Supported FP Rules

C#

• Cross-site Scripting (XSS)

• Hardcoded Secret

• Log Forging

• No Hardcoded Credentials

• No Hardcoded Credentials Test

• Path Traversal

• SQL Injection

• Use of Insufficiently Random Values

GO

• Hardcoded Non Crypto Secret

• Hardcoded Non CryptoSecret Test

• Hardcoded Password

• Hardcoded Password Test

• Hardcoded Secret Test

• No Hardcoded Credentials

• No Hardcoded Credentials Test

Java

• Arbitrary File Write via Archive Extraction (Zip Slip)

• No Hardcoded Credentials

• NoHardcoded Credentials Test

• Open Redirect

• Path Traversal

• Server-Side Request Forgery (SSRF)

• SQL Injection

• XML External Entity (XXE) Injection

JavaScript / TypeScript

• Cross-site Scripting (XSS)

• NoSQL Injection

• Regular Expression Denial of Service (ReDoS)

• SQL Injection

• Use of Hardcoded Credentials

PHP

• Hardcoded Credential

• Hardcoded Credential Test

• Hardcoded Non Crypto Secret

• Hardcoded Password

• Hardcoded Password Test

Python

• Arbitrary File Write via Archive Extraction (Tar Slip)

• Code Injection

• Command Injection

• Cross Site Scripting (XSS)

• Hardcoded Iv

• Hardcoded Key

• HardcodedNonCryptoSecret

• HardcodedNonCryptoSecret/test

• Jinja auto-escape is set to false

• No Hardcoded Credentials Test

• No Hardcoded Passwords Test

• NoHardcodedCredentials

• NoHardcodedPasswords

• SQL Injection

CPP

• Buffer Overflow

• String Termination Error

C#

• Cross-Site Scripting: Persistent

• Insecure Randomness

• Insecure Randomness: Hardcoded Seed

• Log Forging

• Open Redirect

• Password Management: Hardcoded Password

• Path Manipulation

• Path Manipulation: Base Path Overwriting

• Mass Assignment: Request Parameters Bound via Input Formatter

• SQL Injection

DEFAULT

• Credential Management: Hardcoded API Credentials

• Key Management: Hardcoded Encryption Key

• Password Management: Hardcoded Password

• Password Management: Password in Configuration File

• Password Management: Weak Cryptography

GO

• Key Management: Hardcoded HMAC Key

• Log Forging

• Password Management: Hardcoded Password

Java

• Header Manipulation

• HTTP Parameter Pollution

• Insecure Randomness: Hardcoded Seed

• Key Management: Hardcoded Encryption Key

• Mass Assignment: Insecure Binder Configuration

• Open Redirect

• Password Management: Hardcoded Password

• Password Management: Password in Comment

• Path Manipulation

• Path Manipulation: Zip Entry Overwrite

• Privacy Violation

• Server-Side Request Forgery

• SQL Injection

• System Information Leak

• System Information Leak: Internal

• Weak Cryptographic Hash

• XML Entity Expansion Injection

• XML External Entity Injection

JavaScript / TypeScript

• Credential Management: Hardcoded API Credentials

• Cross-Site Scripting: DOM

• Cross-Site Scripting: Self

• Key Management: Hardcoded Encryption Key

• Password Management: Hardcoded Password

PHP

• Key Management: Hardcoded Encryption Key

• Password Management: Hardcoded Password

• Weak Cryptographic Hash: Hardcoded Salt

Python

• Password Management: Hardcoded Password

• SQL Injection

• Weak Cryptographic Hash

YAML

• Password Management: Hardcoded Password

C#

• Hardcoded Credentials

• Hardcoded password in Connection String

• JWT Use Of Hardcoded Secret

• Log Forging

• Path Traversal

• Reflected XSS

• Reflected XSS All Clients

• SQL Injection

• Stored XSS

• Use Of Hardcoded Password

• Use of Insufficiently Random Values

GO

• Hardcoded AWS Credentials

• Hardcoded Password in Connection String

• Log Forging

• Use of Hardcoded Password

Java

• Absolute Path Traversal

• Improper Restriction of Stored XXE Ref

• Improper Restriction of XXE Ref

• Information Exposure Through an Error Message

• Open Redirect

• Password In Comment

• Privacy Violation

• Relative Path Traversal

• Reversible One Way Hash

• SQL Injection

• SQL Injection Evasion Attack

• SSRF

• Stored Absolute Path Traversal

• Unchecked Input for Loop Condition

• Unsafe Object Binding

• Use Of Broken Or Risky Cryptographic Algorithm

JavaScript / TypeScript

• Client DOM Stored XSS

• Client DOM XSS

• Client Potential XSS

• Client Regex Injection

• Client Weak Cryptographic Hash

• Hardcoded password in Connection String

• HttpOnly Cookie Flag Not Set

• JWT Use Of Hardcoded Secret

• Missing HSTS Header

• Secret_Leak

• SQL Injection

• Stored XSS

• Use Of Broken Or Risky Cryptographic Algorithm

• Use Of Hardcoded Password

PHP

• Hardcoded Salt

• Use of Hardcoded Cryptographic IV

• Use Of Hardcoded Password

Python

• Code Injection

• Hardcoded AWS Credentials

• Hardcoded Password in Connection String

• Hardcoded Secrets

• Log Forging

• Reversible One Way Hash

• Second Order SQL Injection

• SQL Injection

• Stored Code Injection

• Stored Command Argument Injection

• Stored Command Argument Injection

• Unchecked Input for Loop Condition

• Use Of Broken Or Risky Cryptographic Algorithm

• Use of Hardcoded Cryptographic Key

• Use Of Hardcoded Password

• XSS

C#

• Hard-coded credentials are security-sensitive

• I/O function calls should not be vulnerable to path injection attacks

• JWT secret keys should not be disclosed

• Logging should not be vulnerable to injection attacks

• Secure random number generators should not output predictable values

DEFAULT

• Alchemy API keys should not be disclosed

• Amazon Web Services credentials should not be disclosed

• AMQP credentials should not be disclosed

• Azure Bot Framework secrets and tokens should not be disclosed

• Azure Logic App Secrets should not be disclosed

• Cryptographic private keys should not be disclosed

• Database passwords should not be disclosed

• Discord Webhook URLs should not be disclosed

• Django secret keys should not be disclosed

• Equinix tokens should not be disclosed

• GitHub tokens should not be disclosed

• Google API keys should not be disclosed

• Google Cloud service accounts keys should not be disclosed

• Google OAuth client secrets should not be disclosed

• Grafana tokens should not be disclosed

• Infura API keys should not be disclosed

• Mailgun API keys should not be disclosed

• MongoDB database passwords should not be disclosed

• MySQL database passwords should not be disclosed

• OVH keys should not be disclosed

• PostgreSQL database passwords should not be disclosed

• RapidAPI keys should not be disclosed

• Redis credentials should not be disclosed

• SendGrid keys should not be disclosed

• Spotify API secrets should not be disclosed

• Stripe endpoint secrets should not be disclosed

GO

• Hard-coded credentials are security-sensitive

Java

• Accessing files should not lead to filesystem oracle attacks

• Credentials should not be hard-coded

• Database queries should not be vulnerable to injection attacks

• Extracting archives should not lead to zip slip vulnerabilities

• Generic exceptions should never be thrown

• Hard-coded passwords are security-sensitive

• Hard-coded secrets are security-sensitive

• I/O function calls should not be vulnerable to path injection attacks

• javasecurity:S5146 HTTP request redirections should not be open to forging attacks

• Server-side requests should not be vulnerable to traversing attacks

• Unnecessary imports should be removed

• Unused "private" fields should be removed

• Using weak hashing algorithms is security-sensitive

JavaScript / TypeScript

• Database queries should not be vulnerable to injection attacks

• Database queries should not be vulnerable to injection attacks

• DOM updates should not lead to cross-site scripting (XSS) attacks

• DOM updates should not lead to cross-site scripting (XSS) attacks

• Formatting SQL queries is security-sensitive

• Function returns should not be invariant

• Hard-coded credentials are security-sensitive

• Hard-coded credentials are security-sensitive

• Hard-coded passwords are security-sensitive

• Hard-coded passwords are security-sensitive

• Hard-coded secrets are security-sensitive

• Hard-coded secrets are security-sensitive

• NoSQL operations should not be vulnerable to injection attacks

• NoSQL operations should not be vulnerable to injection attacks

• Regular expressions should not be vulnerable to Denial of Service attacks

• Regular expressions should not be vulnerable to Denial of Service attacks

• Using weak hashing algorithms is security-sensitive

• Variables should be declared explicitly

PHP

• Credentials should not be hard-coded

• Hard-coded credentials are security-sensitive

• Hard-coded secrets are security-sensitive

Python

• "Exception" and "BaseException" should not be raised

• Credentials should not be hard-coded

• Database queries should not be vulnerable to injection attacks

• Disabling auto-escaping in template engines is security-sensitive

• Do not use identity comparisons (is / is not) with cached types

• Dynamic code execution should not be vulnerable to injection attacks

• Flask secret keys should not be disclosed

• Formatting SQL queries is security-sensitive

• Function parameters' default values should not be modified or assigned

• Hard-coded credentials are security-sensitive

• Hard-coded credentials are security-sensitive

• JWT secret keys should not be disclosed

• Logging should not be vulnerable to injection attacks

• Loop boundaries should not be vulnerable to injection attacks

• python:S5443 Using publicly writable directories is security-sensitive

• python:S5754 "SystemExit" should be re-raised

• Unused assignments should be removed

• Using weak hashing algorithms is security-sensitive

YAML

• Credentials should not be hard-coded

CPP

• No space for zero terminator

C#

• Insecure randomness

• Log entries created from user input

• Uncontrolled data used in path expression

GO

• Hardcoded Credentials

• Log entries created from user input

Java

• Arbitrary file access during archive extraction (”Zip Slip”)

• Hardcoded Credential API Call

• Hardcoded Password Field

• Query built by concatenation with a possibly-untrusted string

• Query built from user-controlled sources

• Resolving XML external entity in user-controlled data

• Server-side request forgery

• Uncontrolled data used in path expression

• Use of a broken or risky cryptographic algorithm

• Use of a potentially broken or risky cryptographic algorithm

• Use of a potentially broken or risky cryptographic algorithm

JavaScript / TypeScript

• Client-side cross-site scripting

• Database query built from user-controlled sources

• Hard-coded credentials

• Inefficient regular expression

• Insecure randomness

• Reflected cross-site scripting

• Regular expression injection

• Use of a broken or weak cryptographic algorithm

Python

• Arbitrary file write during tarfile extraction

• Code injection

• Hardcoded Credentials

• Jinja2 templating with autoescape=False

• Jinja2 templating with autoescape=False

• Log Injection

• SQL query built from user-controlled sources

• Use of a broken or weak cryptographic algorithm

• Use of a broken or weak cryptographic hashing algorithm on sensitive data

• XSS

C#

• csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash

• csharp/lang.best-practice.structured-logging.structured-logging

• lang.security.sqli.csharp-sqli.csharp-sqli

• security_code_scan.SCS0001-1

• security_code_scan.SCS0002-1

• Use of cryptographically weak Pseudo-Random Number Generator (PRNG)

DEFAULT

• secrets.security.detected-aws-account-id.detected-aws-account-id

• secrets.security.detected-bcrypt-hash.detected-bcrypt-hash

• secrets.security.detected-etc-shadow.detected-etc-shadow

• secrets.security.detected-generic-api-key.detected-generic-api-key

• secrets.security.detected-generic-secret.detected-generic-secret

• secrets.security.detected-jwt-token.detected-jwt-token

• secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block

• secrets.security.detected-private-key.detected-private-key

• secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key

• secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key

DOCKERFILE

• security.missing-user-entrypoint.missing-user-entrypoint

• security.missing-user.missing-user

GO

• Cookie Missing HTTP only

• go.lang.security.audit.dangerous-exec-command.dangerous-exec-command

• go.lang.security.injection.open-redirect.open-redirect

• jwt-go.security.jwt.hardcoded-jwt-key

• lang.security.audit.crypto.use_of_weak_crypto.use-of-md5

• lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1

• lang.security.audit.dangerous-exec-command.dangerous-exec-command

• lang.security.audit.sqli.pgx-sqli.pgx-sqli

• lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter

• secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token

• secrets.security.detected-artifactory-password.detected-artifactory-password

• secrets.security.detected-artifactory-token.detected-artifactory-token

• secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value

• secrets.security.detected-aws-account-id.detected-aws-account-id

• secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key

• secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key

• secrets.security.detected-aws-session-token.detected-aws-session-token

• secrets.security.detected-bcrypt-hash.detected-bcrypt-hash

• secrets.security.detected-codeclimate.detected-codeclimate

• secrets.security.detected-etc-shadow.detected-etc-shadow

• secrets.security.detected-facebook-access-token.detected-facebook-access-token

• secrets.security.detected-facebook-oauth.detected-facebook-oauth

• secrets.security.detected-generic-api-key.detected-generic-api-key

• secrets.security.detected-generic-secret.detected-generic-secret

• secrets.security.detected-github-token.detected-github-token

• secrets.security.detected-google-api-key.detected-google-api-key

• secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key

• secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account

• secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token

• secrets.security.detected-google-oauth.detected-google-oauth-url

• secrets.security.detected-heroku-api-key.detected-heroku-api-key

• secrets.security.detected-hockeyapp.detected-hockeyapp

• secrets.security.detected-jwt-token.detected-jwt-token

• secrets.security.detected-kolide-api-key.detected-kolide-api-key

• secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key

• secrets.security.detected-mailgun-api-key.detected-mailgun-api-key

• secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token

• secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token

• secrets.security.detected-outlook-team.detected-outlook-team

• secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token

• secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block

• secrets.security.detected-picatic-api-key.detected-picatic-api-key

• secrets.security.detected-private-key.detected-private-key

• secrets.security.detected-sauce-token.detected-sauce-token

• secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key

• secrets.security.detected-slack-token.detected-slack-token

• secrets.security.detected-slack-webhook.detected-slack-webhook

• secrets.security.detected-snyk-api-key.detected-snyk-api-key

• secrets.security.detected-softlayer-api-key.detected-softlayer-api-key

• secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key

• secrets.security.detected-square-access-token.detected-square-access-token

• secrets.security.detected-square-oauth-secret.detected-square-oauth-secret

• secrets.security.detected-ssh-password.detected-ssh-password

• secrets.security.detected-stripe-api-key.detected-stripe-api-key

• secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key

• secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key

• secrets.security.detected-twilio-api-key.detected-twilio-api-key

• secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri

Java

• java/mobb.pt_find_transitives

• lang.security.audit.crypto.use-of-md5.use-of-md5

• lang.security.audit.crypto.use-of-sha1.use-of-sha1

• lang.security.audit.sqli.jdbc-sqli.jdbc-sqli

• lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request

• lang.security.audit.unvalidated-redirect.unvalidated-redirect

• spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect

JavaScript / TypeScript

• browser.security.eval-detected.eval-detected

• browser.security.insecure-document-method.insecure-document-method

• https://semgrep.dev/r?q=javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization

• javascript.browser.security.raw-html-concat.raw-html-concat

• javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration

• javascript.crypto-js.cryptojs-weak-algorithm.cryptojs-weak-algorithm

• javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape

• javascript.express.security.injection.raw-html-format.raw-html-format

• javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector

• javascript.jssha.jssha-sha1.jssha-sha1

• javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp

• javascript.node-stdlib.cryptography.crypto-weak-algorithm.crypto-weak-algorithm

• jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret

• lang.security.audit.sqli.node-knex-sqli.node-knex-sqli

• lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli

• react.security.audit.react-unsanitized-method.react-unsanitized-method

• typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml

Python

• A missing encoding argument in open() can lead corrupted data

• django.security.injection.code.user-exec-format-string.user-exec-format-string

• django.security.injection.code.user-exec.user-exec

• django.security.injection.tainted-sql-string.tainted-sql-string

• flask.security.injection.tainted-sql-string.tainted-sql-string

• flask.security.injection.user-exec.exec-injection

• jwt.security.jwt-hardcode.jwt-python-hardcoded-secret

• lang.security.audit.exec-detected.exec-detected

• lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure

• pyjwt.python-pyjwt-hardcoded-secret.python-pyjwt-hardcoded-secret

• python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5

• python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1

• python.django.security.audit.avoid-mark-safe.avoid-mark-safe

• python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2

• python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup

• python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled

• python.lang.security.audit.exec-detected.exec-detected

• python.lang.security.audit.formatted-sql-query.formatted-sql-query

• python.lang.security.audit.sha224-hash.sha224-hash

• python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli

• python.lang.security.audit.subprocess-shell-true.subprocess-shell-true

• python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5

• python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1

• python.lang.security.insecure-hash-function.insecure-hash-function

• python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2

• python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4

• python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5

• python.pycryptodome.security.insecure-hash-algorithm-sha1.insecure-hash-algorithm-sha1

• python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text

• python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query

• python.tarfile-extractall-traversal.tarfile-extractall-traversal

• secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token

• secrets.security.detected-artifactory-password.detected-artifactory-password

• secrets.security.detected-artifactory-token.detected-artifactory-token

• secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value

• secrets.security.detected-aws-account-id.detected-aws-account-id

• secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key

• secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key

• secrets.security.detected-aws-session-token.detected-aws-session-token

• secrets.security.detected-bcrypt-hash.detected-bcrypt-hash

• secrets.security.detected-codeclimate.detected-codeclimate

• secrets.security.detected-etc-shadow.detected-etc-shadow

• secrets.security.detected-facebook-access-token.detected-facebook-access-token

• secrets.security.detected-facebook-oauth.detected-facebook-oauth

• secrets.security.detected-generic-api-key.detected-generic-api-key

• secrets.security.detected-generic-secret.detected-generic-secret

• secrets.security.detected-github-token.detected-github-token

• secrets.security.detected-google-api-key.detected-google-api-key

• secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key

• secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account

• secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token

• secrets.security.detected-google-oauth.detected-google-oauth-url

• secrets.security.detected-heroku-api-key.detected-heroku-api-key

• secrets.security.detected-hockeyapp.detected-hockeyapp

• secrets.security.detected-jwt-token.detected-jwt-token

• secrets.security.detected-kolide-api-key.detected-kolide-api-key

• secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key

• secrets.security.detected-mailgun-api-key.detected-mailgun-api-key

• secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token

• secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token

• secrets.security.detected-outlook-team.detected-outlook-team

• secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token

• secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block

• secrets.security.detected-picatic-api-key.detected-picatic-api-key

• secrets.security.detected-private-key.detected-private-key

• secrets.security.detected-sauce-token.detected-sauce-token

• secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key

• secrets.security.detected-slack-token.detected-slack-token

• secrets.security.detected-slack-webhook.detected-slack-webhook

• secrets.security.detected-snyk-api-key.detected-snyk-api-key

• secrets.security.detected-softlayer-api-key.detected-softlayer-api-key

• secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key

• secrets.security.detected-square-access-token.detected-square-access-token

• secrets.security.detected-square-oauth-secret.detected-square-oauth-secret

• secrets.security.detected-ssh-password.detected-ssh-password

• secrets.security.detected-stripe-api-key.detected-stripe-api-key

• secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key

• secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key

• secrets.security.detected-twilio-api-key.detected-twilio-api-key

• secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri

SQL

• secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token

• secrets.security.detected-artifactory-password.detected-artifactory-password

• secrets.security.detected-artifactory-token.detected-artifactory-token

• secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value

• secrets.security.detected-aws-account-id.detected-aws-account-id

• secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key

• secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key

• secrets.security.detected-aws-session-token.detected-aws-session-token

• secrets.security.detected-bcrypt-hash.detected-bcrypt-hash

• secrets.security.detected-codeclimate.detected-codeclimate

• secrets.security.detected-etc-shadow.detected-etc-shadow

• secrets.security.detected-facebook-access-token.detected-facebook-access-token

• secrets.security.detected-facebook-oauth.detected-facebook-oauth

• secrets.security.detected-generic-api-key.detected-generic-api-key

• secrets.security.detected-generic-secret.detected-generic-secret

• secrets.security.detected-github-token.detected-github-token

• secrets.security.detected-google-api-key.detected-google-api-key

• secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key

• secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account

• secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token

• secrets.security.detected-google-oauth.detected-google-oauth-url

• secrets.security.detected-heroku-api-key.detected-heroku-api-key

• secrets.security.detected-hockeyapp.detected-hockeyapp

• secrets.security.detected-jwt-token.detected-jwt-token

• secrets.security.detected-kolide-api-key.detected-kolide-api-key

• secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key

• secrets.security.detected-mailgun-api-key.detected-mailgun-api-key

• secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token

• secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token

• secrets.security.detected-outlook-team.detected-outlook-team

• secrets.security.detected-paypal-braintree…cess-token.detected-paypal-braintree-access-token

• secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block

• secrets.security.detected-picatic-api-key.detected-picatic-api-key

• secrets.security.detected-private-key.detected-private-key

• secrets.security.detected-sauce-token.detected-sauce-token

• secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key

• secrets.security.detected-slack-token.detected-slack-token

• secrets.security.detected-slack-webhook.detected-slack-webhook

• secrets.security.detected-snyk-api-key.detected-snyk-api-key

• secrets.security.detected-softlayer-api-key.detected-softlayer-api-key

• secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key

• secrets.security.detected-square-access-token.detected-square-access-token

• secrets.security.detected-square-oauth-secret.detected-square-oauth-secret

• secrets.security.detected-ssh-password.detected-ssh-password

• secrets.security.detected-stripe-api-key.detected-stripe-api-key

• secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key

• secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key

• secrets.security.detected-twilio-api-key.detected-twilio-api-key

• secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri

YAML

• yaml.docker-compose.security.no-new-privileges.no-new-privileges

• Service has a writable filesystem

• Service port is exposed on all interfaces

Java

• Avoid user-input file

• Avoid using printStackTrace()

• MD2, MD4, and MD5 are weak hash functions

• Prevent path traversal

• SHA-1 is a weak hash function

JavaScript / TypeScript

• Do not use weak hash functions

Python

• Avoid SQL injections

• Do not use an empty list as a default parameter

• no-exec