usage of insecure HTTP connection
- RUBY
- CWE-319
- A02:2021
ruby_lang_http_url_using_user_input

Unsanitized user input in HTTP request (SSRF)
- RUBY
- CWE-918
- A10:2021
ruby_lang_insecure_ftp

Usage of insecure FTP connection
- RUBY
- CWE-319
- A02:2021
ruby_lang_jwt

Leakage of sensitive data in JWT
- RUBY
- CWE-315
- A05:2021
ruby_lang_logger

Leakage of sensitive information in logger message
- RUBY
- CWE-532
- A09:2021
ruby_lang_manual_html_sanitization

Usage of manual HTML sanitization (XSS)
- RUBY
- CWE-79
- A03:2021
ruby_lang_path_using_user_input

Unsanitized user input in file path
- RUBY
- CWE-73
- A04:2021
ruby_lang_raw_html_using_user_input

Unsanitized user input in raw HTML strings (XSS)
- RUBY
- CWE-79
- A03:2021
ruby_lang_reflection_using_user_input

Unsanitized user input in code generation
- RUBY
- CWE-94
- A03:2021
ruby_lang_regex_using_user_input

Unsanitized user input in regular expression
- RUBY
- CWE-1287
ruby_lang_ssl_verification

Missing SSL certificate verification
- RUBY
- CWE-295
- A07:2021
ruby_lang_weak_encryption_blowfish

Usage of weak encryption algorithm (Blowfish)
- RUBY
- CWE-327
- A02:2021
ruby_lang_weak_encryption_dsa

Usage of weak encryption algorithm (DSA)
- RUBY
- CWE-327
- A02:2021
ruby_lang_weak_encryption_rc4

Usage of weak encryption algorithm (RC4)
- RUBY
- CWE-327
- A02:2021
ruby_lang_weak_encryption_rsa

Usage of weak encryption algorithm (RSA)
- RUBY
- CWE-327
- A02:2021
ruby_lang_weak_hash_dss

Usage of weak hashing library (DSS)
- RUBY
- CWE-328
- A02:2021
ruby_lang_weak_hash_md

Usage of weak hashing library (MD5)
- RUBY
- CWE-328
- A02:2021
ruby_lang_weak_hash_sha

Usage of weak hashing library (SHA)
- RUBY
- CWE-328
- A02:2021
ruby_lang_weak_password_encryption_blowfish

Usage of weak encryption algorithm on a password (Blowfish)
- RUBY
- CWE-326
- A02:2021
ruby_lang_weak_password_encryption_dsa

Usage of weak encryption algorithm on a password (DSA)
- RUBY
- CWE-326
- A02:2021
ruby_lang_weak_password_encryption_rc4

Usage of weak encryption algorithm on a password (RC4)
- RUBY
- CWE-326
- A02:2021
ruby_lang_weak_password_encryption_rsa

Usage of weak encryption algorithm on a password (RSA)
- RUBY
- CWE-326
- A02:2021
ruby_lang_weak_password_hash_dss

Usage of weak hashing library on a password (DSS)
- RUBY
- CWE-326
- A02:2021
ruby_lang_weak_password_hash_md

Usage of weak hashing library on a password (MD5)
- RUBY
- CWE-326
- A02:2021
ruby_lang_weak_password_hash_sha

Usage of weak hashing library on a password (SHA)
- RUBY
- CWE-326
- A02:2021
ruby_lang_websocket_insecure

Usage of insecure websocket connection
- RUBY
- CWE-319
- A02:2021
ruby_rails_default_encryption

Missing application-level encryption of sensitive data
- RUBY
- CWE-312
- A04:2021
ruby_rails_detailed_exceptions

Leakage of sensitive information in exception message
- RUBY
- CWE-209
- A04:2021
ruby_rails_http_verb_confusion

Possible HTTP verb confusion
- RUBY
- CWE-650
- A04:2021
ruby_rails_insecure_communication

Missing secure HTTP server configuration
- RUBY
- CWE-319
- A02:2021
ruby_rails_insecure_disabling_of_callback

Permissive callback disable configuration
- RUBY
- CWE-284
- A01:2021
ruby_rails_insecure_http_password

Usage of hard-coded password
- RUBY
- CWE-259
- A07:2021
ruby_rails_insecure_smtp

Usage of insecure SMTP connection
- RUBY
- CWE-319
- A02:2021
ruby_rails_logger

Leakage of sensitive information in logger message
- RUBY
- CWE-532
- A09:2021
ruby_rails_open_redirect

Unsanitized user input in redirect
- RUBY
- CWE-601
- A01:2021
ruby_rails_password_length

Usage of weak password constraint
- RUBY
- CWE-521
- A07:2021
ruby_rails_permissive_parameters

Permissive request parameters
- RUBY
- CWE-913
- A01:2021
ruby_rails_permissive_regex_validation

Missing validation for regular expression
- RUBY
- CWE-625
ruby_rails_render_using_user_input

Unsanitized user input in raw HTML strings (XSS)
- RUBY
- CWE-79
- A03:2021
ruby_rails_session

Leakage of sensitive data in session cookie
- RUBY
- CWE-315
- A05:2021
ruby_rails_session_key_using_user_input

Unsanitized user input in session key
- RUBY
- CWE-1018
ruby_rails_session_with_httponly_disabled

Missing HTTP Only option in cookie configuration
- RUBY
- CWE-1004
- A05:2021
ruby_rails_sql_injection

Unsanitized external input in SQL query
- RUBY
- CWE-89
- A03:2021
ruby_rails_unsafe_cookie_serialization_strategy

Possible dangerous serialization configuration
- RUBY
- CWE-502
- A08:2021
ruby_rails_unsafe_mass_assignment

Possible dangerous permitted parameter key
- RUBY
- CWE-913
- A01:2021
ruby_rails_weak_custom_key

Usage of weak model specific encryption key
- RUBY
- CWE-326
- A02:2021
ruby_third_parties_airbrake

Leakage of sensitive data to Airbrake
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_algolia

Leakage of sensitive data to Algolia
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_appsignal

Leakage of sensitive data to AppSignal
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_bigquery

Leakage of sensitive data to BigQuery
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_bugsnag

Leakage of sensitive data to Bugsnag
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_clickhouse

Leakage of sensitive data to ClickHouse
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_datadog

Leakage of sensitive data to Datadog
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_elasticsearch

Leakage of sensitive data to Elasticsearch
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_google_analytics

Leakage of sensitive data to Google Analytics
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_google_dataflow

Leakage of sensitive data to Google Dataflow
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_honeybadger

Leakage of sensitive data to Honeybadger
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_new_relic

Leakage of sensitive data to New Relic
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_open_telemetry

Leakage of sensitive data to OpenTelemetry
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_rollbar

Leakage of sensitive data to Rollbar
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_scout_apm

Leakage of sensitive data to Scout APM
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_segment

Leakage of sensitive data to Segment
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_sentry

Leakage of sensitive data to Sentry
- RUBY
- CWE-201
- A01:2021

Rules

gitleaks

go_gorilla_cookie_missing_http_only

go_gorilla_insecure_cookie

go_gosec_blocklist_cgi

go_gosec_blocklist_des

go_gosec_blocklist_md5

go_gosec_blocklist_rc4

go_gosec_blocklist_sha1

go_gosec_crypto_bad_tls_settings

go_gosec_crypto_insecure_ignore_host_key

go_gosec_crypto_weak_crypto

go_gosec_crypto_weak_key_strength

go_gosec_crypto_weak_random

go_gosec_crypto_weak_tls_version

go_gosec_file_permissions_file_perm

go_gosec_file_permissions_mkdir

go_gosec_filesystem_decompression_bomb

go_gosec_filesystem_dirtraversal

go_gosec_filesystem_filereadtaint

go_gosec_filesystem_poor_write_permissions

go_gosec_filesystem_tempfile

go_gosec_filesystem_ziparchive

go_gosec_http_http_serve

go_gosec_http_http_slowloris

go_gosec_injection_ssrf_injection

go_gosec_injection_subproc_injection

go_gosec_injection_template_injection

go_gosec_leak_pprof_endpoint

go_gosec_memory_integer_overflow

go_gosec_memory_math_big_rat

go_gosec_memory_memory_aliasing

go_gosec_network_bind_to_all_interfaces

go_gosec_secrets_secrets

go_gosec_sql_concat_sqli

go_gosec_subproc_subproc

go_gosec_unsafe_unsafe

go_lang_cookie_missing_http_only

go_lang_deserialization_of_user_input

go_lang_hardcoded_mysql_database_password

go_lang_hardcoded_pg_database_password

go_lang_html_tag_injection

go_lang_information_leakage

go_lang_insecure_cookie

go_lang_insufficiently_random_values

go_lang_log_output_neutralization

go_lang_logger

go_lang_logger_leak

go_lang_missing_tls_minversion

go_lang_observable_timing

go_lang_open_redirect

go_lang_permissive_regex_validation

go_lang_ssl_verification

go_lang_weak_hash_md5

go_lang_weak_hash_sha1

go_lang_weak_password_encryption_md5

go_lang_weak_password_encryption_sha1

go_lang_xml_external_entity_vulnerability

go_third_parties_airbrake

go_third_parties_algolia

go_third_parties_bigquery

go_third_parties_bugsnag

go_third_parties_clickhouse

go_third_parties_datadog

go_third_parties_elasticsearch

go_third_parties_google_analytics

go_third_parties_google_dataflow

go_third_parties_honeybadger

go_third_parties_new_relic

go_third_parties_open_telemetry

go_third_parties_rollbar

go_third_parties_segment

go_third_parties_sentry

java_android_prevent_screenshot

java_android_world_readable_writable_mode

java_lang_apache_commons_collection

java_lang_bad_hex_conversion

java_lang_blowfish_key_size

java_lang_code_injection

java_lang_cookie_leak