Reference

Rules

Rules are ways to detect security risks and vulnerabilities across your codebase and enforce best practices. Bearer's summary report allows you to quickly identify rule violations in your code.

Bearer's built-in rules aim to keep you protected from the most cirtical security risks and vulnerabilities of web applcations and include corresponding Common Weakness Enumeration (CWE) and OWASP links to help you identify them.

express_default_cookie_config

Cookie with default config detected.
- javascript
- CWE-523
- CWE-522
express_default_session_config

Session cookie with default config detected.
- javascript
- CWE-523
- CWE-522
express_insecure_cookie

Missing secure options for cookie detected.
- javascript
- CWE-1004
- CWE-614
javascript_aws_lambda_code_injection

Code injection detected.
- javascript
- CWE-94
- CWE-95
javascript_aws_lambda_os_command_injection

OS command injection vulnerability detected.
- javascript
- CWE-78
javascript_aws_lambda_query_injection

Raw user input in data store query detected.
- javascript
- CWE-89
javascript_aws_lambda_sql_injection

SQL injection vulnerability detected.
- javascript
- CWE-89
javascript_dangerous_insert_html

Dangerous dynamic HTML insert detected.
- javascript
- CWE-79
javascript_dom_purify

Unsecure use of DOMPurify detected.
- javascript
- CWE-79
javascript_elasticsearch

Sensitive data sent to ElasticSearch detected.
- javascript
- CWE-201
javascript_express_cross_site_scripting

Cross-site scripting (XSS) vulnerability detected.
- javascript
- CWE-79
javascript_express_eval_user_input

Dangerous use of eval with user input detected
- javascript
- CWE-94
- CWE-95
javascript_express_exposed_dir_listing

Missing access restriction to directory listing detected.
- javascript
- CWE-548
javascript_express_external_file_upload

External control of filename or path detected.
- javascript
- CWE-73
javascript_express_external_resource

Rendering of resources resolved from external name or reference detected.
- javascript
- CWE-706
javascript_express_hardcoded_secret

Hard-coded secret detected.
- javascript
- CWE-798
javascript_express_helmet_missing

Security misconfiguration detected.
- javascript
- CWE-693
javascript_express_https_protocol_missing

Missing https protocol detected.
- javascript
- CWE-693
javascript_express_insecure_allow_origin

Insecure Access-Control-Allow-Origin detected.
- javascript
- CWE-346
javascript_express_insecure_template_rendering

Insecure template rendering detected.
- javascript
- CWE-1336
javascript_express_jwt_not_revoked

Unrevoked JWT detected.
- javascript
- CWE-525
javascript_express_open_redirect

Open redirect detected.
- javascript
- CWE-601
javascript_express_path_traversal

Possible path traversal vulnerability detected.
- javascript
- CWE-22
javascript_express_reduce_fingerprint

Security misconfiguration detected.
- javascript
- CWE-693
javascript_express_server_side_request_forgery

Risk of server-side request forgery detected.
- javascript
- CWE-918
javascript_express_sql_injection

SQL injection vulnerability detected.
- javascript
- CWE-89
javascript_express_static_asset_with_session

Static asset with active session detected.
- javascript
- CWE-352
- CWE-668
javascript_express_ui_redress

User Interface (UI) redress vulnerability (clickjacking) detected.
- javascript
- CWE-1021
javascript_express_unsafe_deserialization

Deserialization of untrusted data detected.
- javascript
- CWE-502
javascript_express_xxe_vulnerability

XML External Entity vulnerability detected.
- javascript
- CWE-611
javascript_google_analytics

Sensitive data sent to Google Analytic detected.
- javascript
- CWE-201
javascript_google_tag_manager

Sensitive data sent to Google Tag Manager detected.
- javascript
- CWE-201
javascript_hardcoded_secret

Hardcoded secret detected
- javascript
- CWE-798
javascript_honeybadger

Sensitive data sent to Honeybadger detected.
- javascript
- CWE-201
javascript_http_insecure

Connection with an unsecure HTTP communication detected.
- javascript
- CWE-319
javascript_jwt

Sensitive data in a JWT detected.
- javascript
- CWE-312
javascript_jwt_hardcoded_secret

Hardcoded jwt secret deteted
- javascript
- CWE-798
javascript_jwt_weak_encryption

Weak jwt encryption deceted
- javascript
- CWE-327
javascript_lang_exception

Sensitive data in a exception message detected.
- javascript
- CWE-210
javascript_lang_file_generation

Sensitive data detected as part of a dynamic file generation.
- javascript
- CWE-313
javascript_lang_logger

Sensitive data in a logger message detected.
- javascript
- CWE-1295
- CWE-532
javascript_lang_open_redirect

Open redirect detected.
- javascript
- CWE-601
javascript_react_dangerously_set_inner_html

React's dangerously set inner HTML detected.
- javascript
- CWE-79
javascript_react_google_analytics

Sensitive data sent to Google Analytics detected.
- javascript
- CWE-201
javascript_rollbar

Sensitive data sent to Rollbar detected.
- javascript
- CWE-201
javascript_session

Sensitive data stored in HTML local storage detected.
- javascript
- CWE-312
javascript_third_parties_airbrake

Sensitive data sent to Airbrake detected.
- javascript
- CWE-201
javascript_third_parties_algolia

Sensitive data sent to Algolia detected.
- javascript
- CWE-201
javascript_third_parties_bugsnag

Sensitive data sent to Bugsnag detected.
- javascript
- CWE-201
javascript_third_parties_datadog

Sensitive data sent to Datadog detected.
- javascript
- CWE-201
javascript_third_parties_datadog_browser

Sensitive data sent to Datadog detected.
- javascript
- CWE-201
javascript_third_parties_new_relic

Sensitive data sent to New Relic detected.
- javascript
- CWE-201
javascript_third_parties_open_telemetry

Sensitive data sent to Open Telemetry detected.
- javascript
- CWE-201
javascript_third_parties_passport_hardcoded_secret

Hardcoded passport secret detected
- javascript
- CWE-798
javascript_third_parties_segment

Sensitive data sent to Segment detected.
- javascript
- CWE-201
javascript_third_parties_sentry

Sensitive data sent to Sentry detected.
- javascript
- CWE-201
javascript_weak_encryption

Weak encryption library usage detected.
- javascript
- CWE-327
javascript_weak_password_encryption

Weak encryption library usage detected.
- javascript
- CWE-327
- CWE-916
ruby_lang_cookies

Sensitive data stored in a cookie detected.
- ruby
- CWE-315
- CWE-539
ruby_lang_deserialization_of_user_input

User input detected in an unsafe deserialization method.
- ruby
- CWE-502
ruby_lang_eval_using_user_input

Potential command injection with user input detected.
- ruby
- CWE-94
- CWE-95
ruby_lang_exception

Sensitive data in a exception message detected.
- ruby
- CWE-210
ruby_lang_exec_using_user_input

Execution of OS command formed with user input detected.
- ruby
- CWE-78
ruby_lang_file_generation

Sensitive data detected as part of a dynamic file generation.
- ruby
- CWE-532
- CWE-313
ruby_lang_ftp_using_user_input

Do not use user input with FTP.
- ruby
- CWE-22
ruby_lang_hardcoded_secret

Hard-coded secret detected.
- ruby
- CWE-798
ruby_lang_http_get_params

Sensitive data communicated through GET parameters detected.
- ruby
- CWE-598
ruby_lang_http_insecure

Connection through an unsecure HTTP communication detected.
- ruby
- CWE-319
ruby_lang_http_post_insecure_with_data

Sensitive data sent through an unsecure HTTP communication detected.
- ruby
- CWE-319
ruby_lang_http_url_using_user_input

HTTP communication with user-controlled destination detected.
- ruby
- CWE-918
ruby_lang_insecure_ftp

Communication with an unsecure FTP server detected.
- ruby
- CWE-319
ruby_lang_jwt

Sensitive data in a JWT detected.
- ruby
- CWE-315
ruby_lang_logger

Sensitive data in a logger message detected.
- ruby
- CWE-209
- CWE-532
ruby_lang_path_using_user_input

Do not use user input to form file paths.
- ruby
- CWE-22
- CWE-73
ruby_lang_reflection_using_user_input

Use of reflection influenced by user input detected.
- ruby
- CWE-94
ruby_lang_regex_using_user_input

Regular expression built from user input detected.
- ruby
- CWE-1333
ruby_lang_ssl_verification

Missing SSL certificate verification detected.
- ruby
- CWE-295
ruby_lang_weak_encryption

Weak encryption library usage detected.
- ruby
- CWE-331
- CWE-326
ruby_lang_weak_encryption_with_data

Sensitive data encrypted with a weak encryption library detected.
- ruby
- CWE-326
- CWE-331
ruby_rails_default_encryption

Missing application-level encryption of sensitive data detected.
- ruby
- CWE-312
ruby_rails_http_verb_confusion

Potential for HTTP verb confusion detected.
- ruby
- CWE-650
ruby_rails_insecure_communication

Missing force SSL configuration for incoming communication detected.
- ruby
- CWE-319
ruby_rails_insecure_disabling_of_callback

Insecure disabling of callback detected.
- ruby
- CWE-284
ruby_rails_insecure_http_password

Insecure HTTP Password.
- ruby
ruby_rails_insecure_smtp

Communication with an unsecure SMTP connection detected.
- ruby
- CWE-319
ruby_rails_logger

Sensitive data sent to Rails loggers detected.
- ruby
- CWE-209
- CWE-532
ruby_rails_password_length

Password length (< 8) requirement is too short.
- ruby
- CWE-521
ruby_rails_permissive_regex_validation

Validation using permissive regular expression detected.
- ruby
- CWE-625
ruby_rails_redirect_to

Open redirect detected
- ruby
- CWE-601
ruby_rails_render_using_user_input

Unsanitized user input detected in response.
- ruby
- CWE-79
ruby_rails_session

Sensitive data stored in a session cookie detected.
- ruby
- CWE-315
ruby_rails_session_key_using_user_input

User input detected in a session key.
- ruby
- CWE-276
ruby_third_parties_airbrake

Sensitive data sent to Airbrake detected.
- ruby
- CWE-201
ruby_third_parties_algolia

Sensitive data sent to Algolia detected.
- ruby
- CWE-201
ruby_third_parties_bigquery

Sensitive data sent to BigQuery detected.
- ruby
- CWE-201
ruby_third_parties_bugsnag

Sensitive data sent to Bugsnag detected.
- ruby
- CWE-201
ruby_third_parties_clickhouse

Sensitive data sent to ClickHouse detected.
- ruby
- CWE-201
ruby_third_parties_datadog

Sensitive data sent to Datadog detected.
- ruby
- CWE-201
ruby_third_parties_elasticsearch

Sensitive data sent to Elasticsearch detected.
- ruby
- CWE-201
ruby_third_parties_google_analytics

Sensitive data sent to Google Analytics detected.
- ruby
- CWE-201
ruby_third_parties_google_dataflow

Sensitive data sent to Google Dataflow detected.
- ruby
- CWE-201
ruby_third_parties_honeybadger

Sensitive data sent to Honeybadger detected.
- ruby
- CWE-201
ruby_third_parties_new_relic

Sensitive data sent to New Relic detected.
- ruby
- CWE-201
ruby_third_parties_open_telemetry

Sensitive data sent to Open Telemetry detected.
- ruby
- CWE-201
ruby_third_parties_rollbar

Sensitive data sent to Rollbar detected.
- ruby
- CWE-201
ruby_third_parties_scout_apm

Sensitive data sent to Scout APM detected.
- ruby
- CWE-201
ruby_third_parties_segment

Sensitive data sent to Segment detected..
- ruby
- CWE-201
ruby_third_parties_sentry

Sensitive data sent to Sentry detected.
- ruby
- CWE-201

Rules

express_default_cookie_config

express_default_session_config

express_insecure_cookie

javascript_aws_lambda_code_injection

javascript_aws_lambda_os_command_injection

javascript_aws_lambda_query_injection

javascript_aws_lambda_sql_injection

javascript_dangerous_insert_html

javascript_dom_purify

javascript_elasticsearch

javascript_express_cross_site_scripting

javascript_express_eval_user_input

javascript_express_exposed_dir_listing

javascript_express_external_file_upload

javascript_express_external_resource

javascript_express_hardcoded_secret

javascript_express_helmet_missing

javascript_express_https_protocol_missing

javascript_express_insecure_allow_origin

javascript_express_insecure_template_rendering

javascript_express_jwt_not_revoked

javascript_express_open_redirect

javascript_express_path_traversal

javascript_express_reduce_fingerprint

javascript_express_server_side_request_forgery

javascript_express_sql_injection

javascript_express_static_asset_with_session

javascript_express_ui_redress

javascript_express_unsafe_deserialization

javascript_express_xxe_vulnerability

javascript_google_analytics

javascript_google_tag_manager

javascript_hardcoded_secret

javascript_honeybadger

javascript_http_insecure

javascript_jwt

javascript_jwt_hardcoded_secret

javascript_jwt_weak_encryption

javascript_lang_exception

javascript_lang_file_generation

javascript_lang_logger

javascript_lang_open_redirect

javascript_react_dangerously_set_inner_html

javascript_react_google_analytics

javascript_rollbar

javascript_session

javascript_third_parties_airbrake

javascript_third_parties_algolia

javascript_third_parties_bugsnag

javascript_third_parties_datadog

javascript_third_parties_datadog_browser

javascript_third_parties_new_relic

javascript_third_parties_open_telemetry

javascript_third_parties_passport_hardcoded_secret

javascript_third_parties_segment

javascript_third_parties_sentry

javascript_weak_encryption

javascript_weak_password_encryption

ruby_lang_cookies

ruby_lang_deserialization_of_user_input

ruby_lang_eval_using_user_input

ruby_lang_exception

ruby_lang_exec_using_user_input

ruby_lang_file_generation

ruby_lang_ftp_using_user_input

ruby_lang_hardcoded_secret

ruby_lang_http_get_params

ruby_lang_http_insecure

ruby_lang_http_post_insecure_with_data

ruby_lang_http_url_using_user_input

ruby_lang_insecure_ftp

ruby_lang_jwt

ruby_lang_logger

ruby_lang_path_using_user_input

ruby_lang_reflection_using_user_input

ruby_lang_regex_using_user_input

ruby_lang_ssl_verification

ruby_lang_weak_encryption

ruby_lang_weak_encryption_with_data