Rules
Rules are ways to detect security risks and vulnerabilities across your codebase and enforce best practices. Bearer's summary report allows you to quickly identify rule violations in your code.
Bearer's built-in rules aim to keep you protected from the most critical security risks and vulnerabilities of web applications and include corresponding Common Weakness Enumeration (CWE) and OWASP links to help you identify them.
-
express_default_cookie_config
Cookie with default config detected.
- javascript
- CWE-523
- CWE-522
-
express_default_session_config
Session cookie with default config detected.
- javascript
- CWE-523
- CWE-522
-
express_insecure_cookie
Missing secure options for cookie detected.
- javascript
- CWE-1004
- CWE-614
-
javascript_aws_lambda_code_injection
Code injection detected.
- javascript
- CWE-94
- CWE-95
-
javascript_aws_lambda_os_command_injection
OS command injection vulnerability detected.
- javascript
- CWE-78
-
javascript_aws_lambda_query_injection
Raw user input in data store query detected.
- javascript
- CWE-89
-
javascript_aws_lambda_sql_injection
SQL injection vulnerability detected.
- javascript
- CWE-89
-
javascript_dangerous_insert_html
Dangerous dynamic HTML insert detected.
- javascript
- CWE-79
-
javascript_dom_purify
Insecure use of DOMPurify detected.
- javascript
- CWE-79
-
javascript_elasticsearch
Sensitive data sent to Elasticsearch detected.
- javascript
- CWE-201
-
javascript_express_cross_site_scripting
Cross-site scripting (XSS) vulnerability detected.
- javascript
- CWE-79
-
javascript_express_eval_user_input
Dangerous use of eval with user input detected.
- javascript
- CWE-94
- CWE-95
-
javascript_express_exposed_dir_listing
Missing access restriction to directory listing detected.
- javascript
- CWE-548
-
javascript_express_external_file_upload
External control of filename or path detected.
- javascript
- CWE-73
-
javascript_express_external_resource
Rendering of resources resolved from external name or reference detected.
- javascript
- CWE-706
-
javascript_express_hardcoded_secret
Hard-coded secret detected.
- javascript
- CWE-798
-
javascript_express_helmet_missing
Security misconfiguration detected.
- javascript
- CWE-693
-
javascript_express_https_protocol_missing
Missing https protocol detected.
- javascript
- CWE-693
-
javascript_express_insecure_allow_origin
Insecure Access-Control-Allow-Origin detected.
- javascript
- CWE-346
-
javascript_express_insecure_template_rendering
Insecure template rendering detected.
- javascript
- CWE-1336
-
javascript_express_jwt_not_revoked
Unrevoked JWT detected.
- javascript
- CWE-525
-
javascript_express_open_redirect
Open redirect detected.
- javascript
- CWE-601
-
javascript_express_path_traversal
Possible path traversal vulnerability detected.
- javascript
- CWE-22
-
javascript_express_reduce_fingerprint
Security misconfiguration detected.
- javascript
- CWE-693
-
javascript_express_server_side_request_forgery
Risk of server-side request forgery detected.
- javascript
- CWE-918
-
javascript_express_sql_injection
SQL injection vulnerability detected.
- javascript
- CWE-89
-
javascript_express_static_asset_with_session
Static asset with active session detected.
- javascript
- CWE-352
- CWE-668
-
javascript_express_ui_redress
User Interface (UI) redress vulnerability (clickjacking) detected.
- javascript
- CWE-1021
-
javascript_express_unsafe_deserialization
Deserialization of untrusted data detected.
- javascript
- CWE-502
-
javascript_express_xxe_vulnerability
XML External Entity vulnerability detected.
- javascript
- CWE-611
-
javascript_google_analytics
Sensitive data sent to Google Analytics detected.
- javascript
- CWE-201
-
javascript_google_tag_manager
Sensitive data sent to Google Tag Manager detected.
- javascript
- CWE-201
-
javascript_hardcoded_secret
Hardcoded secret detected.
- javascript
- CWE-798
-
javascript_honeybadger
Sensitive data sent to Honeybadger detected.
- javascript
- CWE-201
-
javascript_http_insecure
Connection over insecure HTTP communication detected.
- javascript
- CWE-319
-
javascript_jwt
Sensitive data in a JWT detected.
- javascript
- CWE-312
-
javascript_jwt_hardcoded_secret
Hardcoded JWT secret detected.
- javascript
- CWE-798
-
javascript_jwt_weak_encryption
Weak JWT encryption detected.
- javascript
- CWE-327
-
javascript_lang_exception
Sensitive data in an exception message detected.
- javascript
- CWE-210
-
javascript_lang_file_generation
Sensitive data detected as part of a dynamic file generation.
- javascript
- CWE-313
-
javascript_lang_logger
Sensitive data in a logger message detected.
- javascript
- CWE-1295
- CWE-532
-
javascript_lang_open_redirect
Open redirect detected.
- javascript
- CWE-601
-
javascript_react_dangerously_set_inner_html
React's dangerously set inner HTML detected.
- javascript
- CWE-79
-
javascript_react_google_analytics
Sensitive data sent to Google Analytics detected.
- javascript
- CWE-201
-
javascript_rollbar
Sensitive data sent to Rollbar detected.
- javascript
- CWE-201
-
javascript_session
Sensitive data stored in HTML local storage detected.
- javascript
- CWE-312
-
javascript_third_parties_airbrake
Sensitive data sent to Airbrake detected.
- javascript
- CWE-201
-
javascript_third_parties_algolia
Sensitive data sent to Algolia detected.
- javascript
- CWE-201
-
javascript_third_parties_bugsnag
Sensitive data sent to Bugsnag detected.
- javascript
- CWE-201
-
javascript_third_parties_datadog
Sensitive data sent to Datadog detected.
- javascript
- CWE-201
-
javascript_third_parties_datadog_browser
Sensitive data sent to Datadog detected.
- javascript
- CWE-201
-
javascript_third_parties_new_relic
Sensitive data sent to New Relic detected.
- javascript
- CWE-201
-
javascript_third_parties_open_telemetry
Sensitive data sent to Open Telemetry detected.
- javascript
- CWE-201
-
javascript_third_parties_passport_hardcoded_secret
Hardcoded Passport secret detected.
- javascript
- CWE-798
-
javascript_third_parties_segment
Sensitive data sent to Segment detected.
- javascript
- CWE-201
-
javascript_third_parties_sentry
Sensitive data sent to Sentry detected.
- javascript
- CWE-201
-
javascript_weak_encryption
Weak encryption library usage detected.
- javascript
- CWE-327
-
javascript_weak_password_encryption
Weak encryption library usage detected.
- javascript
- CWE-327
- CWE-916
-
ruby_lang_cookies
Sensitive data stored in a cookie detected.
- ruby
- CWE-315
- CWE-539
-
ruby_lang_deserialization_of_user_input
User input detected in an unsafe deserialization method.
- ruby
- CWE-502
-
ruby_lang_eval_using_user_input
Potential command injection with user input detected.
- ruby
- CWE-94
- CWE-95
-
ruby_lang_exception
Sensitive data in an exception message detected.
- ruby
- CWE-210
-
ruby_lang_exec_using_user_input
Execution of OS command formed with user input detected.
- ruby
- CWE-78
-
ruby_lang_file_generation
Sensitive data detected as part of a dynamic file generation.
- ruby
- CWE-532
- CWE-313
-
ruby_lang_ftp_using_user_input
Do not use user input with FTP.
- ruby
- CWE-22
-
ruby_lang_hardcoded_secret
Hard-coded secret detected.
- ruby
- CWE-798
-
ruby_lang_http_get_params
Sensitive data communicated through GET parameters detected.
- ruby
- CWE-598
-
ruby_lang_http_insecure
Connection over insecure HTTP communication detected.
- ruby
- CWE-319
-
ruby_lang_http_post_insecure_with_data
Sensitive data sent over insecure HTTP communication detected.
- ruby
- CWE-319
-
ruby_lang_http_url_using_user_input
HTTP communication with user-controlled destination detected.
- ruby
- CWE-918
-
ruby_lang_insecure_ftp
Communication with an insecure FTP server detected.
- ruby
- CWE-319
-
ruby_lang_jwt
Sensitive data in a JWT detected.
- ruby
- CWE-315
-
ruby_lang_logger
Sensitive data in a logger message detected.
- ruby
- CWE-209
- CWE-532
-
ruby_lang_path_using_user_input
Do not use user input to form file paths.
- ruby
- CWE-22
- CWE-73
-
ruby_lang_reflection_using_user_input
Use of reflection influenced by user input detected.
- ruby
- CWE-94
-
ruby_lang_regex_using_user_input
Regular expression built from user input detected.
- ruby
- CWE-1333
-
ruby_lang_ssl_verification
Missing SSL certificate verification detected.
- ruby
- CWE-295
-
ruby_lang_weak_encryption
Weak encryption library usage detected.
- ruby
- CWE-331
- CWE-326
-
ruby_lang_weak_encryption_with_data
Sensitive data encrypted with a weak encryption library detected.
- ruby
- CWE-326
- CWE-331
-
ruby_rails_default_encryption
Missing application-level encryption of sensitive data detected.
- ruby
- CWE-312
-
ruby_rails_http_verb_confusion
Potential for HTTP verb confusion detected.
- ruby
- CWE-650
-
ruby_rails_insecure_communication
Missing force SSL configuration for incoming communication detected.
- ruby
- CWE-319
-
ruby_rails_insecure_disabling_of_callback
Insecure disabling of callback detected.
- ruby
- CWE-284
-
ruby_rails_insecure_http_password
Insecure HTTP password detected.
- ruby
-
ruby_rails_insecure_smtp
Communication over an insecure SMTP connection detected.
- ruby
- CWE-319
-
ruby_rails_logger
Sensitive data sent to Rails loggers detected.
- ruby
- CWE-209
- CWE-532
-
ruby_rails_password_length
Password length (< 8) requirement is too short.
- ruby
- CWE-521
-
ruby_rails_permissive_regex_validation
Validation using permissive regular expression detected.
- ruby
- CWE-625
-
ruby_rails_redirect_to
Open redirect detected.
- ruby
- CWE-601
-
ruby_rails_render_using_user_input
Unsanitized user input detected in response.
- ruby
- CWE-79
-
ruby_rails_session
Sensitive data stored in a session cookie detected.
- ruby
- CWE-315
-
ruby_rails_session_key_using_user_input
User input detected in a session key.
- ruby
- CWE-276
-
ruby_third_parties_airbrake
Sensitive data sent to Airbrake detected.
- ruby
- CWE-201
-
ruby_third_parties_algolia
Sensitive data sent to Algolia detected.
- ruby
- CWE-201
-
ruby_third_parties_bigquery
Sensitive data sent to BigQuery detected.
- ruby
- CWE-201
-
ruby_third_parties_bugsnag
Sensitive data sent to Bugsnag detected.
- ruby
- CWE-201
-
ruby_third_parties_clickhouse
Sensitive data sent to ClickHouse detected.
- ruby
- CWE-201
-
ruby_third_parties_datadog
Sensitive data sent to Datadog detected.
- ruby
- CWE-201
-
ruby_third_parties_elasticsearch
Sensitive data sent to Elasticsearch detected.
- ruby
- CWE-201
-
ruby_third_parties_google_analytics
Sensitive data sent to Google Analytics detected.
- ruby
- CWE-201
-
ruby_third_parties_google_dataflow
Sensitive data sent to Google Dataflow detected.
- ruby
- CWE-201
-
ruby_third_parties_honeybadger
Sensitive data sent to Honeybadger detected.
- ruby
- CWE-201
-
ruby_third_parties_new_relic
Sensitive data sent to New Relic detected.
- ruby
- CWE-201
-
ruby_third_parties_open_telemetry
Sensitive data sent to Open Telemetry detected.
- ruby
- CWE-201
-
ruby_third_parties_rollbar
Sensitive data sent to Rollbar detected.
- ruby
- CWE-201
-
ruby_third_parties_scout_apm
Sensitive data sent to Scout APM detected.
- ruby
- CWE-201
-
ruby_third_parties_segment
Sensitive data sent to Segment detected.
- ruby
- CWE-201
-
ruby_third_parties_sentry
Sensitive data sent to Sentry detected.
- ruby
- CWE-201