{"version":"2.1.0","runs":[{"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[],"tool":{"driver":{"name":"Semgrep OSS","rules":[{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."},"help":{"markdown":"Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval","id":"bash.curl.security.curl-eval.curl-eval","name":"bash.curl.security.curl-eval.curl-eval","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: bash.curl.security.curl-eval.curl-eval"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."},"help":{"markdown":"Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash","id":"bash.curl.security.curl-pipe-bash.curl-pipe-bash","name":"bash.curl.security.curl-pipe-bash.curl-pipe-bash","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: bash.curl.security.curl-pipe-bash.curl-pipe-bash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS=\",\" read -a my_array'."},"help":{"markdown":"The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS=\",\" read -a my_array'.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS=\",\" read -a my_array'.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering","id":"bash.lang.security.ifs-tampering.ifs-tampering","name":"bash.lang.security.ifs-tampering.ifs-tampering","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: bash.lang.security.ifs-tampering.ifs-tampering"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead."},"help":{"markdown":"Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn)\n - [https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s](https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s)\n","text":"Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn","id":"c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn","name":"c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"help":{"markdown":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\n","text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","id":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","name":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using 'strtok()'. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use 'strtok_r()' instead."},"help":{"markdown":"Avoid using 'strtok()'. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use 'strtok_r()' instead.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged](https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged)\n - [https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS](https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS)\n - [https://stackoverflow.com/a/40335556](https://stackoverflow.com/a/40335556)\n","text":"Avoid using 'strtok()'. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use 'strtok_r()' instead.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn","id":"c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn","name":"c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Call to 'read()' without error checking is susceptible to file descriptor exhaustion. Consider using the 'getrandom()' function."},"help":{"markdown":"Call to 'read()' without error checking is susceptible to file descriptor exhaustion. Consider using the 'getrandom()' function.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion)\n - [https://lwn.net/Articles/606141/](https://lwn.net/Articles/606141/)\n","text":"Call to 'read()' without error checking is susceptible to file descriptor exhaustion. Consider using the 'getrandom()' function.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion","id":"c.lang.security.random-fd-exhaustion.random-fd-exhaustion","name":"c.lang.security.random-fd-exhaustion.random-fd-exhaustion","properties":{"precision":"very-high","tags":["CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: c.lang.security.random-fd-exhaustion.random-fd-exhaustion"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe","id":"clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe","name":"clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"help":{"markdown":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5","id":"clojure.lang.security.use-of-md5.use-of-md5","name":"clojure.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1","id":"clojure.lang.security.use-of-sha1.use-of-sha1","name":"clojure.lang.security.use-of-sha1.use-of-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"help":{"markdown":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n","text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment","id":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","name":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","MEDIUM CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"help":{"markdown":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\n","text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","id":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","name":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from ``"},"help":{"markdown":"ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from ``\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug)\n - [https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/](https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n","text":"ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from ``\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug","id":"csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug","name":"csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug","properties":{"precision":"very-high","tags":["CWE-11: ASP.NET Misconfiguration: Creating Debug Binary","LOW CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"help":{"markdown":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n","text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","id":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","name":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","properties":{"precision":"very-high","tags":["CWE-1323: Improper Management of Sensitive Trace Data","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"help":{"markdown":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n","text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection","id":"csharp.dotnet.security.razor-template-injection.razor-template-injection","name":"csharp.dotnet.security.razor-template-injection.razor-template-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305."},"help":{"markdown":"Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n","text":"Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode","id":"csharp.dotnet.security.use_ecb_mode.use_ecb_mode","name":"csharp.dotnet.security.use_ecb_mode.use_ecb_mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_ecb_mode.use_ecb_mode"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"help":{"markdown":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n","text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","id":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","name":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"help":{"markdown":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\n","text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","id":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","name":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","LOW CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used."},"help":{"markdown":"The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://cwe.mitre.org/data/definitions/613.html](https://cwe.mitre.org/data/definitions/613.html)\n - [https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet](https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet)\n","text":"The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation","id":"csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation","name":"csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation","properties":{"precision":"very-high","tags":["CWE-613: Insufficient Session Expiration","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead."},"help":{"markdown":"Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8)\n","text":"Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation","id":"csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation","name":"csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"help":{"markdown":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n","text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","id":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","name":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\"."},"help":{"markdown":"The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0)\n","text":"The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings","id":"csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings","name":"csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings","properties":{"precision":"very-high","tags":["CWE-706: Use of Incorrectly-Resolved Name or Reference","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."},"help":{"markdown":"The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n","text":"The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection","id":"csharp.lang.security.injections.os-command.os-command-injection","name":"csharp.lang.security.injections.os-command.os-command-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.injections.os-command.os-command-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure"},"help":{"markdown":"The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n","text":"The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior."},"help":{"markdown":"Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n","text":"Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver","id":"csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver","name":"csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"help":{"markdown":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\n","text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","id":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","name":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"help":{"markdown":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n","text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","id":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","name":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"help":{"markdown":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\n","text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","id":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","name":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server."},"help":{"markdown":"The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks)\n","text":"The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization","id":"csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization","name":"csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"help":{"markdown":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n","text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure"},"help":{"markdown":"The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security)\n","text":"The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization","id":"csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization","name":"csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None."},"help":{"markdown":"TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization)\n - [https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks](https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks)\n","text":"TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization","id":"csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization","name":"csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure"},"help":{"markdown":"The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks)\n","text":"The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"help":{"markdown":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\n","text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","id":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","name":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0"},"help":{"markdown":"Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0)\n","text":"Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout","id":"csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout","name":"csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"help":{"markdown":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n","text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","id":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","name":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli","id":"csharp.lang.security.sqli.csharp-sqli.csharp-sqli","name":"csharp.lang.security.sqli.csharp-sqli.csharp-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.sqli.csharp-sqli.csharp-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself."},"help":{"markdown":"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf","id":"csharp.lang.security.ssrf.http-client.ssrf","name":"csharp.lang.security.ssrf.http-client.ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A01:2025 - Broken Access Control","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ssrf.http-client.ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself."},"help":{"markdown":"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf","id":"csharp.lang.security.ssrf.rest-client.ssrf","name":"csharp.lang.security.ssrf.rest-client.ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A01:2025 - Broken Access Control","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ssrf.rest-client.ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself."},"help":{"markdown":"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf","id":"csharp.lang.security.ssrf.web-client.ssrf","name":"csharp.lang.security.ssrf.web-client.ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A01:2025 - Broken Access Control","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ssrf.web-client.ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"help":{"markdown":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf","id":"csharp.lang.security.ssrf.web-request.ssrf","name":"csharp.lang.security.ssrf.web-request.ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A01:2025 - Broken Access Control","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"help":{"markdown":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n","text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","id":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","name":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","properties":{"precision":"very-high","tags":["CWE-209: Generation of Error Message Containing Sensitive Information","HIGH CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2017 - Security Misconfiguration","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."},"help":{"markdown":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n","text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override","id":"csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override","name":"csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."},"help":{"markdown":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n","text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override","id":"csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override","name":"csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."},"help":{"markdown":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n","text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults","id":"csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults","name":"csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"When `--extra-index-url` is used in a `pip install` command, this is usually meant to install a package from a package index other than the public one. However, if a package is added with the same name to the public PyPi repository, and if the version number is high enough, this package will be installed when building this docker image. This package may be a malicious dependency. Such an attack is called a dependency confusion attack. If using a private package index, prefer to use `--index-url` if possible. "},"help":{"markdown":"When `--extra-index-url` is used in a `pip install` command, this is usually meant to install a package from a package index other than the public one. However, if a package is added with the same name to the public PyPi repository, and if the version number is high enough, this package will be installed when building this docker image. This package may be a malicious dependency. Such an attack is called a dependency confusion attack. If using a private package index, prefer to use `--index-url` if possible. \n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url)\n - [https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-extra-index-url](https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-extra-index-url)\n - [https://github.com/semgrep/semgrep-rules/issues/3032](https://github.com/semgrep/semgrep-rules/issues/3032)\n","text":"When `--extra-index-url` is used in a `pip install` command, this is usually meant to install a package from a package index other than the public one. However, if a package is added with the same name to the public PyPi repository, and if the version number is high enough, this package will be installed when building this docker image. This package may be a malicious dependency. Such an attack is called a dependency confusion attack. If using a private package index, prefer to use `--index-url` if possible. \nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url","id":"dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url","name":"dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url","properties":{"precision":"very-high","tags":["CWE-427: Uncontrolled Search Path Element","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"help":{"markdown":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n - [https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/](https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/)\n - [https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)\n","text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","id":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","name":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","CWE-862: Missing Authorization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"help":{"markdown":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n","text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root","id":"dockerfile.security.last-user-is-root.last-user-is-root","name":"dockerfile.security.last-user-is-root.last-user-is-root","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"help":{"markdown":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","id":"dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","name":"dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"help":{"markdown":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","id":"dockerfile.security.missing-user.missing-user","name":"dockerfile.security.missing-user.missing-user","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.missing-user.missing-user"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities."},"help":{"markdown":"Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile)\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\n - [https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)\n","text":"Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile","id":"dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile","name":"dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Semgrep found a bash reverse shell"},"help":{"markdown":"Semgrep found a bash reverse shell\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Semgrep found a bash reverse shell\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell","id":"generic.ci.security.bash-reverse-shell.bash_reverse_shell","name":"generic.ci.security.bash-reverse-shell.bash_reverse_shell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.ci.security.bash-reverse-shell.bash_reverse_shell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"help":{"markdown":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\n","text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal","id":"generic.nginx.security.alias-path-traversal.alias-path-traversal","name":"generic.nginx.security.alias-path-traversal.alias-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"help":{"markdown":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n","text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","id":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","name":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","properties":{"precision":"very-high","tags":["CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"help":{"markdown":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n","text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","id":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","name":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"help":{"markdown":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n","text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection","id":"generic.nginx.security.header-injection.header-injection","name":"generic.nginx.security.header-injection.header-injection","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.header-injection.header-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The 'add_header' directive is called in a 'location' block after headers have been set at the server block. Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block."},"help":{"markdown":"The 'add_header' directive is called in a 'location' block after headers have been set at the server block. Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)\n","text":"The 'add_header' directive is called in a 'location' block after headers have been set at the server block. Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition","id":"generic.nginx.security.header-redefinition.header-redefinition","name":"generic.nginx.security.header-redefinition.header-redefinition","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.header-redefinition.header-redefinition"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"help":{"markdown":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect","id":"generic.nginx.security.insecure-redirect.insecure-redirect","name":"generic.nginx.security.insecure-redirect.insecure-redirect","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"help":{"markdown":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n","text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version","id":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","name":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"help":{"markdown":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\n","text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal","id":"generic.nginx.security.missing-internal.missing-internal","name":"generic.nginx.security.missing-internal.missing-internal","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.missing-internal.missing-internal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions."},"help":{"markdown":"This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://nginx.org/en/docs/http/configuring_https_servers.html](https://nginx.org/en/docs/http/configuring_https_servers.html)\n","text":"This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version","id":"generic.nginx.security.missing-ssl-version.missing-ssl-version","name":"generic.nginx.security.missing-ssl-version.missing-ssl-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.missing-ssl-version.missing-ssl-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"help":{"markdown":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n","text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","id":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","name":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Amazon MWS Auth Token detected"},"help":{"markdown":"Amazon MWS Auth Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Amazon MWS Auth Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token","id":"generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token","name":"generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Artifactory token detected"},"help":{"markdown":"Artifactory token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Artifactory token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password","id":"generic.secrets.security.detected-artifactory-password.detected-artifactory-password","name":"generic.secrets.security.detected-artifactory-password.detected-artifactory-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-artifactory-password.detected-artifactory-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Artifactory token detected"},"help":{"markdown":"Artifactory token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Artifactory token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token","id":"generic.secrets.security.detected-artifactory-token.detected-artifactory-token","name":"generic.secrets.security.detected-artifactory-token.detected-artifactory-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-artifactory-token.detected-artifactory-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file."},"help":{"markdown":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","id":"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","name":"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS AppSync GraphQL Key detected"},"help":{"markdown":"AWS AppSync GraphQL Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS AppSync GraphQL Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key","id":"generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key","name":"generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Secret Access Key detected"},"help":{"markdown":"AWS Secret Access Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Secret Access Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","id":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","name":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Session Token detected"},"help":{"markdown":"AWS Session Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Session Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token","id":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","name":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-session-token.detected-aws-session-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"bcrypt hash detected"},"help":{"markdown":"bcrypt hash detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"bcrypt hash detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","id":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","name":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"CodeClimate detected"},"help":{"markdown":"CodeClimate detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"CodeClimate detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate","id":"generic.secrets.security.detected-codeclimate.detected-codeclimate","name":"generic.secrets.security.detected-codeclimate.detected-codeclimate","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"linux shadow file detected"},"help":{"markdown":"linux shadow file detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"linux shadow file detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow","id":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","name":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Facebook Access Token detected"},"help":{"markdown":"Facebook Access Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Facebook Access Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token","id":"generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token","name":"generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Facebook OAuth detected"},"help":{"markdown":"Facebook OAuth detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Facebook OAuth detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","id":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","name":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Generic API Key detected"},"help":{"markdown":"Generic API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key)\n - [https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json](https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json)\n","text":"Generic API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key","id":"generic.secrets.security.detected-generic-api-key.detected-generic-api-key","name":"generic.secrets.security.detected-generic-api-key.detected-generic-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-generic-api-key.detected-generic-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Generic Secret detected"},"help":{"markdown":"Generic Secret detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Generic Secret detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret","id":"generic.secrets.security.detected-generic-secret.detected-generic-secret","name":"generic.secrets.security.detected-generic-secret.detected-generic-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-generic-secret.detected-generic-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"GitHub Token detected"},"help":{"markdown":"GitHub Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-github-token.detected-github-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"GitHub Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-github-token.detected-github-token","id":"generic.secrets.security.detected-github-token.detected-github-token","name":"generic.secrets.security.detected-github-token.detected-github-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-github-token.detected-github-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Google OAuth Access Token detected"},"help":{"markdown":"Google OAuth Access Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Google OAuth Access Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token","id":"generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token","name":"generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Heroku API Key detected"},"help":{"markdown":"Heroku API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Heroku API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","id":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","name":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"HockeyApp detected"},"help":{"markdown":"HockeyApp detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-hockeyapp.detected-hockeyapp)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"HockeyApp detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-hockeyapp.detected-hockeyapp","id":"generic.secrets.security.detected-hockeyapp.detected-hockeyapp","name":"generic.secrets.security.detected-hockeyapp.detected-hockeyapp","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-hockeyapp.detected-hockeyapp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"JWT token detected"},"help":{"markdown":"JWT token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"JWT token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token","id":"generic.secrets.security.detected-jwt-token.detected-jwt-token","name":"generic.secrets.security.detected-jwt-token.detected-jwt-token","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-jwt-token.detected-jwt-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Kolide API Key detected"},"help":{"markdown":"Kolide API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Kolide API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key","id":"generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key","name":"generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"MailChimp API Key detected"},"help":{"markdown":"MailChimp API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"MailChimp API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key","id":"generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key","name":"generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Mailgun API Key detected"},"help":{"markdown":"Mailgun API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Mailgun API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key","id":"generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key","name":"generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"NPM registry authentication token detected"},"help":{"markdown":"NPM registry authentication token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"NPM registry authentication token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token","id":"generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token","name":"generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Onfido live API Token detected"},"help":{"markdown":"Onfido live API Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)\n - [https://documentation.onfido.com/api/latest/#api-tokens](https://documentation.onfido.com/api/latest/#api-tokens)\n","text":"Onfido live API Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","id":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","name":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Outlook Team detected"},"help":{"markdown":"Outlook Team detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Outlook Team detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team","id":"generic.secrets.security.detected-outlook-team.detected-outlook-team","name":"generic.secrets.security.detected-outlook-team.detected-outlook-team","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-outlook-team.detected-outlook-team"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"PayPal Braintree Access Token detected"},"help":{"markdown":"PayPal Braintree Access Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"PayPal Braintree Access Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token","id":"generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token","name":"generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit."},"help":{"markdown":"Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block","id":"generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block","name":"generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Picatic API Key detected"},"help":{"markdown":"Picatic API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Picatic API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key","id":"generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key","name":"generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"help":{"markdown":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key","id":"generic.secrets.security.detected-private-key.detected-private-key","name":"generic.secrets.security.detected-private-key.detected-private-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Sauce Token detected"},"help":{"markdown":"Sauce Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Sauce Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token","id":"generic.secrets.security.detected-sauce-token.detected-sauce-token","name":"generic.secrets.security.detected-sauce-token.detected-sauce-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sauce-token.detected-sauce-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SendGrid API Key detected"},"help":{"markdown":"SendGrid API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SendGrid API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","id":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","name":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Slack Token detected"},"help":{"markdown":"Slack Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-slack-token.detected-slack-token)\n - [https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58](https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58)\n","text":"Slack Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-slack-token.detected-slack-token","id":"generic.secrets.security.detected-slack-token.detected-slack-token","name":"generic.secrets.security.detected-slack-token.detected-slack-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-slack-token.detected-slack-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Slack Webhook detected"},"help":{"markdown":"Slack Webhook detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-slack-webhook.detected-slack-webhook)\n - [https://api.slack.com/messaging/webhooks](https://api.slack.com/messaging/webhooks)\n","text":"Slack Webhook detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-slack-webhook.detected-slack-webhook","id":"generic.secrets.security.detected-slack-webhook.detected-slack-webhook","name":"generic.secrets.security.detected-slack-webhook.detected-slack-webhook","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-slack-webhook.detected-slack-webhook"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Snyk API Key detected"},"help":{"markdown":"Snyk API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Snyk API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","id":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","name":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SoftLayer API Key detected"},"help":{"markdown":"SoftLayer API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SoftLayer API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key","id":"generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key","name":"generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SonarQube Docs API Key detected"},"help":{"markdown":"SonarQube Docs API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SonarQube Docs API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","id":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","name":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Square Access Token detected"},"help":{"markdown":"Square Access Token detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Square Access Token detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token","id":"generic.secrets.security.detected-square-access-token.detected-square-access-token","name":"generic.secrets.security.detected-square-access-token.detected-square-access-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-square-access-token.detected-square-access-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Square OAuth Secret detected"},"help":{"markdown":"Square OAuth Secret detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\n","text":"Square OAuth Secret detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","id":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","name":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SSH Password detected"},"help":{"markdown":"SSH Password detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SSH Password detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password","id":"generic.secrets.security.detected-ssh-password.detected-ssh-password","name":"generic.secrets.security.detected-ssh-password.detected-ssh-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-ssh-password.detected-ssh-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Stripe API Key detected"},"help":{"markdown":"Stripe API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Stripe API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","id":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","name":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Stripe Restricted API Key detected"},"help":{"markdown":"Stripe Restricted API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Stripe Restricted API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key","id":"generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key","name":"generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","MEDIUM CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Telegram Bot API Key detected"},"help":{"markdown":"Telegram Bot API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Telegram Bot API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key","id":"generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key","name":"generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Twilio API Key detected"},"help":{"markdown":"Twilio API Key detected\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Twilio API Key detected\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key","id":"generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key","name":"generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detects potential Google Maps API keys in code"},"help":{"markdown":"Detects potential Google Maps API keys in code\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak)\n - [https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e](https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e)\n","text":"Detects potential Google Maps API keys in code\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak","id":"generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak","name":"generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak","properties":{"precision":"very-high","tags":["CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory","MEDIUM CONFIDENCE","OWASP-A3:2017 Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"help":{"markdown":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\n#### š Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\n - [https://trojansource.codes/](https://trojansource.codes/)\n","text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\nš Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters","id":"generic.unicode.security.bidi.contains-bidirectional-characters","name":"generic.unicode.security.bidi.contains-bidirectional-characters","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your