Rules
Rules are how Bearer CLI detects security risks and vulnerabilities across your codebase and enforces best practices. The security report lists every rule violation found in your code so you can identify them quickly.
The built-in rules aim to protect you from the most critical security risks and vulnerabilities of web applications; each one links to the corresponding Common Weakness Enumeration (CWE) entry and OWASP Top 10 category to help you understand and triage the finding.
Can't find the rule you are looking for? You can develop a custom rule that adds requirements specific to your organization's needs.
-
java_lang_cookie_missing_http_only
Missing secure options for cookie detected.
- JAVA
- CWE-614
- A05:2021
-
java_lang_cookie_missing_secure
Missing secure options for cookie detected.
- JAVA
- CWE-614
- A05:2021
-
java_lang_file_permission_others
File permission open to 'other' detected.
- JAVA
- CWE-732
-
java_lang_hardcoded_database_password
Hardcoded database password detected.
- JAVA
- CWE-259
- A07:2021
-
java_lang_http_response_splitting
HTTP response splitting vulnerability detected.
- JAVA
- CWE-79
- CWE-113
- A03:2021
-
java_lang_information_leakage
Possible information leakage detected.
- JAVA
- CWE-209
- A04:2021
-
java_lang_insecure_cookie
Missing secure options for cookie detected.
- JAVA
- CWE-614
- A05:2021
-
java_lang_insufficiently_random_values
Insufficiently random value detected.
- JAVA
- CWE-330
- A02:2021
-
java_lang_ldap_injection
LDAP injection threat detected.
- JAVA
- CWE-90
- A03:2021
-
java_lang_log_injection
Log injection detected.
- JAVA
- CWE-117
- A09:2021
-
java_lang_logger
Sensitive data in a logger message detected.
- JAVA
- CWE-209
- CWE-532
- A04:2021
- A09:2021
-
java_lang_missing_database_authentication
Missing authentication for database detected.
- JAVA
- CWE-306
- A07:2021
-
java_lang_missing_integrity_check
Missing support for integrity check detected.
- JAVA
- CWE-353
- A08:2021
-
java_lang_os_command_injection
Command injection vulnerability detected.
- JAVA
- CWE-78
- A03:2021
-
java_lang_padding_oracle_encryption_vulnerability
Padding Oracle encryption vulnerability detected.
- JAVA
- CWE-327
- A02:2021
-
java_lang_path_traversal
Possible path traversal vulnerability detected.
- JAVA
- CWE-22
- A01:2021
-
java_lang_rsa_no_padding
RSA algorithm with no padding detected.
- JAVA
- CWE-327
- CWE-780
- A02:2021
-
java_lang_sqli
Unsanitized user input in SQL query detected.
- JAVA
- CWE-89
- A03:2021
-
java_lang_trust_boundary_violation
Trust boundary violation detected.
- JAVA
- CWE-501
- A04:2021
-
java_lang_weak_encryption_des
Weak encryption algorithm (DES) detected.
- JAVA
- CWE-326
- CWE-327
- A02:2021
-
java_lang_weak_hash_md5
Weak hashing library (MD5) detected.
- JAVA
- CWE-327
- A02:2021
-
java_lang_weak_hash_sha1
Weak hashing library (SHA-1) detected.
- JAVA
- CWE-327
- A02:2021
-
java_lang_weak_password_encryption_des
Weak encryption algorithm (DES) used for password detected.
- JAVA
- CWE-326
- CWE-327
- CWE-916
- A02:2021
-
java_lang_weak_password_hash_md5
Weak hashing library (MD5) detected.
- JAVA
- CWE-327
- CWE-916
- A02:2021
-
java_lang_weak_password_hash_sha1
Weak hashing library (SHA-1) detected.
- JAVA
- CWE-327
- CWE-916
- A02:2021
-
java_lang_xpath_injection
XPath injection threat detected.
- JAVA
- CWE-643
- A03:2021
-
java_lang_xss_response_writer
Possible cross site scripting threat detected.
- JAVA
- CWE-79
- A03:2021
-
java_spring_sqli
Unsanitized user input in SQL query detected.
- JAVA
- CWE-89
- A03:2021
-
javascript_express_cross_site_scripting
Cross-site scripting (XSS) vulnerability detected.
- JAVASCRIPT
- CWE-79
- A03:2021
-
javascript_express_default_cookie_config
Cookie with default config detected.
- JAVASCRIPT
- CWE-523
- CWE-522
- A02:2021
- A04:2021
-
javascript_express_default_session_config
Session cookie with default config detected.
- JAVASCRIPT
- CWE-523
- CWE-522
- A02:2021
- A04:2021
-
javascript_express_exposed_dir_listing
Missing access restriction to directory listing detected.
- JAVASCRIPT
- CWE-548
- A01:2021
-
javascript_express_external_file_upload
External control of filename or path detected.
- JAVASCRIPT
- CWE-73
- A04:2021
-
javascript_express_external_resource
Rendering of resources resolved from external name or reference detected.
- JAVASCRIPT
- CWE-706
- A01:2021
-
javascript_express_hardcoded_secret
Hard-coded secret detected.
- JAVASCRIPT
- CWE-798
- A07:2021
-
javascript_express_helmet_missing
Security misconfiguration detected (Helmet missing).
- JAVASCRIPT
- CWE-693
-
javascript_express_https_protocol_missing
Missing https protocol detected.
- JAVASCRIPT
- CWE-693
-
javascript_express_insecure_allow_origin
Insecure Access-Control-Allow-Origin detected.
- JAVASCRIPT
- CWE-346
- A07:2021
-
javascript_express_insecure_cookie
Missing secure options for cookie detected.
- JAVASCRIPT
- CWE-1004
- CWE-614
- A05:2021
-
javascript_express_jwt_not_revoked
Unrevoked JWT detected.
- JAVASCRIPT
- CWE-525
- A04:2021
-
javascript_express_open_redirect
Open redirect detected.
- JAVASCRIPT
- CWE-601
- A01:2021
-
javascript_express_path_traversal
Possible path traversal vulnerability detected.
- JAVASCRIPT
- CWE-22
- A01:2021
-
javascript_express_reduce_fingerprint
Security misconfiguration detected (server fingerprinting).
- JAVASCRIPT
- CWE-693
-
javascript_express_server_side_request_forgery
Risk of server-side request forgery detected.
- JAVASCRIPT
- CWE-918
- A10:2021
-
javascript_express_static_asset_with_session
Static asset with active session detected.
- JAVASCRIPT
- CWE-352
- CWE-668
- A01:2021
-
javascript_express_ui_redress
User Interface (UI) redress vulnerability (clickjacking) detected.
- JAVASCRIPT
- CWE-1021
- A04:2021
-
javascript_express_unsafe_deserialization
Deserialization of untrusted data detected.
- JAVASCRIPT
- CWE-502
- A08:2021
-
javascript_express_xml_external_entity_vulnerability
XML External Entity vulnerability detected.
- JAVASCRIPT
- CWE-611
- A05:2021
-
javascript_lang_dangerous_insert_html
Dangerous dynamic HTML insert detected.
- JAVASCRIPT
- CWE-79
- A03:2021
-
javascript_lang_eval_user_input
Dangerous use of eval with user input detected.
- JAVASCRIPT
- CWE-94
- CWE-95
- A03:2021
-
javascript_lang_exception
Sensitive data in an exception message detected.
- JAVASCRIPT
- CWE-210
-
javascript_lang_file_generation
Sensitive data detected as part of a dynamic file generation.
- JAVASCRIPT
- CWE-313
- A04:2021
-
javascript_lang_format_string_using_user_input
User input in format string detected.
- JAVASCRIPT
- CWE-134
-
javascript_lang_hardcoded_secret
Hardcoded secret detected.
- JAVASCRIPT
- CWE-798
- A07:2021
-
javascript_lang_http_insecure
Connection with an insecure HTTP communication detected.
- JAVASCRIPT
- CWE-319
- A02:2021
-
javascript_lang_http_url_using_user_input
HTTP communication with user-controlled destination detected.
- JAVASCRIPT
- CWE-918
- A10:2021
-
javascript_lang_import_using_user_input
Loading of resource resolved from external name detected.
- JAVASCRIPT
- CWE-22
- CWE-95
- A01:2021
- A03:2021
-
javascript_lang_jwt
Sensitive data in a JWT detected.
- JAVASCRIPT
- CWE-312
- A04:2021
-
javascript_lang_jwt_hardcoded_secret
Hardcoded JWT secret detected.
- JAVASCRIPT
- CWE-798
- A07:2021
-
javascript_lang_jwt_weak_encryption
Weak JWT encryption detected.
- JAVASCRIPT
- CWE-327
- A02:2021
-
javascript_lang_logger
Sensitive data in a logger message detected.
- JAVASCRIPT
- CWE-1295
- CWE-532
- A09:2021
-
javascript_lang_manual_html_sanitization
Manual HTML sanitization detected.
- JAVASCRIPT
- CWE-79
- A03:2021
-
javascript_lang_message_handler_origin
Unchecked origin in message handler detected.
- JAVASCRIPT
- CWE-346
- A07:2021
-
javascript_lang_open_redirect
Open redirect detected.
- JAVASCRIPT
- CWE-601
- A01:2021
-
javascript_lang_os_command_injection
OS command injection vulnerability detected.
- JAVASCRIPT
- CWE-78
- A03:2021
-
javascript_lang_post_message_origin
Permissive origin in postMessage detected.
- JAVASCRIPT
- CWE-923
-
javascript_lang_raw_html_using_user_input
Unsanitized user input detected in raw HTML string.
- JAVASCRIPT
- CWE-79
- A03:2021
-
javascript_lang_regex_using_user_input
Regular expression built from user input detected.
- JAVASCRIPT
- CWE-1333
-
javascript_lang_session
Sensitive data stored in HTML local storage detected.
- JAVASCRIPT
- CWE-312
- A04:2021
-
javascript_lang_sql_injection
SQL injection vulnerability detected.
- JAVASCRIPT
- CWE-89
- A03:2021
-
javascript_lang_weak_encryption_des
Weak encryption algorithm (DES) detected.
- JAVASCRIPT
- CWE-327
- A02:2021
-
javascript_lang_weak_encryption_rc4
Weak encryption algorithm (RC4) detected.
- JAVASCRIPT
- CWE-327
- A02:2021
-
javascript_lang_weak_hash_md5
Weak hashing library (MD5) detected.
- JAVASCRIPT
- CWE-327
- CWE-328
- A02:2021
-
javascript_lang_weak_hash_sha1
Weak hashing library (SHA1) detected.
- JAVASCRIPT
- CWE-327
- CWE-328
- A02:2021
-
javascript_lang_weak_password_encryption_des
Weak encryption algorithm (DES) used for password detected.
- JAVASCRIPT
- CWE-327
- A02:2021
-
javascript_lang_weak_password_encryption_rc4
Weak encryption algorithm (RC4) used for password detected.
- JAVASCRIPT
- CWE-327
- A02:2021
-
javascript_lang_weak_password_hash_argon2
Insecure Argon2 type used for password hashing.
- JAVASCRIPT
- CWE-327
- CWE-916
- A02:2021
-
javascript_lang_weak_password_hash_md5
Weak hashing library (MD5) used for password detected.
- JAVASCRIPT
- CWE-327
- CWE-328
- A02:2021
-
javascript_lang_weak_password_hash_sha1
Weak hashing library (SHA1) used for password detected.
- JAVASCRIPT
- CWE-327
- CWE-328
- A02:2021
-
javascript_lang_websocket_insecure
Insecure websocket communication detected.
- JAVASCRIPT
- CWE-319
- A02:2021
-
javascript_react_dangerously_set_inner_html
React's dangerously set inner HTML detected.
- JAVASCRIPT
- CWE-79
- A03:2021
-
javascript_react_google_analytics
Sensitive data sent to Google Analytics detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_airbrake
Sensitive data sent to Airbrake detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_algolia
Sensitive data sent to Algolia detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_bugsnag
Sensitive data sent to Bugsnag detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_datadog
Sensitive data sent to Datadog detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_datadog_browser
Sensitive data sent to Datadog detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_dom_purify
Insecure use of DOMPurify detected.
- JAVASCRIPT
- CWE-79
- A03:2021
-
javascript_third_parties_dynamodb_query_injection
Raw user input in data store query detected.
- JAVASCRIPT
- CWE-89
- A03:2021
-
javascript_third_parties_elasticsearch
Sensitive data sent to ElasticSearch detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_google_analytics
Sensitive data sent to Google Analytics detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_google_tag_manager
Sensitive data sent to Google Tag Manager detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_honeybadger
Sensitive data sent to Honeybadger detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_new_relic
Sensitive data sent to New Relic detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_open_telemetry
Sensitive data sent to Open Telemetry detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_openai
Sensitive data sent to OpenAI detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_passport_hardcoded_secret
Hardcoded Passport secret detected.
- JAVASCRIPT
- CWE-798
- A07:2021
-
javascript_third_parties_rollbar
Sensitive data sent to Rollbar detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_segment
Sensitive data sent to Segment detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
javascript_third_parties_sentry
Sensitive data sent to Sentry detected.
- JAVASCRIPT
- CWE-201
- A01:2021
-
ruby_lang_cookies
Sensitive data stored in a cookie detected.
- RUBY
- CWE-315
- CWE-539
- A04:2021
- A05:2021
-
ruby_lang_deserialization_of_user_input
User input detected in an unsafe deserialization method.
- RUBY
- CWE-502
- A08:2021
-
ruby_lang_eval_using_user_input
Potential command injection with user input detected.
- RUBY
- CWE-94
- CWE-95
- A03:2021
-
ruby_lang_exception
Sensitive data in an exception message detected.
- RUBY
- CWE-210
-
ruby_lang_exec_using_user_input
Execution of OS command formed with user input detected.
- RUBY
- CWE-78
- A03:2021
-
ruby_lang_file_generation
Sensitive data detected as part of a dynamic file generation.
- RUBY
- CWE-532
- CWE-313
- A04:2021
- A09:2021
-
ruby_lang_format_string_using_user_input
User input in format string detected.
- RUBY
- CWE-134
-
ruby_lang_ftp_using_user_input
Do not use user input with FTP.
- RUBY
- CWE-22
- A01:2021
-
ruby_lang_hardcoded_secret
Hard-coded secret detected.
- RUBY
- CWE-798
- A07:2021
-
ruby_lang_http_get_params
Sensitive data communicated through GET parameters detected.
- RUBY
- CWE-598
- A04:2021
-
ruby_lang_http_insecure
Connection through an insecure HTTP communication detected.
- RUBY
- CWE-319
- A02:2021
-
ruby_lang_http_url_using_user_input
HTTP communication with user-controlled destination detected.
- RUBY
- CWE-918
- A10:2021
-
ruby_lang_insecure_ftp
Communication with an insecure FTP server detected.
- RUBY
- CWE-319
- A02:2021
-
ruby_lang_jwt
Sensitive data in a JWT detected.
- RUBY
- CWE-315
- A05:2021
-
ruby_lang_logger
Sensitive data in a logger message detected.
- RUBY
- CWE-209
- CWE-532
- A04:2021
- A09:2021
-
ruby_lang_manual_html_sanitization
Manual HTML sanitization detected.
- RUBY
- CWE-79
- A03:2021
-
ruby_lang_path_using_user_input
Do not use user input to form file paths.
- RUBY
- CWE-22
- CWE-73
- A01:2021
- A04:2021
-
ruby_lang_raw_html_using_user_input
Unsanitized user input detected in raw HTML string.
- RUBY
- CWE-79
- A03:2021
-
ruby_lang_reflection_using_user_input
Use of reflection influenced by user input detected.
- RUBY
- CWE-94
- A03:2021
-
ruby_lang_regex_using_user_input
Regular expression built from user input detected.
- RUBY
- CWE-1333
-
ruby_lang_ssl_verification
Missing SSL certificate verification detected.
- RUBY
- CWE-295
- A07:2021
-
ruby_lang_weak_encryption_blowfish
Weak encryption library (Blowfish) detected.
- RUBY
- CWE-331
- CWE-326
- A02:2021
-
ruby_lang_weak_encryption_dsa
Weak encryption algorithm (DSA) detected.
- RUBY
- CWE-331
- CWE-326
- A02:2021
-
ruby_lang_weak_encryption_rc4
Weak encryption algorithm (RC4) detected.
- RUBY
- CWE-331
- CWE-326
- A02:2021
-
ruby_lang_weak_encryption_rsa
Weak encryption algorithm (RSA) detected.
- RUBY
- CWE-331
- CWE-326
- A02:2021
-
ruby_lang_weak_hash_dss
Weak hashing library (DSS) detected.
- RUBY
- CWE-331
- CWE-328
- A02:2021
-
ruby_lang_weak_hash_md
Weak hashing library (MD5) detected.
- RUBY
- CWE-331
- CWE-328
- A02:2021
-
ruby_lang_weak_hash_sha
Weak hashing library (SHA) detected.
- RUBY
- CWE-331
- CWE-328
- A02:2021
-
ruby_lang_weak_password_encryption_blowfish
Weak encryption (Blowfish) of a password detected.
- RUBY
- CWE-331
- CWE-326
- CWE-916
- A02:2021
-
ruby_lang_weak_password_encryption_dsa
Weak encryption algorithm (DSA) detected.
- RUBY
- CWE-331
- CWE-326
- CWE-916
- A02:2021
-
ruby_lang_weak_password_encryption_rc4
Weak encryption algorithm (RC4) detected.
- RUBY
- CWE-331
- CWE-326
- CWE-916
- A02:2021
-
ruby_lang_weak_password_encryption_rsa
Weak encryption algorithm (RSA) detected.
- RUBY
- CWE-331
- CWE-326
- CWE-916
- A02:2021
-
ruby_lang_weak_password_hash_dss
Weak password hashing (DSS) detected.
- RUBY
- CWE-331
- CWE-328
- CWE-916
- A02:2021
-
ruby_lang_weak_password_hash_md
Weak password hashing (MD5) detected.
- RUBY
- CWE-331
- CWE-328
- CWE-916
- A02:2021
-
ruby_lang_weak_password_hash_sha
Weak password hashing (SHA) detected.
- RUBY
- CWE-331
- CWE-328
- CWE-916
- A02:2021
-
ruby_lang_websocket_insecure
Insecure websocket communication detected.
- RUBY
- CWE-319
- A02:2021
-
ruby_rails_default_encryption
Missing application-level encryption of sensitive data detected.
- RUBY
- CWE-312
- A04:2021
-
ruby_rails_detailed_exceptions
Detailed error reporting detected.
- RUBY
- CWE-209
- A04:2021
-
ruby_rails_http_verb_confusion
Potential for HTTP verb confusion detected.
- RUBY
- CWE-650
- A04:2021
-
ruby_rails_insecure_communication
Missing force SSL configuration for incoming communication detected.
- RUBY
- CWE-319
- A02:2021
-
ruby_rails_insecure_disabling_of_callback
Insecure disabling of callback detected.
- RUBY
- CWE-284
- A01:2021
-
ruby_rails_insecure_http_password
Insecure HTTP password detected.
- RUBY
- CWE-798
- CWE-522
- A04:2021
- A07:2021
-
ruby_rails_insecure_smtp
Communication with an insecure SMTP connection detected.
- RUBY
- CWE-319
- A02:2021
-
ruby_rails_logger
Sensitive data sent to Rails loggers detected.
- RUBY
- CWE-209
- CWE-532
- A04:2021
- A09:2021
-
ruby_rails_open_redirect
Open redirect detected.
- RUBY
- CWE-601
- A01:2021
-
ruby_rails_password_length
Password length (< 8) requirement is too short.
- RUBY
- CWE-521
- A07:2021
-
ruby_rails_permissive_parameters
Overly permissive request parameters detected.
- RUBY
- CWE-915
- A08:2021
-
ruby_rails_permissive_regex_validation
Validation using permissive regular expression detected.
- RUBY
- CWE-625
-
ruby_rails_render_using_user_input
Unsanitized user input detected in response.
- RUBY
- CWE-79
- A03:2021
-
ruby_rails_session
Sensitive data stored in a session cookie detected.
- RUBY
- CWE-315
- A05:2021
-
ruby_rails_session_key_using_user_input
User input detected in a session key.
- RUBY
- CWE-276
- A01:2021
-
ruby_rails_session_with_httponly_disabled
Session store with HttpOnly set to false detected.
- RUBY
- CWE-1004
- A05:2021
-
ruby_rails_sql_injection
Unsanitized user input in SQL query detected.
- RUBY
- CWE-89
- A03:2021
-
ruby_rails_unsafe_cookie_serialization_strategy
Unsafe cookie serialization strategy detected.
- RUBY
- CWE-94
- A03:2021
-
ruby_rails_unsafe_mass_assignment
Possibly dangerous permitted parameter key detected.
- RUBY
- CWE-915
- A08:2021
-
ruby_rails_weak_custom_key
Weak model-specific encryption key detected.
- RUBY
- CWE-326
- A02:2021
-
ruby_third_parties_airbrake
Sensitive data sent to Airbrake detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_algolia
Sensitive data sent to Algolia detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_bigquery
Sensitive data sent to BigQuery detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_bugsnag
Sensitive data sent to Bugsnag detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_clickhouse
Sensitive data sent to ClickHouse detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_datadog
Sensitive data sent to Datadog detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_elasticsearch
Sensitive data sent to Elasticsearch detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_google_analytics
Sensitive data sent to Google Analytics detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_google_dataflow
Sensitive data sent to Google Dataflow detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_honeybadger
Sensitive data sent to Honeybadger detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_new_relic
Sensitive data sent to New Relic detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_open_telemetry
Sensitive data sent to Open Telemetry detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_rollbar
Sensitive data sent to Rollbar detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_scout_apm
Sensitive data sent to Scout APM detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_segment
Sensitive data sent to Segment detected.
- RUBY
- CWE-201
- A01:2021
-
ruby_third_parties_sentry
Sensitive data sent to Sentry detected.
- RUBY
- CWE-201
- A01:2021