Security Rules used by Snyk Code

Important! Snyk Security Rules list is updated continuously. This list is constantly growing, and the rules within it may change, in order to provide you with the best protection and security solutions for your code.
The following table lists the security rules that are used by Snyk Code when scanning your source code for vulnerabilities:
Notes:
No. & Rule Name column - __ contains consecutive numbers for each rule, and the Snyk name of the rule.
CWE(s) column - the CWE numbers covered by this rule.
OWASP Top 10/SANS 25 column - indicates if and to which OWASP Top 10 items (2021 edition) the rule belongs, and if it is included in SANS 25.
Supported Languages column - lists the programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.
No. & Rule Name
CWE(s)
OWASP Top 10/SANS 25
Supported Languages
(1) Use of Hardcoded Credentials
(798) Use of Hard-coded Credentials
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
PHP
​
(259) Use of Hard-coded Password
SANS/CWE Top 25
Ruby
​
​
​
Go
​
​
​
Java
​
​
​
JavaScript,
TypeScript
​
​
​
Python
​
​
​
C# & ASP.NET
​
​
​
Apex
​
​
​
​
(2) Use of Password Hash With Insufficient Computational Effort
(916) Use of Password Hash With Insufficient Computational Effort
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Python
​
​
​
JavaScript,
TypeScript
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
Apex
​
​
​
​
(3) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
(614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
PHP
​
​
​
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Python
​
​
​
​
(4) Hardcoded Secret
(547) Use of Hard-coded, Security-relevant Constants
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
JavaScript,
TypeScript
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
Python
​
​
​
Ruby
​
​
​
Apex
​
​
​
​
(5) Insecure Data Transmission
(319) Cleartext Transmission of Sensitive Information
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Ruby
​
​
​
C# & ASP.NET
​
​
​
​
(6) Command Injection
(78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
​
​
SANS/CWE Top 25
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
Apex
​
​
​
​
(7) Cross-site Scripting (XSS)
(79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
​
​
SANS/CWE Top 25
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
Apex
​
​
​
​
(8) Server-Side Request Forgery (SSRF)
(918) Server-Side Request Forgery (SSRF)
OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)
Python
​
​
SANS/CWE Top 25
JavaScript,
TypeScript
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
Apex
​
​
​
​
(9) Open Redirect
(601) URL Redirection to Untrusted Site ('Open Redirect')
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Python
​
​
​
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
Apex
​
​
​
​
(10) Regular expression injection
(400) Uncontrolled Resource Consumption
​
Java
​
(730)
​
C# & ASP.NET
​
​
​
Apex
​
​
​
​
(11) XML Injection
(611) Improper Restriction of XML External Entity Reference
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
C# & ASP.NET
​
​
SANS/CWE Top 25
Apex
​
​
​
​
(12) SQL Injection
(89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
​
​
SANS/CWE Top 25
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
Apex
​
​
​
​
(13) Log Forging
(117) Improper Output Neutralization for Logs
OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures
C# & ASP.NET
​
​
​
​
(14) Use of Hardcoded Cryptographic Key
(321) Use of Hard-coded Cryptographic Key
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Python
​
​
​
Ruby
​
​
​
Apex
​
​
​
​
(15) XML External Entity (XXE) Injection
(611) Improper Restriction of XML External Entity Reference
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
JavaScript,
TypeScript
​
​
SANS/CWE Top 25
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
PHP
​
​
​
​
(16) Inadequate Encryption Strength
(326) Inadequate Encryption Strength
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
​
(17) Use of Insufficiently Random Values
(330) Use of Insufficiently Random Values
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
PHP
​
​
​
Java
​
​
​
C# & ASP.NET
​
​
​
Go
​
​
​
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
​
(18) Sensitive Cookie Without 'HttpOnly' Flag
(1004) Sensitive Cookie Without 'HttpOnly' Flag
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Python
​
​
​
Java
​
​
​
C# & ASP.NET
​
​
​
Go
​
​
​
JavaScript,
TypeScript
​
​
​
PHP
​
​
​
Ruby
​
​
​
​
(19) Request Validation Disabled
(554) ASP.NET Misconfiguration: Not Using Input Validation Framework
​
C# & ASP.NET
​
​
​
​
(20) IgnoreAntiforgeryToken in Use
(352) Cross-Site Request Forgery (CSRF)
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
C# & ASP.NET
​
​
SANS/CWE Top 25
​
(21) Debug Features Enabled
(215) Insertion of Sensitive Information Into Debugging Code
​
C# & ASP.NET
​
​
​
​
(22) Deserialization of Untrusted Data
(502) Deserialization of Untrusted Data
OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures
Python
​
​
SANS/CWE Top 25
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
PHP
​
​
​
​
(23) ASP SSL Disabled
(319) Cleartext Transmission of Sensitive Information
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
C# & ASP.NET
​
​
​
​
(24) Code Injection
(94) Improper Control of Generation of Code ('Code Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
​
​
​
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
PHP
​
​
​
​
(25) Information Exposure
(200) Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
PHP
​
​
SANS/CWE Top 25
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
​
(26) Exposure of Private Personal Information to an Unauthorized Actor
(359) Exposure of Private Personal Information to an Unauthorized Actor
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
C# & ASP.NET
​
​
​
​
(27) Cleartext Storage of Sensitive Information in a Cookie
(315) Cleartext Storage of Sensitive Information in a Cookie
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Java
​
​
​
C# & ASP.NET
​
​
​
​
(28) LDAP Injection
(90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
​
​
​
C# & ASP.NET
​
​
​
​
(29) Path Traversal
(23) Relative Path Traversal
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Python
​
​
​
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
​
(30) XPath Injection
(643) Improper Neutralization of Data within XPath Expressions ('XPath Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
​
​
​
JavaScript,
TypeScript
​
​
​
Ruby
​
​
​
C# & ASP.NET
​
​
​
Java
​
​
​
Go
​
​
​
PHP
​
​
​
​
(31) Arbitrary File Write via Archive Extraction (Zip Slip)
(22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
PHP
​
​
SANS/CWE Top 25
JavaScript,
TypeScript
​
​
​
C# & ASP.NET
​
​
​
​

No. & Rule Name	CWE(s)	OWASP Top 10/SANS 25	Supported Languages
(1) Use of Hardcoded Credentials	(798) Use of Hard-coded Credentials	OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures	PHP
	(259) Use of Hard-coded Password	SANS/CWE Top 25	Ruby
			Go
			Java
			JavaScript, TypeScript
			Python
			C# & ASP.NET
			Apex

(2) Use of Password Hash With Insufficient Computational Effort	(916) Use of Password Hash With Insufficient Computational Effort	OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures	Python
			JavaScript, TypeScript
			C# & ASP.NET
			Java
			Go
			PHP
			Apex

(3) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute	(614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute	OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration	PHP
			JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java
			Python

(4) Hardcoded Secret	(547) Use of Hard-coded, Security-relevant Constants	OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration	JavaScript, TypeScript
			C# & ASP.NET
			Java
			Go
			PHP
			Python
			Ruby
			Apex

(5) Insecure Data Transmission	(319) Cleartext Transmission of Sensitive Information	OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures	Ruby
			C# & ASP.NET

(6) Command Injection	(78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	OWASP Top Ten 2021 Category A03:2021 - Injection	Python
		SANS/CWE Top 25	JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java
			Go
			PHP
			Apex

(7) Cross-site Scripting (XSS)	(79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	OWASP Top Ten 2021 Category A03:2021 - Injection	Python
		SANS/CWE Top 25	JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java
			Go
			PHP
			Apex

(8) Server-Side Request Forgery (SSRF)	(918) Server-Side Request Forgery (SSRF)	OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)	Python
		SANS/CWE Top 25	JavaScript, TypeScript
			C# & ASP.NET
			Java
			Go
			PHP
			Apex

(9) Open Redirect	(601) URL Redirection to Untrusted Site ('Open Redirect')	OWASP Top Ten 2021 Category A01:2021 - Broken Access Control	Python
			JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java
			Go
			PHP
			Apex

(10) Regular expression injection	(400) Uncontrolled Resource Consumption		Java
	(730)		C# & ASP.NET
			Apex

(11) XML Injection	(611) Improper Restriction of XML External Entity Reference	OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration	C# & ASP.NET
		SANS/CWE Top 25	Apex

(12) SQL Injection	(89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	OWASP Top Ten 2021 Category A03:2021 - Injection	Python
		SANS/CWE Top 25	JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java
			Go
			PHP
			Apex

(13) Log Forging	(117) Improper Output Neutralization for Logs	OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures	C# & ASP.NET

(14) Use of Hardcoded Cryptographic Key	(321) Use of Hard-coded Cryptographic Key	OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures	Python
			Ruby
			Apex

(15) XML External Entity (XXE) Injection	(611) Improper Restriction of XML External Entity Reference	OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration	JavaScript, TypeScript
		SANS/CWE Top 25	Ruby
			C# & ASP.NET
			Java
			PHP

(16) Inadequate Encryption Strength	(326) Inadequate Encryption Strength	OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures	C# & ASP.NET
			Java
			Go
			PHP

(17) Use of Insufficiently Random Values	(330) Use of Insufficiently Random Values	OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures	PHP
			Java
			C# & ASP.NET
			Go
			JavaScript, TypeScript
			Ruby

(18) Sensitive Cookie Without 'HttpOnly' Flag	(1004) Sensitive Cookie Without 'HttpOnly' Flag	OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration	Python
			Java
			C# & ASP.NET
			Go
			JavaScript, TypeScript
			PHP
			Ruby

(19) Request Validation Disabled	(554) ASP.NET Misconfiguration: Not Using Input Validation Framework		C# & ASP.NET

(20) IgnoreAntiforgeryToken in Use	(352) Cross-Site Request Forgery (CSRF)	OWASP Top Ten 2021 Category A01:2021 - Broken Access Control	C# & ASP.NET
		SANS/CWE Top 25
(21) Debug Features Enabled	(215) Insertion of Sensitive Information Into Debugging Code		C# & ASP.NET

(22) Deserialization of Untrusted Data	(502) Deserialization of Untrusted Data	OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures	Python
		SANS/CWE Top 25	JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java
			PHP

(23) ASP SSL Disabled	(319) Cleartext Transmission of Sensitive Information	OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures	C# & ASP.NET

(24) Code Injection	(94) Improper Control of Generation of Code ('Code Injection')	OWASP Top Ten 2021 Category A03:2021 - Injection	Python
			JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java
			PHP

(25) Information Exposure	(200) Exposure of Sensitive Information to an Unauthorized Actor	OWASP Top Ten 2021 Category A01:2021 - Broken Access Control	PHP
		SANS/CWE Top 25	JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java

(26) Exposure of Private Personal Information to an Unauthorized Actor	(359) Exposure of Private Personal Information to an Unauthorized Actor	OWASP Top Ten 2021 Category A01:2021 - Broken Access Control	C# & ASP.NET

(27) Cleartext Storage of Sensitive Information in a Cookie	(315) Cleartext Storage of Sensitive Information in a Cookie	OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration	Java
			C# & ASP.NET

(28) LDAP Injection	(90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')	OWASP Top Ten 2021 Category A03:2021 - Injection	Java
			C# & ASP.NET

(29) Path Traversal	(23) Relative Path Traversal	OWASP Top Ten 2021 Category A01:2021 - Broken Access Control	Python
			JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java
			Go
			PHP

(30) XPath Injection	(643) Improper Neutralization of Data within XPath Expressions ('XPath Injection')	OWASP Top Ten 2021 Category A03:2021 - Injection	Python
			JavaScript, TypeScript
			Ruby
			C# & ASP.NET
			Java
			Go
			PHP

(31) Arbitrary File Write via Archive Extraction (Zip Slip)	(22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	OWASP Top Ten 2021 Category A01:2021 - Broken Access Control	PHP
		SANS/CWE Top 25	JavaScript, TypeScript
			C# & ASP.NET