# Security Rules used by Snyk Code

{% hint style="info" %}
**Important!** The Snyk Code security rules list is updated continuously: new rules are added and existing rules may change as detection coverage improves, so treat this table as a snapshot rather than a fixed specification.
{% endhint %}

The following table lists the security rules that are used by Snyk Code when scanning your source code for vulnerabilities:

**Notes**:

* **No. & Rule Name** column - the rule's consecutive number in this list and the rule name as Snyk Code reports it.
* **CWE(s)** column - the [CWE identifiers](https://cwe.mitre.org/) covered by the rule.
* **OWASP Top 10/SANS 25** column - indicates whether, and to which, [OWASP Top 10 (2021 edition)](https://owasp.org/Top10/) category the rule maps, and whether its CWE is on the [CWE/SANS Top 25](https://www.sans.org/top25-software-errors/) list.
* **Supported Languages** column - the programming languages to which this specific rule applies. Two rules may share the same name yet apply to different languages; they are listed separately.
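
Rule (2) in the table below, Use of Password Hash With Insufficient Computational Effort (CWE-916), names a weakness that is easier to see in code than in a CWE title. The following Python is an added illustration, not Snyk Code's detection logic and not from Snyk's documentation: it places the pattern such a rule flags (a single fast, unsalted MD5 digest) beside a hardened replacement (a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 derivation with constant-time comparison) and shows why the weak form matters by recovering passwords from a constructed leaked-hash table with a constructed wordlist. The 600,000 iteration count and the `pbkdf2_sha256$iterations$salt$digest` storage format are choices made for this example.

```python
"""Added example for CWE-916: fast unsalted digest vs. salted slow KDF.
Not Snyk Code's rule logic. SAMPLE_PASSWORDS and WORDLIST are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample data: passwords "leaked" as unsalted MD5, and a tiny wordlist.
SAMPLE_PASSWORDS = ["letmein", "Winter2024!", "correct horse battery staple"]
WORDLIST = ["password", "123456", "letmein", "qwerty", "Winter2024!"]

# Work factor chosen for this example (OWASP's 2023 floor for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Vulnerable pattern a CWE-916 rule targets: one fast MD5 round, no salt.
    Every user with the same password gets the same digest, and an attacker can
    hash a wordlist once and match it against the whole table."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak_hashes(leaked: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """One pass over the wordlist recovers every leaked digest it covers."""
    lookup = {weak_hash(word): word for word in wordlist}
    return {digest: lookup[digest] for digest in leaked if digest in lookup}


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened replacement: 16 random salt bytes per password and a slow KDF.
    The stored string carries its own parameters so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time.
    Rejects records in any other format rather than guessing how to check them."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = [weak_hash(p) for p in SAMPLE_PASSWORDS]
    print("recovered from unsalted MD5:", crack_weak_hashes(leaked, WORDLIST))
    record = strong_hash("letmein")
    print("stored:", record)
    print("correct password:", verify_strong("letmein", record))
    print("wrong password:  ", verify_strong("wrong", record))
```

Running it recovers the two wordlist passwords from the MD5 table immediately, while the same password hashed twice with `strong_hash` yields two different records that both verify. A scanner rule like (2) fires on the `weak_hash` shape regardless of how long the wordlist is; the fix is the salt plus the work factor, not a longer digest.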

| No. & Rule Name                                                                         | CWE(s)                                                                                                       | OWASP Top 10/SANS 25                                                              | Supported Languages                 |
| --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------- | ----------------------------------- |
| **(1) Use of Hardcoded Credentials**                                                    | (798) Use of Hard-coded Credentials                                                                          | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | PHP                                 |
|                                                                                         | (259) Use of Hard-coded Password                                                                             | SANS/CWE Top 25                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(2) Use of Password Hash With Insufficient Computational Effort**                     | (916) Use of Password Hash With Insufficient Computational Effort                                            | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(3) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute**                    | (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute                                           | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Python                              |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(4) Hardcoded Secret**                                                                | (547) Use of Hard-coded, Security-relevant Constants                                                         | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(5) Insecure Data Transmission**                                                      | (319) Cleartext Transmission of Sensitive Information                                                        | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(6) Command Injection**                                                               | (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')              | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Python                              |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(7) Cross-site Scripting (XSS)**                                                      | (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')                    | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Python                              |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(8) Server-Side Request Forgery (SSRF)**                                              | (918) Server-Side Request Forgery (SSRF)                                                                     | OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)         | Python                              |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(9) Open Redirect**                                                                   | (601) URL Redirection to Untrusted Site ('Open Redirect')                                                    | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(10) Regular expression injection**                                                   | (400) Uncontrolled Resource Consumption                                                                      |                                                                                   | Java                                |
|                                                                                         | (730) OWASP Top Ten 2004 Category A9 - Denial of Service                                                     |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(11) XML Injection**                                                                  | (611) Improper Restriction of XML External Entity Reference                                                  | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | C# & ASP.NET                        |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(12) SQL Injection**                                                                  | (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')                    | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Python                              |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(13) Log Forging**                                                                    | (117) Improper Output Neutralization for Logs                                                                | OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(14) Use of Hardcoded Cryptographic Key**                                             | (321) Use of Hard-coded Cryptographic Key                                                                    | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(15) XML External Entity (XXE) Injection**                                            | (611) Improper Restriction of XML External Entity Reference                                                  | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(16) Inadequate Encryption Strength**                                                 | (326) Inadequate Encryption Strength                                                                         | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(17) Use of Insufficiently Random Values**                                            | (330) Use of Insufficiently Random Values                                                                    | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(18) Sensitive Cookie Without 'HttpOnly' Flag**                                       | (1004) Sensitive Cookie Without 'HttpOnly' Flag                                                              | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(19) Request Validation Disabled**                                                    | (554) ASP.NET Misconfiguration: Not Using Input Validation Framework                                         |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(20) IgnoreAntiforgeryToken in Use**                                                  | (352) Cross-Site Request Forgery (CSRF)                                                                      | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | C# & ASP.NET                        |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(21) Debug Features Enabled**                                                         | (215) Insertion of Sensitive Information Into Debugging Code                                                 |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(22) Deserialization of Untrusted Data**                                              | (502) Deserialization of Untrusted Data                                                                      | OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures       | Python                              |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(23) ASP SSL Disabled**                                                               | (319) Cleartext Transmission of Sensitive Information                                                        | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(24) Code Injection**                                                                 | (94) Improper Control of Generation of Code ('Code Injection')                                               | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(25) Information Exposure**                                                           | (200) Exposure of Sensitive Information to an Unauthorized Actor                                             | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | PHP                                 |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(26) Exposure of Private Personal Information to an Unauthorized Actor**              | (359) Exposure of Private Personal Information to an Unauthorized Actor                                      | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(27) Cleartext Storage of Sensitive Information in a Cookie**                         | (315) Cleartext Storage of Sensitive Information in a Cookie                                                 | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(28) LDAP Injection**                                                                 | (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')                    | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(29) Path Traversal**                                                                 | (23) Relative Path Traversal                                                                                 | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(30) XPath Injection**                                                                | (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection')                           | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(31) Arbitrary File Write via Archive Extraction (Zip Slip)**                         | (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')                          | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | PHP                                 |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | C# & ASP.NET                        |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(32) Improper Certificate Validation**                                                | (295) Improper Certificate Validation                                                                        | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(33) Insecure TLS Configuration**                                                     | (327) Use of a Broken or Risky Cryptographic Algorithm                                                       | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(34) Clear Text Logging**                                                             | (200) Exposure of Sensitive Information to an Unauthorized Actor                                             | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | Go                                  |
|                                                                                         | (312) Cleartext Storage of Sensitive Information                                                             | OWASP Top Ten 2021 Category A04:2021 - Insecure Design                            |                                     |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(35) Generation of Error Message Containing Sensitive Information**                   | (209) Generation of Error Message Containing Sensitive Information                                           | OWASP Top Ten 2021 Category A04:2021 - Insecure Design                            | Go                                  |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(36) Improper Authentication**                                                        | (287) Improper Authentication                                                                                | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | Java                                |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(37) Use of a Broken or Risky Cryptographic Algorithm**                               | (327) Use of a Broken or Risky Cryptographic Algorithm                                                       | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(38) Use of Potentially Dangerous Function**                                          | (676) Use of Potentially Dangerous Function                                                                  |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(39) Use of Hardcoded, Security-relevant Constants**                                  | (547) Use of Hard-coded, Security-relevant Constants                                                         | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(40) JWT Signature Verification Bypass**                                              | (347) Improper Verification of Cryptographic Signature                                                       | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(41) Cleartext Transmission of Sensitive Information**                                | (319) Cleartext Transmission of Sensitive Information                                                        | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(42) Improper Validation of Certificate with Host Mismatch**                          | (297) Improper Validation of Certificate with Host Mismatch                                                  | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(43) Insufficient Session Expiration**                                                | (613) Insufficient Session Expiration                                                                        | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(44) Origin Validation Error**                                                        | (942) Permissive Cross-domain Policy with Untrusted Domains                                                  | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | Python                              |
|                                                                                         | (346) Origin Validation Error                                                                                | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(45) Cross-Site Request Forgery (CSRF)**                                              | (352) Cross-Site Request Forgery (CSRF)                                                                      | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | Python                              |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(46) Disabled Neutralization of CRLF Sequences in HTTP Headers**                      | (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')                  | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(47) JavaScript Enabled**                                                             | (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')                    | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Java                                |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
| **(48) File Access Enabled**                                                            | (200) Exposure of Sensitive Information to an Unauthorized Actor                                             | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | Java                                |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
| **(49) Android Fragment Injection**                                                     | (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')                     | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(50) Spring Cross-Site Request Forgery (CSRF)**                                       | (352) Cross-Site Request Forgery (CSRF)                                                                      | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | Java                                |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
| **(51) Struts Development Mode Enabled**                                                | (489) Active Debug Code                                                                                      |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(52) Android Debug Mode Enabled**                                                     | (489) Active Debug Code                                                                                      |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(53) Process Control**                                                                | (114) Process Control                                                                                        |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(54) Use of Externally-Controlled Format String**                                     | (134) Use of Externally-Controlled Format String                                                             |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(55) External Control of System or Configuration Setting**                            | (15) External Control of System or Configuration Setting                                                     | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(56) Server Information Exposure**                                                    | (209) Generation of Error Message Containing Sensitive Information                                           | OWASP Top Ten 2021 Category A04:2021 - Insecure Design                            | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(57) Improper Neutralization of CRLF Sequences in HTTP Headers**                      | (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')                  | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(58) Trust Boundary Violation**                                                       | (501) Trust Boundary Violation                                                                               | OWASP Top Ten 2021 Category A04:2021 - Insecure Design                            | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(59) Android Intent Forwarding**                                                      | (940) Improper Verification of Source of a Communication Channel                                             | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(60) Unauthorized File Access**                                                       | (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')                    | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Java                                |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
| **(61) Code Execution via Third Party Package Context**                                 | (94) Improper Control of Generation of Code ('Code Injection')                                               | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(62) Android Uri Permission Manipulation**                                            | (266) Incorrect Privilege Assignment                                                                         | OWASP Top Ten 2021 Category A04:2021 - Insecure Design                            | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(63) Java Naming and Directory Interface (JNDI) Injection**                           | (74) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')      | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(64) Code Execution via Third Party Package Installation**                            | (940) Improper Verification of Source of a Communication Channel                                             | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | Java                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(65) Observable Timing Discrepancy (Timing Attack)**                                  | (208) Observable Timing Discrepancy                                                                          |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(66) Buffer Over-read**                                                               | (126) Buffer Over-read                                                                                       |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(67) Improper Restriction of Rendered UI Layers or Frames**                           | (1021) Improper Restriction of Rendered UI Layers or Frames                                                  | OWASP Top Ten 2021 Category A04:2021 - Insecure Design                            | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(68) Unchecked Input for Loop Condition**                                             | (400) Uncontrolled Resource Consumption                                                                      |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         | (606) Unchecked Input for Loop Condition                                                                     |                                                                                   |                                     |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(69) Improper Input Validation**                                                      | (20) Improper Input Validation                                                                               | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(70) Allocation of Resources Without Limits or Throttling**                           | (770) Allocation of Resources Without Limits or Throttling                                                   |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(71) Permissive Cross-domain Policy**                                                 | (942) Permissive Cross-domain Policy with Untrusted Domains                                                  | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(72) Denial of Service (DoS) through Nested GraphQL Queries**                         | (400) Uncontrolled Resource Consumption                                                                      |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(73) Introspection Enabled**                                                          | (200) Exposure of Sensitive Information to an Unauthorized Actor                                             | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
| **(74) Weak Password Recovery Mechanism for Forgotten Password**                        | (640) Weak Password Recovery Mechanism for Forgotten Password                                                | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(75) Prototype Pollution**                                                            | (1321) Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')             |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(76) Regular Expression Denial of Service (ReDoS)**                                   | (400) Uncontrolled Resource Consumption                                                                      |                                                                                   | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(77) Improper Neutralization of Directives in Statically Saved Code**                 | (96) Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')                | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   | Python                              |
|                                                                                         |                                                                                                              |                                                                                   | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(78) GraphQL Injection**                                                              | (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')                    | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(79) NoSQL Injection**                                                                | (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')                    | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   | Apex                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(80) XML internal entity expansion**                                                  | (776) Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')                   | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration                  | <p>JavaScript,<br>TypeScript</p>    |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(81) Inadequate Padding for Public Key Encryption**                                   | (326) Inadequate Encryption Strength                                                                         | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures                     | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(82) File Inclusion**                                                                 | (98) Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | PHP                                 |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(83) Broken User Authentication**                                                     | (287) Improper Authentication                                                                                | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | Python                              |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
| **(84) Insecure File Permissions**                                                      | (732) Incorrect Permission Assignment for Critical Resource                                                  | SANS/CWE Top 25                                                                   | Python                              |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(85) Improper Handling of Insufficient Permissions or Privileges**                    | (280) Improper Handling of Insufficient Permissions or Privileges                                            | OWASP Top Ten 2021 Category A04:2021 - Insecure Design                            | Python                              |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(86) Arbitrary File Write via Archive Extraction (Tar Slip)**                         | (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')                          | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control                      | Python                              |
|                                                                                         |                                                                                                              | SANS/CWE Top 25                                                                   |                                     |
| **(87) Improperly Controlled Modification of Dynamically-Determined Object Attributes** | (915) Improperly Controlled Modification of Dynamically-Determined Object Attributes                         | OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures       | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
| **(88) Unsafe Reflection**                                                              | (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')                     | OWASP Top Ten 2021 Category A03:2021 - Injection                                  | Ruby                                |
|                                                                                         |                                                                                                              |                                                                                   |                                     |
