Reference

Rules

Rules are ways to detect security risks and vulnerabilities across your codebase and enforce best practices. Bearer CLI's security report allows you to quickly identify rule violations in your code.

The built-in rules aim to keep you protected from the most critical security risks and vulnerabilities of web applications and include corresponding Common Weakness Enumeration (CWE) and OWASP links to help you identify them.

Don't find a rule you are looking for? You can develop a custom rule that allow you to add specific requirements to suit your organization's needs.

Search (285 results)

go_gorilla_insecure_cookie

Missing secure options for cookie detected.
- GO
- CWE-1004
- CWE-614
- A05:2021
go_gosec_blocklist_cgi

Use of a Broken or Risky Cryptographic Algorithm
- GO
- CWE-327
- A02:2021
go_gosec_blocklist_des

Use of a Broken or Risky Cryptographic Algorithm
- GO
- CWE-327
- A02:2021
go_gosec_blocklist_md5

Use of a Broken or Risky Cryptographic Algorithm
- GO
- CWE-327
- A02:2021
go_gosec_blocklist_rc4

Use of a Broken or Risky Cryptographic Algorithm
- GO
- CWE-327
- A02:2021
go_gosec_blocklist_sha1

Use of a Broken or Risky Cryptographic Algorithm
- GO
- CWE-327
- A02:2021
go_gosec_crypto_bad_tls_settings

Use of a broken or risky cryptographic algorithm
- GO
- CWE-327
- A02:2021
go_gosec_crypto_insecure_ignore_host_key

Key exchange without entity authentication
- GO
- CWE-322
- A02:2021
go_gosec_crypto_weak_crypto

Use of a Broken or Risky Cryptographic Algorithm
- GO
- CWE-327
- A02:2021
go_gosec_crypto_weak_key_strength

Inadequate encryption strength
- GO
- CWE-326
- A02:2021
go_gosec_crypto_weak_random

Use of cryptographically weak Pseudo-Random Number Generator (PRNG)
- GO
- CWE-338
- A02:2021
go_gosec_crypto_weak_tls_version

Use of deprecated TLS version
- GO
- CWE-310
go_gosec_file_permissions_file_perm

Incorrect permission assignment for critical resource
- GO
- CWE-732
go_gosec_file_permissions_mkdir

Incorrect permission assignment for critical resource
- GO
- CWE-732
go_gosec_filesystem_decompression_bomb

Use of a Broken or Risky Cryptographic Algorithm
- GO
- CWE-327
- A02:2021
go_gosec_filesystem_dirtraversal

Relative path traversal
- GO
- CWE-327
- A02:2021
go_gosec_filesystem_filereadtaint

Improper limitation of a pathname to a restricted directory ('Path Traversal')
- GO
- CWE-327
- A02:2021
go_gosec_filesystem_poor_write_permissions

Incorrect default permissions
- GO
- CWE-276
- A01:2021
go_gosec_filesystem_tempfile

Incorrect default permissions
- GO
- CWE-378
go_gosec_filesystem_ziparchive

Improper limitation of a pathname to a restricted directory ('Path Traversal')
- GO
- CWE-22
- A01:2021
go_gosec_http_http_serve

Uncontrolled resource consumption
- GO
- CWE-400
go_gosec_http_http_slowloris

Uncontrolled resource consumption (Slowloris)
- GO
- CWE-400
go_gosec_injection_ssrf_injection

Server Side Request Forgery (SSRF)
- GO
- CWE-918
- A10:2021
go_gosec_injection_subproc_injection

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- GO
- CWE-95
- A03:2021
go_gosec_injection_template_injection

Improper neutralization of input during web page generation ('Cross-site Scripting')
- GO
- CWE-79
- A03:2021
go_gosec_leak_pprof_endpoint

Active debug code (pprof enabled)
- GO
- CWE-918
- A10:2021
go_gosec_memory_integer_overflow

Integer overflow or wraparound
- GO
- CWE-190
go_gosec_memory_math_big_rat

Integer Overflow or Wraparound
- GO
- CWE-190
go_gosec_memory_memory_aliasing

Incorrect access of indexable resource ('Range Error')
- GO
- CWE-118
go_gosec_network_bind_to_all_interfaces

Exposure of sensitive information to an unauthorized actor
- GO
- CWE-200
- A01:2021
go_gosec_secrets_secrets

Use of hard-coded password
- GO
- CWE-798
- A07:2021
go_gosec_sql_concat_sqli

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- GO
- CWE-89
- A03:2021
go_gosec_subproc_subproc

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- GO
- CWE-95
- A03:2021
go_gosec_unsafe_unsafe

Use of inherently dangerous function (unsafe package)
- GO
- CWE-242
go_lang_information_leakage

Possible information leakage detected.
- GO
- CWE-209
- A04:2021
go_lang_insecure_cookie

Missing secure options for cookie detected.
- GO
- CWE-1004
- CWE-614
- A05:2021
go_lang_logger

Sensitive data in a logger message detected.
- GO
- CWE-209
- CWE-532
- A04:2021
- A09:2021
go_lang_weak_hash_md5

Weak hashing library (MD5) detected.
- GO
- CWE-331
- CWE-328
- A02:2021
go_lang_weak_hash_sha1

Weak hashing library (SHA1) detected.
- GO
- CWE-331
- CWE-328
- A02:2021
go_lang_weak_password_encryption_md5

Weak password encryption algorithm (MD5) used for password detected.
- GO
- CWE-331
- CWE-328
- A02:2021
go_lang_weak_password_encryption_sha1

Weak password encryption algorithm (SHA1) used for password detected.
- GO
- CWE-331
- CWE-328
- A02:2021
go_lang_xml_external_entity_vulnerability

XML External Entity vulnerability detected.
- GO
- CWE-611
- A05:2021
java_lang_cookie_missing_http_only

Missing secure options for cookie detected.
- JAVA
- CWE-614
- A05:2021
java_lang_cookie_missing_secure

Missing secure options for cookie detected.
- JAVA
- CWE-614
- A05:2021
java_lang_file_permission_others

File permission open to 'other' detected.
- JAVA
- CWE-732
java_lang_hardcoded_database_password

Hardcoded database password detected
- JAVA
- CWE-259
- A07:2021
java_lang_http_response_splitting

HTTP response splitting vulnerability detected.
- JAVA
- CWE-79
- CWE-113
- A03:2021
java_lang_information_leakage

Possible information leakage detected.
- JAVA
- CWE-209
- A04:2021
java_lang_insecure_cookie

Missing secure options for cookie detected.
- JAVA
- CWE-614
- A05:2021
java_lang_insufficiently_random_values

Insufficiently random value detected.
- JAVA
- CWE-330
- A02:2021
java_lang_ldap_injection

LDAP injection threat detected
- JAVA
- CWE-90
- A03:2021
java_lang_log_injection

Log injection detected.
- JAVA
- CWE-117
- A09:2021
java_lang_logger

Sensitive data in a logger message detected.
- JAVA
- CWE-209
- CWE-532
- A04:2021
- A09:2021
java_lang_missing_database_authentication

Missing authentication for database detected
- JAVA
- CWE-306
- A07:2021
java_lang_missing_integrity_check

Missing support for integrity check detected.
- JAVA
- CWE-353
- A08:2021
java_lang_os_command_injection

Command injection vulnerability detected.
- JAVA
- CWE-78
- A03:2021
java_lang_padding_oracle_encryption_vulnerability

Padding Oracle encryption vulnerability detected.
- JAVA
- CWE-327
- A02:2021
java_lang_path_traversal

Possible path traversal vulnerability detected
- JAVA
- CWE-22
- A01:2021
java_lang_rsa_no_padding

RSA algorithm with no padding detected.
- JAVA
- CWE-327
- CWE-780
- A02:2021
java_lang_sqli

Unsanitized user input in SQL query detected.
- JAVA
- CWE-89
- A03:2021
java_lang_trust_boundary_violation

Trust boundary violation detected.
- JAVA
- CWE-501
- A04:2021
java_lang_weak_encryption_des

Weak encryption algorithm (DES) detected.
- JAVA
- CWE-326
- CWE-327
- A02:2021
java_lang_weak_hash_md5

Weak hashing library (MD5) detected
- JAVA
- CWE-327
- A02:2021
java_lang_weak_hash_sha1

Weak hashing library (SHA-1) detected
- JAVA
- CWE-327
- A02:2021
java_lang_weak_password_encryption_des

Weak encryption algorithm (DES) used for password detected.
- JAVA
- CWE-326
- CWE-327
- CWE-916
- A02:2021
java_lang_weak_password_hash_md5

Weak hashing library (MD5) detected
- JAVA
- CWE-327
- CWE-916
- A02:2021
java_lang_weak_password_hash_sha1

Weak hashing library (SHA-1) detected
- JAVA
- CWE-327
- CWE-916
- A02:2021
java_lang_xpath_injection

XPATH injection threat detected
- JAVA
- CWE-643
- A03:2021
java_lang_xss_response_writer

Possible cross site scripting threat detected.
- JAVA
- CWE-79
- A03:2021
java_spring_sqli

Unsanitized user input in SQL query detected.
- JAVA
- CWE-89
- A03:2021
javascript_express_cross_site_scripting

Cross-site scripting (XSS) vulnerability detected.
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_express_default_cookie_config

Cookie with default config detected.
- JAVASCRIPT
- CWE-523
- CWE-522
- A02:2021
- A04:2021
javascript_express_default_session_config

Session cookie with default config detected.
- JAVASCRIPT
- CWE-523
- CWE-522
- A02:2021
- A04:2021
javascript_express_exposed_dir_listing

Missing access restriction to directory listing detected.
- JAVASCRIPT
- CWE-548
- A01:2021
javascript_express_external_file_upload

External control of filename or path detected.
- JAVASCRIPT
- CWE-73
- A04:2021
javascript_express_external_resource

Rendering of resources resolved from external name or reference detected.
- JAVASCRIPT
- CWE-706
- A01:2021
javascript_express_hardcoded_secret

Hard-coded secret detected.
- JAVASCRIPT
- CWE-798
- A07:2021
javascript_express_helmet_missing

Security misconfiguration detected (Helmet missing).
- JAVASCRIPT
- CWE-693
javascript_express_https_protocol_missing

Missing https protocol detected.
- JAVASCRIPT
- CWE-693
javascript_express_insecure_allow_origin

Insecure Access-Control-Allow-Origin detected.
- JAVASCRIPT
- CWE-346
- A07:2021
javascript_express_insecure_cookie

Missing secure options for cookie detected.
- JAVASCRIPT
- CWE-1004
- CWE-614
- A05:2021
javascript_express_jwt_not_revoked

Unrevoked JWT detected.
- JAVASCRIPT
- CWE-525
- A04:2021
javascript_express_open_redirect

Open redirect detected.
- JAVASCRIPT
- CWE-601
- A01:2021
javascript_express_path_traversal

Possible path traversal vulnerability detected.
- JAVASCRIPT
- CWE-22
- A01:2021
javascript_express_reduce_fingerprint

Security misconfiguration detected (server fingerprinting).
- JAVASCRIPT
- CWE-693
javascript_express_server_side_request_forgery

Risk of server-side request forgery detected.
- JAVASCRIPT
- CWE-918
- A10:2021
javascript_express_static_asset_with_session

Static asset with active session detected.
- JAVASCRIPT
- CWE-352
- CWE-668
- A01:2021
javascript_express_ui_redress

User Interface (UI) redress vulnerability (clickjacking) detected.
- JAVASCRIPT
- CWE-1021
- A04:2021
javascript_express_unsafe_deserialization

Deserialization of untrusted data detected.
- JAVASCRIPT
- CWE-502
- A08:2021
javascript_express_xml_external_entity_vulnerability

XML External Entity vulnerability detected.
- JAVASCRIPT
- CWE-611
- A05:2021
javascript_lang_dangerous_insert_html

Dangerous dynamic HTML insert detected.
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_lang_eval_user_input

Dangerous use of eval with user input detected
- JAVASCRIPT
- CWE-94
- CWE-95
- A03:2021
javascript_lang_exception

Sensitive data in a exception message detected.
- JAVASCRIPT
- CWE-210
javascript_lang_file_generation

Sensitive data detected as part of a dynamic file generation.
- JAVASCRIPT
- CWE-313
- A04:2021
javascript_lang_format_string_using_user_input

User input in format string detected.
- JAVASCRIPT
- CWE-134
javascript_lang_hardcoded_secret

Hardcoded secret detected
- JAVASCRIPT
- CWE-798
- A07:2021
javascript_lang_http_insecure

Connection with an insecure HTTP communication detected.
- JAVASCRIPT
- CWE-319
- A02:2021
javascript_lang_http_url_using_user_input

HTTP communication with user-controlled destination detected.
- JAVASCRIPT
- CWE-918
- A10:2021
javascript_lang_import_using_user_input

Loading of resource resolved from external name detected.
- JAVASCRIPT
- CWE-22
- CWE-95
- A01:2021
- A03:2021
javascript_lang_jwt

Sensitive data in a JWT detected.
- JAVASCRIPT
- CWE-312
- A04:2021
javascript_lang_jwt_hardcoded_secret

Hardcoded JWT secret detected
- JAVASCRIPT
- CWE-798
- A07:2021
javascript_lang_jwt_weak_encryption

Weak JWT encryption detected
- JAVASCRIPT
- CWE-327
- A02:2021
javascript_lang_logger

Sensitive data in a logger message detected.
- JAVASCRIPT
- CWE-1295
- CWE-532
- A09:2021
javascript_lang_manual_html_sanitization

Manual HTML sanitization detected.
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_lang_message_handler_origin

Unchecked origin in message handler detected.
- JAVASCRIPT
- CWE-346
- A07:2021
javascript_lang_open_redirect

Open redirect detected.
- JAVASCRIPT
- CWE-601
- A01:2021
javascript_lang_os_command_injection

OS command injection vulnerability detected.
- JAVASCRIPT
- CWE-78
- A03:2021
javascript_lang_post_message_origin

Permissive origin in postMessage detected.
- JAVASCRIPT
- CWE-923
javascript_lang_raw_html_using_user_input

Unsanitized user input detected in raw HTML string.
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_lang_regex_using_user_input

Regular expression built from user input detected.
- JAVASCRIPT
- CWE-1333
javascript_lang_session

Sensitive data stored in HTML local storage detected.
- JAVASCRIPT
- CWE-312
- A04:2021
javascript_lang_sql_injection

SQL injection vulnerability detected.
- JAVASCRIPT
- CWE-89
- A03:2021
javascript_lang_weak_encryption_des

Weak encryption algorithm (DES) detected.
- JAVASCRIPT
- CWE-327
- A02:2021
javascript_lang_weak_encryption_rc4

Weak encryption algorithm (RC4) detected.
- JAVASCRIPT
- CWE-327
- A02:2021
javascript_lang_weak_hash_md5

Weak hashing library (MD5) detected.
- JAVASCRIPT
- CWE-327
- CWE-328
- A02:2021
javascript_lang_weak_hash_sha1

Weak hashing library (SHA1) detected.
- JAVASCRIPT
- CWE-327
- CWE-328
- A02:2021
javascript_lang_weak_password_encryption_des

Weak encryption algorithm (DES) used for password detected.
- JAVASCRIPT
- CWE-327
- A02:2021
javascript_lang_weak_password_encryption_rc4

Weak encryption algorithm (RC4) used for password detected.
- JAVASCRIPT
- CWE-327
- A02:2021
javascript_lang_weak_password_hash_argon2

Insecure Argon2 type used for password hashing.
- JAVASCRIPT
- CWE-327
- CWE-916
- A02:2021
javascript_lang_weak_password_hash_md5

Weak hashing library (MD5) used for password detected.
- JAVASCRIPT
- CWE-327
- CWE-328
- A02:2021
javascript_lang_weak_password_hash_sha1

Weak hashing library (SHA1) used for password detected.
- JAVASCRIPT
- CWE-327
- CWE-328
- A02:2021
javascript_lang_websocket_insecure

Insecure websocket communication detected.
- JAVASCRIPT
- CWE-319
- A02:2021
javascript_react_dangerously_set_inner_html

React's dangerously set inner HTML detected.
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_react_google_analytics

Sensitive data sent to Google Analytics detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_airbrake

Sensitive data sent to Airbrake detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_algolia

Sensitive data sent to Algolia detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_bugsnag

Sensitive data sent to Bugsnag detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_datadog

Sensitive data sent to Datadog detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_datadog_browser

Sensitive data sent to Datadog detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_dom_purify

Insecure use of DOMPurify detected.
- JAVASCRIPT
- CWE-79
- A03:2021
javascript_third_parties_dynamodb_query_injection

Raw user input in data store query detected.
- JAVASCRIPT
- CWE-89
- A03:2021
javascript_third_parties_elasticsearch

Sensitive data sent to ElasticSearch detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_google_analytics

Sensitive data sent to Google Analytic detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_google_tag_manager

Sensitive data sent to Google Tag Manager detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_honeybadger

Sensitive data sent to Honeybadger detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_new_relic

Sensitive data sent to New Relic detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_open_telemetry

Sensitive data sent to Open Telemetry detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_openai

Sensitive data sent to OpenAI detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_passport_hardcoded_secret

Hardcoded passport secret detected
- JAVASCRIPT
- CWE-798
- A07:2021
javascript_third_parties_rollbar

Sensitive data sent to Rollbar detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_segment

Sensitive data sent to Segment detected.
- JAVASCRIPT
- CWE-201
- A01:2021
javascript_third_parties_sentry

Sensitive data sent to Sentry detected.
- JAVASCRIPT
- CWE-201
- A01:2021
php_lang_cbc_predictable_iv

Predictable initialization vector detected.
- PHP
- CWE-329
- A02:2021
php_lang_cookies

Sensitive data stored in a cookie detected.
- PHP
- CWE-315
- CWE-539
- A04:2021
- A05:2021
php_lang_deserialization_of_user_input

User input detected in an unsafe deserialization method.
- PHP
- CWE-502
- A08:2021
php_lang_eval_using_user_input

Potential command injection with user input detected.
- PHP
- CWE-94
- CWE-95
- A03:2021
php_lang_exception

Sensitive data in a exception message detected.
- PHP
- CWE-210
php_lang_exec_using_user_input

Execution of OS command formed with user input detected.
- PHP
- CWE-78
- A03:2021
php_lang_file_generation

Sensitive data detected as part of a dynamic file generation.
- PHP
- CWE-532
- CWE-313
- A04:2021
- A09:2021
php_lang_format_string_using_user_input

User input in format string detected.
- PHP
- CWE-134
php_lang_ftp_using_user_input

Do not use user input with FTP.
- PHP
- CWE-22
- A01:2021
php_lang_hardcoded_secret

Hard-coded secret detected.
- PHP
- CWE-798
- A07:2021
php_lang_http_insecure

Communication through an insecure HTTP connection detected.
- PHP
- CWE-319
- A02:2021
php_lang_http_url_using_sensitive_data

Sensitive data detected in HTTP URL.
- PHP
- CWE-598
- A04:2021
php_lang_http_url_using_user_input

HTTP communication with user-controlled destination detected.
- PHP
- CWE-918
- A10:2021
php_lang_information_leakage

Possible information leakage detected.
- PHP
- CWE-209
- A04:2021
php_lang_insecure_allow_origin

Insecure Access-Control-Allow-Origin detected.
- PHP
- CWE-346
- A07:2021
php_lang_insecure_cookie

Missing secure options for cookie detected.
- PHP
- CWE-1004
- CWE-614
- A05:2021
php_lang_insecure_ftp

Communication with an insecure FTP server detected.
- PHP
- CWE-319
- A02:2021
php_lang_jwt

Sensitive data in a JWT detected.
- PHP
- CWE-315
- A05:2021
php_lang_logger

Sensitive data in a logger message detected.
- PHP
- CWE-209
- CWE-532
- A04:2021
- A09:2021
php_lang_manual_html_sanitization

Manual HTML sanitization detected.
- PHP
- CWE-79
- A03:2021
php_lang_open_redirect

Open redirect detected.
- PHP
- CWE-601
- A01:2021
php_lang_path_using_user_input

Do not use user input to form file paths.
- PHP
- CWE-22
- CWE-73
- A01:2021
- A04:2021
php_lang_permissive_allow_origin

Permissive Access-Control-Allow-Origin detected.
- PHP
- CWE-346
- A07:2021
php_lang_phpinfo

Exposure of Sensitive Information to an Unauthorized Actor.
- PHP
- CWE-200
- A01:2021
php_lang_raw_html_using_user_input

Unsanitized user input detected in raw HTML string.
- PHP
- CWE-79
- A03:2021
php_lang_raw_output_using_user_input

Unsanitized user input detected in echo.
- PHP
- CWE-79
- A03:2021
php_lang_reflection_using_user_input

Use of reflection influenced by user input detected.
- PHP
- CWE-94
- A03:2021
php_lang_regex_using_user_input

Regular expression built from user input detected.
- PHP
- CWE-1333
php_lang_session_key_using_user_input

User input detected in a session key.
- PHP
- CWE-276
- A01:2021
php_lang_sql_injection

Potential SQL injection with user input detected.
- PHP
- CWE-89
- A03:2021
php_lang_ssl_verification

Missing SSL certificate verification detected.
- PHP
- CWE-295
- A07:2021
php_lang_ui_redress

User Interface (UI) redress vulnerability (clickjacking) detected.
- PHP
- CWE-1021
- A04:2021
php_lang_weak_hash_md

Weak hashing library (MDx) detected
- PHP
- CWE-327
- A02:2021
php_lang_weak_hash_sha1

Weak hashing library (SHA-1) detected
- PHP
- CWE-327
- A02:2021
php_lang_weak_password_hash_md

Weak hashing library (MDx) detected
- PHP
- CWE-327
- CWE-916
- A02:2021
php_lang_weak_password_hash_sha1

Weak hashing library (SHA-1) detected
- PHP
- CWE-327
- CWE-916
- A02:2021
php_lang_websocket_insecure

Insecure websocket communication detected.
- PHP
- CWE-319
- A02:2021
php_lang_xml_external_entity_vulnerability

XML External Entity vulnerability detected.
- PHP
- CWE-611
- A05:2021
php_lang_xpath_injection

XPath injection threat detected
- PHP
- CWE-643
- A03:2021
php_symfony_cookies

Sensitive data stored in a cookie detected.
- PHP
- CWE-315
- CWE-539
- A04:2021
- A05:2021
php_symfony_csrf_protection_disabled

Insecure Cross-Site Request Forgery (CSRF) configuration detected.
- PHP
- CWE-352
- A01:2021
php_symfony_insecure_allow_origin

Insecure Access-Control-Allow-Origin detected.
- PHP
- CWE-346
- A07:2021
php_symfony_insecure_cookie

Insecure options for cookie detected.
- PHP
- CWE-1004
- CWE-614
- A05:2021
php_symfony_insecure_smtp

Communication with an insecure SMTP connection detected.
- PHP
- CWE-319
- A02:2021
php_symfony_open_redirect

Open redirect detected.
- PHP
- CWE-601
- A01:2021
php_symfony_permissive_allow_origin

Permissive Access-Control-Allow-Origin detected.
- PHP
- CWE-346
- A07:2021
php_symfony_permissive_regex_validation

Validation using permissive regular expression detected.
- PHP
- CWE-625
php_symfony_session_key_using_user_input

User input detected in a session key.
- PHP
- CWE-276
- A01:2021
php_symfony_sql_injection

Potential SQL injection with user input detected.
- PHP
- CWE-89
- A03:2021
php_symfony_ui_redress

User Interface (UI) redress vulnerability (clickjacking) detected.
- PHP
- CWE-1021
- A04:2021
php_third_parties_airbrake

Sensitive data sent to Airbrake detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_algolia

Sensitive data sent to Algolia detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_bigquery

Sensitive data sent to BigQuery detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_bugsnag

Sensitive data sent to Bugsnag detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_clickhouse

Sensitive data sent to ClickHouse detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_datadog

Sensitive data sent to Datadog detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_elasticsearch

Sensitive data sent to Elasticsearch detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_honeybadger

Sensitive data sent to Honeybadger detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_logger

Sensitive data in a logger message detected.
- PHP
- CWE-209
- CWE-532
- A04:2021
- A09:2021
php_third_parties_new_relic

Sensitive data sent to New Relic detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_open_telemetry

Sensitive data sent to Open Telemetry detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_rollbar

Sensitive data sent to Rollbar detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_scout_apm

Sensitive data sent to Scout APM detected.
- PHP
- CWE-201
- A01:2021
php_third_parties_segment

Sensitive data sent to Segment detected..
- PHP
- CWE-201
- A01:2021
php_third_parties_sentry

Sensitive data sent to Sentry detected.
- PHP
- CWE-201
- A01:2021
python_lang_logger

Sensitive data in a logger message detected.
- PYTHON
- CWE-209
- CWE-532
- A04:2021
- A09:2021
python_lang_weak_hash_md5

Weak hashing library (MD5) detected.
- PYTHON
- CWE-331
- CWE-328
- A02:2021
python_lang_weak_hash_sha1

Weak hashing library (SHA1) detected.
- PYTHON
- CWE-331
- CWE-328
- A02:2021
python_lang_weak_password_encryption_md5

Weak encryption algorithm (MD5) used for password detected.
- PYTHON
- CWE-331
- CWE-328
- A02:2021
python_lang_weak_password_encryption_sha1

Weak encryption algorithm (SHA1) used for password detected.
- PYTHON
- CWE-331
- CWE-328
- A02:2021
ruby_lang_cookies

Sensitive data stored in a cookie detected.
- RUBY
- CWE-315
- CWE-539
- A04:2021
- A05:2021
ruby_lang_deserialization_of_user_input

User input detected in an unsafe deserialization method.
- RUBY
- CWE-502
- A08:2021
ruby_lang_eval_linter

Use of eval detected.
- RUBY
- CWE-94
- A03:2021
ruby_lang_eval_using_user_input

Potential command injection with user input detected.
- RUBY
- CWE-94
- CWE-95
- A03:2021
ruby_lang_exception

Sensitive data in a exception message detected.
- RUBY
- CWE-210
ruby_lang_exec_using_user_input

Execution of OS command formed with user input detected.
- RUBY
- CWE-78
- A03:2021
ruby_lang_file_generation

Sensitive data detected as part of a dynamic file generation.
- RUBY
- CWE-532
- CWE-313
- A04:2021
- A09:2021
ruby_lang_format_string_using_user_input

User input in format string detected.
- RUBY
- CWE-134
ruby_lang_ftp_using_user_input

Do not use user input with FTP.
- RUBY
- CWE-22
- A01:2021
ruby_lang_hardcoded_secret

Hard-coded secret detected.
- RUBY
- CWE-798
- A07:2021
ruby_lang_http_get_params

Sensitive data communicated through GET parameters detected.
- RUBY
- CWE-598
- A04:2021
ruby_lang_http_insecure

Communication through an insecure HTTP connection detected.
- RUBY
- CWE-319
- A02:2021
ruby_lang_http_url_using_user_input

HTTP communication with user-controlled destination detected.
- RUBY
- CWE-918
- A10:2021
ruby_lang_insecure_ftp

Communication with an insecure FTP server detected.
- RUBY
- CWE-319
- A02:2021
ruby_lang_jwt

Sensitive data in a JWT detected.
- RUBY
- CWE-315
- A05:2021
ruby_lang_logger

Sensitive data in a logger message detected.
- RUBY
- CWE-209
- CWE-532
- A04:2021
- A09:2021
ruby_lang_manual_html_sanitization

Manual HTML sanitization detected.
- RUBY
- CWE-79
- A03:2021
ruby_lang_path_using_user_input

Unsanitized user input detected in file path.
- RUBY
- CWE-22
- CWE-73
- A01:2021
- A04:2021
ruby_lang_raw_html_using_user_input

Unsanitized user input detected in raw HTML string.
- RUBY
- CWE-79
- A03:2021
ruby_lang_reflection_using_user_input

Use of reflection influenced by user input detected.
- RUBY
- CWE-94
- A03:2021
ruby_lang_regex_using_user_input

Regular expression built from user input detected.
- RUBY
- CWE-1333
ruby_lang_ssl_verification

Missing SSL certificate verification detected.
- RUBY
- CWE-295
- A07:2021
ruby_lang_weak_encryption_blowfish

Weak encryption library (Blowfish) detected.
- RUBY
- CWE-331
- CWE-326
- A02:2021
ruby_lang_weak_encryption_dsa

Weak encryption algorithm (DSA) detected.
- RUBY
- CWE-331
- CWE-326
- A02:2021
ruby_lang_weak_encryption_rc4

Weak encryption algorithm (RC4) detected.
- RUBY
- CWE-331
- CWE-326
- A02:2021
ruby_lang_weak_encryption_rsa

Weak encryption algorithm (RSA) detected.
- RUBY
- CWE-331
- CWE-326
- A02:2021
ruby_lang_weak_hash_dss

Weak hashing library (DSS) detected.
- RUBY
- CWE-331
- CWE-328
- A02:2021
ruby_lang_weak_hash_md

Weak hashing library (MD5) detected.
- RUBY
- CWE-331
- CWE-328
- A02:2021
ruby_lang_weak_hash_sha

Weak hashing library (SHA) detected.
- RUBY
- CWE-331
- CWE-328
- A02:2021
ruby_lang_weak_password_encryption_blowfish

Weak encryption (Blowfish) of a password detected.
- RUBY
- CWE-331
- CWE-326
- CWE-916
- A02:2021
ruby_lang_weak_password_encryption_dsa

Weak encryption algorithm (DSA) detected.
- RUBY
- CWE-331
- CWE-326
- CWE-916
- A02:2021
ruby_lang_weak_password_encryption_rc4

Weak encryption algorithm (RC4) detected.
- RUBY
- CWE-331
- CWE-326
- CWE-916
- A02:2021
ruby_lang_weak_password_encryption_rsa

Weak encryption algorithm (RSA) detected.
- RUBY
- CWE-331
- CWE-326
- CWE-916
- A02:2021
ruby_lang_weak_password_hash_dss

Weak password hashing (DSS) detected.
- RUBY
- CWE-331
- CWE-328
- CWE-916
- A02:2021
ruby_lang_weak_password_hash_md

Weak password hashing (MD5) detected.
- RUBY
- CWE-331
- CWE-328
- CWE-916
- A02:2021
ruby_lang_weak_password_hash_sha

Weak password hashing (SHA) detected.
- RUBY
- CWE-331
- CWE-328
- CWE-916
- A02:2021
ruby_lang_websocket_insecure

Insecure websocket communication detected.
- RUBY
- CWE-319
- A02:2021
ruby_rails_default_encryption

Missing application-level encryption of sensitive data detected.
- RUBY
- CWE-312
- A04:2021
ruby_rails_detailed_exceptions

Detailed error reporting detected.
- RUBY
- CWE-209
- A04:2021
ruby_rails_http_verb_confusion

Potential for HTTP verb confusion detected.
- RUBY
- CWE-650
- A04:2021
ruby_rails_insecure_communication

Missing force SSL configuration for incoming communication detected.
- RUBY
- CWE-319
- A02:2021
ruby_rails_insecure_disabling_of_callback

Insecure disabling of callback detected.
- RUBY
- CWE-284
- A01:2021
ruby_rails_insecure_http_password

Insecure HTTP Password.
- RUBY
- CWE-798
- CWE-522
- A04:2021
- A07:2021
ruby_rails_insecure_smtp

Communication with an insecure SMTP connection detected.
- RUBY
- CWE-319
- A02:2021
ruby_rails_logger

Sensitive data sent to Rails loggers detected.
- RUBY
- CWE-209
- CWE-532
- A04:2021
- A09:2021
ruby_rails_open_redirect

Open redirect detected
- RUBY
- CWE-601
- A01:2021
ruby_rails_password_length

Password length (< 8) requirement is too short.
- RUBY
- CWE-521
- A07:2021
ruby_rails_permissive_parameters

Overly permissive request parameters detected.
- RUBY
- CWE-915
- A08:2021
ruby_rails_permissive_regex_validation

Validation using permissive regular expression detected.
- RUBY
- CWE-625
ruby_rails_render_using_user_input

Unsanitized user input detected in response.
- RUBY
- CWE-79
- A03:2021
ruby_rails_session

Sensitive data stored in a session cookie detected.
- RUBY
- CWE-315
- A05:2021
ruby_rails_session_key_using_user_input

User input detected in a session key.
- RUBY
- CWE-276
- A01:2021
ruby_rails_session_with_httponly_disabled

Session store with HttpOnly set to false detected.
- RUBY
- CWE-1004
- A05:2021
ruby_rails_sql_injection

Unsanitized user input in SQL query detected.
- RUBY
- CWE-89
- A03:2021
ruby_rails_unsafe_cookie_serialization_strategy

Unsafe cookie serialization strategy detected.
- RUBY
- CWE-94
- A03:2021
ruby_rails_unsafe_mass_assignment

Possibly dangerous permitted parameter key detected.
- RUBY
- CWE-915
- A08:2021
ruby_rails_weak_custom_key

Weak model-specific encryption key detected
- RUBY
- CWE-326
- A02:2021
ruby_third_parties_airbrake

Sensitive data sent to Airbrake detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_algolia

Sensitive data sent to Algolia detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_bigquery

Sensitive data sent to BigQuery detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_bugsnag

Sensitive data sent to Bugsnag detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_clickhouse

Sensitive data sent to ClickHouse detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_datadog

Sensitive data sent to Datadog detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_elasticsearch

Sensitive data sent to Elasticsearch detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_google_analytics

Sensitive data sent to Google Analytics detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_google_dataflow

Sensitive data sent to Google Dataflow detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_honeybadger

Sensitive data sent to Honeybadger detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_new_relic

Sensitive data sent to New Relic detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_open_telemetry

Sensitive data sent to Open Telemetry detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_rollbar

Sensitive data sent to Rollbar detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_scout_apm

Sensitive data sent to Scout APM detected.
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_segment

Sensitive data sent to Segment detected..
- RUBY
- CWE-201
- A01:2021
ruby_third_parties_sentry

Sensitive data sent to Sentry detected.
- RUBY
- CWE-201
- A01:2021

Ready to take the next step? Learn more about Bearer Cloud.

Rules

go_gorilla_insecure_cookie

go_gosec_blocklist_cgi

go_gosec_blocklist_des

go_gosec_blocklist_md5

go_gosec_blocklist_rc4

go_gosec_blocklist_sha1

go_gosec_crypto_bad_tls_settings

go_gosec_crypto_insecure_ignore_host_key

go_gosec_crypto_weak_crypto

go_gosec_crypto_weak_key_strength

go_gosec_crypto_weak_random

go_gosec_crypto_weak_tls_version

go_gosec_file_permissions_file_perm

go_gosec_file_permissions_mkdir

go_gosec_filesystem_decompression_bomb

go_gosec_filesystem_dirtraversal

go_gosec_filesystem_filereadtaint

go_gosec_filesystem_poor_write_permissions

go_gosec_filesystem_tempfile

go_gosec_filesystem_ziparchive

go_gosec_http_http_serve

go_gosec_http_http_slowloris

go_gosec_injection_ssrf_injection

go_gosec_injection_subproc_injection

go_gosec_injection_template_injection

go_gosec_leak_pprof_endpoint

go_gosec_memory_integer_overflow

go_gosec_memory_math_big_rat

go_gosec_memory_memory_aliasing

go_gosec_network_bind_to_all_interfaces

go_gosec_secrets_secrets

go_gosec_sql_concat_sqli

go_gosec_subproc_subproc

go_gosec_unsafe_unsafe

go_lang_information_leakage

go_lang_insecure_cookie

go_lang_logger

go_lang_weak_hash_md5

go_lang_weak_hash_sha1

go_lang_weak_password_encryption_md5

go_lang_weak_password_encryption_sha1

go_lang_xml_external_entity_vulnerability

java_lang_cookie_missing_http_only

java_lang_cookie_missing_secure

java_lang_file_permission_others

java_lang_hardcoded_database_password

java_lang_http_response_splitting

java_lang_information_leakage

java_lang_insecure_cookie

java_lang_insufficiently_random_values

java_lang_ldap_injection

java_lang_log_injection

java_lang_logger

java_lang_missing_database_authentication

java_lang_missing_integrity_check

java_lang_os_command_injection

java_lang_padding_oracle_encryption_vulnerability

java_lang_path_traversal

java_lang_rsa_no_padding

java_lang_sqli

java_lang_trust_boundary_violation

java_lang_weak_encryption_des

java_lang_weak_hash_md5

java_lang_weak_hash_sha1

java_lang_weak_password_encryption_des

java_lang_weak_password_hash_md5

java_lang_weak_password_hash_sha1

java_lang_xpath_injection

java_lang_xss_response_writer

java_spring_sqli

javascript_express_cross_site_scripting

javascript_express_default_cookie_config

javascript_express_default_session_config

javascript_express_exposed_dir_listing

javascript_express_external_file_upload

javascript_express_external_resource

javascript_express_hardcoded_secret

javascript_express_helmet_missing

javascript_express_https_protocol_missing