SAST

JFrog Advanced Security SAST engine is a local, fast, and accurate static application security testing solution that enables developers to identify and fix security issues early in the development process. Our solution runs directly on your local environment, minimizing delays and maintaining data privacy. It is designed for developers, with out-of-the-box functionality, low false positives, and easy integration into your workflow.

Key Benefits of JFrog SAST

  • Speed & Efficiency: JFrog SAST runs locally on developers’ machines and CI servers, scanning at a speed of approximately 2,000 lines of code per second. This enables rapid scans while maintaining high-quality analysis and low false positive rates, thanks to its cross-file and data flow analysis.
  • Accuracy: Our SAST engine performs comprehensive cross-file analysis, tracing the data flow from the source to the sink. This allows us to accurately detect vulnerabilities while minimizing noise and false positives. Our proprietary fingerprint algorithm ensures that vulnerabilities marked as ignored won’t reappear because of irrelevant code changes such as added spaces or new lines, an issue many competing tools have.
  • OWASP Top 10 & Beyond: JFrog SAST covers the OWASP Top 10 vulnerabilities and goes beyond by identifying additional critical security risks, helping developers secure their code at the earliest stages.
  • Developer-Centric: With zero configuration required out of the box, JFrog SAST integrates seamlessly into your workflow through IDE plugins, CLI tools, and Frogbot. It gives developers easy access to actionable findings without interrupting their development process. Security experts can also configure policies and watches to prioritize specific vulnerabilities for enforcement.
  • Local Security: JFrog SAST runs locally on your environment, ensuring that source code remains secure and does not need to be uploaded to external services for analysis. This maintains the privacy of your codebase.

How JFrog SAST Outperforms Competitors

  • Secure, private CI/CD integration: JFrog SAST integrates deeply into CI/CD pipelines, supporting multiple DevOps tools without requiring cloud-based services. It can run locally on your workstation or CI server, making it ideal for air-gapped and self-hosted environments.
  • Low False Positive Rate: Thanks to the cross-file analysis, JFrog SAST reduces the number of false positives and ensures that only genuine security risks are flagged. Developers no longer have to sift through irrelevant findings.
  • Accurate Fingerprint Algorithm: Our fingerprint algorithm ensures that once a vulnerability is marked as ignored, it won’t reappear in subsequent scans, even if non-relevant code changes occur (such as spaces or newlines). This eliminates the need for security experts to repeatedly reassess issues they have already triaged.
  • Data Flow Analysis: JFrog SAST tracks the flow of data within your code, providing visibility into how vulnerabilities propagate from source functions to sinks. This enables both developers and security experts to quickly identify and understand potential security risks.
  • Actionable Fixes: Each vulnerability is accompanied by clear, actionable steps on how to fix or mitigate the issue. Developers can follow these steps to quickly resolve vulnerabilities and enhance the overall security of their code.
  • Customizable Policies: Developers can configure severity thresholds and apply specific policies to decide which vulnerabilities trigger alerts. This customization gives teams more control over their scanning process, ensuring that only the most critical issues are prioritized.
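
The source-to-sink tracking, formatting-insensitive fingerprint and severity policy described in the lists above, as an added worked example in Python. This is illustrative code written for this page, not JFrog's engine or its fingerprint algorithm: the source (request.args.get), the sanitizer (shlex.quote) and the sink list are assumptions chosen for the demo, the sample program is constructed, and only the rule IDs and severities come from the page's Python rule table. It also adds a minimal cross-function step (a function whose return value is tainted becomes a source for its callers) to show what the "cross-functional" context in the Analysis capabilities section means in practice.

```python
"""Toy taint tracker with formatting-insensitive finding fingerprints: an added illustration
of the page's source-to-sink, cross-function, fingerprint and policy points, not JFrog's
engine. Sources, sinks and sanitizers are assumed for the demo; rule IDs come from the page."""
import ast, hashlib
from collections import namedtuple

SOURCES = {"request.args.get"}      # assumed: untrusted input
SANITIZERS = {"shlex.quote"}        # assumed: makes a value safe for os.system
SINKS = {                           # dotted call name -> (rule id, severity)
    "os.system": ("python-command-injection", "High"),
    "redirect": ("python-open-redirect", "Low"),
}
RANK = {"Low": 1, "Medium": 2, "High": 3}
Finding = namedtuple("Finding", "rule severity function line fingerprint")

def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def is_tainted(expr, tainted, sources):
    """True if untrusted data can reach the value of this expression."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SANITIZERS or name in sources:
            return name in sources      # sanitizer output is trusted, a source is not
        return any(is_tainted(a, tainted, sources) for a in expr.args)
    return any(is_tainted(c, tainted, sources) for c in ast.iter_child_nodes(expr))

def walk_taint(fn, sources):
    tainted = set()                     # straight-line walk: branches and loops not modelled
    for stmt in fn.body:
        if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted, sources):
            tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        yield stmt, tainted

def fingerprint(rule, func_name, stmt):
    """Hash rule, function and the sink statement as re-printed by ast.unparse, which
    drops spacing and comments, so formatting-only edits leave the hash unchanged."""
    key = f"{rule}|{func_name}|{ast.unparse(stmt)}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def scan(source):
    """Report every sink call reached by tainted data, in source order."""
    fns = [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]
    sources, findings = set(SOURCES), []
    for fn in fns:
        for stmt, tainted in walk_taint(fn, sources):
            # Cross-function: a function returning tainted data becomes a source for callers.
            if isinstance(stmt, ast.Return) and stmt.value is not None \
                    and is_tainted(stmt.value, tainted, sources):
                sources.add(fn.name)    # one pass, so callees must precede callers here
            for call in (c for c in ast.walk(stmt) if isinstance(c, ast.Call)):
                hit = SINKS.get(dotted_name(call.func))
                if hit and any(is_tainted(a, tainted, sources) for a in call.args):
                    findings.append(Finding(*hit, fn.name, stmt.lineno,
                                            fingerprint(hit[0], fn.name, stmt)))
    return findings

def enforce(findings, min_severity="Medium", ignored=frozenset()):
    """Policy gate: severity at or above the threshold and not already triaged."""
    return [f for f in findings
            if RANK[f.severity] >= RANK[min_severity] and f.fingerprint not in ignored]

# Constructed sample (not from the page) and the same program after a formatting pass.
ORIGINAL = '''import os, shlex
from flask import request, redirect
def get_cmd():
    return request.args.get("cmd")
def run():
    cmd = get_cmd()
    os.system("ls " + shlex.quote(cmd))
    os.system(cmd)
    return redirect(request.args.get("next"))
'''
REFORMATTED = '''import os, shlex
from flask import request, redirect
def get_cmd():
    return request.args.get( "cmd" )

def run():
    cmd  =  get_cmd()   # user controlled
    os.system("ls " + shlex.quote(cmd))

    os.system( cmd )
    return redirect( request.args.get("next") )
'''

def demo():
    before, after = scan(ORIGINAL), scan(REFORMATTED)
    return {"rules": [f.rule for f in before],
            "lines": ([f.line for f in before], [f.line for f in after]),
            "stable": [f.fingerprint for f in before] == [f.fingerprint for f in after],
            "enforced": [f.rule for f in enforce(before, "Medium")],
            "after_triage": enforce(before, "Medium", {before[0].fingerprint})}
```

Calling demo() reports two findings in ORIGINAL (the command injection at line 8 and the open redirect at line 9) and the same two in REFORMATTED at lines 10 and 11, with identical fingerprints because the hash is computed over the re-printed statement rather than its position or spacing; the os.system call that goes through shlex.quote is not reported. A Medium threshold keeps only the High command injection, and adding that finding's fingerprint to the ignore set empties the list, which is the triage workflow the fingerprint is meant to support.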

Prerequisites

Language support

Language | Supported Frameworks | Supported Libraries | Not Supported
PHP | Laravel, Symfony, CodeIgniter, Yii2, WordPress | Guzzle, PDO |
Python | Flask, Django, FastAPI | SQLAlchemy, psycopg2, MySQLdb, mysql.connector, pymongo, requests, bleach, tkinter, pandas, numpy | Python 1.x, 2.x
JavaScript | Express.js, Koa, Fastify, NestJS | mysql / mysql2, pg, mongodb, sequelize, knex, sqlite3, redis, axios, node-fetch, request, needle, ws, DOMPurify, escape-html, xss, sanitize-html, validator, lodash, Handlebars, EJS, Pug, Mustache, multiparty, formidable, unified, path-sanitizer, sanitize-filename, sqlstring | JSX
TypeScript | Express.js, Koa, Fastify, NestJS | Same as JavaScript libraries | TSX
Java | Spring Framework, JAX-RS, Micronaut, Struts, Vaadin, Wicket, Grails, Seam, Atmosphere | Hibernate, JPA, MyBatis, OWASP ESAPI, Apache Commons, Thymeleaf, FreeMarker, Velocity, JSP templating | Legacy JSP (standalone only)
C# / .NET | ASP.NET Core, ASP.NET MVC, ASP.NET Web Forms, Nancy, ServiceStack, Blazor | Entity Framework, Dapper, NHibernate, PetaPoco, Microsoft AntiXss, Razor, Telerik UI, Infragistics, ComponentArt, log4net, NLog, Serilog, Microsoft.Extensions.Logging | ASPX (legacy templates only)
C / C++ | Pistache, Wt, Qt, MFC | SQLite3, MySQL C API, libpq, ODBC, mysqlpp, libpqxx, Boost, OpenSSL, Crypto++, Libgcrypt, pugixml, RapidJSON, nlohmann/json, TinyXML2, yaml-cpp, protobuf, FlatBuffers, Cap'n Proto, cereal |
Golang | Gin, Echo, Chi, Gorilla Mux, Beego, fasthttp, grpc | GORM, sqlx, pgx, go-sql-driver, go-redis, gocql, mongo-go-driver, viper | html/template (no taint-tracking support)
Rust | Actix-web, Rocket, Axum, Warp, Tide, Poem, Salvo, Hyper, Iron | Diesel, SQLx, tokio-postgres, rusqlite, mysql, mongodb, redis, tiberius, reqwest, hyper, surf, ureq, isahc, attohttpc, tokio, async-std, futures, serde_json, serde_yaml, bincode, postcard, rmp-serde, askama, tera, handlebars, maud, sailfish, liquid, minijinja, yarte, ammonia, base64, hex, clap, structopt, rdkafka, lapin, nats, tonic |

Analysis capabilities

Understanding the dependencies in the code (call flow, type propagation, constants, etc.) in the full-project context:

  • Cross-functional
  • Cross-file
  • Cross-module

Querying capabilities (custom queries)

Note: This feature is in Beta and subject to change.

Code queries can be built from types, constants, external API names, data reachability, control-flow dependencies and similar properties, with no limit on query complexity.

List of SAST Rules

JFrog SAST offers a comprehensive set of rules designed to identify security vulnerabilities across your codebase. These rules are mapped to the OWASP Top 10 vulnerabilities, as well as additional critical security issues beyond the OWASP Top 10. The mapping provides clear visibility into which specific vulnerabilities are being addressed and how they align with widely recognized security standards. In this section, you’ll find a detailed table of the SAST rules, and their corresponding OWASP categories, helping you better understand how JFrog SAST ensures your code is protected against the most critical security risks.

Python

Rule ID | Severity | CWE | OWASP Top 10 (2021)
python-code-injection | High | CWE-94 | A03
python-command-injection | High | CWE-78 | A03
python-ldap-injection | High | CWE-90 | A03
python-process-control | High | CWE-114 |
python-stored-code-injection | High | CWE-94 | A03
python-stored-command-injection | High | CWE-78 | A03
python-stored-ldap | High | CWE-90 | A03
python-sql-injection | High | CWE-89 | A03
python-unsafe-deserialization | High | CWE-502 | A08
python-xss | High | CWE-79 | A03
python-prompt-injection-rce | High | |
python-deno-insecure-permissions | High | CWE-276 | A01
python-docker-cli-privileged | High | CWE-250 |
python-podman-cli-privileged | High | CWE-250 |
python-firejail-noprofile | High | CWE-693 |
python-firejail-debuggers-allowed | High | CWE-693 |
python-nsjail-host-filesystem-access | High | CWE-22 | A01
python-nsjail-privilege-escalation | High | CWE-269 | A04
python-bwrap-root-binding | High | CWE-22 | A01
python-flatpak-host-filesystem-access | High | CWE-22 | A01
python-systemd-nspawn-root-bind | High | CWE-22 | A01
python-smolagents-local-rce | High | CWE-94 | A03
python-docker-sdk-privileged | High | CWE-250 |
python-docker-sdk-socket-mount | High | CWE-250 |
python-jinja2-escape-by-modification | High | CWE-94 | A03
python-pyyaml-unsafe-deserialization | High | CWE-502 | A08
python-eval-globals-injection | High | CWE-94 | A03
python-jinja2-globals-injection | High | CWE-94 | A03
python-evaluator-function-injection | High | CWE-94 | A03
python-cookie-poisoning | Medium | CWE-472 | A04
python-db-connection-string-injection | Medium | CWE-99 | A03
python-dos-by-sleep | Medium | CWE-400 |
python-elevate-access-privileges | Medium | CWE-284 | A01
python-http-header-injection | Medium | CWE-644 | A03
python-inadequate-padding | Medium | CWE-780 | A02
python-insecure-random | Medium | CWE-338 | A02
python-insecure-websocket | Medium | CWE-1385 |
python-no-encryption-in-connection-string | Medium | CWE-319 | A02
python-password-in-cookie | Medium | CWE-200 | A01
python-path-traversal | Medium | CWE-22 | A01
python-redos | Medium | CWE-1333 |
python-regex-injection | Medium | CWE-625 |
python-response-splitting | Medium | CWE-113 | A03
python-2nd-order-sql-injection | Medium | CWE-89 | A03
python-short-crypto-key | Medium | CWE-326 | A02
python-stored-path-traversal | Medium | CWE-22 | A01
python-stored-xpath | Medium | CWE-643 | A03
python-stored-xss | Medium | CWE-79 | A03
python-ssrf | Medium | CWE-918 | A10
python-ssti | Medium | CWE-1336 |
python-weak-crypto-algorithm | Medium | CWE-327 | A02
python-weak-ssl-protocol | Medium | CWE-327 | A02
python-xml-injection | Medium | CWE-91 | A03
python-xpath-injection | Medium | CWE-643 | A03
python-xslt-injection | Medium | CWE-91 | A03
python-xxe | Medium | CWE-611 | A05
python-tainted-os-command | Medium | CWE-78 | A03
python-stored-tainted-os-command | Medium | CWE-78 | A03
python-environment-variable-injection | Medium | CWE-74 | A03
python-unicode-case-mapping | Medium | CWE-178 |
python-missing-ssl-validation | Medium | CWE-295 | A07
python-unsafe-hash | Medium | CWE-328 | A02
python-flask-debug | Medium | CWE-1295 |
python-firejail-debug-mode | Medium | CWE-200 | A01
python-nsjail-network-sharing | Medium | CWE-284 | A01
python-nsjail-proc-writable | Medium | CWE-693 |
python-bwrap-network-sharing | Medium | CWE-284 | A01
python-chroot-misuse | Medium | CWE-693 |
python-docker-sdk-host-network | Medium | CWE-284 | A01
python-hardcoded-credentials | Low | CWE-798 | A07
python-insecure-port | Low | CWE-319 | A02
python-insecure-protocol | Low | CWE-319 | A02
python-open-redirect | Low | CWE-601 | A01
python-potential-redos | Low | CWE-1333 |
python-stored-cookie-poisoning | Low | CWE-472 | A04
python-stored-http-header-injection | Low | CWE-644 | A03
python-stored-redirect | Low | CWE-601 | A01
python-stored-response-splitting | Low | CWE-113 | A03
python-stack-trace-exposure | Low | CWE-209 | A04
python-parameter-injection | Low | CWE-88 | A03
python-stored-parameter-injection | Low | CWE-88 | A03
python-stored-environment-variable-injection | Low | CWE-74 | A03
python-externally-controllable-file-permissions | Low | CWE-732 |
python-weak-file-permissions | Low | CWE-732 |

Java

Rule ID | Severity | CWE | OWASP Top 10 (2021)
java-code-injection | High | CWE-94 | A03
java-command-injection | High | CWE-78 | A03
java-ldap-injection | High | CWE-90 | A03
java-process-control | High | CWE-114 |
java-sql-injection | High | CWE-89 | A03
java-stored-code-injection | High | CWE-94 | A03
java-stored-command-injection | High | CWE-78 | A03
java-stored-ldap | High | CWE-90 | A03
java-unsafe-deserialization | High | CWE-502 | A08
java-xss | High | CWE-79 | A03
java-jndi-injection | High | CWE-642 | A04
java-cookie-poisoning | Medium | CWE-472 | A04
java-db-connection-string-injection | Medium | CWE-99 | A03
java-dos-by-sleep | Medium | CWE-400 |
java-elevate-access-privileges | Medium | CWE-284 | A01
java-http-header-injection | Medium | CWE-644 | A03
java-inadequate-padding | Medium | CWE-780 | A02
java-insecure-random | Medium | CWE-338 | A02
java-insecure-websocket | Medium | CWE-1385 |
java-no-encryption-in-connection-string | Medium | CWE-319 | A02
java-password-in-cookie | Medium | CWE-200 | A01
java-path-traversal | Medium | CWE-22 | A01
java-redos | Medium | CWE-1333 |
java-regex-injection | Medium | CWE-625 |
java-response-splitting | Medium | CWE-113 | A03
java-2nd-order-sql-injection | Medium | CWE-89 | A03
java-short-crypto-key | Medium | CWE-326 | A02
java-ssrf | Medium | CWE-918 | A10
java-ssti | Medium | CWE-1336 |
java-stored-path-traversal | Medium | CWE-22 | A01
java-stored-reflection | Medium | CWE-470 | A03
java-stored-xpath | Medium | CWE-643 | A03
java-stored-xss | Medium | CWE-79 | A03
java-reflection | Medium | CWE-470 | A03
java-weak-crypto-algorithm | Medium | CWE-327 | A02
java-weak-ssl-protocol | Medium | CWE-327 | A02
java-xml-injection | Medium | CWE-91 | A03
java-xpath-injection | Medium | CWE-643 | A03
java-xslt-injection | Medium | CWE-91 | A03
java-xxe | Medium | CWE-611 | A05
java-unsafe-certificate | Medium | CWE-295 | A07
java-misconfig | Medium | CWE-933 |
java-stored-misconfig | Medium | CWE-933 |
java-hardcoded-credentials | Low | CWE-798 | A07
java-insecure-port | Low | CWE-319 | A02
java-insecure-protocol | Low | CWE-319 | A02
java-open-redirect | Low | CWE-601 | A01
java-potential-redos | Low | CWE-1333 |
java-stack-trace-exposure | Low | CWE-209 | A04
java-stored-cookie-poisoning | Low | CWE-472 | A04
java-stored-http-header-injection | Low | CWE-644 | A03
java-stored-redirect | Low | CWE-601 | A01
java-stored-response-splitting | Low | CWE-113 | A03
java-stored-trust-boundary | Low | CWE-501 | A04
java-trust-boundary | Low | CWE-501 | A04
java-javascript-enabled | Low | CWE-749 |

JavaScript

Rule ID | Severity | CWE | OWASP Top 10 (2021)
js-archive-slip | High | CWE-22 | A01
js-code-injection | High | CWE-94 | A03
js-command-injection | High | CWE-78 | A03
js-ldap-injection | High | CWE-90 | A03
js-process-control | High | CWE-114 |
js-sql-injection | High | CWE-89 | A03
js-unsafe-deserialization | High | CWE-502 | A08
js-xss | High | CWE-79 | A03
js-template-injection | High | CWE-73 | A04
js-dom-based-xss | High | CWE-79 | A03
js-dom-xss-angular | High | CWE-79 | A03
js-cookie-poisoning | Medium | CWE-472 | A04
js-db-connection-string-injection | Medium | CWE-99 | A03
js-dos-by-sleep | Medium | CWE-400 |
js-elevate-access-privileges | Medium | CWE-284 | A01
js-http-header-injection | Medium | CWE-644 | A03
js-inadequate-padding | Medium | CWE-780 | A02
js-insecure-random | Medium | CWE-338 | A02
js-insecure-websocket | Medium | CWE-1385 |
js-no-encryption-in-connection-string | Medium | CWE-319 | A02
js-password-in-cookie | Medium | CWE-200 | A01
js-path-traversal | Medium | CWE-22 | A01
js-redos | Medium | CWE-1333 |
js-regex-injection | Medium | CWE-625 |
js-response-splitting | Medium | CWE-113 | A03
js-short-crypto-key | Medium | CWE-326 | A02
js-ssrf | Medium | CWE-918 | A10
js-ssti | Medium | CWE-1336 |
js-weak-crypto-algorithm | Medium | CWE-327 | A02
js-weak-ssl-protocol | Medium | CWE-327 | A02
js-xml-injection | Medium | CWE-91 | A03
js-xpath-injection | Medium | CWE-643 | A03
js-xslt-injection | Medium | CWE-91 | A03
js-xxe | Medium | CWE-611 | A05
js-helper | Medium | |
js-lfi | Medium | CWE-98 | A03
js-remote-param-injection | Medium | CWE-88 | A03
js-unsafe-hash | Medium | CWE-328 | A02
js-insecure-cookie | Medium | CWE-614 | A05
js-http-only | Medium | CWE-1004 | A05
js-improper-samesite | Medium | CWE-1275 | A01
js-prototype-pollution | Medium | CWE-1321 |
js-hardcoded-credentials | Low | CWE-798 | A07
js-insecure-port | Low | CWE-319 | A02
js-insecure-protocol | Low | CWE-319 | A02
js-open-redirect | Low | CWE-601 | A01
js-potential-redos | Low | CWE-1333 |
js-stack-trace-exposure | Low | CWE-209 | A04
js-weak-json-token-encrypt | Low | CWE-347 | A02
js-dom-based-open-redirect | Low | CWE-601 | A01
js-express-without-helmet | Low | CWE-693 |
js-cors-misconfig | Low | CWE-942 | A05

Go

Rule ID | Severity | CWE | OWASP Top 10 (2021)
go-code-injection | High | CWE-94 | A03
go-command-injection | High | CWE-78 | A03
go-process-control | High | CWE-114 |
go-sql-injection | High | CWE-89 | A03
go-stored-code-injection | High | CWE-94 | A03
go-stored-command-injection | High | CWE-78 | A03
go-unsafe-deserialization | High | CWE-502 | A08
go-xss | High | CWE-79 | A03
go-improper-certificate-validation | High | CWE-295 | A07
go-insecure-tls | High | CWE-295 | A07
go-cookie-poisoning | Medium | CWE-472 | A04
go-db-connection-string-injection | Medium | CWE-99 | A03
go-dos-by-sleep | Medium | CWE-400 |
go-elevate-access-privileges | Medium | CWE-284 | A01
go-inadequate-padding | Medium | CWE-780 | A02
go-insecure-random | Medium | CWE-338 | A02
go-insecure-websocket | Medium | CWE-1385 |
go-no-encryption-in-connection-string | Medium | CWE-319 | A02
go-password-in-cookie | Medium | CWE-200 | A01
go-path-traversal | Medium | CWE-22 | A01
go-redos | Medium | CWE-1333 |
go-regex-injection | Medium | CWE-625 |
go-2nd-order-sql-injection | Medium | CWE-89 | A03
go-short-crypto-key | Medium | CWE-326 | A02
go-ssrf | Medium | CWE-918 | A10
go-ssti | Medium | CWE-1336 |
go-stored-path-traversal | Medium | CWE-22 | A01
go-stored-xpath | Medium | CWE-643 | A03
go-stored-xss | Medium | CWE-79 | A03
go-weak-crypto-algorithm | Medium | CWE-327 | A02
go-weak-ssl-protocol | Medium | CWE-327 | A02
go-xml-injection | Medium | CWE-91 | A03
go-xpath-injection | Medium | CWE-643 | A03
go-xxe | Medium | CWE-611 | A05
go-helper | Medium | |
go-cleartext-logging | Medium | CWE-312 | A04
go-weak-password-recovery | Medium | CWE-640 | A07
go-hardcoded-credentials | Low | CWE-798 | A07
go-insecure-port | Low | CWE-319 | A02
go-insecure-protocol | Low | CWE-319 | A02
go-open-redirect | Low | CWE-601 | A01
go-potential-redos | Low | CWE-1333 |
go-stack-trace-exposure | Low | CWE-209 | A04
go-stored-cookie-poisoning | Low | CWE-472 | A04
go-stored-redirect | Low | CWE-601 | A01
go-parameter-injection | Low | CWE-88 | A03
go-key-past-expiration | Low | CWE-322 | A02

C/C++

Rule ID | Severity | CWE | OWASP Top 10 (2021)
cpp-classic-buffer-overflow | High | CWE-120 |
cpp-command-injection | High | CWE-78 | A03
cpp-process-control | High | CWE-114 |
cpp-sql-injection | High | CWE-89 | A03
cpp-stored-command-injection | High | CWE-78 | A03
cpp-unsafe-deserialization | High | CWE-502 | A08
cpp-xss | High | CWE-79 | A03
cpp-cgi-xss | High | CWE-79 | A03
cpp-uncontrolled-format-string | High | CWE-134 |
cpp-tainted-write-size | High | CWE-129 |
cpp-write-buffer-size-mismatch | High | CWE-787 |
cpp-cookie-poisoning | Medium | CWE-472 | A04
cpp-db-connection-string-injection | Medium | CWE-99 | A03
cpp-dos-by-sleep | Medium | CWE-400 |
cpp-elevate-access-privileges | Medium | CWE-284 | A01
cpp-http-header-injection | Medium | CWE-644 | A03
cpp-inadequate-padding | Medium | CWE-780 | A02
cpp-insecure-random | Medium | CWE-338 | A02
cpp-insecure-websocket | Medium | CWE-1385 |
cpp-no-encryption-in-connection-string | Medium | CWE-319 | A02
cpp-password-in-cookie | Medium | CWE-200 | A01
cpp-path-traversal | Medium | CWE-22 | A01
cpp-redos | Medium | CWE-1333 |
cpp-regex-injection | Medium | CWE-625 |
cpp-response-splitting | Medium | CWE-113 | A03
cpp-2nd-order-sql-injection | Medium | CWE-89 | A03
cpp-short-crypto-key | Medium | CWE-326 | A02
cpp-ssrf | Medium | CWE-918 | A10
cpp-ssti | Medium | CWE-1336 |
cpp-stored-path-traversal | Medium | CWE-22 | A01
cpp-stored-xss | Medium | CWE-79 | A03
cpp-use-after-free | Medium | CWE-416 |
cpp-weak-crypto-algorithm | Medium | CWE-327 | A02
cpp-weak-ssl-protocol | Medium | CWE-327 | A02
cpp-xxe | Medium | CWE-611 | A05
cpp-cgi-stored-xss | Medium | CWE-79 | A03
cpp-tainted-read-size | Medium | CWE-129 |
cpp-read-buffer-size-mismatch | Medium | CWE-131 |
cpp-double-free | Medium | CWE-415 |
cpp-unsanitized-alloc-size | Medium | CWE-789 |
cpp-tainted-alloc-size | Medium | CWE-789 |
cpp-unsanitized-memory-read-offset | Medium | CWE-126 |
cpp-unsanitized-memory-write-offset | Medium | CWE-125 |
cpp-tainted-memory-read-offset | Medium | CWE-126 |
cpp-tainted-memory-write-offset | Medium | CWE-125 |
cpp-improper-certificate-validation | Medium | CWE-295 | A07
cpp-hardcoded-credentials | Low | CWE-798 | A07
cpp-insecure-port | Low | CWE-319 | A02
cpp-insecure-protocol | Low | CWE-319 | A02
cpp-potential-redos | Low | CWE-1333 |
cpp-stack-trace-exposure | Low | CWE-209 | A04
cpp-dangerous-functions | Low | CWE-242 |
cpp-off-by-one-in-allocation | Low | CWE-193 |
cpp-obsolete-functions | Internal | CWE-477 |

C#

Rule ID | Severity | CWE | OWASP Top 10 (2021)
cs-archive-slip | High | CWE-22 | A01
cs-code-injection | High | CWE-94 | A03
cs-command-injection | High | CWE-78 | A03
cs-ldap-injection | High | CWE-90 | A03
cs-process-control | High | CWE-114 |
cs-sql-injection | High | CWE-89 | A03
cs-stored-code-injection | High | CWE-94 | A03
cs-stored-command-injection | High | CWE-78 | A03
cs-stored-ldap | High | CWE-90 | A03
cs-unsafe-deserialization | High | CWE-502 | A08
cs-xss | High | CWE-79 | A03
cs-cookie-poisoning | Medium | CWE-472 | A04
cs-db-connection-string-injection | Medium | CWE-99 | A03
cs-dos-by-sleep | Medium | CWE-400 |
cs-elevate-access-privileges | Medium | CWE-284 | A01
cs-http-header-injection | Medium | CWE-644 | A03
cs-improper-xml-validation | Medium | CWE-112 |
cs-inadequate-padding | Medium | CWE-780 | A02
cs-insecure-random | Medium | CWE-338 | A02
cs-insecure-websocket | Medium | CWE-1385 |
cs-no-encryption-in-connection-string | Medium | CWE-319 | A02
cs-password-in-cookie | Medium | CWE-200 | A01
cs-path-traversal | Medium | CWE-22 | A01
cs-redos | Medium | CWE-1333 |
cs-regex-injection | Medium | CWE-625 |
cs-response-splitting | Medium | CWE-113 | A03
cs-2nd-order-sql-injection | Medium | CWE-89 | A03
cs-short-crypto-key | Medium | CWE-326 | A02
cs-ssrf | Medium | CWE-918 | A10
cs-ssti | Medium | CWE-1336 |
cs-stored-path-traversal | Medium | CWE-22 | A01
cs-stored-reflection | Medium | CWE-470 | A03
cs-stored-xpath | Medium | CWE-643 | A03
cs-stored-xss | Medium | CWE-79 | A03
cs-reflection | Medium | CWE-470 | A03
cs-weak-crypto-algorithm | Medium | CWE-327 | A02
cs-weak-ssl-protocol | Medium | CWE-327 | A02
cs-xml-injection | Medium | CWE-91 | A03
cs-xpath-injection | Medium | CWE-643 | A03
cs-xslt-injection | Medium | CWE-91 | A03
cs-xxe | Medium | CWE-611 | A05
cs-debug-logging-tracing-enabled | Medium | CWE-1295 |
cs-hardcoded-credentials | Low | CWE-798 | A07
cs-insecure-port | Low | CWE-319 | A02
cs-insecure-protocol | Low | CWE-319 | A02
cs-open-redirect | Low | CWE-601 | A01
cs-potential-redos | Low | CWE-1333 |
cs-stack-trace-exposure | Low | CWE-209 | A04
cs-stored-cookie-poisoning | Low | CWE-472 | A04
cs-stored-http-header-injection | Low | CWE-644 | A03
cs-stored-redirect | Low | CWE-601 | A01
cs-stored-response-splitting | Low | CWE-113 | A03

Rust

Rule ID | Severity | CWE | OWASP Top 10 (2021)
rust-classic-buffer-overflow | High | CWE-120 |
rust-command-injection | High | CWE-78 | A03
rust-redis-lua-script-injection | High | CWE-94 | A03
rust-sql-injection | High | CWE-89 | A03
rust-stored-command-injection | High | CWE-78 | A03
rust-unsafe-deserialization | High | CWE-502 | A08
rust-xss | High | CWE-79 | A03
rust-elevate-access-privileges | Medium | CWE-284 | A01
rust-insecure-websocket | Medium | CWE-1385 |
rust-nosql-injection | Medium | CWE-89 | A03
rust-path-traversal | Medium | CWE-22 | A01
rust-2nd-order-sql-injection | Medium | CWE-89 | A03
rust-ssrf | Medium | CWE-918 | A10
rust-stored-path-traversal | Medium | CWE-22 | A01
rust-stored-redis-lua-script-injection | Medium | CWE-94 | A03
rust-stored-xss | Medium | CWE-79 | A03
rust-use-after-free | Medium | CWE-416 |
rust-hardcoded-credentials | Low | CWE-798 | A07
rust-insecure-port | Low | CWE-319 | A02
rust-insecure-protocol | Low | CWE-319 | A02
rust-stored-nosql-injection | Low | CWE-89 | A03

PHP

Rule ID | Severity | CWE | OWASP Top 10 (2021)
php-code-injection | High | CWE-94 | A03
php-command-injection | High | CWE-78 | A03
php-sql-injection | High | CWE-89 | A03
php-stored-code-injection | High | CWE-94 | A03
php-stored-command-injection | High | CWE-78 | A03
php-xss | High | CWE-79 | A03
php-dos-by-sleep | Medium | CWE-400 |
php-insecure-random | Medium | CWE-338 | A02
php-no-encryption-in-connection-string | Medium | CWE-319 | A02
php-path-traversal | Medium | CWE-22 | A01
php-2nd-order-sql-injection | Medium | CWE-89 | A03
php-ssrf | Medium | CWE-918 | A10
php-stored-path-traversal | Medium | CWE-22 | A01
php-stored-xss | Medium | CWE-79 | A03
php-xxe | Medium | CWE-611 | A05
php-hardcoded-credentials | Low | CWE-798 | A07
php-insecure-protocol | Low | CWE-319 | A02
php-insecure-port | Low | CWE-319 | A02
php-open-redirect | Low | CWE-601 | A01
php-stack-trace-exposure | Low | CWE-209 | A04
php-stored-redirect | Low | CWE-601 | A01