Security Rules used by Snyk Code
Last updated: June, 2022
Important! Snyk Security Rules list is updated continuously. This list is constantly growing, and the rules within it may change, in order to provide you with the best protection and security solutions for your code.
The following table lists the security rules that are used by Snyk Code when scanning your source code for vulnerabilities:
Notes:
  • No. & Rule Name column - __ contains consecutive numbers for each rule, and the Snyk name of the rule.
  • CWE(s) column - the CWE numbers covered by this rule.
  • OWASP Top 10/SANS 25 column - indicates if and to which OWASP Top 10 items (2021 edition) the rule belongs, and if it is included in SANS 25.
  • Supported Languages column - lists the programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.
No. & Rule Name
CWE(s)
OWASP Top 10/SANS 25
Supported Languages
(1) Use of Hardcoded Credentials
(798) Use of Hard-coded Credentials
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
PHP
(259) Use of Hard-coded Password
SANS/CWE Top 25
Ruby
Go
Java
JavaScript, TypeScript
Python
C# & ASP.NET (Beta)
(2) Use of Password Hash With Insufficient Computational Effort
(916) Use of Password Hash With Insufficient Computational Effort
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Python
JavaScript, TypeScript
C# & ASP.NET (Beta)
Java
Go
PHP
(3) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
(614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
PHP
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Python
(4) Hardcoded Secret
(547) Use of Hard-coded, Security-relevant Constants
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
JavaScript, TypeScript
C# & ASP.NET (Beta)
Java
Go
PHP
Python
Ruby
(5) Insecure Data Transmission
(319) Cleartext Transmission of Sensitive Information
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Ruby
C# & ASP.NET (Beta)
(6) Command Injection
(78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
SANS/CWE Top 25
JavaScript,
TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
(7) Cross-site Scripting (XSS)
(79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
SANS/CWE Top 25
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
(8) Server-Side Request Forgery (SSRF)
(918) Server-Side Request Forgery (SSRF)
OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)
Python
SANS/CWE Top 25
JavaScript, TypeScript
C# & ASP.NET (Beta)
Java
Go
PHP
(9) Open Redirect
(601) URL Redirection to Untrusted Site ('Open Redirect')
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Python
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
(10) Regular expression injection
(400) Uncontrolled Resource Consumption
Java
(730)
C# & ASP.NET (Beta)
(11) XML Injection
(611) Improper Restriction of XML External Entity Reference
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
C# & ASP.NET (Beta)
SANS/CWE Top 25
(12) SQL Injection
(89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
SANS/CWE Top 25
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
(13) Log Forging
(117) Improper Output Neutralization for Logs
OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures
C# & ASP.NET (Beta)
(14) Use of Hardcoded Cryptographic Key
(321) Use of Hard-coded Cryptographic Key
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Python
Ruby
(15) XML External Entity (XXE) Injection
(611) Improper Restriction of XML External Entity Reference
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
JavaScript, TypeScript
SANS/CWE Top 25
Ruby
C# & ASP.NET (Beta)
Java
PHP
(16) Inadequate Encryption Strength
(326) Inadequate Encryption Strength
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
C# & ASP.NET (Beta)
Java
Go
PHP
(17) Use of Insufficiently Random Values
(330) Use of Insufficiently Random Values
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
PHP
Java
C# & ASP.NET (Beta)
Go
JavaScript, TypeScript
Ruby
(18) Sensitive Cookie Without 'HttpOnly' Flag
(1004) Sensitive Cookie Without 'HttpOnly' Flag
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Python
Java
C# & ASP.NET (Beta)
Go
JavaScript, TypeScript
PHP
Ruby
(19) Request Validation Disabled
(554) ASP.NET Misconfiguration: Not Using Input Validation Framework
C# & ASP.NET (Beta)
(20) IgnoreAntiforgeryToken in Use
(352) Cross-Site Request Forgery (CSRF)
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
C# & ASP.NET (Beta)
SANS/CWE Top 25
(21) Debug Features Enabled
(215) Insertion of Sensitive Information Into Debugging Code
C# & ASP.NET (Beta)
(22) Deserialization of Untrusted Data
(502) Deserialization of Untrusted Data
OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures
Python
SANS/CWE Top 25
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
PHP
(23) ASP SSL Disabled
(319) Cleartext Transmission of Sensitive Information
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
C# & ASP.NET (Beta)
(24) Code Injection
(94) Improper Control of Generation of Code ('Code Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
PHP
(25) Information Exposure
(200) Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
PHP
SANS/CWE Top 25
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
(26) Exposure of Private Personal Information to an Unauthorized Actor
(359) Exposure of Private Personal Information to an Unauthorized Actor
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
C# & ASP.NET (Beta)
(27) Cleartext Storage of Sensitive Information in a Cookie
(315) Cleartext Storage of Sensitive Information in a Cookie
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Java
C# & ASP.NET (Beta)
(28) LDAP Injection
(90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
C# & ASP.NET (Beta)
(29) Path Traversal
(23) Relative Path Traversal
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Python
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
(30) XPath Injection
(643) Improper Neutralization of Data within XPath Expressions ('XPath Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
(31) Arbitrary File Write via Archive Extraction (Zip Slip)
(22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
PHP
SANS/CWE Top 25
JavaScript, TypeScript
C# & ASP.NET (Beta)
(32) Improper Certificate Validation
(295) Improper Certificate Validation
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Go
Java
Ruby
(33) Insecure TLS Configuration
(327) Use of a Broken or Risky Cryptographic Algorithm
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Go
(34) Clear Text Logging
(200) Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Go
(312) Cleartext Storage of Sensitive Information
OWASP Top Ten 2021 Category A04:2021 - Insecure Design
SANS/CWE Top 25
(35) Generation of Error Message Containing Sensitive Information
(209) Generation of Error Message Containing Sensitive Information
OWASP Top Ten 2021 Category A04:2021 - Insecure Design
Go
(36) Improper Authentication
(287) Improper Authentication
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Java
SANS/CWE Top 25
(37) Use of a Broken or Risky Cryptographic Algorithm
(327) Use of a Broken or Risky Cryptographic Algorithm
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Java
JavaScript, TypeScript
(38) Use of Potentially Dangerous Function
(676) Use of Potentially Dangerous Function
Java
(39) Use of Hardcoded, Security-relevant Constants
(547) Use of Hard-coded, Security-relevant Constants
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Java
(40) JWT Signature Verification Bypass
(347) Improper Verification of Cryptographic Signature
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Java
(41) Cleartext Transmission of Sensitive Information
(319) Cleartext Transmission of Sensitive Information
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Java
JavaScript, TypeScript
(42) Improper Validation of Certificate with Host Mismatch
(297) Improper Validation of Certificate with Host Mismatch
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Java
(43) Insufficient Session Expiration
(613) Insufficient Session Expiration
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Java
(44) Origin Validation Error
(942) Permissive Cross-domain Policy with Untrusted Domains
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Python
(346) Origin Validation Error
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Java
JavaScript, TypeScript
PHP
(45) Cross-Site Request Forgery (CSRF)
(352) Cross-Site Request Forgery (CSRF)
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Python
SANS/CWE Top 25
Ruby
Java
JavaScript, TypeScript
PHP
(46) Disabled Neutralization of CRLF Sequences in HTTP Headers
(113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
(47) JavaScript Enabled
(79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
SANS/CWE Top 25
(48) File Access Enabled
(200) Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Java
SANS/CWE Top 25
(49) Android Fragment Injection
(470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
(50) Spring Cross-Site Request Forgery (CSRF)
(352) Cross-Site Request Forgery (CSRF)
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Java
SANS/CWE Top 25
(51) Struts Development Mode Enabled
(489) Active Debug Code
Java
(52) Android Debug Mode Enabled
(489) Active Debug Code
Java
(53) Process Control
(114) Process Control
Java
(54) Use of Externally-Controlled Format String
(134) Use of Externally-Controlled Format String
Java
JavaScript, TypeScript
(55) External Control of System or Configuration Setting
(15) External Control of System or Configuration Setting
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Java
(56) Server Information Exposure
(209) Generation of Error Message Containing Sensitive Information
OWASP Top Ten 2021 Category A04:2021 - Insecure Design
Python
Java
(57) Improper Neutralization of CRLF Sequences in HTTP Headers
(113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
(58) Trust Boundary Violation
(501) Trust Boundary Violation
OWASP Top Ten 2021 Category A04:2021 - Insecure Design
Java
(59) Android Intent Forwarding
(940) Improper Verification of Source of a Communication Channel
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Java
(60) Unauthorized File Access
(79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
SANS/CWE Top 25
(61) Code Execution via Third Party Package Context
(94) Improper Control of Generation of Code ('Code Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
(62) Android Uri Permission Manipulation
(266) Incorrect Privilege Assignment
OWASP Top Ten 2021 Category A04:2021 - Insecure Design
Java
(63) Java Naming and Directory Interface (JNDI) Injection
(74) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
(64) Code Execution via Third Party Package Installation
(940) Improper Verification of Source of a Communication Channel
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Java
(65) Observable Timing Discrepancy (Timing Attack)
(208) Observable Timing Discrepancy
JavaScript, TypeScript
(66) Buffer Over-read
(126) Buffer Over-read
JavaScript, TypeScript
(67) Improper Restriction of Rendered UI Layers or Frames
(1021) Improper Restriction of Rendered UI Layers or Frames
OWASP Top Ten 2021 Category A04:2021 - Insecure Design
PHP
JavaScript, TypeScript
(68) Unchecked Input for Loop Condition
(400) Uncontrolled Resource Consumption
JavaScript, TypeScript
(606) Unchecked Input for Loop Condition
(69) Improper Input Validation
(20) Improper Input Validation
OWASP Top Ten 2021 Category A03:2021 - Injection
JavaScript, TypeScript