Snyk Code security rules

Snyk Code rules are updated continuously: the list keeps expanding, and existing rules may change to provide the best protection and security solutions for your code.

If you have followed a link for code quality from an IDE, see the language documentation for that information.

This page lists the security rules used by Snyk Code when scanning your source code for vulnerabilities.

Each rule includes the following information.

  • Number and Rule Name: Consecutive number for each rule and the Snyk name of the rule.

  • CWE(s): The CWE numbers that are covered by this rule.

  • OWASP Top 10/SANS 25: The OWASP Top 10 (2021 edition) category to which the rule belongs, if any, and whether the rule is included in the SANS 25.

  • Supported Languages: The programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.

  • Autofixable: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages.

Rule (1) External Control of System or Configuration Setting

CWE (15) External Control of System or Configuration Setting

Supported languages: Java, Kotlin, Scala

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (2) Configuration Issue: Electron Disable Security Warnings

CWE (16) Configuration

Supported languages: JavaScript and TypeScript

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (3) Configuration Issues: Electron Insecure Web Preferences

CWE (16) Configuration

Supported languages: JavaScript and TypeScript

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (4) Configuration Issues: Electron Load Insecure Content

CWE (16) Configuration

Supported languages: JavaScript and TypeScript

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (5) Insufficient postMessage Validation

CWE (20) Improper Input Validation

Supported languages: JavaScript and TypeScript

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (6) Improper Input Validation

CWE (20) Improper Input Validation

Supported languages: Ruby

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (7) Incomplete URL sanitization

CWE (20) Improper Input Validation

Supported languages: Python

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (8) Arbitrary File Write via Archive Extraction (Tar Slip)

CWE (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Supported languages: Python

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (9) Arbitrary File Write via Archive Extraction (Zip Slip)

CWE (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Supported languages: C# and ASP.NET, JavaScript and TypeScript, PHP

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (10) Path Traversal

CWE (23) Relative Path Traversal

Supported languages: C++ (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

Rule (11) Java Naming and Directory Interface (JNDI) Injection

CWE (74) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Supported languages: Java, Kotlin, Scala

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (12) Command Injection

CWE (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Supported languages: Apex, C++ (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (13) Indirect Command Injection via User Controlled Environment

CWE (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Supported languages: Java, Kotlin, Scala

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (14) Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS)

CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Supported languages: JavaScript and TypeScript

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (15) Cross-site Scripting (XSS)

CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Supported languages: Apex, C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (16) JavaScript Enabled

CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Supported languages: Java, Kotlin

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (17) Jinja auto-escape is set to false.

CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Supported languages: Python

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (18) Use dangerouslySetInnerHTML to be explicit that this function is dangerous and also trigger react updates

CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Supported languages: JavaScript and TypeScript

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (19) Unauthorized File Access

CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Supported languages: Java, Kotlin

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (20) GraphQL Injection

CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Supported languages: JavaScript and TypeScript

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (21) SOQL Injection

CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Supported languages: Apex

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (22) SOSL Injection

CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Supported languages: Apex

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (23) SQL Injection

CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Supported languages: C++ (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (24) Unsafe SOQL Concatenation

CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Supported languages: Apex

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (25) Unsafe SOSL Concatenation

CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Supported languages: Apex

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (26) LDAP Injection

CWE (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Supported languages: C++ (Beta), C# and ASP.NET, Java, Kotlin, Scala

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (27) XML Injection

CWE (91) XML Injection (aka Blind XPath Injection)

Supported languages: Apex, C# and ASP.NET, Visual Basic

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (28) Code Injection

CWE (94) Improper Control of Generation of Code ('Code Injection')

Supported languages: C# and ASP.NET, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (29) Remote Code Execution via Endpoint

CWE (94) Improper Control of Generation of Code ('Code Injection')

Supported languages: Ruby

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (30) Code Execution via Third Party Package Context

CWE (94) Improper Control of Generation of Code ('Code Injection')

Supported languages: Java, Kotlin

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (31) Improper Neutralization of Directives in Statically Saved Code

CWE (96) Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Supported languages: JavaScript and TypeScript, Python, Ruby

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (32) File Inclusion

CWE (98) Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Supported languages: PHP

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (33) Improper Neutralization of CRLF Sequences in HTTP Headers

CWE (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Supported languages: Java, Kotlin, Scala

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (34) Disabled Neutralization of CRLF Sequences in HTTP Headers

CWE (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Supported languages: Java, Kotlin, Scala

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (35) Process Control

CWE (114) Process Control

Supported languages: Java, Kotlin, Scala

Rule (36) Log Forging

CWE (117) Improper Output Neutralization for Logs

Supported languages: C# and ASP.NET

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures

Rule (37) Buffer Overflow

CWE (122) Heap-based Buffer Overflow

Supported languages: C++ (Beta)

Rule (38) Potential buffer overflow from usage of unsafe function

CWE (122) Heap-based Buffer Overflow

Supported languages: C++ (Beta)

Rule (39) Potential Negative Number Used as Index

CWE (125, 787) Out-of-bounds Read, Out-of-bounds Write

Supported languages: C++ (Beta)

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (40) Size Used as Index

CWE (125, 787) Out-of-bounds Read, Out-of-bounds Write

Supported languages: C++ (Beta)

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (41) Buffer Over-read

CWE (126) Buffer Over-read

Supported languages: JavaScript and TypeScript

Rule (42) Use of Externally-Controlled Format String

CWE (134) Use of Externally-Controlled Format String

Supported languages: C++ (Beta), Java, JavaScript and TypeScript, Kotlin, Scala

Rule (43) Memory Allocation Of String Length

CWE (170) Improper Null Termination

Supported languages: C++ (Beta)

Rule (44) Improper Null Termination

CWE (170) Improper Null Termination

Supported languages: C++ (Beta)

Rule (45) Integer Overflow

CWE (190) Integer Overflow or Wraparound

Supported languages: C++ (Beta)

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (46) Clear Text Logging

CWE (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information

Supported languages: Go, Swift

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (47) Clear Text Sensitive Storage

CWE (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information

Supported languages: Apex, JavaScript and TypeScript

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (48) Information Exposure

CWE (200) Exposure of Sensitive Information to an Unauthorized Actor

Supported languages: C# and ASP.NET, Java, JavaScript and TypeScript, Kotlin, PHP, Ruby, Scala, Swift

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (49) File Access Enabled

CWE (200) Exposure of Sensitive Information to an Unauthorized Actor

Supported languages: Java, Kotlin

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (50) Introspection Enabled

CWE (200) Exposure of Sensitive Information to an Unauthorized Actor

Supported languages: JavaScript and TypeScript

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (51) Observable Timing Discrepancy (Timing Attack)

CWE (208) Observable Timing Discrepancy

Supported languages: Java, JavaScript and TypeScript, Kotlin, Scala

Rule (52) Generation of Error Message Containing Sensitive Information

CWE (209) Generation of Error Message Containing Sensitive Information

Supported languages: Go

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (53) Server Information Exposure

CWE (209) Generation of Error Message Containing Sensitive Information

Supported languages: Java, Kotlin, Python, Scala

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (54) Debug Features Enabled

CWE (215) Insertion of Sensitive Information Into Debugging Code

Supported languages: C# and ASP.NET, Visual Basic, XML

Rule (55) Unprotected Storage of Credentials

CWE (256) Plaintext Storage of a Password

Supported languages: Java, Kotlin, Scala

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (56) Use of Hardcoded Credentials

CWE (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials

Supported languages: Apex, C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic, XML

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (57) Use of Sticky broadcasts

CWE (265) Privilege Issues

Supported languages: Java, Kotlin

Rule (58) Android Uri Permission Manipulation

CWE (266) Incorrect Privilege Assignment

Supported languages: Java, Kotlin

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (59) Improper Handling of Insufficient Permissions or Privileges

CWE (280) Improper Handling of Insufficient Permissions or Privileges

Supported languages: Java, Kotlin, Python

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (60) Access Violation

CWE (284, 285) Improper Access Control, Improper Authorization

Supported languages: Apex

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

Rule (61) Binding to all network interfaces may open service to unintended traffic

CWE (284) Improper Access Control

Supported languages: Python

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

Rule (62) Improper Access Control: Email Content Injection

CWE (284) Improper Access Control

Supported languages: Apex, Go

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

Rule (63) Session Manipulation

CWE (285) Improper Authorization

Supported languages: Ruby

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

Rule (64) Anonymous LDAP binding allows a client to connect without logging in

CWE (287) Improper Authentication

Supported languages: C++ (Beta)

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (65) Broken User Authentication

CWE (287) Improper Authentication

Supported languages: Python

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (66) Device Authentication Bypass

CWE (287) Improper