# Supported FP Rules

A false positive (FP) rule is a check that Mobb runs against findings reported by a SAST tool to determine, with high confidence, that the flagged code is not actually vulnerable.

All FP rules meet the following criteria:

* High confidence that the identified finding is a false positive
* Tested against real-world code samples to avoid suppressing true positives
* A clear explanation is provided for why the finding is considered a false positive
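To make the definition concrete, here is an added illustration; it is not Mobb's rule logic and not code from this page. It shows the shape of a narrow, conservative FP check for a SQL Injection finding: if every value interpolated into the flagged query is always produced by an `int(...)` cast, a string-based injection payload cannot reach the query, so the finding can be explained away. Anything the check cannot prove (a bare parameter, a reassignment from request data, a value it cannot trace) keeps the finding, which is how the "avoid suppressing true positives" criterion is honoured. The function name `sql_injection_is_false_positive` and the three source samples are constructed for this example.

```python
"""Illustrative false-positive check for a SQL Injection finding.

Added example only: this is not Mobb's rule implementation. It parses the
flagged Python source, finds the names interpolated into the query at the
flagged line, and accepts the finding as a false positive only when every
assignment to each of those names is an int(...) cast.
"""
import ast


def _interpolated_names(stmt):
    """Names interpolated into a string via f-string, '%' formatting or '+'."""
    names = set()
    for node in ast.walk(stmt):
        if isinstance(node, ast.FormattedValue) and isinstance(node.value, ast.Name):
            names.add(node.value.id)
        elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
            for side in (node.left, node.right):
                if isinstance(side, ast.Name):
                    names.add(side.id)
                elif isinstance(side, ast.Tuple):  # "..." % (a, b)
                    names.update(e.id for e in side.elts if isinstance(e, ast.Name))
    return names


def _assignments_to(tree, name):
    """Every value ever assigned to `name` anywhere in the module."""
    values = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            if any(isinstance(t, ast.Name) and t.id == name for t in node.targets):
                values.append(node.value)
        elif (isinstance(node, ast.AnnAssign) and isinstance(node.target, ast.Name)
              and node.target.id == name and node.value is not None):
            values.append(node.value)
    return values


def _is_int_cast(expr):
    """True for a plain int(...) call (no keywords, so no custom base tricks)."""
    return (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Name)
            and expr.func.id == "int" and not expr.keywords)


def sql_injection_is_false_positive(source, flagged_line):
    """Return True only when the finding at `flagged_line` is provably not exploitable.

    Conservative by design: a name that is a function parameter (no assignment
    seen), or that is assigned anything other than int(...), keeps the finding.
    """
    tree = ast.parse(source)
    flagged = next((n for n in ast.walk(tree)
                    if isinstance(n, ast.stmt) and n.lineno == flagged_line), None)
    if flagged is None:
        return False
    names = _interpolated_names(flagged)
    if not names:
        return False  # nothing we can reason about; leave the finding alone
    for name in names:
        values = _assignments_to(tree, name)
        if not values or not all(_is_int_cast(v) for v in values):
            return False
    return True


# Constructed samples (not taken from any real code base). Line 1 is the blank
# line after the opening quotes, so cursor.execute(...) sits on line 4 or 5.
SAFE_SAMPLE = '''
def get_user(cursor, request):
    user_id = int(request.args["id"])
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
'''

UNSAFE_SAMPLE = '''
def get_user(cursor, request):
    user_id = request.args["id"]
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
'''

REASSIGNED_SAMPLE = '''
def get_user(cursor, request):
    user_id = int(request.args["id"])
    user_id = request.args["id"]
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
'''

if __name__ == "__main__":
    print("safe     ->", sql_injection_is_false_positive(SAFE_SAMPLE, 4))        # True
    print("unsafe   ->", sql_injection_is_false_positive(UNSAFE_SAMPLE, 4))      # False
    print("reassign ->", sql_injection_is_false_positive(REASSIGNED_SAMPLE, 5))  # False
```

The third sample is the case that matters most in practice: the value starts out safe and is later overwritten with raw request data, and a rule that only looked at the first assignment would suppress a true positive. A production rule would also need to follow values across function boundaries and through helper calls; this check deliberately refuses to guess there and returns False.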

Here are the categories of FP rules that Mobb currently supports. If there's an FP pattern you'd like to see added, please contact us at <support@mobb.ai>.

{% hint style="info" %}
Since different SAST tools may report false positives under inconsistent names, the issue names shown are normalized by Mobb.
{% endhint %}

<details>

<summary>List of Supported Issue Types for Snyk</summary>

**C#**

* Cross-site Scripting (XSS)
* [Hardcoded Secret](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules)
* [Log Forging](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-36-log-forging)
* [No Hardcoded Credentials](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules)
* [No Hardcoded Credentials Test](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Use of Insufficiently Random Values](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-87-use-of-insufficiently-random-values)

**GO**

* Command Injection
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* Hardcoded Non Crypto Secret
* Hardcoded Non Crypto Secret Test
* Hardcoded Password
* Hardcoded Password Test
* Hardcoded Secret Test
* No Hardcoded Credentials
* No Hardcoded Credentials Test
* SQL Injection

**Java**

* [Arbitrary File Write via Archive Extraction (Zip Slip)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-9-arbitrary-file-write-via-archive-extraction-zip-slip)
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss)
* No Hardcoded Credentials
* No Hardcoded Credentials Test
* [Open Redirect](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [XML External Entity (XXE) Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-123-xml-external-entity-xxe-injection)

**JavaScript / TypeScript**

* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss)
* [Indirect Command Injection via User Controlled Environment](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-13-indirect-command-injection-via-user-controlled-environment)
* [NoSQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-149-nosql-injection)
* [Open Redirect](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-121-open-redirect)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Regular Expression Denial of Service (ReDoS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-102-regular-expression-denial-of-service-redos)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Use of Hardcoded Credentials](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-56-use-of-hardcoded-credentials)

**PHP**

* Hardcoded Credential
* Hardcoded Credential Test
* Hardcoded Non Crypto Secret
* Hardcoded Password
* Hardcoded Password Test

**Python**

* [Arbitrary File Write via Archive Extraction (Tar Slip)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Code Injection](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules)
* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* Cross Site Scripting (XSS)
* Hardcoded Iv
* Hardcoded Key
* HardcodedNonCryptoSecret
* HardcodedNonCryptoSecret/test
* [Jinja auto-escape is set to false](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules/python-rules)
* No Hardcoded Credentials Test
* No Hardcoded Passwords Test
* NoHardcodedCredentials
* NoHardcodedPasswords
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)

</details>

<details>

<summary>List of Supported Issue Types for Fortify</summary>

**CPP**

* [Buffer Overflow](https://vulncat.fortify.com/en/detail?category=Buffer%20Overflow)
* [String Termination Error](https://vulncat.fortify.com/en/detail?category=String%20Termination%20Error)

**C#**

* Cross-Site Scripting: Persistent
* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#C%23%2FVB.NET%2FASP.NET)
* [Insecure Randomness: Hardcoded Seed](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness\&subcategory=Hardcoded%20Seed#C%23%2FVB.NET%2FASP.NET)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#C%23%2FVB.NET%2FASP.NET)
* [Mass Assignment: Request Parameters Bound via Input Formatter](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Request%20Parameters%20Bound%20via%20Input%20Formatter)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#C%23%2FVB.NET%2FASP.NET)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#C%23%2FVB.NET%2FASP.NET)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation: Base Path Overwriting](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Base%20Path%20Overwriting#C%23%2FVB.NET%2FASP.NET)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#C%23%2FVB.NET%2FASP.NET)

**DEFAULT**

* [Credential Management: Hardcoded API Credentials](https://vulncat.fortify.com/en/detail?category=Credential%20Management\&subcategory=Hardcoded%20API%20Credentials)
* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password)
* [Password Management: Password in Configuration File](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Configuration%20File)
* [Password Management: Weak Cryptography](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Weak%20Cryptography)

**GO**

* [Key Management: Hardcoded HMAC Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20HMAC%20Key#Golang)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Golang)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#Golang)

**Java**

* [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Request%20Forgery)
* [Cross-Site Scripting: Reflected](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Reflected#Java%2FJSP)
* [Denial of Service](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service)
* [Header Manipulation](https://vulncat.fortify.com/en/detail?category=Header%20Manipulation)
* [HTML5: Missing Content Security Policy](https://vulncat.fortify.com/en/detail?category=HTML5\&subcategory=Missing%20Content%20Security%20Policy)
* [HTTP Parameter Pollution](https://vulncat.fortify.com/en/detail?category=HTTP%20Parameter%20Pollution)
* [Insecure Randomness: Hardcoded Seed](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness\&subcategory=Hardcoded%20Seed#Java%2fJSP)
* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key#Java%2fJSP)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Java%2FJSP)
* [Log Forging (debug)](https://vulncat.fortify.com/en/detail?category=Log%20Forging%20%28debug%29#Java%2FJSP)
* [Mass Assignment: Insecure Binder Configuration](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Insecure%20Binder%20Configuration#Java%2fJSP)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#Java%2fJSP)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Java%2FJSP)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#Java%2FJSP)
* [Path Manipulation: Zip Entry Overwrite](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Zip%20Entry%20Overwrite#Java%2FJSP)
* [Privacy Violation](https://vulncat.fortify.com/en/detail?category=Privacy%20Violation#Java%2FJSP)
* [Server-Side Request Forgery](https://vulncat.fortify.com/en/detail?category=Server-Side%20Request%20Forgery#Java%2FJSP)
* [Spring Security Misconfiguration: Default Permit](https://vulncat.fortify.com/en/detail?category=Spring%20Security%20Misconfiguration\&subcategory=Default%20Permit)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Java%2FJSP)
* [SQL Injection: Persistence](https://vulncat.fortify.com/en/detail?category=SQL%20Injection\&subcategory=Persistence#Java%2fJSP)
* [System Information Leak](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak#Java%2FJSP)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#Java%2FJSP)
* [Weak Cryptographic Hash](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash#Java%2FJSP)
* [XML Entity Expansion Injection](https://vulncat.fortify.com/en/detail?category=XML%20Entity%20Expansion%20Injection#Java%2FJSP)
* [XML External Entity Injection](https://vulncat.fortify.com/en/detail?category=XML%20External%20Entity%20Injection#Java%2FJSP)

**JavaScript / TypeScript**

* [Command Injection](https://vulncat.fortify.com/en/detail?category=Command%20Injection#JavaScript%2FTypeScript)
* [Credential Management: Hardcoded API Credentials](https://vulncat.fortify.com/en/detail?category=Credential%20Management\&subcategory=Hardcoded%20API%20Credentials#JavaScript%2FTypeScript)
* [Cross-Site Scripting: DOM](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=DOM#JavaScript%2FTypeScript)
* [Cross-Site Scripting: Self](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Self#JavaScript%2FTypeScript)
* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key#JavaScript%2FTypeScript)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#JavaScript%2FTypeScript)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#JavaScript%2FTypeScript)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#JavaScript%2FTypeScript)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#JavaScript%2FTypeScript)
* [Weak Cryptographic Hash](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash#JavaScript%2FTypeScript)

**PHP**

* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password+Management\&subcategory=Hardcoded+Password)
* [Weak Cryptographic Hash: Hardcoded Salt](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash\&subcategory=Hardcoded%20Salt#PHP)

**Python**

* [Dynamic Code Evaluation: Code Injection](https://vulncat.fortify.com/en/detail?category=Dynamic%20Code%20Evaluation#Universal)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password+Management\&subcategory=Hardcoded+Password#Python)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Python)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Python)
* [Weak Cryptographic Hash](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash#Python)

**XML**

* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Universal)

**YAML**

* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#YAML)

</details>

<details>

<summary>List of Supported Issue Types for Checkmarx</summary>

**C#**

* Dynamic SQL Queries
* Hardcoded Credentials
* Hardcoded password in Connection String
* JWT Use Of Hardcoded Secret
* Log Forging
* Path Traversal
* Reflected XSS
* Reflected XSS All Clients
* SQL Injection
* Stored XSS
* Use Of Broken Or Risky Cryptographic Algorithm
* Use Of Hardcoded Password
* Use of Insufficiently Random Values

**GO**

* Command Injection
* Hardcoded AWS Credentials
* Hardcoded Password in Connection String
* Log Forging
* Second Order SQL Injection
* SQL Injection
* Use of Hardcoded Password

**Java**

* Absolute Path Traversal
* Improper Restriction of Stored XXE Ref
* Improper Restriction of XXE Ref
* Information Exposure Through an Error Message
* Log Forging
* [Open Redirect](https://deu.ast.checkmarx.net/resourceManagement/presets/description/601/5854466950125120303)
* [Password In Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/2940637487142405047)
* Privacy Violation
* Reflected XSS All Clients
* Relative Path Traversal
* [Reversible One Way Hash](https://deu.ast.checkmarx.net/resourceManagement/presets/description/328/7875786759696254599)
* SQL Injection
* SQL Injection Evasion Attack
* SSRF
* Stored Absolute Path Traversal
* Stored Log Forging
* Stored XSS
* Unchecked Input for Loop Condition
* [Unsafe Object Binding](https://deu.ast.checkmarx.net/resourceManagement/presets/description/915/18167789603095321044)
* [Use Of Broken Or Risky Cryptographic Algorithm](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/15434822379289186737)

**JavaScript / TypeScript**

* Absolute Path Traversal
* Client DOM Code Injection
* Client DOM Open Redirect
* Client DOM Stored XSS
* Client DOM XSS
* Client Password In Comment
* Client Potential XSS
* Client Regex Injection
* [Client Weak Cryptographic Hash](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/6215771209953606521)
* Command Injection
* Hardcoded password in Connection String
* [HttpOnly Cookie Flag Not Set](https://deu.ast.checkmarx.net/resourceManagement/presets/description/1004/9800224272094099502)
* JWT Use Of Hardcoded Secret
* Log Forging
* [Missing HSTS Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/15718905356648301922)
* Open Redirect
* Relative Path Traversal
* Secret\_Leak
* SQL Injection
* SSRF
* Stored XSS
* [Use Of Broken Or Risky Cryptographic Algorithm](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/16841165964473079218)
* Use Of Hardcoded Password

**PHP**

* Hardcoded Salt
* Use of Hardcoded Cryptographic IV
* Use Of Hardcoded Password

**Python**

* [Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/13646819717326216658)
* Command Argument Injection
* Hardcoded AWS Credentials
* Hardcoded Password in Connection String
* [Hardcoded Secrets](https://deu.ast.checkmarx.net/)
* [Log Forging](https://deu.ast.checkmarx.net/resourceManagement/presets/description/117/4488286415414676575)
* [Password in Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/13336864677243390331)
* Reversible One Way Hash
* [Second Order SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/631642030927601838)
* [SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/17810866942529238742)
* [Stored Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/14606273189609098459)
* [Stored Command Argument Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/88/6227086963064089467)
* [Unchecked Input for Loop Condition](https://deu.ast.checkmarx.net/resourceManagement/presets/description/606/12513885999564608658)
* [Use Of Broken Or Risky Cryptographic Algorithm](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/10201415834072344741)
* Use of Hardcoded Cryptographic Key
* Use Of Hardcoded Password
* [XSS](https://deu.ast.checkmarx.net/resourceManagement/presets/description/79/11301225196674651062)

</details>

<details>

<summary>List of Supported Issue Types for SonarQube</summary>

**C#**

* Dropbox app credentials should not be disclosed
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2077/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2068)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-6418)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/csharp/RSPEC-2083/)
* [JWT secret keys should not be disclosed](https://rules.sonarsource.com/csharp/RSPEC-6781)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-5145/)
* [Secure random number generators should not output predictable values](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-4347/)
* [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-4790/)

**DEFAULT**

* [Alchemy API keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6719/)
* [Amazon Web Services credentials should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6290/)
* [AMQP credentials should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6736/)
* [Azure Bot Framework secrets and tokens should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-7017/)
* [Azure Logic App Secrets should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-7008/)
* [Cryptographic private keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6706/)
* [Database passwords should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6703/)
* [Discord Webhook URLs should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6708/)
* [Django secret keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6687/)
* [Equinix tokens should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6992/)
* [GitHub tokens should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6689/)
* [Google API keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6334/)
* [Google Cloud service accounts keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6335/)
* [Google OAuth client secrets should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6691/)
* [Grafana tokens should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6762/)
* [Infura API keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6783/)
* [Mailgun API keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6723/)
* [MongoDB database passwords should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6694/)
* [MySQL database passwords should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6697/)
* [OVH keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6999/)
* [PostgreSQL database passwords should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6698/)
* [RapidAPI keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6700/)
* [Redis credentials should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6739/)
* [SendGrid keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6696/)
* [Spotify API secrets should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6699/)
* [Stripe endpoint secrets should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6718/)

**DOCKERFILE**

* [S6471 Running containers as a privileged user is security-sensitive](https://rules.sonarsource.com/docker/RSPEC-6471/)

**GO**

* Constructing arguments of system commands from user input is security-sensitive
* Database queries should not be vulnerable to injection attacks
* Formatting SQL queries is security-sensitive
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/go/RSPEC-2068/)
* Using weak hashing algorithms is security-sensitive

**Java**

* [Accessing files should not lead to filesystem oracle attacks](https://rules.sonarsource.com/java/RSPEC-6549/)
* [Credentials should not be hard-coded](https://rules.sonarsource.com/java/RSPEC-6437/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-3649/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/java/RSPEC-5131/)
* [Extracting archives should not lead to zip slip vulnerabilities](https://rules.sonarsource.com/java/RSPEC-6096/)
* [Generic exceptions should never be thrown](https://rules.sonarsource.com/java/RSPEC-112/)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/java/RSPEC-2068/)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/java/RSPEC-6418/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/java/RSPEC-2083/)
* [javasecurity:S5146 HTTP request redirections should not be open to forging attacks](https://next.sonarqube.com/sonarqube/coding_rules?open=javasecurity%3AS5146\&rule_key=javasecurity%3AS5146)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-5145/)
* [Server-side requests should not be vulnerable to traversing attacks](https://rules.sonarsource.com/java/RSPEC-7044/)
* [Unnecessary imports should be removed](https://rules.sonarsource.com/java/RSPEC-1128/)
* [Unused "private" fields should be removed](https://rules.sonarsource.com/java/RSPEC-1068/)
* [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/java/RSPEC-4790/)

**JavaScript / TypeScript**

* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-3649/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-3649/)
* [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/javascript/RSPEC-5696/)
* [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5696/)
* [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/javascript/RSPEC-6105/)
* [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/typescript/RSPEC-6105/)
* [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5334/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5131/)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2077/)
* [Function returns should not be invariant](https://rules.sonarsource.com/javascript/RSPEC-3516/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-6418/)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-6418/)
* [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/javascript/RSPEC-5146/)
* [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5146/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/javascript/RSPEC-2083/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2083/)
* [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5147/)
* [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-5147/)
* [OS commands should not be vulnerable to command injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2076/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/javascript/RSPEC-2631/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/typescript/RSPEC-2631/)
* [Server-side requests should not be vulnerable to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5144/)
* [Using shell interpreter when executing OS commands is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-4721/)
* [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-4790/)
* [Variables should be declared explicitly](https://rules.sonarsource.com/javascript/RSPEC-2703/)

**PHP**

* [Credentials should not be hard-coded](https://rules.sonarsource.com/php/RSPEC-6437/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/php/RSPEC-2068/)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/php/RSPEC-6418/)

**Python**

* ["Exception" and "BaseException" should not be raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S112)
* [Constructing arguments of system commands from user input is security-sensitive](https://rules.sonarsource.com/python/RSPEC-6350/)
* [Credentials should not be hard-coded](https://rules.sonarsource.com/python/RSPEC-6437/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-3649/)
* [Disabling auto-escaping in template engines is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5247/)
* [Do not use identity comparisons (is / is not) with cached types](https://rules.sonarsource.com/python/RSPEC-5795/)
* [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5334/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/python/RSPEC-5131/)
* [Flask secret keys should not be disclosed](https://rules.sonarsource.com/python/RSPEC-6779/)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2077/)
* [Function parameters' default values should not be modified or assigned](https://rules.sonarsource.com/python/RSPEC-5717/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/python/RSPEC-2068/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/ipython/RSPEC-2068/)
* [JWT secret keys should not be disclosed](https://rules.sonarsource.com/python/RSPEC-6781/)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5145/)
* [Loop boundaries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-6680/)
* [python:S5443 Using publicly writable directories is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5443/)
* [python:S5754 "SystemExit" should be re-raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S5754)
* [Unused assignments should be removed](https://rules.sonarsource.com/python/RSPEC-1854/)
* [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/python/RSPEC-4790/)

**YAML**

* [Credentials should not be hard-coded](https://rules.sonarsource.com/docker/RSPEC-6437/)

</details>

<details>

<summary>List of Supported Issue Types for CodeQL</summary>

**CPP**

* [No space for zero terminator](https://codeql.github.com/codeql-query-help/cpp/cpp-no-space-for-terminator/)

**C#**

* [Cross-site scripting](https://codeql.github.com/codeql-query-help/csharp/cs-web-xss/)
* Hard-coded Connection String Credentials
* Hard-coded credentials
* [Insecure randomness](https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/)
* [Log entries created from user input](https://codeql.github.com/codeql-query-help/csharp/cs-log-forging/)
* SQL Injection
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/csharp/cs-path-injection/)
* [URL redirection from remote source](https://codeql.github.com/codeql-query-help/csharp/cs-web-unvalidated-url-redirection/)

**GO**

* Command Injection
* Hardcoded Credentials
* [Log entries created from user input](https://codeql.github.com/codeql-query-help/go/go-log-injection/)
* [Open URL redirect](https://codeql.github.com/codeql-query-help/go/go-unvalidated-url-redirection/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/go/go-reflected-xss/)
* SQL Injection
* Stored cross-site scripting
* [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/go/go-weak-cryptographic-algorithm/)
* [Use of a broken or weak cryptographic hashing algorithm on sensitive data](https://codeql.github.com/codeql-query-help/go/go-weak-sensitive-data-hashing/)

**Java**

* [Arbitrary file access during archive extraction ("Zip Slip")](https://codeql.github.com/codeql-query-help/java/java-zipslip/)
* [Cross-Site Request Forgery](https://codeql.github.com/codeql-query-help/java/java-spring-disabled-csrf-protection/)
* [Cross-site scripting](https://codeql.github.com/codeql-query-help/java/java-xss/)
* [Hardcoded Credential API Call](https://codeql.github.com/codeql-query-help/java/java-hardcoded-credential-api-call/)
* [Hardcoded Credential Comparison](https://codeql.github.com/codeql-query-help/java/java-hardcoded-credential-comparison/)
* [Hardcoded Password Field](https://codeql.github.com/codeql-query-help/java/java-hardcoded-password-field/)
* [Information exposure through an error message](https://codeql.github.com/codeql-query-help/java/java-error-message-exposure/)
* [Insertion of sensitive information into log files](https://codeql.github.com/codeql-query-help/java/java-sensitive-log/)
* [Log Injection](https://codeql.github.com/codeql-query-help/java/java-log-injection/)
* [Partial path traversal vulnerability](https://codeql.github.com/codeql-query-help/java/java-partial-path-traversal/)
* [Query built by concatenation with a possibly-untrusted string](https://codeql.github.com/codeql-query-help/java/java-concatenated-sql-query/)
* [Query built from user-controlled sources](https://codeql.github.com/codeql-query-help/java/java-sql-injection/)
* [Resolving XML external entity in user-controlled data](https://codeql.github.com/codeql-query-help/java/java-xxe/)
* [Server-side request forgery](https://codeql.github.com/codeql-query-help/java/java-ssrf/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/java/java-path-injection/)
* [Use of a broken or risky cryptographic algorithm](https://codeql.github.com/codeql-query-help/java/java-weak-cryptographic-algorithm/)
* [Use of a potentially broken or risky cryptographic algorithm](https://codeql.github.com/codeql-query-help/java/java-potentially-weak-cryptographic-algorithm/)

**JavaScript / TypeScript**

* [Client-side cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss/)
* [Client-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-client-side-unvalidated-url-redirection/)
* [Cross-window communication with unrestricted target origin](https://codeql.github.com/codeql-query-help/javascript/js-cross-window-information-leak/)
* [Database query built from user-controlled sources](https://codeql.github.com/codeql-query-help/javascript/js-sql-injection/)
* [DOM text reinterpreted as HTML](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-dom/)
* [Hard-coded credentials](https://codeql.github.com/codeql-query-help/javascript/js-hardcoded-credentials/)
* [Incomplete string escaping or encoding](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/)
* [Indirect uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-indirect-command-line-injection/)
* [Inefficient regular expression](https://codeql.github.com/codeql-query-help/javascript/js-redos/)
* [Insecure randomness](https://codeql.github.com/codeql-query-help/javascript/js-insecure-randomness/)
* [Log injection](https://codeql.github.com/codeql-query-help/javascript/js-log-injection/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-reflected-xss/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-exception/)
* [Regular expression injection](https://codeql.github.com/codeql-query-help/javascript/js-regex-injection/)
* [Sensitive server cookie exposed to the client](https://codeql.github.com/codeql-query-help/javascript/js-client-exposed-cookie/)
* [Server-side request forgery](https://codeql.github.com/codeql-query-help/javascript/js-request-forgery/)
* [Server-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-server-side-unvalidated-url-redirection/)
* [Shell command built from environment values](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-injection-from-environment/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-command-line-injection/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/javascript/js-path-injection/)
* [Unsafe HTML constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-html-constructed-from-input/)
* [Unsafe jQuery plugin](https://codeql.github.com/codeql-query-help/javascript/js-unsafe-jquery-plugin/)
* [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-constructed-from-input/)
* [Untrusted data passed to external API](https://codeql.github.com/codeql-query-help/javascript/js-untrusted-data-to-external-api/)
* [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/javascript/js-weak-cryptographic-algorithm/)

**Python**

* [Arbitrary file write during tarfile extraction](https://codeql.github.com/codeql-query-help/python/py-tarslip/)
* [Code injection](https://codeql.github.com/codeql-query-help/python/py-code-injection/)
* [Hardcoded Credentials](https://codeql.github.com/codeql-query-help/python/)
* [Jinja2 templating with autoescape=False](https://codeql.github.com/codeql-query-help/python/py-jinja2-autoescape-false/)
* [Log Injection](https://codeql.github.com/codeql-query-help/python/py-log-injection/)
* [SQL query built from user-controlled sources](https://codeql.github.com/codeql-query-help/python/py-sql-injection/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/python/py-command-line-injection/)
* [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/python/py-shell-command-constructed-from-input/)
* [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/python/py-weak-cryptographic-algorithm/)
* [Use of a broken or weak cryptographic hashing algorithm on sensitive data](https://codeql.github.com/codeql-query-help/python/py-weak-sensitive-data-hashing/)
* [XSS](https://codeql.github.com/codeql-query-help/python/py-reflective-xss/)

**YAML**

* [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-medium/)
* [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-critical/)
* [Excessive Secrets Exposure](https://codeql.github.com/codeql-query-help/actions/actions-excessive-secrets-exposure/)
* [Workflow does not contain permissions](https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/)

</details>

<details>

<summary>List of Supported Issue Types for Semgrep/Opengrep</summary>

**C#**

* [csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash](https://semgrep.dev/r?q=csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash)
* [csharp.lang.best-practice.structured-logging.structured-logging](https://semgrep.dev/r?q=csharp.lang.best-practice.structured-logging.structured-logging)
* [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key.generic-api-key)
* [lang.security.sqli.csharp-sqli.csharp-sqli](https://semgrep.dev/r?q=lang.security.sqli.csharp-sqli.csharp-sqli)
* [OS command injection](https://semgrep.dev/r/security_code_scan.SCS0001-1)
* [security\_code\_scan.SCS0002-1](https://semgrep.dev/p/security-code-scan)
* [Use of cryptographically weak Pseudo-Random Number Generator (PRNG)](https://semgrep.dev/r?q=gitlab.security_code_scan.SCS0005-1)

**DEFAULT**

* [secrets.gitleaks.jwt.jwt](https://semgrep.dev/r/?q=secrets.gitleaks.jwt.jwt)
* [secrets.security.detected-aws-account-id.detected-aws-account-id](https://semgrep.dev/r/?q=secrets.security.detected-aws-account-id.detected-aws-account-id)
* [secrets.security.detected-bcrypt-hash.detected-bcrypt-hash](https://semgrep.dev/r/?q=secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)
* [secrets.security.detected-etc-shadow.detected-etc-shadow](https://semgrep.dev/r/?q=secrets.security.detected-etc-shadow.detected-etc-shadow)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r/?q=secrets.security.detected-generic-api-key.detected-generic-api-key)
* [secrets.security.detected-generic-secret.detected-generic-secret](https://semgrep.dev/r/?q=secrets.security.detected-generic-secret.detected-generic-secret)
* [secrets.security.detected-jwt-token.detected-jwt-token](https://semgrep.dev/r/?q=secrets.security.detected-jwt-token.detected-jwt-token)
* [secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block](https://semgrep.dev/r/?q=secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)
* [secrets.security.detected-private-key.detected-private-key](https://semgrep.dev/r/?q=secrets.security.detected-private-key.detected-private-key)
* [secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key](https://semgrep.dev/r/?q=secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)
* [secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key](https://semgrep.dev/r/?q=secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)

**DOCKERFILE**

* [security.missing-user-entrypoint.missing-user-entrypoint](https://semgrep.dev/r?q=security.missing-user-entrypoint.missing-user-entrypoint)
* [security.missing-user.missing-user](https://semgrep.dev/r?q=security.missing-user.missing-user)

**GO**

* [Cookie Missing HttpOnly](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)
* [go.lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command)
* [go.lang.security.injection.open-redirect.open-redirect](https://semgrep.dev/r?q=go.lang.security.injection.open-redirect.open-redirect)
* [jwt-go.security.jwt.hardcoded-jwt-key](https://semgrep.dev/r/jwt-go.security.jwt.hardcoded-jwt-key)
* [lang.security.audit.crypto.use\_of\_weak\_crypto.use-of-md5](https://semgrep.dev/r?q=lang.security.audit.crypto.use_of_weak_crypto.use-of-md5)
* [lang.security.audit.crypto.use\_of\_weak\_crypto.use-of-sha1](https://semgrep.dev/r?q=lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1)
* [lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command)
* [lang.security.audit.database.string-formatted-query](https://semgrep.dev/r?q=lang.security.audit.database.string-formatted-query)
* [lang.security.audit.sqli.pgx-sqli.pgx-sqli](https://semgrep.dev/r?q=go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)
* [lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter](https://semgrep.dev/r?q=go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter)
* [lang.security.injection.tainted-sql-string](https://semgrep.dev/r?q=lang.security.injection.tainted-sql-string)
* [OS command injection](https://semgrep.dev/r?q=gitlab.gosec.G204-1)
* [secrets.gitleaks.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key)
* [secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)
* [secrets.security.detected-artifactory-password.detected-artifactory-password](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-password.detected-artifactory-password)
* [secrets.security.detected-artifactory-token.detected-artifactory-token](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-token.detected-artifactory-token)
* [secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)
* [secrets.security.detected-aws-account-id.detected-aws-account-id](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-account-id.detected-aws-account-id)
* [secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)
* [secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)
* [secrets.security.detected-aws-session-token.detected-aws-session-token](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-session-token.detected-aws-session-token)
* [secrets.security.detected-bcrypt-hash.detected-bcrypt-hash](https://semgrep.dev/r?q=generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)
* [secrets.security.detected-codeclimate.detected-codeclimate](https://semgrep.dev/r?q=generic.secrets.security.detected-codeclimate.detected-codeclimate)
* [secrets.security.detected-etc-shadow.detected-etc-shadow](https://semgrep.dev/r?q=generic.secrets.security.detected-etc-shadow.detected-etc-shadow)
* [secrets.security.detected-facebook-access-token.detected-facebook-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)
* [secrets.security.detected-facebook-oauth.detected-facebook-oauth](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-api-key.detected-generic-api-key)
* [secrets.security.detected-generic-secret.detected-generic-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-secret.detected-generic-secret)
* [secrets.security.detected-github-token.detected-github-token](https://semgrep.dev/r?q=generic.secrets.security.detected-github-token.detected-github-token)
* [secrets.security.detected-google-api-key.detected-google-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-api-key.detected-google-api-key)
* [secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key)
* [secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account](https://semgrep.dev/r?q=generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account)
* [secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)
* [secrets.security.detected-google-oauth.detected-google-oauth-url](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth.detected-google-oauth-url)
* [secrets.security.detected-heroku-api-key.detected-heroku-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)
* [secrets.security.detected-hockeyapp.detected-hockeyapp](https://semgrep.dev/r?q=generic.secrets.security.detected-hockeyapp.detected-hockeyapp)
* [secrets.security.detected-jwt-token.detected-jwt-token](https://semgrep.dev/r?q=generic.secrets.security.detected-jwt-token.detected-jwt-token)
* [secrets.security.detected-kolide-api-key.detected-kolide-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)
* [secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)
* [secrets.security.detected-mailgun-api-key.detected-mailgun-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)
* [secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)
* [secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token](https://semgrep.dev/r?q=generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)
* [secrets.security.detected-outlook-team.detected-outlook-team](https://semgrep.dev/r?q=generic.secrets.security.detected-outlook-team.detected-outlook-team)
* [secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token)
* [secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block](https://semgrep.dev/r?q=generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)
* [secrets.security.detected-picatic-api-key.detected-picatic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)
* [secrets.security.detected-private-key.detected-private-key](https://semgrep.dev/r?q=generic.secrets.security.detected-private-key.detected-private-key)
* [secrets.security.detected-sauce-token.detected-sauce-token](https://semgrep.dev/r?q=generic.secrets.security.detected-sauce-token.detected-sauce-token)
* [secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)
* [secrets.security.detected-slack-token.detected-slack-token](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-token.detected-slack-token)
* [secrets.security.detected-slack-webhook.detected-slack-webhook](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-webhook.detected-slack-webhook)
* [secrets.security.detected-snyk-api-key.detected-snyk-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)
* [secrets.security.detected-softlayer-api-key.detected-softlayer-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)
* [secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)
* [secrets.security.detected-square-access-token.detected-square-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-square-access-token.detected-square-access-token)
* [secrets.security.detected-square-oauth-secret.detected-square-oauth-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)
* [secrets.security.detected-ssh-password.detected-ssh-password](https://semgrep.dev/r?q=generic.secrets.security.detected-ssh-password.detected-ssh-password)
* [secrets.security.detected-stripe-api-key.detected-stripe-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)
* [secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)
* [secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)
* [secrets.security.detected-twilio-api-key.detected-twilio-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)
* [secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri](https://semgrep.dev/r?q=generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri)

**Java**

* File Path Traversal in HttpServlet
* [find\_sec\_bugs.DES\_USAGE-1](https://semgrep.dev/r?q=find_sec_bugs.DES_USAGE-1)
* [find\_sec\_bugs.DMI\_CONSTANT\_DB\_PASSWORD-1.HARD\_CODE\_PASSWORD-3](https://semgrep.dev/r?q=find_sec_bugs.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3)
* [find\_sec\_bugs.FILE\_UPLOAD\_FILENAME-1](https://semgrep.dev/r?q=find_sec_bugs.FILE_UPLOAD_FILENAME-1)
* [find\_sec\_bugs.HARD\_CODE\_KEY-4](https://semgrep.dev/r?q=find_sec_bugs.HARD_CODE_KEY-4)
* [find\_sec\_bugs.HARD\_CODE\_PASSWORD-1](https://semgrep.dev/r?q=find_sec_bugs.HARD_CODE_PASSWORD-1)
* [find\_sec\_bugs.PATH\_TRAVERSAL\_OUT-1.PATH\_TRAVERSAL\_OUT-1](https://semgrep.dev/r?q=find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1)
* [find\_sec\_bugs.PT\_ABSOLUTE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1)
* [find\_sec\_bugs.PT\_RELATIVE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1)
* [find\_sec\_bugs.UNVALIDATED\_REDIRECT-1.URL\_REWRITING-1](https://semgrep.dev/r?q=find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1)
* [find\_sec\_bugs.WEAK\_FILENAMEUTILS-1](https://semgrep.dev/r?q=find_sec_bugs.WEAK_FILENAMEUTILS-1)
* [find\_sec\_bugs.WEAK\_MESSAGE\_DIGEST\_MD5-1.WEAK\_MESSAGE\_DIGEST\_SHA1-1](https://semgrep.dev/r?q=find_sec_bugs.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1)
* [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-1)
* [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-2](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-2)
* [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1)
* [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1.SQL\_INJECTION-1.SQL\_INJECTION\_HIBERNATE-1.SQL\_INJECTION\_VERTX-1.SQL\_PREPARED\_STATEMENT\_GENERATED\_FROM\_NONCONSTANT\_STRING-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1)
* [java.lang.security.audit.formatted-sql-string.formatted-sql-string](https://semgrep.dev/r?q=java.lang.security.audit.formatted-sql-string.formatted-sql-string)
* [java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli](https://semgrep.dev/r?q=java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)
* [java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request](https://semgrep.dev/r?q=java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)
* java.mobb.custom\_injection
* java/mobb.pt\_find\_transitives
* [lang.security.audit.crypto.use-of-md5.use-of-md5](https://semgrep.dev/r?q=lang.security.audit.crypto.use-of-md5.use-of-md5)
* [lang.security.audit.crypto.use-of-sha1.use-of-sha1](https://semgrep.dev/r?q=lang.security.audit.crypto.use-of-sha1.use-of-sha1)
* [lang.security.audit.unvalidated-redirect.unvalidated-redirect](https://semgrep.dev/r?q=java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)
* [mobsfscan.crypto.weak\_hashes.weak\_hash](https://semgrep.dev/r?q=mobsfscan.crypto.weak_hashes.weak_hash)
* Path Traversal
* Relative File Path Traversal in HttpServlet
* [Server-Side-Request-Forgery (SSRF)](https://semgrep.dev/r?q=gitlab.find_sec_bugs.URLCONNECTION_SSRF_FD-1)
* [spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect](https://semgrep.dev/r?q=java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)
* SQL Injection
* Tainted File Path

**JavaScript / TypeScript**

* [browser.security.eval-detected.eval-detected](https://semgrep.dev/r?q=browser.security.eval-detected.eval-detected)
* [browser.security.insecure-document-method.insecure-document-method](https://semgrep.dev/r?q=browser.security.insecure-document-method.insecure-document-method)
* [detect-non-literal-regexp](https://semgrep.dev/r?q=detect-non-literal-regexp)
* [Detected possible path traversal](https://semgrep.dev/r?q=eslint.detect-non-literal-fs-filename)
* [Detected possible path traversal](https://semgrep.dev/r?q=lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename)
* [Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.](https://semgrep.dev/r?q=lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal)
* [eslint.detect-child-process](https://semgrep.dev/r?q=gitlab.eslint.detect-child-process)
* [eslint.detect-eval-with-expression](https://semgrep.dev/r?q=eslint.detect-eval-with-expression)
* [eslint.detect-non-literal-regexp](https://semgrep.dev/r?q=eslint.detect-non-literal-regexp)
* [eslint.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=gitlab.eslint.react-dangerouslysetinnerhtml)
* [express.security.audit.express-open-redirect.express-open-redirect](https://semgrep.dev/r?q=express.security.audit.express-open-redirect.express-open-redirect)
* [express.security.audit.possible-user-input-redirect.unknown-value-in-redirect](https://semgrep.dev/r?q=express.security.audit.possible-user-input-redirect.unknown-value-in-redirect)
* [express.security.audit.xss.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write)
* [express.security.audit.xss.direct-response-write.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write.direct-response-write)
* [express.security.injection.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string)
* [express.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string.tainted-sql-string)
* [generic.secrets.gitleaks.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key)
* [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key)
* [javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization](https://semgrep.dev/r?q=javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization)
* [javascript-crypto-rule-node\_md5](https://semgrep.dev/r?q=javascript-crypto-rule-node_md5)
* [javascript-crypto-rule-node\_sha1](https://semgrep.dev/r?q=javascript-crypto-rule-node_sha1)
* [javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_knex_sqli_injection)
* [javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_injection)
* [javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_js_injection)
* [javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_sqli_injection)
* [javascript-dos-rule-regex\_dos](https://semgrep.dev/r?q=javascript-dos-rule-regex_dos)
* [javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded)
* [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect2)
* [javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=javascript-xss-rule-express_xss)
* [javascript.browser.security.insecure-innerhtml.insecure-innerhtml](https://semgrep.dev/r?q=javascript.browser.security.insecure-innerhtml.insecure-innerhtml)
* [javascript.browser.security.raw-html-concat.raw-html-concat](https://semgrep.dev/r?q=javascript.browser.security.raw-html-concat.raw-html-concat)
* [javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration](https://semgrep.dev/r?q=javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration)
* [javascript.crypto-js.cryptojs-weak-algorithm.cryptojs-weak-algorithm](https://semgrep.dev/r?q=javascript.crypto-js.cryptojs-weak-algorithm.cryptojs-weak-algorithm)
* [javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape](https://semgrep.dev/r?q=javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape)
* [javascript.express.security.injection.raw-html-format.raw-html-format](https://semgrep.dev/r?q=javascript.express.security.injection.raw-html-format.raw-html-format)
* [javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector](https://semgrep.dev/r?q=javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector)
* [javascript.jssha.jssha-sha1.jssha-sha1](https://semgrep.dev/r?q=javascript.jssha.jssha-sha1.jssha-sha1)
* [javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename)
* [javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)
* [javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring](https://semgrep.dev/r?q=javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)
* [javascript.lang.security.detect-child-process.detect-child-process](https://semgrep.dev/r?q=lang.security.detect-child-process.detect-child-process)
* javascript.mobb.log\_forging
* [javascript.node-stdlib.cryptography.crypto-weak-algorithm.crypto-weak-algorithm](https://semgrep.dev/r?q=javascript.node-stdlib.cryptography.crypto-weak-algorithm.crypto-weak-algorithm)
* [jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret](https://semgrep.dev/r/jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret)
* [lang.security.audit.sqli.node-knex-sqli.node-knex-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)
* [lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli)
* [mobb.security.audit.express-check-cmdi](https://semgrep.dev/r?q=mobb.express-check-cmdi)
* [njsscan.crypto.crypto\_node.node\_md5](https://semgrep.dev/r?q=njsscan.crypto.crypto_node.node_md5)
* [njsscan.dos.regex\_injection.regex\_injection\_dos](https://semgrep.dev/r?q=njsscan.dos.regex_injection.regex_injection_dos)
* [njsscan.eval.eval\_node.eval\_nodejs](https://semgrep.dev/r?q=njsscan.eval.eval_node.eval_nodejs)
* [njsscan.generic.hardcoded\_secrets.node\_password](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_password)
* [njsscan.generic.hardcoded\_secrets.node\_secret](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_secret)
* [njsscan.traversal.path\_traversal.generic\_path\_traversal](https://semgrep.dev/r?q=njsscan.traversal.path_traversal.generic_path_traversal)
* [njsscan.xss.xss\_node.express\_xss](https://semgrep.dev/r?q=njsscan.xss.xss_node.express_xss)
* [nodejs\_scan.javascript-crypto-rule-node\_md5](https://semgrep.dev/r?q=nodejs_scan.javascript-crypto-rule-node_md5)
* [nodejs\_scan.javascript-crypto-rule-node\_sha1](https://semgrep.dev/r?q=nodejs_scan.javascript-crypto-rule-node_sha1)
* [nodejs\_scan.javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_knex_sqli_injection)
* [nodejs\_scan.javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_injection)
* [nodejs\_scan.javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_js_injection)
* [nodejs\_scan.javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_sqli_injection)
* [nodejs\_scan.javascript-eval-rule-eval\_nodejs](https://semgrep.dev/r?q=nodejs_scan.javascript-eval-rule-eval_nodejs)
* [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-exec-rule-shelljs_os_command_exec)
* [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=nodejs_scan.javascript-exec-rule-shelljs_os_command_exec)
* [nodejs\_scan.javascript-jwt-rule-hardcoded\_jwt\_secret](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret)
* [nodejs\_scan.javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded)
* [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect2)
* [nodejs\_scan.javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=nodejs_scan.javascript-xss-rule-express_xss)
* [Please provide a new title that explains javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator](https://semgrep.dev/r?q=javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator)
* [Possible writing outside of the destination, make sure that the target path is nested in the intended destination](https://semgrep.dev/r?q=express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal)
* [pt using rendering templates](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr)
* [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr)
* [pt using rendering templates](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr_warning)
* [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr_warning)
* [react.security.audit.react-unsanitized-method.react-unsanitized-method](https://semgrep.dev/r?q=react.security.audit.react-unsanitized-method.react-unsanitized-method)
* [secrets.gitleaks.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key)
* [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key.generic-api-key)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-node_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-node_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-phantom_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-phantom_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-playwright_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-playwright_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-puppeteer_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltoimage_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltopdf_ssrf)
* [SSRF](https://semgrep.dev/r?q=njsscan.ssrf.ssrf_node.node_ssrf)
* [typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml)

**Python**

* [A missing encoding argument in open() can lead to corrupted data](https://semgrep.dev/r/lang.best-practice.unspecified-open-encoding.unspecified-open-encoding)
* [B602: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B602)
* [B603: subprocess\_without\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B603)
* [B604: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B604)
* [bandit.B307](https://semgrep.dev/r?q=bandit.B307)
* [django.security.injection.code.user-eval-format-string.user-eval-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-eval-format-string.user-eval-format-string)
* [django.security.injection.code.user-eval.user-eval](https://semgrep.dev/r?q=django.security.injection.code.user-eval.user-eval)
* [django.security.injection.code.user-exec-format-string.user-exec-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-exec-format-string.user-exec-format-string)
* [django.security.injection.code.user-exec.user-exec](https://semgrep.dev/r?q=django.security.injection.code.user-exec.user-exec)
* [django.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=django.security.injection.tainted-sql-string.tainted-sql-string)
* [flask.security.injection.subprocess-injection](https://semgrep.dev/r?q=flask.security.injection.subprocess-injection)
* [flask.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=flask.security.injection.tainted-sql-string.tainted-sql-string)
* [flask.security.injection.user-eval.eval-injection](https://semgrep.dev/r?q=flask.security.injection.user-eval.eval-injection)
* [flask.security.injection.user-exec.exec-injection](https://semgrep.dev/r?q=flask.security.injection.user-exec.exec-injection)
* [generic.secrets.gitleaks.generic-api-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.generic-api-key)
* [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.generic-api-key.generic-api-key)
* [jwt.security.jwt-hardcode.jwt-python-hardcoded-secret](https://semgrep.dev/r?q=python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)
* [lang.maintainability.is-function-without-parentheses.is-function-without-parentheses](https://semgrep.dev/r?q=lang.maintainability.is-function-without-parentheses.is-function-without-parentheses)
* [lang.security.audit.dangerous-asyncio-create-exec-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-asyncio-create-exec-audit)
* [lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit)
* [lang.security.audit.eval-detected.eval-detected](https://semgrep.dev/r?q=lang.security.audit.eval-detected.eval-detected)
* [lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=lang.security.audit.exec-detected.exec-detected)
* [lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure](https://semgrep.dev/r?q=python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure)
* [lang.security.dangerous-subprocess-use](https://semgrep.dev/r?q=lang.security.dangerous-subprocess-use)
* [Please provide a new title that explains lang.correctness.return-in-init.return-in-init](https://semgrep.dev/r/?q=python.lang.correctness.return-in-init.return-in-init)
* [Possible cmdi attack](https://semgrep.dev/r?q=bandit.B603)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B605)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B606)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B607)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-start-process-partial-path)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-start-process-path)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array)
* [pyjwt.python-pyjwt-hardcoded-secret.python-pyjwt-hardcoded-secret](https://semgrep.dev/r?q=python.pyjwt.python-pyjwt-hardcoded-secret.python-pyjwt-hardcoded-secret)
* [python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5](https://semgrep.dev/r?q=python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5)
* [python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1](https://semgrep.dev/r?q=python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)
* [python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true](https://semgrep.dev/r?q=python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true)
* [python.django.security.audit.avoid-mark-safe.avoid-mark-safe](https://semgrep.dev/r?q=python.django.security.audit.avoid-mark-safe.avoid-mark-safe)
* [python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2](https://semgrep.dev/r?q=python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)
* [python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup](https://semgrep.dev/r?q=python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup)
* [python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled](https://semgrep.dev/r?q=python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled)
* [python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit)
* [python.lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=python.lang.security.audit.exec-detected.exec-detected)
* [python.lang.security.audit.formatted-sql-query.formatted-sql-query](https://semgrep.dev/r?q=python.lang.security.audit.formatted-sql-query.formatted-sql-query)
* [python.lang.security.audit.sha224-hash.sha224-hash](https://semgrep.dev/r?q=python.lang.security.audit.sha224-hash.sha224-hash)
* [python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli](https://semgrep.dev/r?q=python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)
* [python.lang.security.audit.subprocess-shell-true.subprocess-shell-true](https://semgrep.dev/r?q=lang.security.audit.subprocess-shell-true.subprocess-shell-true)
* [python.lang.security.insecure-hash-algorithm-md5](https://github.com/mobb-dev/opengrep-rules/blob/main/python/lang/security/insecure-hash-algorithms-md5.yaml)
* [python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5](https://semgrep.dev/r?q=python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5)
* [python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1](https://semgrep.dev/r?q=python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)
* [python.lang.security.insecure-hash-function.insecure-hash-function](https://semgrep.dev/r?q=python.lang.security.insecure-hash-function.insecure-hash-function)
* [python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2)
* [python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)
* [python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5)
* [python.pycryptodome.security.insecure-hash-algorithm-sha1.insecure-hash-algorithm-sha1](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-sha1.insecure-hash-algorithm-sha1)
* [python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text](https://semgrep.dev/r?q=python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text)
* [python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query](https://semgrep.dev/r?q=python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)
* [python.tarfile-extractall-traversal.tarfile-extractall-traversal](https://semgrep.dev/r?q=python.tarfile-extractall-traversal.tarfile-extractall-traversal)
* [python\_exec\_rule-subprocess-call-array](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array)
* [secrets.gitleaks.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key)
* [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key.generic-api-key)
* [secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)
* [secrets.security.detected-artifactory-password.detected-artifactory-password](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-password.detected-artifactory-password)
* [secrets.security.detected-artifactory-token.detected-artifactory-token](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-token.detected-artifactory-token)
* [secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)
* [secrets.security.detected-aws-account-id.detected-aws-account-id](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-account-id.detected-aws-account-id)
* [secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)
* [secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)
* [secrets.security.detected-aws-session-token.detected-aws-session-token](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-session-token.detected-aws-session-token)
* [secrets.security.detected-bcrypt-hash.detected-bcrypt-hash](https://semgrep.dev/r?q=generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)
* [secrets.security.detected-codeclimate.detected-codeclimate](https://semgrep.dev/r?q=generic.secrets.security.detected-codeclimate.detected-codeclimate)
* [secrets.security.detected-etc-shadow.detected-etc-shadow](https://semgrep.dev/r?q=generic.secrets.security.detected-etc-shadow.detected-etc-shadow)
* [secrets.security.detected-facebook-access-token.detected-facebook-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)
* [secrets.security.detected-facebook-oauth.detected-facebook-oauth](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-api-key.detected-generic-api-key)
* [secrets.security.detected-generic-secret.detected-generic-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-secret.detected-generic-secret)
* [secrets.security.detected-github-token.detected-github-token](https://semgrep.dev/r?q=generic.secrets.security.detected-github-token.detected-github-token)
* [secrets.security.detected-google-api-key.detected-google-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-api-key.detected-google-api-key)
* [secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key)
* [secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account](https://semgrep.dev/r?q=generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account)
* [secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)
* [secrets.security.detected-google-oauth.detected-google-oauth-url](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth.detected-google-oauth-url)
* [secrets.security.detected-heroku-api-key.detected-heroku-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)
* [secrets.security.detected-hockeyapp.detected-hockeyapp](https://semgrep.dev/r?q=generic.secrets.security.detected-hockeyapp.detected-hockeyapp)
* [secrets.security.detected-jwt-token.detected-jwt-token](https://semgrep.dev/r?q=generic.secrets.security.detected-jwt-token.detected-jwt-token)
* [secrets.security.detected-kolide-api-key.detected-kolide-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)
* [secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)
* [secrets.security.detected-mailgun-api-key.detected-mailgun-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)
* [secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)
* [secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token](https://semgrep.dev/r?q=generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)
* [secrets.security.detected-outlook-team.detected-outlook-team](https://semgrep.dev/r?q=generic.secrets.security.detected-outlook-team.detected-outlook-team)
* [secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-paypal-braintree%E2%80%A6cess-token.detected-paypal-braintree-access-token)
* [secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block](https://semgrep.dev/r?q=generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)
* [secrets.security.detected-picatic-api-key.detected-picatic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)
* [secrets.security.detected-private-key.detected-private-key](https://semgrep.dev/r?q=generic.secrets.security.detected-private-key.detected-private-key)
* [secrets.security.detected-sauce-token.detected-sauce-token](https://semgrep.dev/r?q=generic.secrets.security.detected-sauce-token.detected-sauce-token)
* [secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)
* [secrets.security.detected-slack-token.detected-slack-token](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-token.detected-slack-token)
* [secrets.security.detected-slack-webhook.detected-slack-webhook](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-webhook.detected-slack-webhook)
* [secrets.security.detected-snyk-api-key.detected-snyk-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)
* [secrets.security.detected-softlayer-api-key.detected-softlayer-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)
* [secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)
* [secrets.security.detected-square-access-token.detected-square-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-square-access-token.detected-square-access-token)
* [secrets.security.detected-square-oauth-secret.detected-square-oauth-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)
* [secrets.security.detected-ssh-password.detected-ssh-password](https://semgrep.dev/r?q=generic.secrets.security.detected-ssh-password.detected-ssh-password)
* [secrets.security.detected-stripe-api-key.detected-stripe-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)
* [secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)
* [secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)
* [secrets.security.detected-twilio-api-key.detected-twilio-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)
* [secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri](https://semgrep.dev/r?q=generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri)
* [sqlalchemy.correctness.delete-where.delete-where-no-execute](https://semgrep.dev/r?q=sqlalchemy.correctness.delete-where.delete-where-no-execute)
* [sqli](https://semgrep.dev/r?q=bandit.B608)
* [sqli](https://semgrep.dev/r?q=bandit.B610)
* [sqli](https://semgrep.dev/r?q=bandit.B611)
* [sqli](https://semgrep.dev/r?q=bandit.B611-2)
* [sqli](https://semgrep.dev/r?q=bandit.B612)
* [sqli](https://semgrep.dev/r?q=django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute)
* [The application may be vulnerable to a path traversal if it extracts untrusted archive files.](https://semgrep.dev/r?q=bandit.B202)
* [The application was found calling the `exec` function with a non-literal variable](https://semgrep.dev/r?q=bandit.B102)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-1)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-2)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-3)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-4)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-5)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-6)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-7)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-8)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-1)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-10)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-11)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-12)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-2)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-3)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-4)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-5)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-6)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-7)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-8)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-9)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B324)
* [XSS](https://semgrep.dev/r?q=bandit.B703)

**SQL**

* [secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)
* [secrets.security.detected-artifactory-password.detected-artifactory-password](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-password.detected-artifactory-password)
* [secrets.security.detected-artifactory-token.detected-artifactory-token](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-token.detected-artifactory-token)
* [secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)
* [secrets.security.detected-aws-account-id.detected-aws-account-id](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-account-id.detected-aws-account-id)
* [secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)
* [secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)
* [secrets.security.detected-aws-session-token.detected-aws-session-token](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-session-token.detected-aws-session-token)
* [secrets.security.detected-bcrypt-hash.detected-bcrypt-hash](https://semgrep.dev/r?q=generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)
* [secrets.security.detected-codeclimate.detected-codeclimate](https://semgrep.dev/r?q=generic.secrets.security.detected-codeclimate.detected-codeclimate)
* [secrets.security.detected-etc-shadow.detected-etc-shadow](https://semgrep.dev/r?q=generic.secrets.security.detected-etc-shadow.detected-etc-shadow)
* [secrets.security.detected-facebook-access-token.detected-facebook-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)
* [secrets.security.detected-facebook-oauth.detected-facebook-oauth](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-api-key.detected-generic-api-key)
* [secrets.security.detected-generic-secret.detected-generic-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-secret.detected-generic-secret)
* [secrets.security.detected-github-token.detected-github-token](https://semgrep.dev/r?q=generic.secrets.security.detected-github-token.detected-github-token)
* [secrets.security.detected-google-api-key.detected-google-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-api-key.detected-google-api-key)
* [secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key)
* [secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account](https://semgrep.dev/r?q=generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account)
* [secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)
* [secrets.security.detected-google-oauth.detected-google-oauth-url](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth.detected-google-oauth-url)
* [secrets.security.detected-heroku-api-key.detected-heroku-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)
* [secrets.security.detected-hockeyapp.detected-hockeyapp](https://semgrep.dev/r?q=generic.secrets.security.detected-hockeyapp.detected-hockeyapp)
* [secrets.security.detected-jwt-token.detected-jwt-token](https://semgrep.dev/r?q=generic.secrets.security.detected-jwt-token.detected-jwt-token)
* [secrets.security.detected-kolide-api-key.detected-kolide-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)
* [secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)
* [secrets.security.detected-mailgun-api-key.detected-mailgun-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)
* [secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)
* [secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token](https://semgrep.dev/r?q=generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)
* [secrets.security.detected-outlook-team.detected-outlook-team](https://semgrep.dev/r?q=generic.secrets.security.detected-outlook-team.detected-outlook-team)
* [secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-paypal-braintree%E2%80%A6cess-token.detected-paypal-braintree-access-token)
* [secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block](https://semgrep.dev/r?q=generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)
* [secrets.security.detected-picatic-api-key.detected-picatic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)
* [secrets.security.detected-private-key.detected-private-key](https://semgrep.dev/r?q=generic.secrets.security.detected-private-key.detected-private-key)
* [secrets.security.detected-sauce-token.detected-sauce-token](https://semgrep.dev/r?q=generic.secrets.security.detected-sauce-token.detected-sauce-token)
* [secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)
* [secrets.security.detected-slack-token.detected-slack-token](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-token.detected-slack-token)
* [secrets.security.detected-slack-webhook.detected-slack-webhook](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-webhook.detected-slack-webhook)
* [secrets.security.detected-snyk-api-key.detected-snyk-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)
* [secrets.security.detected-softlayer-api-key.detected-softlayer-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)
* [secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)
* [secrets.security.detected-square-access-token.detected-square-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-square-access-token.detected-square-access-token)
* [secrets.security.detected-square-oauth-secret.detected-square-oauth-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)
* [secrets.security.detected-ssh-password.detected-ssh-password](https://semgrep.dev/r?q=generic.secrets.security.detected-ssh-password.detected-ssh-password)
* [secrets.security.detected-stripe-api-key.detected-stripe-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)
* [secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)
* [secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)
* [secrets.security.detected-twilio-api-key.detected-twilio-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)
* [secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri](https://semgrep.dev/r?q=generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri)

**YAML**

* [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key.generic-api-key)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.generic-api-key.generic-api-key)
* [Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security\_opt' to prevent this.](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)
* [Service has a writable filesystem](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service)
* [Service port is exposed on all interfaces](https://semgrep.dev/r/trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces)
* [yaml.github-actions.security.run-shell-injection.run-shell-injection](https://semgrep.dev/r?q=yaml.github-actions.security.run-shell-injection.run-shell-injection)

</details>

<details>

<summary>List of Supported Issue Types for Datadog</summary>

**GO**

* SQL Injection

**Java**

* [Avoid user-input file](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/spring-request-file-tainted/)
* [Avoid using printStackTrace()](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-best-practices/avoid-printstacktrace/)
* [MD2, MD4, and MD5 are weak hash functions](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/weak-message-digest-md5/)
* [Prevent path traversal](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/path-traversal/)
* [SHA-1 is a weak hash function](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/weak-message-digest-sha1/)

**JavaScript / TypeScript**

* Command Injection
* [Do not use weak hash functions](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/javascript-node-security/insecure-hash/)
* Path traversal
* SQL Injection

**Python**

* [Avoid SQL injections](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/variable-sql-statement-injection/)
* [Do not use an empty list as a default parameter](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/no-empty-list-as-parameter/)
* Insecure hash functions
* [no-exec](https://docs.datadoghq.com/security/default_rules/#command-injection)

</details>
