# Supported FP Rules

A false positive (FP) rule is a check that Mobb runs against the findings a SAST tool reports in order to reliably determine that the flagged code is not actually vulnerable.

All FP rules meet the following criteria:

* High confidence that the identified finding is a false positive
* Tested against real-world code samples to avoid suppressing true positives
* A clear explanation of why the finding is considered a false positive
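The criteria above describe the contract an FP rule has to meet: decide only when confident, never suppress a true positive, and say why. The sketch below is an added illustration of that contract, not Mobb's rule engine or any of the rules listed on this page. It assumes a minimal `Finding` shape (normalized issue name, file path, flagged line), two conservative rules written for the example (a credential finding whose only literal is a deploy-time placeholder, and a SQL-injection finding whose query is one plain string literal), and constructed sample findings; each rule returns an explanation when it is confident and abstains otherwise.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    """One normalized SAST finding. Constructed shape for this example, not Mobb's data model."""
    issue_type: str   # normalized issue name, e.g. "Hardcoded Password"
    path: str         # file the finding points at
    snippet: str      # the flagged source line


# An FP rule returns a human-readable reason when it is confident the finding is a
# false positive, and None when it cannot rule the finding out (the finding stands).
FPRule = Callable[[Finding], Optional[str]]

# A plain double- or single-quoted string literal with no interpolation prefix.
_STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"' + r"|'((?:[^'\\]|\\.)*)'")
# Deploy-time placeholders: ${VAR}, {{ var }}, %(var)s, <YOUR_TOKEN>, __VAR__
_PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|\{\{[^}]+\}\}|%\([^)]+\)s|<[A-Z0-9_\- ]+>|__[A-Z0-9_]+__)$")
# Captures the argument list of the call on the line, e.g. execute(<args>)
_SINK_ARGS = re.compile(r"\w+\s*\((.*)\)\s*;?\s*$")


def _literals(text: str) -> list[str]:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _STRING_LITERAL.finditer(text)]


def placeholder_credential(f: Finding) -> Optional[str]:
    """Hardcoded-credential finding whose every string literal is a configuration placeholder."""
    if "hardcoded" not in f.issue_type.lower().replace("-", ""):
        return None
    literals = _literals(f.snippet)
    if literals and all(_PLACEHOLDER.match(lit) for lit in literals):
        return ("the flagged value is a deploy-time placeholder "
                f"({', '.join(literals)}), not a credential checked into the code")
    return None  # a real-looking literal, or no literal at all: leave the finding alone


def constant_sql_query(f: Finding) -> Optional[str]:
    """SQL-injection finding where the query reaching the sink is one plain string literal."""
    if "sql injection" not in f.issue_type.lower():
        return None
    m = _SINK_ARGS.search(f.snippet)
    if not m:
        return None
    args = m.group(1).strip()
    # Exactly one literal: any '+', '%', .format(), f-prefix, backtick or second
    # argument breaks the full match, so the rule abstains on those.
    if _STRING_LITERAL.fullmatch(args):
        return "the query passed to the sink is a compile-time constant; no tainted data can reach it"
    return None


RULES: tuple[FPRule, ...] = (placeholder_credential, constant_sql_query)


def triage(finding: Finding) -> Optional[str]:
    """Run every FP rule; return the first confident explanation, or None if the finding stands."""
    for rule in RULES:
        reason = rule(finding)
        if reason:
            return f"{rule.__name__}: {reason}"
    return None


# Constructed sample findings (not output of any real scan).
SAMPLE_FINDINGS = [
    Finding("Hardcoded Password", "deploy/settings.py", 'DB_PASSWORD = "${DB_PASSWORD}"'),
    Finding("Hardcoded Password", "app/db.py", 'DB_PASSWORD = "hunter2"'),
    Finding("SQL Injection", "app/reports.py", 'cursor.execute("SELECT id FROM users WHERE active = 1")'),
    Finding("SQL Injection", "app/users.py", "cursor.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")"),
    Finding("SQL Injection", "app/users.py", 'cursor.execute(f"SELECT * FROM users WHERE id = {uid}")'),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        verdict = triage(f)
        print(f"{f.path}: {f.issue_type} -> {'FP (' + verdict + ')' if verdict else 'keep'}")
```

The two rules deliberately err toward abstaining: a parameterized query such as `execute("... WHERE id = %s", (uid,))` is not claimed as a false positive because a regex over one line cannot see the driver's semantics, and a credential literal that merely looks test-like is left alone. That asymmetry is what the second criterion demands: a rule that is wrong in the "false positive" direction silently hides a real bug.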

Below are the issue types, grouped by SAST tool and language, for which Mobb currently provides FP rules. If there's an FP pattern you'd like to see added, please contact us at <support@mobb.ai>.

{% hint style="info" %}
Different SAST tools report the same issue type under different names, so the issue names shown here are the normalized names that Mobb uses.
{% endhint %}

<details>

<summary>List of Supported Issue Types for Snyk</summary>

**C#**

* Cross-site Scripting (XSS)
* [Hardcoded Secret](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules)
* [Log Forging](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-36-log-forging)
* [No Hardcoded Credentials](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules)
* [No Hardcoded Credentials Test](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Use of Insufficiently Random Values](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-87-use-of-insufficiently-random-values)

**GO**

* Command Injection
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* Hardcoded Non Crypto Secret
* Hardcoded Non Crypto Secret Test
* Hardcoded Password
* Hardcoded Password Test
* Hardcoded Secret Test
* No Hardcoded Credentials
* No Hardcoded Credentials Test
* SQL Injection

**Java**

* [Arbitrary File Write via Archive Extraction (Zip Slip)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-9-arbitrary-file-write-via-archive-extraction-zip-slip)
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss)
* No Hardcoded Credentials
* No Hardcoded Credentials Test
* [Open Redirect](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [XML External Entity (XXE) Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-123-xml-external-entity-xxe-injection)

**JavaScript / TypeScript**

* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss)
* [Indirect Command Injection via User Controlled Environment](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-13-indirect-command-injection-via-user-controlled-environment)
* [NoSQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-149-nosql-injection)
* [Open Redirect](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-121-open-redirect)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Prototype Pollution](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules#:~:text=Prototype%20Pollution)
* [Regular Expression Denial of Service (ReDoS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-102-regular-expression-denial-of-service-redos)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Use of Hardcoded Credentials](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-56-use-of-hardcoded-credentials)

**PHP**

* Hardcoded Credential
* Hardcoded Credential Test
* Hardcoded Non Crypto Secret
* Hardcoded Password
* Hardcoded Password Test

**Python**

* [Arbitrary File Write via Archive Extraction (Tar Slip)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Code Injection](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules)
* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* Cross Site Scripting (XSS)
* Hardcoded Iv
* Hardcoded Key
* HardcodedNonCryptoSecret
* HardcodedNonCryptoSecret/test
* [Incomplete URL sanitization](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Jinja auto-escape is set to false](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules/python-rules#:~:text=Jinja%20auto%2Descape%20is%20set%20to%20false.)
* No Hardcoded Credentials Test
* No Hardcoded Passwords Test
* NoHardcodedCredentials
* NoHardcodedPasswords
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)

</details>

<details>

<summary>List of Supported Issue Types for Fortify</summary>

**CPP**

* [Buffer Overflow](https://vulncat.fortify.com/en/detail?category=Buffer%20Overflow)
* [String Termination Error](https://vulncat.fortify.com/en/detail?category=String%20Termination%20Error)

**C#**

* Cross-Site Scripting: Persistent
* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#C%23%2FVB.NET%2FASP.NET)
* [Insecure Randomness: Hardcoded Seed](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness\&subcategory=Hardcoded%20Seed#C%23%2FVB.NET%2FASP.NET)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#C%23%2FVB.NET%2FASP.NET)
* [Mass Assignment: Request Parameters Bound via Input Formatter](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Request%20Parameters%20Bound%20via%20Input%20Formatter)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#C%23%2FVB.NET%2FASP.NET)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#C%23%2FVB.NET%2FASP.NET)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation: Base Path Overwriting](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Base%20Path%20Overwriting#C%23%2FVB.NET%2FASP.NET)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#C%23%2FVB.NET%2FASP.NET)

**DEFAULT**

* [Credential Management: Hardcoded API Credentials](https://vulncat.fortify.com/en/detail?category=Credential%20Management\&subcategory=Hardcoded%20API%20Credentials)
* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password)
* [Password Management: Password in Configuration File](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Configuration%20File)
* [Password Management: Weak Cryptography](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Weak%20Cryptography)

**GO**

* [Key Management: Hardcoded HMAC Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20HMAC%20Key#Golang)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Golang)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#Golang)

**Java**

* [Often Misused: Boolean.getBoolean()](https://vulncat.fortify.com/en/detail?category=Often%20Misused\&subcategory=Boolean.getBoolean\(\))
* [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Request%20Forgery)
* [Cross-Site Scripting: Reflected](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Reflected#Java%2FJSP)
* [Denial of Service](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service)
* [Header Manipulation](https://vulncat.fortify.com/en/detail?category=Header%20Manipulation)
* [HTML5: Missing Content Security Policy](https://vulncat.fortify.com/en/detail?category=HTML5\&subcategory=Missing%20Content%20Security%20Policy)
* [HTTP Parameter Pollution](https://vulncat.fortify.com/en/detail?category=HTTP%20Parameter%20Pollution)
* [Insecure Randomness: Hardcoded Seed](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness\&subcategory=Hardcoded%20Seed#Java%2fJSP)
* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key#Java%2fJSP)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Java%2FJSP)
* [Log Forging (debug)](https://vulncat.fortify.com/en/detail?category=Log%20Forging%20%28debug%29#Java%2FJSP)
* [Mass Assignment: Insecure Binder Configuration](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Insecure%20Binder%20Configuration#Java%2fJSP)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#Java%2fJSP)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Java%2FJSP)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#Java%2FJSP)
* [Path Manipulation: Zip Entry Overwrite](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Zip%20Entry%20Overwrite#Java%2FJSP)
* [Privacy Violation](https://vulncat.fortify.com/en/detail?category=Privacy%20Violation#Java%2FJSP)
* [Server-Side Request Forgery](https://vulncat.fortify.com/en/detail?category=Server-Side%20Request%20Forgery#Java%2FJSP)
* [Spring Security Misconfiguration: Default Permit](https://vulncat.fortify.com/en/detail?category=Spring%20Security%20Misconfiguration\&subcategory=Default%20Permit)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Java%2FJSP)
* [SQL Injection: Persistence](https://vulncat.fortify.com/en/detail?category=SQL%20Injection\&subcategory=Persistence#Java%2fJSP)
* [System Information Leak](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak#Java%2FJSP)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#Java%2FJSP)
* [Weak Cryptographic Hash](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash#Java%2FJSP)
* [XML Entity Expansion Injection](https://vulncat.fortify.com/en/detail?category=XML%20Entity%20Expansion%20Injection#Java%2FJSP)
* [XML External Entity Injection](https://vulncat.fortify.com/en/detail?category=XML%20External%20Entity%20Injection#Java%2FJSP)

**JavaScript / TypeScript**

* [Command Injection](https://vulncat.fortify.com/en/detail?category=Command%20Injection#JavaScript%2FTypeScript)
* [Credential Management: Hardcoded API Credentials](https://vulncat.fortify.com/en/detail?category=Credential%20Management\&subcategory=Hardcoded%20API%20Credentials#JavaScript%2FTypeScript)
* [Cross-Site Scripting: DOM](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=DOM#JavaScript%2FTypeScript)
* [Cross-Site Scripting: Self](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Self#JavaScript%2FTypeScript)
* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key#JavaScript%2FTypeScript)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#JavaScript%2FTypeScript)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#JavaScript%2FTypeScript)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#JavaScript%2FTypeScript)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#JavaScript%2FTypeScript)
* [Weak Cryptographic Hash](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash#JavaScript%2FTypeScript)

**PHP**

* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password+Management\&subcategory=Hardcoded+Password)
* [Weak Cryptographic Hash: Hardcoded Salt](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash\&subcategory=Hardcoded%20Salt#PHP)

**Python**

* [Dynamic Code Evaluation: Code Injection](https://vulncat.fortify.com/en/detail?category=Dynamic%20Code%20Evaluation#Universal)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password+Management\&subcategory=Hardcoded+Password#Python)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Python)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Python)
* [Weak Cryptographic Hash](https://vulncat.fortify.com/en/detail?category=Weak%20Cryptographic%20Hash#Python)

**XML**

* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Universal)

**YAML**

* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#YAML)

</details>

<details>

<summary>List of Supported Issue Types for Checkmarx</summary>

**C#**

* Dynamic SQL Queries
* Hardcoded Credentials
* Hardcoded password in Connection String
* JWT Use Of Hardcoded Secret
* Log Forging
* Path Traversal
* Reflected XSS
* Reflected XSS All Clients
* SQL Injection
* Stored XSS
* Use Of Broken Or Risky Cryptographic Algorithm
* Use Of Hardcoded Password
* Use of Insufficiently Random Values

**GO**

* Command Injection
* Hardcoded AWS Credentials
* Hardcoded Password in Connection String
* Log Forging
* Second Order SQL Injection
* SQL Injection
* Use of Hardcoded Password

**Java**

* Absolute Path Traversal
* Improper Restriction of Stored XXE Ref
* Improper Restriction of XXE Ref
* Information Exposure Through an Error Message
* Log Forging
* [Open Redirect](https://deu.ast.checkmarx.net/resourceManagement/presets/description/601/5854466950125120303)
* [Password In Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/2940637487142405047)
* Privacy Violation
* Reflected XSS All Clients
* Relative Path Traversal
* [Reversible One Way Hash](https://deu.ast.checkmarx.net/resourceManagement/presets/description/328/7875786759696254599)
* SQL Injection
* SQL Injection Evasion Attack
* SSRF
* Stored Absolute Path Traversal
* Stored Log Forging
* Stored XSS
* Unchecked Input for Loop Condition
* [Unsafe Object Binding](https://deu.ast.checkmarx.net/resourceManagement/presets/description/915/18167789603095321044)
* [Use Of Broken Or Risky Cryptographic Algorithm](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/15434822379289186737)

**JavaScript / TypeScript**

* Absolute Path Traversal
* Client DOM Code Injection
* Client DOM Open Redirect
* Client DOM Stored XSS
* Client DOM XSS
* Client Password In Comment
* Client Potential XSS
* Client Regex Injection
* [Client Weak Cryptographic Hash](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/6215771209953606521)
* Command Injection
* Hardcoded password in Connection String
* [HttpOnly Cookie Flag Not Set](https://deu.ast.checkmarx.net/resourceManagement/presets/description/1004/9800224272094099502)
* JWT Use Of Hardcoded Secret
* Log Forging
* [Missing HSTS Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/15718905356648301922)
* Open Redirect
* Prototype Pollution
* Relative Path Traversal
* Secret\_Leak
* SQL Injection
* SSRF
* Stored XSS
* [Use Of Broken Or Risky Cryptographic Algorithm](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/16841165964473079218)
* Use Of Hardcoded Password

**PHP**

* Hardcoded Salt
* Use of Hardcoded Cryptographic IV
* Use Of Hardcoded Password

**Python**

* [Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/13646819717326216658)
* Command Argument Injection
* Hardcoded AWS Credentials
* Hardcoded Password in Connection String
* Hardcoded Secrets
* [Log Forging](https://deu.ast.checkmarx.net/resourceManagement/presets/description/117/4488286415414676575)
* [Password in Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/13336864677243390331)
* Reversible One Way Hash
* [Second Order SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/631642030927601838)
* [SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/17810866942529238742)
* [Stored Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/14606273189609098459)
* [Stored Command Argument Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/88/6227086963064089467)
* [Unchecked Input for Loop Condition](https://deu.ast.checkmarx.net/resourceManagement/presets/description/606/12513885999564608658)
* [Use Of Broken Or Risky Cryptographic Algorithm](https://deu.ast.checkmarx.net/resourceManagement/presets/description/327/10201415834072344741)
* Use of Hardcoded Cryptographic Key
* Use Of Hardcoded Password
* [XSS](https://deu.ast.checkmarx.net/resourceManagement/presets/description/79/11301225196674651062)

</details>

<details>

<summary>List of Supported Issue Types for SonarQube</summary>

**C#**

* Dropbox app credentials should not be disclosed
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2077/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2068)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-6418)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/csharp/RSPEC-2083/)
* [JWT secret keys should not be disclosed](https://rules.sonarsource.com/csharp/RSPEC-6781)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-5145/)
* [Secure random number generators should not output predictable values](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-4347/)
* [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-4790/)

**DEFAULT**

* [Alchemy API keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6719/)
* [Amazon Web Services credentials should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6290/)
* [AMQP credentials should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6736/)
* [Azure Bot Framework secrets and tokens should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-7017/)
* [Azure Logic App Secrets should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-7008/)
* [Cryptographic private keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6706/)
* [Database passwords should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6703/)
* [Discord Webhook URLs should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6708/)
* [Django secret keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6687/)
* [Equinix tokens should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6992/)
* [GitHub tokens should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6689/)
* [Google API keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6334/)
* [Google Cloud service accounts keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6335/)
* [Google OAuth client secrets should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6691/)
* [Grafana tokens should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6762/)
* [Infura API keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6783/)
* [Mailgun API keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6723/)
* [MongoDB database passwords should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6694/)
* [MySQL database passwords should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6697/)
* [OVH keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6999/)
* [PostgreSQL database passwords should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6698/)
* [RapidAPI keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6700/)
* [Redis credentials should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6739/)
* [SendGrid keys should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6696/)
* [Spotify API secrets should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6699/)
* [Stripe endpoint secrets should not be disclosed](https://rules.sonarsource.com/secrets/RSPEC-6718/)

**DOCKERFILE**

* [S6471 Running containers as a privileged user is security-sensitive](https://rules.sonarsource.com/docker/RSPEC-6471/)

**GO**

* Constructing arguments of system commands from user input is security-sensitive
* Database queries should not be vulnerable to injection attacks
* Formatting SQL queries is security-sensitive
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/go/RSPEC-2068/)
* Using weak hashing algorithms is security-sensitive

**Java**

* [Accessing files should not lead to filesystem oracle attacks](https://rules.sonarsource.com/java/RSPEC-6549/)
* [Credentials should not be hard-coded](https://rules.sonarsource.com/java/RSPEC-6437/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-3649/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/java/RSPEC-5131/)
* [Extracting archives should not lead to zip slip vulnerabilities](https://rules.sonarsource.com/java/RSPEC-6096/)
* [Generic exceptions should never be thrown](https://rules.sonarsource.com/java/RSPEC-112/)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/java/RSPEC-2068/)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/java/RSPEC-6418/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/java/RSPEC-2083/)
* [javasecurity:S5146 HTTP request redirections should not be open to forging attacks](https://next.sonarqube.com/sonarqube/coding_rules?open=javasecurity%3AS5146\&rule_key=javasecurity%3AS5146)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-5145/)
* [Security - Nonconstant string passed to execute or addBatch method on an SQL statement](https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE)
* [Server-side requests should not be vulnerable to traversing attacks](https://rules.sonarsource.com/java/RSPEC-7044/)
* [Unnecessary imports should be removed](https://rules.sonarsource.com/java/RSPEC-1128/)
* [Unused "private" fields should be removed](https://rules.sonarsource.com/java/RSPEC-1068/)
* [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/java/RSPEC-4790/)

**JavaScript / TypeScript**

* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-3649/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-3649/)
* [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/javascript/RSPEC-5696/)
* [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5696/)
* [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/javascript/RSPEC-6105/)
* [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/typescript/RSPEC-6105/)
* [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5334/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5131/)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2077/)
* [Function returns should not be invariant](https://rules.sonarsource.com/javascript/RSPEC-3516/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-6418/)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-6418/)
* [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/javascript/RSPEC-5146/)
* [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5146/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/javascript/RSPEC-2083/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2083/)
* [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5147/)
* [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-5147/)
* [OS commands should not be vulnerable to command injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2076/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/javascript/RSPEC-2631/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/typescript/RSPEC-2631/)
* [Server-side requests should not be vulnerable to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5144/)
* [Using shell interpreter when executing OS commands is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-4721/)
* [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-4790/)
* [Variables should be declared explicitly](https://rules.sonarsource.com/javascript/RSPEC-2703/)

**PHP**

* [Credentials should not be hard-coded](https://rules.sonarsource.com/php/RSPEC-6437)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/php/RSPEC-2068)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/php/RSPEC-6418)

**Python**

* ["Exception" and "BaseException" should not be raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S112)
* [Constructing arguments of system commands from user input is security-sensitive](https://rules.sonarsource.com/python/RSPEC-6350/)
* [Credentials should not be hard-coded](https://rules.sonarsource.com/python/RSPEC-6437)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-3649/)
* [Disabling auto-escaping in template engines is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5247/)
* [Do not use identity comparisons (is / is not) with cached types](https://rules.sonarsource.com/python/RSPEC-5795/)
* [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5334/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/python/RSPEC-5131/)
* [Flask secret keys should not be disclosed](https://rules.sonarsource.com/python/RSPEC-6779)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2077/)
* [Function parameters' default values should not be modified or assigned](https://rules.sonarsource.com/python/RSPEC-5717/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/python/RSPEC-2068)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/ipython/RSPEC-2068)
* [JWT secret keys should not be disclosed](https://rules.sonarsource.com/python/RSPEC-6781)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5145/)
* [Loop boundaries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-6680/)
* [python:S5443 Using publicly writable directories is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5443/)
* [python:S5754 "SystemExit" should be re-raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S5754)
* [Unused assignments should be removed](https://rules.sonarsource.com/python/RSPEC-1854/)
* [Using weak hashing algorithms is security-sensitive](https://rules.sonarsource.com/python/RSPEC-4790/)

**YAML**

* [Credentials should not be hard-coded](https://rules.sonarsource.com/docker/RSPEC-6437/)

</details>

<details>

<summary>List of Supported Issue Types for CodeQL</summary>

**CPP**

* [No space for zero terminator](https://codeql.github.com/codeql-query-help/cpp/cpp-no-space-for-terminator/)

**C#**

* [Cross-site scripting](https://codeql.github.com/codeql-query-help/csharp/cs-web-xss/)
* Hard-coded Connection String Credentials
* Hard-coded credentials
* [Insecure randomness](https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/)
* [Log entries created from user input](https://codeql.github.com/codeql-query-help/csharp/cs-log-forging/)
* SQL Injection
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/csharp/cs-path-injection/)
* [URL redirection from remote source](https://codeql.github.com/codeql-query-help/csharp/cs-web-unvalidated-url-redirection/)

**GO**

* [Bad redirect check](https://codeql.github.com/codeql-query-help/go/go-bad-redirect-check/)
* Command Injection
* Hardcoded Credentials
* [Incorrect conversion between integer types](https://codeql.github.com/codeql-query-help/go/go-incorrect-integer-conversion/)
* [Log entries created from user input](https://codeql.github.com/codeql-query-help/go/go-log-injection/)
* [Open URL redirect](https://codeql.github.com/codeql-query-help/go/go-unvalidated-url-redirection/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/go/go-reflected-xss/)
* SQL Injection
* Stored cross-site scripting
* [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/go/go-weak-cryptographic-algorithm/)
* [Use of a broken or weak cryptographic hashing algorithm on sensitive data](https://codeql.github.com/codeql-query-help/go/go-weak-sensitive-data-hashing/)

**Java**

* [Arbitrary file access during archive extraction ("Zip Slip")](https://codeql.github.com/codeql-query-help/java/java-zipslip/)
* [Cross-Site Request Forgery](https://codeql.github.com/codeql-query-help/java/java-spring-disabled-csrf-protection/)
* [Cross-site scripting](https://codeql.github.com/codeql-query-help/java/java-xss/)
* [Executing a command with a relative path](https://codeql.github.com/codeql-query-help/java/java-relative-path-command/)
* [Hard-coded credential in sensitive call](https://codeql.github.com/codeql-query-help/java-cwe/)
* [Hardcoded Credential API Call](https://codeql.github.com/codeql-query-help/hardcoded-credential-api-call)
* [Hardcoded Credential Comparison](https://codeql.github.com/codeql-query-help/java-cwe/)
* [Hardcoded Password Field](https://codeql.github.com/codeql-query-help/hardcoded-password-field)
* [Improper validation of user-provided array index](https://codeql.github.com/codeql-query-help/java/java-improper-validation-of-array-index/)
* [Information exposure through an error message](https://codeql.github.com/codeql-query-help/java/java-error-message-exposure/)
* [Insertion of sensitive information into log files](https://codeql.github.com/codeql-query-help/java/java-sensitive-log/)
* [Log Injection](https://codeql.github.com/codeql-query-help/java/java-log-injection/)
* [Partial path traversal vulnerability](https://codeql.github.com/codeql-query-help/java/java-partial-path-traversal/)
* [Query built by concatenation with a possibly-untrusted string](https://codeql.github.com/codeql-query-help/java/java-concatenated-sql-query/)
* [Query built from user-controlled sources](https://codeql.github.com/codeql-query-help/java/java-sql-injection/)
* [Resolving XML external entity in user-controlled data](https://codeql.github.com/codeql-query-help/java/java-xxe/)
* [Server-side request forgery](https://codeql.github.com/codeql-query-help/java/java-ssrf/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/java/java-path-injection/)
* [Use of a broken or risky cryptographic algorithm](https://codeql.github.com/codeql-query-help/java/java-weak-cryptographic-algorithm/)
* [Use of a potentially broken or risky cryptographic algorithm](https://codeql.github.com/codeql-query-help/java/java-potentially-weak-cryptographic-algorithm/)
* [User-controlled data in numeric cast](https://codeql.github.com/codeql-query-help/java/java-tainted-numeric-cast/)

**JavaScript / TypeScript**

* [Bad HTML filtering regexp](https://codeql.github.com/codeql-query-help/javascript/js-bad-tag-filter/)
* [Client-side cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss/)
* [Client-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-client-side-unvalidated-url-redirection/)
* [Cross-window communication with unrestricted target origin](https://codeql.github.com/codeql-query-help/javascript/js-cross-window-information-leak/)
* [Database query built from user-controlled sources](https://codeql.github.com/codeql-query-help/javascript/js-sql-injection/)
* [DOM text reinterpreted as HTML](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-dom/)
* [Hard-coded credentials](https://codeql.github.com/codeql-query-help/javascript/js-hardcoded-credentials/)
* [Incomplete string escaping or encoding](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/)
* [Indirect uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-indirect-command-line-injection/)
* [Inefficient regular expression](https://codeql.github.com/codeql-query-help/javascript/js-redos/)
* [Insecure randomness](https://codeql.github.com/codeql-query-help/javascript/js-insufficient-password-hash/)
* [Log injection](https://codeql.github.com/codeql-query-help/javascript/js-log-injection/)
* [Prototype-polluting assignment](https://codeql.github.com/codeql-query-help/javascript/js-prototype-polluting-assignment/)
* [Prototype-polluting function](https://codeql.github.com/codeql-query-help/javascript/js-prototype-pollution-utility/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-reflected-xss/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-exception/)
* [Regular expression injection](https://codeql.github.com/codeql-query-help/javascript/js-regex-injection/)
* [Sensitive server cookie exposed to the client](https://codeql.github.com/codeql-query-help/javascript/js-client-exposed-cookie/)
* [Server-side request forgery](https://codeql.github.com/codeql-query-help/javascript/js-request-forgery/)
* [Server-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-server-side-unvalidated-url-redirection/)
* [Shell command built from environment values](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-injection-from-environment/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-command-line-injection/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/javascript/js-path-injection/)
* [Unsafe HTML constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-html-constructed-from-input/)
* [Unsafe jQuery plugin](https://codeql.github.com/codeql-query-help/javascript/js-unsafe-jquery-plugin/)
* [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-constructed-from-input/)
* [Untrusted data passed to external API](https://codeql.github.com/codeql-query-help/javascript-cwe/)
* [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/javascript/js-weak-cryptographic-algorithm/)

**Python**

* [Arbitrary file write during tarfile extraction](https://codeql.github.com/codeql-query-help/python/py-tarslip/)
* [Code injection](https://codeql.github.com/codeql-query-help/python/py-code-injection/)
* [Full server-side request forgery](https://codeql.github.com/codeql-query-help/python/py-full-ssrf/)
* [Hardcoded Credentials](https://codeql.github.com/codeql-query-help/python/)
* [Incomplete URL substring sanitization](https://codeql.github.com/codeql-query-help/python/py-incomplete-url-substring-sanitization/)
* [Jinja2 templating with autoescape=False](https://codeql.github.com/codeql-query-help/python/py-jinja2-autoescape-false/)
* [Log Injection](https://codeql.github.com/codeql-query-help/python/py-log-injection/)
* [SQL query built from user-controlled sources](https://codeql.github.com/codeql-query-help/python/py-sql-injection/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/python/py-command-line-injection/)
* [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/python/py-shell-command-constructed-from-input/)
* [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/python/py-weak-cryptographic-algorithm/)
* [Use of a broken or weak cryptographic hashing algorithm on sensitive data](https://codeql.github.com/codeql-query-help/python/py-weak-sensitive-data-hashing/)
* [XSS](https://codeql.github.com/codeql-query-help/python/py-reflective-xss/)

**YAML**

* [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-medium/)
* [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-critical/)
* [Excessive Secrets Exposure](https://codeql.github.com/codeql-query-help/actions/actions-excessive-secrets-exposure/)
* [Workflow does not contain permissions](https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/)

</details>

<details>

<summary>List of Supported Issue Types for Semgrep/Opengrep</summary>

**C#**

* [csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash](https://semgrep.dev/r?q=csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash)
* [csharp/lang.best-practice.structured-logging.structured-logging](https://semgrep.dev/r?q=csharp.lang.best-practice.structured-logging.structured-logging)
* [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key.generic-api-key)
* [lang.security.sqli.csharp-sqli.csharp-sqli](https://semgrep.dev/r?q=lang.security.sqli.csharp-sqli.csharp-sqli)
* [OS command injection](https://semgrep.dev/r/security_code_scan.SCS0001-1)
* [security\_code\_scan.SCS0002-1](https://semgrep.dev/p/security-code-scan)
* [Use of cryptographically weak Pseudo-Random Number Generator (PRNG)](https://semgrep.dev/r?q=gitlab.security_code_scan.SCS0005-1)

**DEFAULT**

* [generic.secrets.gitleaks.hashicorp-tf-password.hashicorp-tf-password](https://semgrep.dev/r?q=generic.secrets.gitleaks.hashicorp-tf-password.hashicorp-tf-password)
* [generic.secrets.gitleaks.private-key.private-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.private-key.private-key)
* [secrets.gitleaks.jwt.jwt](https://semgrep.dev/r/?q=secrets.gitleaks.jwt.jwt)
* [secrets.security.detected-aws-account-id.detected-aws-account-id](https://semgrep.dev/r/?q=secrets.security.detected-aws-account-id.detected-aws-account-id)
* [secrets.security.detected-bcrypt-hash.detected-bcrypt-hash](https://semgrep.dev/r/?q=secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)
* [secrets.security.detected-etc-shadow.detected-etc-shadow](https://semgrep.dev/r/?q=secrets.security.detected-etc-shadow.detected-etc-shadow)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r/?q=secrets.security.detected-generic-api-key.detected-generic-api-key)
* [secrets.security.detected-generic-secret.detected-generic-secret](https://semgrep.dev/r/?q=secrets.security.detected-generic-secret.detected-generic-secret)
* [secrets.security.detected-jwt-token.detected-jwt-token](https://semgrep.dev/r/?q=secrets.security.detected-jwt-token.detected-jwt-token)
* [secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block](https://semgrep.dev/r/?q=secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)
* [secrets.security.detected-private-key.detected-private-key](https://semgrep.dev/r/?q=secrets.security.detected-private-key.detected-private-key)
* [secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key](https://semgrep.dev/r/?q=secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)
* [secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key](https://semgrep.dev/r/?q=secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)

**DOCKERFILE**

* [security.missing-user-entrypoint.missing-user-entrypoint](https://semgrep.dev/r?q=security.missing-user-entrypoint.missing-user-entrypoint)
* [security.missing-user.missing-user](https://semgrep.dev/r?q=security.missing-user.missing-user)

**GO**

* [Cookie Missing HTTP only](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)
* [go.lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command)
* [go.lang.security.injection.open-redirect.open-redirect](https://semgrep.dev/r?q=go.lang.security.injection.open-redirect.open-redirect)
* [jwt-go.security.jwt.hardcoded-jwt-key](https://semgrep.dev/r/jwt-go.security.jwt.hardcoded-jwt-key)
* [lang.security.audit.crypto.use\_of\_weak\_crypto.use-of-md5](https://semgrep.dev/r?q=lang.security.audit.crypto.use_of_weak_crypto.use-of-md5)
* [lang.security.audit.crypto.use\_of\_weak\_crypto.use-of-sha1](https://semgrep.dev/r?q=lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1)
* [lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command)
* [lang.security.audit.database.string-formatted-query](https://semgrep.dev/r?q=lang.security.audit.database.string-formatted-query)
* [lang.security.audit.sqli.pgx-sqli.pgx-sqli](https://semgrep.dev/r?q=go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)
* [lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter](https://semgrep.dev/r?q=+go+lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter)
* [lang.security.injection.tainted-sql-string](https://semgrep.dev/r?q=lang.security.injection.tainted-sql-string)
* [OS command injection](https://semgrep.dev/r?q=gitlab.gosec.G204-1)
* [secrets.gitleaks.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key)
* [secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)
* [secrets.security.detected-artifactory-password.detected-artifactory-password](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-password.detected-artifactory-password)
* [secrets.security.detected-artifactory-token.detected-artifactory-token](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-token.detected-artifactory-token)
* [secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)
* [secrets.security.detected-aws-account-id.detected-aws-account-id](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-account-id.detected-aws-account-id)
* [secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)
* [secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)
* [secrets.security.detected-aws-session-token.detected-aws-session-token](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-session-token.detected-aws-session-token)
* [secrets.security.detected-bcrypt-hash.detected-bcrypt-hash](https://semgrep.dev/r?q=generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)
* [secrets.security.detected-codeclimate.detected-codeclimate](https://semgrep.dev/r?q=generic.secrets.security.detected-codeclimate.detected-codeclimate)
* [secrets.security.detected-etc-shadow.detected-etc-shadow](https://semgrep.dev/r?q=generic.secrets.security.detected-etc-shadow.detected-etc-shadow)
* [secrets.security.detected-facebook-access-token.detected-facebook-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)
* [secrets.security.detected-facebook-oauth.detected-facebook-oauth](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-api-key.detected-generic-api-key)
* [secrets.security.detected-generic-secret.detected-generic-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-secret.detected-generic-secret)
* [secrets.security.detected-github-token.detected-github-token](https://semgrep.dev/r?q=generic.secrets.security.detected-github-token.detected-github-token)
* [secrets.security.detected-google-api-key.detected-google-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-api-key.detected-google-api-key)
* [secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key)
* [secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account](https://semgrep.dev/r?q=generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account)
* [secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)
* [secrets.security.detected-google-oauth.detected-google-oauth-url](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth.detected-google-oauth-url)
* [secrets.security.detected-heroku-api-key.detected-heroku-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)
* [secrets.security.detected-hockeyapp.detected-hockeyapp](https://semgrep.dev/r?q=generic.secrets.security.detected-hockeyapp.detected-hockeyapp)
* [secrets.security.detected-jwt-token.detected-jwt-token](https://semgrep.dev/r?q=generic.secrets.security.detected-jwt-token.detected-jwt-token)
* [secrets.security.detected-kolide-api-key.detected-kolide-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)
* [secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)
* [secrets.security.detected-mailgun-api-key.detected-mailgun-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)
* [secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)
* [secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token](https://semgrep.dev/r?q=generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)
* [secrets.security.detected-outlook-team.detected-outlook-team](https://semgrep.dev/r?q=generic.secrets.security.detected-outlook-team.detected-outlook-team)
* [secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token)
* [secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block](https://semgrep.dev/r?q=generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)
* [secrets.security.detected-picatic-api-key.detected-picatic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)
* [secrets.security.detected-private-key.detected-private-key](https://semgrep.dev/r?q=generic.secrets.security.detected-private-key.detected-private-key)
* [secrets.security.detected-sauce-token.detected-sauce-token](https://semgrep.dev/r?q=generic.secrets.security.detected-sauce-token.detected-sauce-token)
* [secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)
* [secrets.security.detected-slack-token.detected-slack-token](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-token.detected-slack-token)
* [secrets.security.detected-slack-webhook.detected-slack-webhook](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-webhook.detected-slack-webhook)
* [secrets.security.detected-snyk-api-key.detected-snyk-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)
* [secrets.security.detected-softlayer-api-key.detected-softlayer-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)
* [secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)
* [secrets.security.detected-square-access-token.detected-square-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-square-access-token.detected-square-access-token)
* [secrets.security.detected-square-oauth-secret.detected-square-oauth-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)
* [secrets.security.detected-ssh-password.detected-ssh-password](https://semgrep.dev/r?q=generic.secrets.security.detected-ssh-password.detected-ssh-password)
* [secrets.security.detected-stripe-api-key.detected-stripe-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)
* [secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)
* [secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)
* [secrets.security.detected-twilio-api-key.detected-twilio-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)
* [secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri](https://semgrep.dev/r?q=generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri)

**Java**

* File Path Traversal in HttpServlet
* [find\_sec\_bugs.DES\_USAGE-1](https://semgrep.dev/r?q=find_sec_bugs.DES_USAGE-1)
* [find\_sec\_bugs.DMI\_CONSTANT\_DB\_PASSWORD-1.HARD\_CODE\_PASSWORD-3](https://semgrep.dev/r?q=find_sec_bugs.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3)
* [find\_sec\_bugs.FILE\_UPLOAD\_FILENAME-1](https://semgrep.dev/r?q=find_sec_bugs.FILE_UPLOAD_FILENAME-1)
* [find\_sec\_bugs.HARD\_CODE\_KEY-4](https://semgrep.dev/r?q=find_sec_bugs.HARD_CODE_KEY-4)
* [find\_sec\_bugs.HARD\_CODE\_PASSWORD-1](https://semgrep.dev/r?q=find_sec_bugs.HARD_CODE_PASSWORD-1)
* [find\_sec\_bugs.PATH\_TRAVERSAL\_OUT-1.PATH\_TRAVERSAL\_OUT-1](https://semgrep.dev/r?q=find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1)
* [find\_sec\_bugs.PT\_ABSOLUTE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1)
* [find\_sec\_bugs.PT\_RELATIVE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1)
* [find\_sec\_bugs.UNVALIDATED\_REDIRECT-1.URL\_REWRITING-1](https://semgrep.dev/r?q=find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1)
* [find\_sec\_bugs.WEAK\_FILENAMEUTILS-1](https://semgrep.dev/r?q=find_sec_bugs.WEAK_FILENAMEUTILS-1)
* [find\_sec\_bugs.WEAK\_MESSAGE\_DIGEST\_MD5-1.WEAK\_MESSAGE\_DIGEST\_SHA1-1](https://semgrep.dev/r?q=find_sec_bugs.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1)
* find\_sec\_bugs.XSS\_REQUEST\_PARAMETER\_TO\_SERVLET\_WRITER-1
* find\_sec\_bugs.XSS\_SERVLET-2.XSS\_SERVLET\_PARAMETER-1
* [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-1)
* [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-2](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-2)
* [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1)
* [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1.SQL\_INJECTION-1.SQL\_INJECTION\_HIBERNATE-1.SQL\_INJECTION\_VERTX-1.SQL\_PREPARED\_STATEMENT\_GENERATED\_FROM\_NONCONSTANT\_STRING-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1)
* [java.lang.security.audit.formatted-sql-string.formatted-sql-string](https://semgrep.dev/r?q=java.lang.security.audit.formatted-sql-string.formatted-sql-string)
* [java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli](https://semgrep.dev/r?q=java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)
* [java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request](https://semgrep.dev/r?q=java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)
* [java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false](https://semgrep.dev/r?q=java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false)
* java.mobb.custom\_injection
* java/mobb.pt\_find\_transitives
* [lang.security.audit.crypto.use-of-md5.use-of-md5](https://semgrep.dev/r?q=lang.security.audit.crypto.use-of-md5.use-of-md5)
* [lang.security.audit.crypto.use-of-sha1.use-of-sha1](https://semgrep.dev/r?q=lang.security.audit.crypto.use-of-sha1.use-of-sha1)
* [lang.security.audit.unvalidated-redirect.unvalidated-redirect](https://semgrep.dev/r?q=java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)
* lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer
* [mobsfscan.crypto.weak\_hashes.weak\_hash](https://semgrep.dev/r?q=mobsfscan.crypto.weak_hashes.weak_hash)
* Path Traversal
* Relative File Path Traversal in HttpServlet
* [Server-Side-Request-Forgery (SSRF)](https://semgrep.dev/r?q=gitlab.find_sec_bugs.URLCONNECTION_SSRF_FD-1)
* [spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect](https://semgrep.dev/r?q=java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)
* SQL Injection
* Tainted File Path

**JavaScript / TypeScript**

* [browser.security.eval-detected.eval-detected](https://semgrep.dev/r?q=browser.security.eval-detected.eval-detected)
* [browser.security.insecure-document-method.insecure-document-method](https://semgrep.dev/r?q=browser.security.insecure-document-method.insecure-document-method)
* [browser.security.open-redirect-from-function.js-open-redirect-from-function](https://github.com/mobb-dev/opengrep-rules/blob/f1d2b562b414783763fd02a6ed2736eaed622efa/javascript/browser/security/open-redirect-from-function.yaml)
* [detect-non-literal-regexp](https://semgrep.dev/r?q=detect-non-literal-regexp)
* [Detected possible path traversal](https://semgrep.dev/r?q=eslint.detect-non-literal-fs-filename)
* [Detected possible path traversal](https://semgrep.dev/r?q=lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename)
* [Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.](https://semgrep.dev/r?q=lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal)
* [eslint.detect-child-process](https://semgrep.dev/r?q=gitlab.eslint.detect-child-process)
* [eslint.detect-eval-with-expression](https://semgrep.dev/r?q=eslint.detect-eval-with-expression)
* [eslint.detect-non-literal-regexp](https://semgrep.dev/r?q=eslint.detect-non-literal-regexp)
* [eslint.detect-object-injection](https://semgrep.dev/r?q=eslint.detect-object-injection)
* [eslint.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=gitlab.eslint.react-dangerouslysetinnerhtml)
* [express.security.audit.express-open-redirect.express-open-redirect](https://semgrep.dev/r?q=express.security.audit.express-open-redirect.express-open-redirect)
* [express.security.audit.possible-user-input-redirect.unknown-value-in-redirect](https://semgrep.dev/r?q=express.security.audit.possible-user-input-redirect.unknown-value-in-redirect)
* [express.security.audit.xss.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write)
* [express.security.audit.xss.direct-response-write.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write.direct-response-write)
* [express.security.injection.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string)
* [express.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string.tainted-sql-string)
* [generic.secrets.gitleaks.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key)
* [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key)
* [gitlab.eslint.detect-object-injection](https://semgrep.dev/r?q=gitlab.eslint.detect-object-injection)
* [javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization](https://semgrep.dev/r?q=javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization)
* [javascript-crypto-rule-node\_md5](https://semgrep.dev/r?q=javascript-crypto-rule-node_md5)
* [javascript-crypto-rule-node\_sha1](https://semgrep.dev/r?q=javascript-crypto-rule-node_sha1)
* [javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_knex_sqli_injection)
* [javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_injection)
* [javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_js_injection)
* [javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_sqli_injection)
* [javascript-dos-rule-regex\_dos](https://semgrep.dev/r?q=javascript-dos-rule-regex_dos)
* [javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded)
* [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect2)
* [javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=javascript-xss-rule-express_xss)
* [javascript.browser.security.insecure-innerhtml.insecure-innerhtml](https://semgrep.dev/r?q=javascript.browser.security.insecure-innerhtml.insecure-innerhtml)
* [javascript.browser.security.raw-html-concat.raw-html-concat](https://semgrep.dev/r?q=javascript.browser.security.raw-html-concat.raw-html-concat)
* [javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration](https://semgrep.dev/r?q=javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration)
* [javascript.crypto-js.cryptojs-weak-algorithm.cryptojs-weak-algorithm](https://semgrep.dev/r?q=javascript.crypto-js.cryptojs-weak-algorithm.cryptojs-weak-algorithm)
* [javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape](https://semgrep.dev/r?q=javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape)
* [javascript.express.security.injection.raw-html-format.raw-html-format](https://semgrep.dev/r?q=javascript.express.security.injection.raw-html-format.raw-html-format)
* [javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector](https://semgrep.dev/r?q=javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector)
* [javascript.jssha.jssha-sha1.jssha-sha1](https://semgrep.dev/r?q=javascript.jssha.jssha-sha1.jssha-sha1)
* [javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename)
* [javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)
* javascript.lang.security.audit.prototype-pollution-loop-mobb.prototype-pollution-loop-mobb
* [javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop](https://semgrep.dev/r?q=javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)
* [javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring](https://semgrep.dev/r?q=javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)
* [javascript.lang.security.detect-child-process.detect-child-process](https://semgrep.dev/r?q=lang.security.detect-child-process.detect-child-process)
* [javascript.lang.security.html-in-template-string.html-in-template-string](https://semgrep.dev/r?q=javascript.lang.security.html-in-template-string.html-in-template-string)
* javascript.mobb.log\_forging
* [javascript.node-stdlib.cryptography.crypto-weak-algorithm.crypto-weak-algorithm](https://semgrep.dev/r?q=javascript.node-stdlib.cryptography.crypto-weak-algorithm.crypto-weak-algorithm)
* [jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret](https://semgrep.dev/r/jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret)
* [lang.security.audit.sqli.node-knex-sqli.node-knex-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)
* [lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli)
* [mobb.security.audit.express-check-cmdi](https://semgrep.dev/r?q=mobb.express-check-cmdi)
* [njsscan.crypto.crypto\_node.node\_md5](https://semgrep.dev/r?q=njsscan.crypto.crypto_node.node_md5)
* [njsscan.dos.regex\_injection.regex\_injection\_dos](https://semgrep.dev/r?q=njsscan.dos.regex_injection.regex_injection_dos)
* [njsscan.eval.eval\_node.eval\_nodejs](https://semgrep.dev/r?q=njsscan.eval.eval_node.eval_nodejs)
* [njsscan.generic.hardcoded\_secrets.node\_password](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_password)
* [njsscan.generic.hardcoded\_secrets.node\_secret](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_secret)
* [njsscan.traversal.path\_traversal.generic\_path\_traversal](https://semgrep.dev/r?q=njsscan.traversal.path_traversal.generic_path_traversal)
* [njsscan.xss.xss\_node.express\_xss](https://semgrep.dev/r?q=njsscan.xss.xss_node.express_xss)
* [nodejs\_scan.javascript-crypto-rule-node\_md5](https://semgrep.dev/r?q=nodejs_scan.javascript-crypto-rule-node_md5)
* [nodejs\_scan.javascript-crypto-rule-node\_sha1](https://semgrep.dev/r?q=nodejs_scan.javascript-crypto-rule-node_sha1)
* [nodejs\_scan.javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_knex_sqli_injection)
* [nodejs\_scan.javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_injection)
* [nodejs\_scan.javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_js_injection)
* [nodejs\_scan.javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_sqli_injection)
* [nodejs\_scan.javascript-eval-rule-eval\_nodejs](https://semgrep.dev/r?q=nodejs_scan.javascript-eval-rule-eval_nodejs)
* [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-exec-rule-shelljs_os_command_exec)
* [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=nodejs_scan.javascript-exec-rule-shelljs_os_command_exec)
* [nodejs\_scan.javascript-jwt-rule-hardcoded\_jwt\_secret](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret)
* [nodejs\_scan.javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded)
* [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect2)
* [nodejs\_scan.javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=nodejs_scan.javascript-xss-rule-express_xss)
* [javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator](https://semgrep.dev/r?q=javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator)
* [Possible writing outside of the destination, make sure that the target path is nested in the intended destination](https://semgrep.dev/r?q=express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal)
* [pt using rendering templates](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr)
* [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr)
* [pt using rendering templates](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr_warning)
* [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr_warning)
* [react.security.audit.react-unsanitized-method.react-unsanitized-method](https://semgrep.dev/r?q=react.security.audit.react-unsanitized-method.react-unsanitized-method)
* [secrets.gitleaks.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key)
* [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key.generic-api-key)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-node_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-node_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-phantom_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-phantom_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-playwright_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-playwright_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-puppeteer_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltoimage_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltopdf_ssrf)
* [SSRF](https://semgrep.dev/r?q=njsscan.ssrf.ssrf_node.node_ssrf)
* [typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml)

**Python**

* [A missing encoding argument in open() can lead to corrupted data](https://semgrep.dev/r/lang.best-practice.unspecified-open-encoding.unspecified-open-encoding)
* [B602: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B602)
* [B603: subprocess\_without\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B603)
* [B604: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B604)
* [bandit.B307](https://semgrep.dev/r?q=bandit.B307)
* [django.security.injection.code.user-eval-format-string.user-eval-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-eval-format-string.user-eval-format-string)
* [django.security.injection.code.user-eval.user-eval](https://semgrep.dev/r?q=django.security.injection.code.user-eval.user-eval)
* [django.security.injection.code.user-exec-format-string.user-exec-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-exec-format-string.user-exec-format-string)
* [django.security.injection.code.user-exec.user-exec](https://semgrep.dev/r?q=django.security.injection.code.user-exec.user-exec)
* [django.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=django.security.injection.tainted-sql-string.tainted-sql-string)
* [flask.security.injection.subprocess-injection](https://semgrep.dev/r?q=flask.security.injection.subprocess-injection)
* [flask.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=flask.security.injection.tainted-sql-string.tainted-sql-string)
* [flask.security.injection.user-eval.eval-injection](https://semgrep.dev/r?q=flask.security.injection.user-eval.eval-injection)
* [flask.security.injection.user-exec.exec-injection](https://semgrep.dev/r?q=flask.security.injection.user-exec.exec-injection)
* [generic.secrets.gitleaks.generic-api-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.generic-api-key)
* [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.generic-api-key.generic-api-key)
* [jwt.security.jwt-hardcode.jwt-python-hardcoded-secret](https://semgrep.dev/r?q=python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)
* [lang.maintainability.is-function-without-parentheses.is-function-without-parentheses](https://semgrep.dev/r?q=lang.maintainability.is-function-without-parentheses.is-function-without-parentheses)
* [lang.security.audit.dangerous-asyncio-create-exec-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-asyncio-create-exec-audit)
* [lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit)
* [lang.security.audit.eval-detected.eval-detected](https://semgrep.dev/r?q=lang.security.audit.eval-detected.eval-detected)
* [lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=lang.security.audit.exec-detected.exec-detected)
* [lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure](https://semgrep.dev/r?q=python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure)
* [lang.security.dangerous-subprocess-use](https://semgrep.dev/r?q=lang.security.dangerous-subprocess-use)
* [lang.correctness.return-in-init.return-in-init](https://semgrep.dev/r/?q=python.lang.correctness.return-in-init.return-in-init)
* [Possible cmdi attack](https://semgrep.dev/r?q=bandit.B603)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B605)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B606)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B607)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-start-process-partial-path)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-start-process-path)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array)
* [pyjwt.python-pyjwt-hardcoded-secret.python-pyjwt-hardcoded-secret](https://semgrep.dev/r?q=python.pyjwt.python-pyjwt-hardcoded-secret.python-pyjwt-hardcoded-secret)
* [python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5](https://semgrep.dev/r?q=python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5)
* [python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1](https://semgrep.dev/r?q=python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)
* [python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true](https://semgrep.dev/r?q=python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true)
* [python.django.security.audit.avoid-mark-safe.avoid-mark-safe](https://semgrep.dev/r?q=python.django.security.audit.avoid-mark-safe.avoid-mark-safe)
* [python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2](https://semgrep.dev/r?q=python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)
* [python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup](https://semgrep.dev/r?q=python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup)
* [python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled](https://semgrep.dev/r?q=python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled)
* [python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit)
* [python.lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=python.lang.security.audit.exec-detected.exec-detected)
* [python.lang.security.audit.formatted-sql-query.formatted-sql-query](https://semgrep.dev/r?q=python.lang.security.audit.formatted-sql-query.formatted-sql-query)
* [python.lang.security.audit.sha224-hash.sha224-hash](https://semgrep.dev/r?q=python.lang.security.audit.sha224-hash.sha224-hash)
* [python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli](https://semgrep.dev/r?q=python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)
* [python.lang.security.audit.subprocess-shell-true.subprocess-shell-true](https://semgrep.dev/r?q=lang.security.audit.subprocess-shell-true.subprocess-shell-true)
* [python.lang.security.insecure-hash-algorithm-md5](https://github.com/mobb-dev/opengrep-rules/blob/main/python/lang/security/insecure-hash-algorithms-md5.yaml)
* [python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5](https://semgrep.dev/r?q=python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5)
* [python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1](https://semgrep.dev/r?q=python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)
* [python.lang.security.insecure-hash-function.insecure-hash-function](https://semgrep.dev/r?q=python.lang.security.insecure-hash-function.insecure-hash-function)
* [python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2)
* [python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)
* [python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5)
* [python.pycryptodome.security.insecure-hash-algorithm-sha1.insecure-hash-algorithm-sha1](https://semgrep.dev/r?q=python.pycryptodome.security.insecure-hash-algorithm-sha1.insecure-hash-algorithm-sha1)
* [python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text](https://semgrep.dev/r?q=python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text)
* [python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query](https://semgrep.dev/r?q=python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)
* [python.tarfile-extractall-traversal.tarfile-extractall-traversal](https://semgrep.dev/r?q=python.tarfile-extractall-traversal.tarfile-extractall-traversal)
* [python\_exec\_rule-subprocess-call-array](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array)
* [secrets.gitleaks.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key)
* [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key.generic-api-key)
* [secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)
* [secrets.security.detected-artifactory-password.detected-artifactory-password](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-password.detected-artifactory-password)
* [secrets.security.detected-artifactory-token.detected-artifactory-token](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-token.detected-artifactory-token)
* [secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)
* [secrets.security.detected-aws-account-id.detected-aws-account-id](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-account-id.detected-aws-account-id)
* [secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)
* [secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)
* [secrets.security.detected-aws-session-token.detected-aws-session-token](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-session-token.detected-aws-session-token)
* [secrets.security.detected-bcrypt-hash.detected-bcrypt-hash](https://semgrep.dev/r?q=generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)
* [secrets.security.detected-codeclimate.detected-codeclimate](https://semgrep.dev/r?q=generic.secrets.security.detected-codeclimate.detected-codeclimate)
* [secrets.security.detected-etc-shadow.detected-etc-shadow](https://semgrep.dev/r?q=generic.secrets.security.detected-etc-shadow.detected-etc-shadow)
* [secrets.security.detected-facebook-access-token.detected-facebook-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)
* [secrets.security.detected-facebook-oauth.detected-facebook-oauth](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-api-key.detected-generic-api-key)
* [secrets.security.detected-generic-secret.detected-generic-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-secret.detected-generic-secret)
* [secrets.security.detected-github-token.detected-github-token](https://semgrep.dev/r?q=generic.secrets.security.detected-github-token.detected-github-token)
* [secrets.security.detected-google-api-key.detected-google-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-api-key.detected-google-api-key)
* [secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key)
* [secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account](https://semgrep.dev/r?q=generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account)
* [secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)
* [secrets.security.detected-google-oauth.detected-google-oauth-url](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth.detected-google-oauth-url)
* [secrets.security.detected-heroku-api-key.detected-heroku-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)
* [secrets.security.detected-hockeyapp.detected-hockeyapp](https://semgrep.dev/r?q=generic.secrets.security.detected-hockeyapp.detected-hockeyapp)
* [secrets.security.detected-jwt-token.detected-jwt-token](https://semgrep.dev/r?q=generic.secrets.security.detected-jwt-token.detected-jwt-token)
* [secrets.security.detected-kolide-api-key.detected-kolide-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)
* [secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)
* [secrets.security.detected-mailgun-api-key.detected-mailgun-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)
* [secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)
* [secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token](https://semgrep.dev/r?q=generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)
* [secrets.security.detected-outlook-team.detected-outlook-team](https://semgrep.dev/r?q=generic.secrets.security.detected-outlook-team.detected-outlook-team)
* [secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token)
* [secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block](https://semgrep.dev/r?q=generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)
* [secrets.security.detected-picatic-api-key.detected-picatic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)
* [secrets.security.detected-private-key.detected-private-key](https://semgrep.dev/r?q=generic.secrets.security.detected-private-key.detected-private-key)
* [secrets.security.detected-sauce-token.detected-sauce-token](https://semgrep.dev/r?q=generic.secrets.security.detected-sauce-token.detected-sauce-token)
* [secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)
* [secrets.security.detected-slack-token.detected-slack-token](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-token.detected-slack-token)
* [secrets.security.detected-slack-webhook.detected-slack-webhook](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-webhook.detected-slack-webhook)
* [secrets.security.detected-snyk-api-key.detected-snyk-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)
* [secrets.security.detected-softlayer-api-key.detected-softlayer-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)
* [secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)
* [secrets.security.detected-square-access-token.detected-square-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-square-access-token.detected-square-access-token)
* [secrets.security.detected-square-oauth-secret.detected-square-oauth-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)
* [secrets.security.detected-ssh-password.detected-ssh-password](https://semgrep.dev/r?q=generic.secrets.security.detected-ssh-password.detected-ssh-password)
* [secrets.security.detected-stripe-api-key.detected-stripe-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)
* [secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)
* [secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)
* [secrets.security.detected-twilio-api-key.detected-twilio-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)
* [secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri](https://semgrep.dev/r?q=generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri)
* [sqlalchemy.correctness.delete-where.delete-where-no-execute](https://semgrep.dev/r?q=sqlalchemy.correctness.delete-where.delete-where-no-execute)
* [sqli](https://semgrep.dev/r?q=bandit.B608)
* [sqli](https://semgrep.dev/r?q=bandit.B610)
* [sqli](https://semgrep.dev/r?q=bandit.B611)
* [sqli](https://semgrep.dev/r?q=bandit.B611-2)
* [sqli](https://semgrep.dev/r?q=bandit.B612)
* [sqli](https://semgrep.dev/r?q=django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute)
* [The application may be vulnerable to a path traversal if it extracts untrusted archive files.](https://semgrep.dev/r?q=bandit.B202)
* [The application was found calling the `exec` function with a non-literal variable](https://semgrep.dev/r?q=bandit.B102)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-1)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-2)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-3)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-4)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-5)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-6)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-7)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B303-8)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-1)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-10)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-11)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-12)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-2)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-3)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-4)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-5)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-6)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-7)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-8)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B304-9)
* [The application was found using an insecure or risky digest or signature algorithm](https://semgrep.dev/r?q=bandit.B324)
* [XSS](https://semgrep.dev/r?q=bandit.B703)

**SQL**

* [secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)
* [secrets.security.detected-artifactory-password.detected-artifactory-password](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-password.detected-artifactory-password)
* [secrets.security.detected-artifactory-token.detected-artifactory-token](https://semgrep.dev/r?q=generic.secrets.security.detected-artifactory-token.detected-artifactory-token)
* [secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)
* [secrets.security.detected-aws-account-id.detected-aws-account-id](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-account-id.detected-aws-account-id)
* [secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)
* [secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)
* [secrets.security.detected-aws-session-token.detected-aws-session-token](https://semgrep.dev/r?q=generic.secrets.security.detected-aws-session-token.detected-aws-session-token)
* [secrets.security.detected-bcrypt-hash.detected-bcrypt-hash](https://semgrep.dev/r?q=generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)
* [secrets.security.detected-codeclimate.detected-codeclimate](https://semgrep.dev/r?q=generic.secrets.security.detected-codeclimate.detected-codeclimate)
* [secrets.security.detected-etc-shadow.detected-etc-shadow](https://semgrep.dev/r?q=generic.secrets.security.detected-etc-shadow.detected-etc-shadow)
* [secrets.security.detected-facebook-access-token.detected-facebook-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)
* [secrets.security.detected-facebook-oauth.detected-facebook-oauth](https://semgrep.dev/r?q=generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-api-key.detected-generic-api-key)
* [secrets.security.detected-generic-secret.detected-generic-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-generic-secret.detected-generic-secret)
* [secrets.security.detected-github-token.detected-github-token](https://semgrep.dev/r?q=generic.secrets.security.detected-github-token.detected-github-token)
* [secrets.security.detected-google-api-key.detected-google-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-api-key.detected-google-api-key)
* [secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key)
* [secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account](https://semgrep.dev/r?q=generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account)
* [secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)
* [secrets.security.detected-google-oauth.detected-google-oauth-url](https://semgrep.dev/r?q=generic.secrets.security.detected-google-oauth.detected-google-oauth-url)
* [secrets.security.detected-heroku-api-key.detected-heroku-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)
* [secrets.security.detected-hockeyapp.detected-hockeyapp](https://semgrep.dev/r?q=generic.secrets.security.detected-hockeyapp.detected-hockeyapp)
* [secrets.security.detected-jwt-token.detected-jwt-token](https://semgrep.dev/r?q=generic.secrets.security.detected-jwt-token.detected-jwt-token)
* [secrets.security.detected-kolide-api-key.detected-kolide-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)
* [secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)
* [secrets.security.detected-mailgun-api-key.detected-mailgun-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)
* [secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token](https://semgrep.dev/r?q=generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)
* [secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token](https://semgrep.dev/r?q=generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)
* [secrets.security.detected-outlook-team.detected-outlook-team](https://semgrep.dev/r?q=generic.secrets.security.detected-outlook-team.detected-outlook-team)
* [secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token)
* [secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block](https://semgrep.dev/r?q=generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)
* [secrets.security.detected-picatic-api-key.detected-picatic-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)
* [secrets.security.detected-private-key.detected-private-key](https://semgrep.dev/r?q=generic.secrets.security.detected-private-key.detected-private-key)
* [secrets.security.detected-sauce-token.detected-sauce-token](https://semgrep.dev/r?q=generic.secrets.security.detected-sauce-token.detected-sauce-token)
* [secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)
* [secrets.security.detected-slack-token.detected-slack-token](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-token.detected-slack-token)
* [secrets.security.detected-slack-webhook.detected-slack-webhook](https://semgrep.dev/r?q=generic.secrets.security.detected-slack-webhook.detected-slack-webhook)
* [secrets.security.detected-snyk-api-key.detected-snyk-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)
* [secrets.security.detected-softlayer-api-key.detected-softlayer-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)
* [secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)
* [secrets.security.detected-square-access-token.detected-square-access-token](https://semgrep.dev/r?q=generic.secrets.security.detected-square-access-token.detected-square-access-token)
* [secrets.security.detected-square-oauth-secret.detected-square-oauth-secret](https://semgrep.dev/r?q=generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)
* [secrets.security.detected-ssh-password.detected-ssh-password](https://semgrep.dev/r?q=generic.secrets.security.detected-ssh-password.detected-ssh-password)
* [secrets.security.detected-stripe-api-key.detected-stripe-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)
* [secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)
* [secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)
* [secrets.security.detected-twilio-api-key.detected-twilio-api-key](https://semgrep.dev/r?q=generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)
* [secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri](https://semgrep.dev/r?q=generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri)

**YAML**

* [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r?q=secrets.gitleaks.generic-api-key.generic-api-key)
* [secrets.security.detected-generic-api-key.detected-generic-api-key](https://semgrep.dev/r?q=generic.secrets.gitleaks.generic-api-key.generic-api-key)
* [Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security\_opt' to prevent this.](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)
* [Service has a writable filesystem](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service)
* [Service port is exposed on all interfaces](https://semgrep.dev/r/trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces)
* [yaml.github-actions.security.run-shell-injection.run-shell-injection](https://semgrep.dev/r?q=yaml.github-actions.security.run-shell-injection.run-shell-injection)

</details>

<details>

<summary>List of Supported Issue Types for Datadog</summary>

**GO**

* SQL Injection

**Java**

* [Avoid user-input file](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/spring-request-file-tainted/)
* [Avoid using printStackTrace()](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-best-practices/avoid-printstacktrace/)
* [MD2, MD4, and MD5 are weak hash functions](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/weak-message-digest-md5/)
* [Prevent path traversal](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/path-traversal/)
* [SHA-1 is a weak hash function](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/weak-message-digest-sha1/)
* XSS Protection

**JavaScript / TypeScript**

* Command Injection
* [Do not use weak hash functions](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/javascript-node-security/insecure-hash/)
* Path traversal
* SQL Injection

**Python**

* [Avoid SQL injections](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/variable-sql-statement-injection/)
* [Do not use an empty list as a default parameter](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/no-empty-list-as-parameter/)
* Insecure hash functions
* [no-exec](https://docs.datadoghq.com/security/default_rules/#command-injection)

</details>

<details>

<summary>List of Supported Issue Types for Polaris</summary>

**Java**

* [Cross-Site Request Forgery](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/csrf_protection_disabled.html)
* [CSRF — database update](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/csrf.html)
* [Open Redirect](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/open_redirect.html)
* Path Manipulation
* SQL Injection
* XML External Entity
* [XSS](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/xss.html)

**JavaScript / TypeScript**

* [Cross-site Scripting](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/xss.html)
* [DOM XSS](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/dom_xss.html)
* [Hardcoded Credentials](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/hardcoded_credentials.html)
* Hardcoded Secret
* [Open Redirect](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/open_redirect.html)
* Regex Injection
* SQL Injection
* [Sqli](https://documentation.blackduck.com/bundle/coverity-docs/page/sigma-checkers/topics/checkers/sqli.html)
* [Unchecked Origin of Message Event](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/unchecked_origin_of_message_event.html)
* [Unrestricted PostMessage Target](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/unrestricted_postmessage_target.html)
* [Weak Hash](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/weak_hash.html)

</details>
