{
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
  "runs": [
    {
      "invocations": [
        {
          "executionSuccessful": true,
          "toolExecutionNotifications": [
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line scripts/check-caiq-citations.mjs:36:\n `/<!--\\s*\\[planned-marker:WS-(\\d{2})\\]\\s*-->/g;\n\n// ---- C-c: content-state predicate map ----\n\n/**\n * Each entry returns true iff the named workstream has shipped its public-facing\n * surface — meaning any `[planned-marker:WS-NN]` in CAIQ/FAQ source is now stale\n * and should be replaced with a live citation.\n *\n * Convention: when a workstream ships its public-facing artefacts, the implementer\n * adds a predicate here AND removes the corresponding `[planned — see WS-NN]` /\n * `[planned-marker:WS-NN]` markers from the CAIQ source. If they forget step 2,\n * C-c on the next main-branch CI run catches it and fails the build.\n */\nexport const` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/lib/recommendations/generators/validationGaps.ts:71:\n `satisfies ApplyValidationRuleMeta` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line scripts/upgrade-igk0-overnight.sh:230:\n `/ 60` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/pages/PortalAnalysis.tsx:244:\n `import(\"@/components/portal-analysis/HubSpotTierIndicator\").` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line supabase/functions/analyze-properties/index.ts:281:\n `import(\"./types.ts\").` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line scripts/worktree-new.sh:8:\n `<` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line supabase/functions/spot-check-accounts/index.ts:517:\n `satisfies SpotCheckResponse` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/types/analysis.ts:206:\n `?` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/services/PropertyChangeTracker.ts:171:\n `new:` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line scripts/build-caiq.mjs:1:\n `#!/usr/bin/env node\n/**\n * Build CAIQ v4.0.3 deliverables from docs/legal/caiq-v4.md.\n *\n * Outputs (3):\n *   public/trust/caiq-v4.pdf  (jsPDF; deterministic)\n *   public/trust/caiq-v4.csv  (RFC 4180; no copyright row — comments illegal in CSV)\n *   public/trust/caiq-v4-csa-licensed.txt  (committed; static; CSA copyright companion)\n *\n * Validation gates (G1-G9):\n *   G1: yaml block presence per question\n *   G2: required keys + answer/SSRM enum + N/A → blank SSRM\n *   G3: heading id matches yaml id\n *   G4: out-of-scope answers carry the verbatim phrase\n *   G5: uncertain answers carry the verbatim phrase\n *   G6: every [planned — see WS-NN] paired with HTML marker comment\n *   G7: legal-tinted CCM domains require founderReviewed timestamp\n *   G8: answer prose excludes tables, code blocks, headings (jsPDF render-safety)\n *   G9: PDF cover + companion .txt carry CSA copyright (XLSX surface dropped 2026-05-05)\n *\n * Per founder decision 2026-05-05, STAR Level 1 submission is deferred until\n * a buyer asks. The build pipeline does NOT produce an XLSX output.\n */\nimport { readFileSync, writeFileSync, existsSync } from \"node:fs\";\nimport { createHash } from \"node:crypto\";\nimport { jsPDF } from \"jspdf\";\nimport { parseCaiq } from \"./lib/caiq-parse.mjs\";\nimport { checkPageBreak } from \"./lib/pdf-primitives.mjs\";\n\nconst SOURCE = \"docs/legal/caiq-v4.md\";\nconst PDF_OUT = \"public/trust/caiq-v4.pdf\";\nconst CSV_OUT = \"public/trust/caiq-v4.csv\";\nconst TXT_OUT = \"public/trust/caiq-v4-csa-licensed.txt\";\nconst FAQ_SOURCE = \"docs/legal/nordscope-security-faq.md\";\nconst FAQ_PDF_OUT = \"public/trust/nordscope-security-faq.pdf\";\n\n// G10 — section (a) of the NordScope Security FAQ MUST NOT contain explicit\n// liability-disclosure language. 
Liability terms are deferred to deal-time DPA\n// + MSA per spec S7 AC6 (2026-05-04 scope-narrowing decision).\nconst LIABILITY_DISCLOSURE_RE = /(unlimited|limited to|liability.*shall|liable for|liability.*cap)/i;\n\nconst OUT_OF_SCOPE_PHRASE = \"Out of scope — see the ISMS scope statement\";\nconst UNCERTAIN_PHRASE = \"[uncertain — pending verification]\";\nconst VALID_ANSWERS = new Set([\"Yes\", \"No\", \"N/A\"]);\nconst VALID_SSRM = new Set([\n  \"CSP-owned\",\n  \"CSC-owned\",\n  \"Third-party outsourced\",\n  \"Shared CSP and CSC\",\n  \"Shared CSP and third party\",\n]);\nconst REQUIRED_YAML_KEYS = [\"id\", \"domain\", \"controlId\", \"answer\", \"status\", \"evidence\", \"lastEdited\"];\n\nexport const CSA_COPYRIGHT = `© Copyright 2023 Cloud Security Alliance — All rights reserved.\nCloud Security Alliance Consensus Assessments Initiative Questionnaire Version 4.0.3.\nPersonal, informational, non-commercial use only. May not be modified, altered, or redistributed.\nhttps://cloudsecurityalliance.org/`;\n\nexport function runValidationGates(source) {\n  const { meta, questions } = parseCaiq(source);\n\n  // G1: yaml block presence — verify every ### Q- heading has a matching question block\n  const headings = [...source.matchAll(/^### Q-([A-Z&]+-\\d+\\.\\d+):/gm)];\n  if (headings.length !== questions.length) {\n    const headingIds = new Set(headings.map((h) => h[1]));\n    const parsedIds = new Set(questions.map((q) => q.id));\n    for (const id of headingIds) {\n      if (!parsedIds.has(id)) throw new Error(`G1: Q-${id} heading has no fenced yaml block`);\n    }\n  }\n\n  for (const q of questions) {\n    // G2: required keys + answer/SSRM enum + N/A → blank SSRM\n    for (const key of REQUIRED_YAML_KEYS) {\n      if (q.yaml[key] === undefined) throw new Error(`G2: Q-${q.id} missing ${key}`);\n    }\n    if (!VALID_ANSWERS.has(q.yaml.answer)) {\n      throw new Error(`G2: Q-${q.id} answer \"${q.yaml.answer}\" not in {Yes,No,N/A}`);\n    }\n    if 
(q.yaml.answer === \"N/A\") {\n      if (q.yaml.ssrm) throw new Error(`G2: Q-${q.id} N/A answer must have blank ssrm`);\n    } else {\n      if (!q.yaml.ssrm) throw new Error(`G2: Q-${q.id} ${q.yaml.answer} answer requires ssrm`);\n      if (!VALID_SSRM.has(q.yaml.ssrm)) {\n        throw new Error(`G2: Q-${q.id} ssrm \"${q.yaml.ssrm}\" not in canonical 5`);\n      }\n    }\n    if (!Array.isArray(q.yaml.evidence) || q.yaml.evidence.length === 0) {\n      throw new Error(`G2: Q-${q.id} evidence must be non-empty array`);\n    }\n    // G3: heading id matches yaml id\n    if (q.yaml.id !== q.id) {\n      throw new Error(`G3: Q-${q.id} heading id mismatches yaml id (${q.yaml.id})`);\n    }\n    // G4: out-of-scope verbatim phrase\n    if (q.yaml.status === \"out-of-scope\" && !q.body.includes(OUT_OF_SCOPE_PHRASE)) {\n      throw new Error(`G4: Q-${q.id} out-of-scope answer missing verbatim phrase`);\n    }\n    // G5: uncertain verbatim phrase\n    if (q.yaml.status === \"uncertain\" && !q.body.includes(UNCERTAIN_PHRASE)) {\n      throw new Error(`G5: Q-${q.id} uncertain answer missing verbatim phrase`);\n    }\n    // G6: planned-marker pairing + shape validation (strict, both directions)\n    //\n    // Forward (since 2026-05-04): every visible `[planned — see WS-NN]` must have\n    // a paired HTML comment marker. Catches dangling visible references.\n    //\n    // Shape (added 2026-05-22 with ADR-008): every `<!-- [planned-marker:X] -->`\n    // HTML comment must have X ∈ {WS-NN, unscoped}. 
Catches typo'd tags (`WS-NN`\n    // missing closing bracket, malformed body, unknown tag), which the CSV stripper\n    // would otherwise silently swallow.\n    //\n    // Inverse (tightened 2026-05-22 Track C, closes #1414): every `WS-NN` HTML\n    // marker must have a matching `[planned — see WS-NN]` visible-text reference.\n    // `unscoped` markers are exempt by design — their visible-text counterpart is\n    // bare `[planned]` (no attribution), with the deferral justification in ADR-008.\n    // The previous shape-only relaxation was temporary while 23 orphan WS-NN markers\n    // (created by PR #1364's visible-text strip) were audited. Track C reconciled\n    // those orphans; this strict check is now the load-bearing invariant for marker\n    // accounting and prevents future PRs from silently introducing new orphans.\n    // Forward direction: visible `[planned — see WS-NN]` → paired HTML comment.\n    // Marker form for WS-NN is the plain form (no trailing annotation inside the\n    // comment); unscoped markers carry the ` — see ADR-008` annotation. 
The\n    // form-asymmetry guard in the inverse pass below prevents WS-NN markers\n    // from accidentally growing annotations that the forward `includes()` would\n    // then miss (caught by feature-dev:code-reviewer 2026-05-22).\n    for (const m of q.body.matchAll(/\\[planned — see WS-(\\d{2})\\]/g)) {\n      const ws = m[1];\n      if (!q.body.includes(`<!-- [planned-marker:WS-${ws}] -->`)) {\n        throw new Error(`G6: Q-${q.id} [planned — see WS-${ws}] missing paired marker comment`);\n      }\n    }\n    // Inverse direction: every HTML marker → enum + form + visible-text pairing.\n    // Capture trailing content separately so we can enforce WS-NN plain-form.\n    for (const m of q.body.matchAll(/<!--\\s*\\[planned-marker:([^\\]]+)\\]([^>]*)-->/g)) {\n      const tag = m[1].trim();\n      const trailing = m[2].trim();\n      if (tag === \"unscoped\") continue; // unscoped allows annotation (see ADR-008)\n      if (!/^WS-\\d{2}$/.test(tag)) {\n        throw new Error(`G6: Q-${q.id} <!-- [planned-marker:${tag}] --> tag not in allowed enum {WS-NN, unscoped}`);\n      }\n      if (trailing !== \"\") {\n        throw new Error(`G6: Q-${q.id} <!-- [planned-marker:${tag}]${m[2]} --> WS-NN markers must be plain-form (no trailing annotation inside the comment; only unscoped markers may carry annotations)`);\n      }\n      if (!q.body.includes(`[planned — see ${tag}]`)) {\n        throw new Error(`G6: Q-${q.id} <!-- [planned-marker:${tag}] --> has no paired visible-text [planned — see ${tag}]`);\n      }\n    }\n    // G7: founder-review gate (legal-tinted CCM domains)\n    const prefix = q.id.split(\"-\")[0];\n    if ((meta.founderReviewedDomains || []).includes(prefix)) {\n      if (!q.yaml.founderReviewed) {\n        throw new Error(`G7: Q-${q.id} legal-tinted (${prefix}) missing founderReviewed`);\n      }\n      if (!/^\\d{4}-\\d{2}-\\d{2}$/.test(q.yaml.founderReviewed)) {\n        throw new Error(`G7: Q-${q.id} founderReviewed format invalid: 
\"${q.yaml.founderReviewed}\"`);\n      }\n      if (q.yaml.founderReviewed < q.yaml.lastEdited) {\n        throw new Error(\n          `G7: Q-${q.id} founderReviewed (${q.yaml.founderReviewed}) precedes lastEdited (${q.yaml.lastEdited})`\n        );\n      }\n    }\n    // G8: answer prose construct precedence\n    if (/^\\|[^\\n]+\\|/m.test(q.body)) throw new Error(`G8: Q-${q.id} answer contains table (unsupported)`);\n    if (/^```/m.test(q.body)) throw new Error(`G8: Q-${q.id} answer contains code block (unsupported)`);\n    if (/^#{1,6}\\s/m.test(q.body)) throw new Error(`G8: Q-${q.id} answer contains heading (unsupported)`);\n  }\n  return { meta, questions };\n}\n\nfunction deterministicFileId(source) {\n  return createHash(\"sha256\").update(source).digest(\"hex\").slice(0, 32).toUpperCase();\n}\n\n// FAQ parsing: front matter + intro + per-section (id, title, paragraphs).\n// Section headings match `## (a) Section title` ... `## (j) Section title`.\nexport function parseFaq(source) {\n  const fmMatch = source.match(/^---\\r?\\n([\\s\\S]*?)\\r?\\n---/);\n  if (!fmMatch) throw new Error(\"FAQ: missing front-matter\");\n  const frontMatter = {};\n  for (const line of fmMatch[1].split(\"\\n\")) {\n    const kv = line.match(/^(\\w+):\\s*(.+)$/);\n    if (kv) frontMatter[kv[1]] = kv[2].trim();\n  }\n  const body = source.slice(fmMatch[0].length);\n  const sections = [];\n  const headingRe = /^##\\s+\\(([a-z])\\)\\s+(.+)$/gm;\n  const matches = [...body.matchAll(headingRe)];\n  for (let i = 0; i < matches.length; i++) {\n    const m = matches[i];\n    const id = m[1];\n    const title = m[2].trim();\n    const start = m.index + m[0].length;\n    const end = i + 1 < matches.length ? 
matches[i + 1].index : body.length;\n    const sectionBody = body.slice(start, end).trim();\n    const paragraphs = sectionBody\n      .split(/\\n{2,}/)\n      .map((p) => p.replace(/\\s+/g, \" \").trim())\n      .filter(Boolean);\n    sections.push({ id, title, paragraphs });\n  }\n  if (sections.length === 0) {\n    throw new Error(\"FAQ: no `## (x) ...` sections found\");\n  }\n  // Optional intro paragraph between H1 and first H2\n  const introMatch = body.match(/^#\\s+[^\\n]+\\n+([\\s\\S]*?)(?=\\n##\\s+\\([a-z]\\))/m);\n  const intro = introMatch ? introMatch[1].trim().replace(/\\s+/g, \" \") : \"\";\n  return { frontMatter, intro, sections };\n}\n\nexport function runG10Check(faqSource) {\n  const { sections } = parseFaq(faqSource);\n  const sectionA = sections.find((s) => s.id === \"a\");\n  if (!sectionA) throw new Error(\"G10: FAQ missing section (a)\");\n  const sectionAText = [sectionA.title, ...sectionA.paragraphs].join(\"\\n\");\n  if (LIABILITY_DISCLOSURE_RE.test(sectionAText)) {\n    throw new Error(\n      `G10: FAQ section (a) contains liability disclosure language matching ${LIABILITY_DISCLOSURE_RE} — defer to deal-time DPA per spec S7 AC6`\n    );\n  }\n}\n\nexport async function buildFaqPdfBuffer(faqSource) {\n  const { frontMatter, intro, sections } = parseFaq(faqSource);\n  runG10Check(faqSource);\n  const doc = new jsPDF({ compress: false });\n  doc.setProperties({ creationDate: new Date(frontMatter.lastReviewed + \"T00:00:00Z\") });\n  doc.setFileId(deterministicFileId(faqSource));\n  // Cover\n  doc.setFontSize(20);\n  doc.text(\"NordScope Security FAQ\", 20, 30);\n  doc.setFontSize(11);\n  doc.text(\"EU Sole-Trader SaaS Posture\", 20, 40);\n  doc.setFontSize(10);\n  doc.text(`Version: ${frontMatter.version || \"(unspecified)\"}`, 20, 55);\n  doc.text(`Last reviewed: ${frontMatter.lastReviewed || \"(unspecified)\"}`, 20, 62);\n  doc.text(`Next review due: ${frontMatter.nextReviewDue || \"(unspecified)\"}`, 20, 69);\n  let yPos = 85;\n  // 
Intro\n  if (intro) {\n    doc.setFontSize(10);\n    const introLines = doc.splitTextToSize(intro, 170);\n    doc.text(introLines, 20, yPos);\n    yPos += introLines.length * 5 + 6;\n  }\n  // Sections\n  for (const section of sections) {\n    yPos = checkPageBreak(doc, yPos + 4);\n    doc.setFontSize(13);\n    doc.setFont(\"helvetica\", \"bold\");\n    const heading = `(${section.id}) ${section.title}`;\n    doc.text(heading, 20, yPos);\n    yPos += 8;\n    doc.setFontSize(10);\n    doc.setFont(\"helvetica\", \"normal\");\n    for (const para of section.paragraphs) {\n      const lines = doc.splitTextToSize(para, 170);\n      yPos = checkPageBreak(doc, yPos);\n      doc.text(lines, 20, yPos);\n      yPos += lines.length * 5 + 4;\n    }\n  }\n  return Buffer.from(doc.output(\"arraybuffer\"));\n}\n\nexport async function buildPdfBuffer(source) {\n  const { meta, questions } = runValidationGates(source);\n  const doc = new jsPDF({ compress: false });\n  doc.setProperties({ creationDate: new Date(meta.lastReviewed + \"T00:00:00Z\") });\n  doc.setFileId(deterministicFileId(source));\n  // Cover\n  doc.setFontSize(20);\n  doc.text(\"CAIQ v4.0.3 Pre-Fill — PortalPilot by NordScope\", 20, 30);\n  doc.setFontSize(10);\n  doc.text(`Last reviewed: ${meta.lastReviewed}`, 20, 45);\n  doc.text(`Next review due: ${meta.nextReviewDue || \"(unspecified)\"}`, 20, 52);\n  // CSA copyright (G9)\n  doc.setFontSize(8);\n  CSA_COPYRIGHT.split(\"\\n\").forEach((line, i) => doc.text(line, 20, 270 + i * 4));\n  // Q&A pages — minimal placeholder layout (extended in chunks 2-5)\n  let yPos = 30;\n  for (const q of questions) {\n    doc.addPage();\n    yPos = 30;\n    doc.setFontSize(11);\n    doc.setFont(\"helvetica\", \"bold\");\n    const title = `Q-${q.id}: ${q.text.slice(0, 100)}${q.text.length > 100 ? 
\"…\" : \"\"}`;\n    doc.text(title, 20, yPos);\n    yPos += 8;\n    doc.setFontSize(9);\n    doc.setFont(\"helvetica\", \"normal\");\n    doc.text(`Answer: ${q.yaml.answer}${q.yaml.ssrm ? `  |  SSRM: ${q.yaml.ssrm}` : \"\"}`, 20, yPos);\n    yPos += 8;\n    yPos = checkPageBreak(doc, yPos);\n  }\n  return Buffer.from(doc.output(\"arraybuffer\"));\n}\n\nexport function buildCsv(questions) {\n  const rows = [\n    [\n      \"ID\",\n      \"Domain\",\n      \"Control ID\",\n      \"Question\",\n      \"Answer\",\n      \"SSRM\",\n      \"CSP Implementation\",\n      \"CSC Responsibilities\",\n      \"Evidence\",\n      \"Status\",\n    ],\n  ];\n  for (const q of questions) {\n    // Lookahead tolerates 1+ newlines between CSP and CSC sections — a single-newline\n    // separator (\\n) would otherwise cause CSP to absorb the entire CSC section.\n    // Caught by Mistral chunk review 2026-05-05 (Critical #3).\n    const cspMatch = q.body.match(\n      /\\*\\*CSP Implementation Description\\.?\\*\\*\\s*([\\s\\S]*?)(?=\\n+\\*\\*CSC|$)/\n    );\n    const cscMatch = q.body.match(/\\*\\*CSC Responsibilities\\.?\\*\\*\\s*([\\s\\S]*?)$/);\n    // Strip [planned-marker:*] HTML comments — they are source-side citation\n    // tags read by scripts/check-caiq-citations.mjs + runbook §CAIQ review\n    // cadence, NOT customer-facing content. 
Leaving them in the CSV exposes\n    // internal workstream IDs (and ADR references for `unscoped` markers — see\n    // ADR-008) to procurement reviewers (audit 2026-05-21 + 2026-05-22).\n    // Matches:\n    //   <!-- [planned-marker:WS-NN] -->                    (ws-attributed)\n    //   <!-- [planned-marker:unscoped] — see ADR-008 -->  (tracked-but-unscoped)\n    const stripMarkers = (s) =>\n      s.replace(/<!--\\s*\\[planned-marker:[^\\]]+\\][^>]*-->\\s*/g, \"\").trim();\n    rows.push([\n      q.id,\n      q.yaml.domain,\n      q.yaml.controlId,\n      q.text,\n      q.yaml.answer || \"\",\n      q.yaml.ssrm || \"\",\n      stripMarkers(cspMatch?.[1] || \"\"),\n      stripMarkers(cscMatch?.[1] || \"\"),\n      (q.yaml.evidence || []).join(\" | \"),\n      q.yaml.status,\n    ]);\n  }\n  // RFC 4180: every field quoted; embedded quotes doubled; CRLF line endings\n  return rows.map((r) => r.map((c) => `\"${String(c).replace(/\"/g, '\"\"')}\"`).join(\",\")).join(\"\\r\\n\");\n}\n\nasync function main() {\n  const source = readFileSync(SOURCE, \"utf8\");\n  const { meta, questions } = runValidationGates(source);\n  // PDF determinism self-test removed 2026-05-20 (closes #1350). jsPDF's\n  // fileId/creationDate randomness is empirically non-deterministic across\n  // some runtime conditions — same reason the FAQ PDF self-test was dropped\n  // (see comment below lines ~325-329). 
Minor byte-level drift between\n  // renders doesn't change reader-perceived content; validation gates G1-G10\n  // cover semantic correctness, which is what procurement reviewers verify.\n  const buf1 = await buildPdfBuffer(source);\n  writeFileSync(PDF_OUT, buf1);\n  writeFileSync(CSV_OUT, buildCsv(questions));\n  // G9 verification — txt file is committed; verify presence + CSA attribution\n  if (!existsSync(TXT_OUT)) {\n    throw new Error(`G9: ${TXT_OUT} missing — commit the static CSA license companion file`);\n  }\n  const txt = readFileSync(TXT_OUT, \"utf8\");\n  if (!txt.includes(\"Cloud Security Alliance\")) {\n    throw new Error(`G9: ${TXT_OUT} missing CSA attribution`);\n  }\n  // FAQ render — G10 is enforced inside buildFaqPdfBuffer (parser + section-(a) liability check).\n  // No determinism self-test on the FAQ output: jsPDF's text shaping via splitTextToSize() is\n  // empirically non-deterministic across some Node/runtime conditions (observed on the Coolify\n  // production runner; v3.54.0 happened to pass, v3.54.1+v3.55.0 builds failed). Minor byte-level\n  // drift between renders does not change reader-perceived content. The CAIQ PDF retains its\n  // determinism self-test (above) because that surface IS deterministic in practice.\n  if (existsSync(FAQ_SOURCE)) {\n    const faqSource = readFileSync(FAQ_SOURCE, \"utf8\");\n    const faqBuf = await buildFaqPdfBuffer(faqSource);\n    writeFileSync(FAQ_PDF_OUT, faqBuf);\n    console.log(\n      `Built ${questions.length} CAIQ questions → caiq-v4.pdf + caiq-v4.csv | NordScope FAQ → nordscope-security-faq.pdf. lastReviewed=${meta.lastReviewed}.`\n    );\n  } else {\n    console.log(\n      `Built ${questions.length} questions → caiq-v4.pdf + caiq-v4.csv (txt is static, committed). lastReviewed=${meta.lastReviewed}.`\n    );\n  }\n}\n\nif (import.meta.url === `file://${process.argv[1]}`) {\n  main().catch((e) => {\n    console.error(e.message);\n    process.exit(1);\n  });\n}\n` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line supabase/functions/portal-repair/index.ts:80:\n `satisfies RepairReport` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/pages/DesignSystem.tsx:83:\n `return (\n    <div className=\"min-h-screen bg-background\">\n      {/* Header */}\n      <header className=\"border-b border-border bg-card sticky top-0 z-10\">\n        <div className=\"container mx-auto px-4 py-4\">\n          <div className=\"flex items-center gap-4\">\n            <Link to=\"/dashboard\">\n              <Button variant=\"ghost\" size=\"sm\">\n                <ArrowLeft className=\"h-4 w-4 mr-2\" />\n                Back\n              </Button>\n            </Link>\n            <div>\n              <h1 className=\"text-xl font-semibold text-foreground\">Design System</h1>\n              <p className=\"text-sm text-muted-foreground\">Semantic tokens, patterns, and components</p>\n            </div>\n          </div>\n        </div>\n      </header>\n\n      <main className=\"container mx-auto px-4 py-8 space-y-8\">\n        {/* Overview */}\n        <Alert>\n          <Info className=\"h-4 w-4\" />\n          <AlertTitle>Design System Guidelines</AlertTitle>\n          <AlertDescription>\n            All colors must use semantic tokens. Direct Tailwind colors (e.g., <code className=\"font-mono text-xs bg-muted px-1 rounded\">text-green-500</code>) are forbidden. 
\n            Use tokens like <code className=\"font-mono text-xs bg-muted px-1 rounded\">text-success</code> instead.\n          </AlertDescription>\n        </Alert>\n\n        <Tabs defaultValue=\"colors\" className=\"space-y-4\">\n          <TabsList className=\"grid grid-cols-5 w-full max-w-2xl\">\n            <TabsTrigger value=\"colors\" className=\"gap-2\">\n              <Palette className=\"h-4 w-4\" />\n              Colors\n            </TabsTrigger>\n            <TabsTrigger value=\"semantic\" className=\"gap-2\">\n              <Layers className=\"h-4 w-4\" />\n              Semantic\n            </TabsTrigger>\n            <TabsTrigger value=\"typography\" className=\"gap-2\">\n              <Type className=\"h-4 w-4\" />\n              Typography\n            </TabsTrigger>\n            <TabsTrigger value=\"components\" className=\"gap-2\">\n              <Box className=\"h-4 w-4\" />\n              Components\n            </TabsTrigger>\n            <TabsTrigger value=\"patterns\" className=\"gap-2\">\n              <Code className=\"h-4 w-4\" />\n              Patterns\n            </TabsTrigger>\n          </TabsList>\n\n          {/* Colors Tab */}\n          <TabsContent value=\"colors\" className=\"space-y-4\">\n            {/* Core Colors */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Core Colors</CardTitle>\n                <CardDescription>Primary application colors for backgrounds, text, and surfaces</CardDescription>\n              </CardHeader>\n              <CardContent className=\"grid gap-3 sm:grid-cols-2 lg:grid-cols-3\">\n                <TokenSwatch name=\"background\" cssVar=\"--background\" className=\"bg-background\" />\n                <TokenSwatch name=\"foreground\" cssVar=\"--foreground\" className=\"bg-foreground\" textClass=\"text-background\" />\n                <TokenSwatch name=\"card\" cssVar=\"--card\" className=\"bg-card\" />\n                <TokenSwatch 
name=\"primary\" cssVar=\"--primary\" className=\"bg-primary\" />\n                <TokenSwatch name=\"secondary\" cssVar=\"--secondary\" className=\"bg-secondary\" />\n                <TokenSwatch name=\"muted\" cssVar=\"--muted\" className=\"bg-muted\" />\n                <TokenSwatch name=\"accent\" cssVar=\"--accent\" className=\"bg-accent\" />\n                <TokenSwatch name=\"border\" cssVar=\"--border\" className=\"bg-border\" />\n              </CardContent>\n            </Card>\n\n            {/* Status Colors */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Status Colors</CardTitle>\n                <CardDescription>Semantic colors for feedback and state indication</CardDescription>\n              </CardHeader>\n              <CardContent className=\"grid gap-3 sm:grid-cols-2 lg:grid-cols-4\">\n                <TokenSwatch name=\"success\" cssVar=\"--success\" className=\"bg-success\" />\n                <TokenSwatch name=\"warning\" cssVar=\"--warning\" className=\"bg-warning\" />\n                <TokenSwatch name=\"destructive\" cssVar=\"--destructive\" className=\"bg-destructive\" />\n                <TokenSwatch name=\"info\" cssVar=\"--info\" className=\"bg-info\" />\n              </CardContent>\n            </Card>\n\n            {/* Brand Colors */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Brand Colors</CardTitle>\n                <CardDescription>HubSpot brand integration colors</CardDescription>\n              </CardHeader>\n              <CardContent className=\"grid gap-3 sm:grid-cols-2\">\n                <TokenSwatch name=\"hubspot\" cssVar=\"--hubspot\" className=\"bg-hubspot\" />\n                <TokenSwatch name=\"hubspot-foreground\" cssVar=\"--hubspot-foreground\" className=\"bg-hubspot-foreground border-2\" />\n              </CardContent>\n            </Card>\n\n            {/* Category Colors */}\n            <Card>\n    
          <CardHeader>\n                <CardTitle className=\"text-lg\">Category Colors</CardTitle>\n                <CardDescription>For badges, charts, and visual differentiation (use instead of arbitrary colors)</CardDescription>\n              </CardHeader>\n              <CardContent className=\"grid gap-3 sm:grid-cols-2 lg:grid-cols-5\">\n                <TokenSwatch name=\"category-1\" cssVar=\"--category-1\" className=\"bg-category-1\" />\n                <TokenSwatch name=\"category-2\" cssVar=\"--category-2\" className=\"bg-category-2\" />\n                <TokenSwatch name=\"category-3\" cssVar=\"--category-3\" className=\"bg-category-3\" />\n                <TokenSwatch name=\"category-4\" cssVar=\"--category-4\" className=\"bg-category-4\" />\n                <TokenSwatch name=\"category-5\" cssVar=\"--category-5\" className=\"bg-category-5\" />\n              </CardContent>\n            </Card>\n\n            {/* Chart Colors */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Chart Colors</CardTitle>\n                <CardDescription>Dedicated colors for data visualization (Recharts integration)</CardDescription>\n              </CardHeader>\n              <CardContent>\n                <div className=\"grid gap-3 sm:grid-cols-5\">\n                  {[1, 2, 3, 4, 5].map((n) => (\n                    <div key={n} className=\"text-center space-y-2\">\n                      <div \n                        className=\"h-16 rounded-md border border-border\" \n                        style={{ backgroundColor: `hsl(var(--chart-${n}))` }}\n                      />\n                      <p className=\"font-mono text-xs text-muted-foreground\">chart-{n}</p>\n                    </div>\n                  ))}\n                </div>\n                <CodeExample \n                  label=\"Usage in Recharts\"\n                  code={`<Bar dataKey=\"value\" fill=\"hsl(var(--chart-1))\" />\n<Line 
stroke=\"hsl(var(--chart-2))\" />`}\n                />\n              </CardContent>\n            </Card>\n          </TabsContent>\n\n          {/* Semantic Usage Tab */}\n          <TabsContent value=\"semantic\" className=\"space-y-4\">\n            {/* Text Colors */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Text Colors</CardTitle>\n                <CardDescription>Semantic text color classes for different contexts</CardDescription>\n              </CardHeader>\n              <CardContent className=\"space-y-5\">\n                <div className=\"grid gap-3 sm:grid-cols-2\">\n                  <div className=\"p-3 rounded-lg border border-border space-y-2\">\n                    <p className=\"text-foreground font-medium\">text-foreground</p>\n                    <p className=\"text-xs text-muted-foreground\">Primary text content</p>\n                  </div>\n                  <div className=\"p-3 rounded-lg border border-border space-y-2\">\n                    <p className=\"text-muted-foreground font-medium\">text-muted-foreground</p>\n                    <p className=\"text-xs text-muted-foreground\">Secondary/helper text</p>\n                  </div>\n                  <div className=\"p-3 rounded-lg border border-border space-y-2\">\n                    <p className=\"text-success font-medium\">text-success</p>\n                    <p className=\"text-xs text-muted-foreground\">Positive states, completion</p>\n                  </div>\n                  <div className=\"p-3 rounded-lg border border-border space-y-2\">\n                    <p className=\"text-warning font-medium\">text-warning</p>\n                    <p className=\"text-xs text-muted-foreground\">Caution, attention needed</p>\n                  </div>\n                  <div className=\"p-3 rounded-lg border border-border space-y-2\">\n                    <p className=\"text-destructive font-medium\">text-destructive</p>\n         
           <p className=\"text-xs text-muted-foreground\">Errors, critical issues</p>\n                  </div>\n                  <div className=\"p-3 rounded-lg border border-border space-y-2\">\n                    <p className=\"text-info font-medium\">text-info</p>\n                    <p className=\"text-xs text-muted-foreground\">Informational, neutral highlights</p>\n                  </div>\n                  <div className=\"p-3 rounded-lg border border-border space-y-2\">\n                    <p className=\"text-hubspot font-medium\">text-hubspot</p>\n                    <p className=\"text-xs text-muted-foreground\">HubSpot brand elements</p>\n                  </div>\n                  <div className=\"p-3 rounded-lg border border-border space-y-2\">\n                    <p className=\"text-primary font-medium\">text-primary</p>\n                    <p className=\"text-xs text-muted-foreground\">Primary actions, links</p>\n                  </div>\n                </div>\n\n                <CodeExample \n                  label=\"❌ Don't use direct colors\"\n                  code={`// BAD - Direct Tailwind colors\n<span className=\"text-green-500\">Success</span>\n<span className=\"text-red-400\">Error</span>\n<span className=\"text-amber-500\">Warning</span>`}\n                />\n                <CodeExample \n                  label=\"✅ Use semantic tokens\"\n                  code={`// GOOD - Semantic tokens\n<span className=\"text-success\">Success</span>\n<span className=\"text-destructive\">Error</span>\n<span className=\"text-warning\">Warning</span>`}\n                />\n              </CardContent>\n            </Card>\n\n            {/* Background Colors */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Background Colors</CardTitle>\n                <CardDescription>Surface and container backgrounds with opacity modifiers</CardDescription>\n              </CardHeader>\n              
<CardContent className=\"space-y-5\">\n                <div className=\"grid gap-3 sm:grid-cols-2 lg:grid-cols-3\">\n                  <div className=\"p-4 rounded-lg bg-success/10 border border-success/30\">\n                    <p className=\"text-success font-mono text-sm\">bg-success/10</p>\n                    <p className=\"text-xs text-muted-foreground mt-1\">Success container</p>\n                  </div>\n                  <div className=\"p-4 rounded-lg bg-warning/10 border border-warning/30\">\n                    <p className=\"text-warning font-mono text-sm\">bg-warning/10</p>\n                    <p className=\"text-xs text-muted-foreground mt-1\">Warning container</p>\n                  </div>\n                  <div className=\"p-4 rounded-lg bg-destructive/10 border border-destructive/30\">\n                    <p className=\"text-destructive font-mono text-sm\">bg-destructive/10</p>\n                    <p className=\"text-xs text-muted-foreground mt-1\">Error container</p>\n                  </div>\n                  <div className=\"p-4 rounded-lg bg-info/10 border border-info/30\">\n                    <p className=\"text-info font-mono text-sm\">bg-info/10</p>\n                    <p className=\"text-xs text-muted-foreground mt-1\">Info container</p>\n                  </div>\n                  <div className=\"p-4 rounded-lg bg-primary/10 border border-primary/30\">\n                    <p className=\"text-primary font-mono text-sm\">bg-primary/10</p>\n                    <p className=\"text-xs text-muted-foreground mt-1\">Primary highlight</p>\n                  </div>\n                  <div className=\"p-4 rounded-lg bg-muted border border-border\">\n                    <p className=\"text-muted-foreground font-mono text-sm\">bg-muted</p>\n                    <p className=\"text-xs text-muted-foreground mt-1\">Subtle background</p>\n                  </div>\n                </div>\n\n                <CodeExample \n                  
label=\"Opacity modifier pattern\"\n                  code={`// Use /10, /20, /30 for transparent backgrounds\n<div className=\"bg-success/10 border border-success/30\">\n  <span className=\"text-success\">Healthy</span>\n</div>`}\n                />\n              </CardContent>\n            </Card>\n\n            {/* Category Usage */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Category Colors Usage</CardTitle>\n                <CardDescription>When you need distinct colors for differentiation (not status-based)</CardDescription>\n              </CardHeader>\n              <CardContent className=\"space-y-5\">\n                <div className=\"flex flex-wrap gap-2\">\n                  <Badge className=\"bg-category-1 text-category-1-foreground\">Contacts</Badge>\n                  <Badge className=\"bg-category-2 text-category-2-foreground\">Deals</Badge>\n                  <Badge className=\"bg-category-3 text-category-3-foreground\">Companies</Badge>\n                  <Badge className=\"bg-category-4 text-category-4-foreground\">Tickets</Badge>\n                  <Badge className=\"bg-category-5 text-category-5-foreground\">Products</Badge>\n                </div>\n\n                <CodeExample \n                  label=\"Category badges\"\n                  code={`<Badge className=\"bg-category-1 text-category-1-foreground\">\n  Contacts\n</Badge>\n<span className=\"text-category-2\">Deals section</span>`}\n                />\n              </CardContent>\n            </Card>\n          </TabsContent>\n\n          {/* Typography Tab */}\n          <TabsContent value=\"typography\" className=\"space-y-4\">\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Font Families</CardTitle>\n                <CardDescription>Inter for everything, Roboto Mono only for code/terminal</CardDescription>\n              </CardHeader>\n              <CardContent 
className=\"space-y-5\">\n                <div className=\"space-y-3\">\n                  <div className=\"p-4 rounded-lg border border-border\">\n                    <p className=\"font-sans text-2xl font-semibold mb-2\">Inter (font-sans)</p>\n                    <p className=\"font-sans text-muted-foreground\">Used for body text, headings, and UI elements. Clean and highly readable.</p>\n                    <p className=\"font-mono text-xs text-muted-foreground mt-2\">Class: font-sans (default)</p>\n                  </div>\n                  <div className=\"p-4 rounded-lg border border-border bg-zinc-900\">\n                    <p className=\"font-mono text-2xl font-bold text-zinc-100 mb-2\">Roboto Mono (font-mono)</p>\n                    <p className=\"font-mono text-zinc-400\">Reserved for code, terminal output, property names, and technical IDs only. NOT for scores or numbers.</p>\n                    <p className=\"font-mono text-xs text-zinc-500 mt-2\">Class: font-mono</p>\n                  </div>\n                </div>\n\n                <CodeExample \n                  label=\"Typography usage\"\n                  code={`// Numbers and scores use Inter (default font)\n<span className=\"text-2xl font-bold\">87</span>\n\n// Use tabular-nums for vertical alignment in tables\n<td className=\"text-right tabular-nums\">1,234</td>\n\n// font-mono ONLY for code/terminal/IDs\n<code className=\"font-mono text-xs\">property_name</code>`}\n                />\n              </CardContent>\n            </Card>\n\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Text Sizes & Weights</CardTitle>\n              </CardHeader>\n              <CardContent className=\"space-y-5\">\n                <div className=\"space-y-2\">\n                  <p className=\"text-xs text-muted-foreground\">text-xs (12px)</p>\n                  <p className=\"text-sm text-muted-foreground\">text-sm (14px)</p>\n                  <p 
className=\"text-base\">text-base (16px)</p>\n                  <p className=\"text-lg font-medium\">text-lg font-medium (18px)</p>\n                  <p className=\"text-xl font-semibold\">text-xl font-semibold (20px)</p>\n                  <p className=\"text-2xl font-bold\">text-2xl font-bold (24px)</p>\n                </div>\n              </CardContent>\n            </Card>\n          </TabsContent>\n\n          {/* Components Tab */}\n          <TabsContent value=\"components\" className=\"space-y-4\">\n            {/* Status Indicators */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Status Indicators</CardTitle>\n                <CardDescription>Consistent patterns for showing status across the app</CardDescription>\n              </CardHeader>\n              <CardContent className=\"space-y-5\">\n                <div className=\"grid gap-4 sm:grid-cols-2\">\n                  <div className=\"p-4 rounded-lg border border-border space-y-3\">\n                    <p className=\"font-medium text-sm\">With Icons</p>\n                    <div className=\"space-y-2\">\n                      <div className=\"flex items-center gap-2 text-success\">\n                        <CheckCircle2 className=\"h-4 w-4\" />\n                        <span className=\"text-sm\">Healthy / Complete</span>\n                      </div>\n                      <div className=\"flex items-center gap-2 text-warning\">\n                        <AlertTriangle className=\"h-4 w-4\" />\n                        <span className=\"text-sm\">Warning / Attention</span>\n                      </div>\n                      <div className=\"flex items-center gap-2 text-destructive\">\n                        <XCircle className=\"h-4 w-4\" />\n                        <span className=\"text-sm\">Error / Critical</span>\n                      </div>\n                      <div className=\"flex items-center gap-2 text-info\">\n                      
  <Info className=\"h-4 w-4\" />\n                        <span className=\"text-sm\">Information</span>\n                      </div>\n                    </div>\n                  </div>\n\n                  <div className=\"p-4 rounded-lg border border-border space-y-3\">\n                    <p className=\"font-medium text-sm\">Badge Variants</p>\n                    <div className=\"flex flex-wrap gap-2\">\n                      <Badge className=\"bg-success/20 text-success border-success/30\">Healthy</Badge>\n                      <Badge className=\"bg-warning/20 text-warning border-warning/30\">Needs Work</Badge>\n                      <Badge className=\"bg-destructive/20 text-destructive border-destructive/30\">Critical</Badge>\n                      <Badge className=\"bg-info/20 text-info border-info/30\">Info</Badge>\n                    </div>\n                  </div>\n                </div>\n\n                <CodeExample \n                  label=\"Status badge pattern\"\n                  code={`// Consistent status badge pattern\n<Badge className=\"bg-success/20 text-success border-success/30\">\n  Healthy\n</Badge>\n\n// With icon\n<div className=\"flex items-center gap-2 text-warning\">\n  <AlertTriangle className=\"h-4 w-4\" />\n  <span>Needs attention</span>\n</div>`}\n                />\n              </CardContent>\n            </Card>\n\n            {/* Score Display */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Score Display</CardTitle>\n                <CardDescription>Numbers and metrics use Inter (the default font)</CardDescription>\n              </CardHeader>\n              <CardContent className=\"space-y-5\">\n                <div className=\"grid gap-4 sm:grid-cols-3\">\n                  <div className=\"p-4 rounded-lg border border-border text-center\">\n                    <p className=\"text-4xl font-bold text-success\">87</p>\n                    <p className=\"text-xs 
text-muted-foreground mt-1\">Healthy Score</p>\n                  </div>\n                  <div className=\"p-4 rounded-lg border border-border text-center\">\n                    <p className=\"text-4xl font-bold text-warning\">62</p>\n                    <p className=\"text-xs text-muted-foreground mt-1\">Needs Work</p>\n                  </div>\n                  <div className=\"p-4 rounded-lg border border-border text-center\">\n                    <p className=\"text-4xl font-bold text-destructive\">34</p>\n                    <p className=\"text-xs text-muted-foreground mt-1\">Critical</p>\n                  </div>\n                </div>\n\n                <CodeExample \n                  label=\"Score color logic\"\n                  code={`const getScoreColor = (score: number) => {\n  if (score >= 80) return 'text-success';\n  if (score >= 60) return 'text-warning';\n  return 'text-destructive';\n};\n\n<span className={\\`text-4xl font-bold \\${getScoreColor(score)}\\`}>\n  {score}\n</span>`}\n                />\n              </CardContent>\n            </Card>\n\n            {/* Progress Bars */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Progress Bars</CardTitle>\n              </CardHeader>\n              <CardContent className=\"space-y-5\">\n                <div className=\"space-y-3\">\n                  <div className=\"space-y-1\">\n                    <div className=\"flex justify-between text-xs\">\n                      <span className=\"text-muted-foreground\">Success</span>\n                      <span className=\"text-success\">85%</span>\n                    </div>\n                    <div className=\"h-2 bg-muted rounded-full overflow-hidden\">\n                      <div className=\"h-full bg-success rounded-full\" style={{ width: '85%' }} />\n                    </div>\n                  </div>\n                  <div className=\"space-y-1\">\n                    <div 
className=\"flex justify-between text-xs\">\n                      <span className=\"text-muted-foreground\">Warning</span>\n                      <span className=\"text-warning\">62%</span>\n                    </div>\n                    <div className=\"h-2 bg-muted rounded-full overflow-hidden\">\n                      <div className=\"h-full bg-warning rounded-full\" style={{ width: '62%' }} />\n                    </div>\n                  </div>\n                  <div className=\"space-y-1\">\n                    <div className=\"flex justify-between text-xs\">\n                      <span className=\"text-muted-foreground\">Critical</span>\n                      <span className=\"text-destructive\">28%</span>\n                    </div>\n                    <div className=\"h-2 bg-muted rounded-full overflow-hidden\">\n                      <div className=\"h-full bg-destructive rounded-full\" style={{ width: '28%' }} />\n                    </div>\n                  </div>\n                </div>\n              </CardContent>\n            </Card>\n          </TabsContent>\n\n          {/* Patterns Tab */}\n          <TabsContent value=\"patterns\" className=\"space-y-4\">\n            {/* Terminal/Diagnostic Context */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Terminal/Diagnostic Context</CardTitle>\n                <CardDescription>Zinc colors are allowed ONLY in terminal-themed diagnostic displays (per ADR-004)</CardDescription>\n              </CardHeader>\n              <CardContent className=\"space-y-5\">\n                <div className=\"bg-zinc-900 p-4 rounded-lg font-mono text-xs space-y-1\">\n                  <p className=\"text-zinc-400\">// Terminal-style diagnostic output</p>\n                  <p><span className=\"text-zinc-500\">[INFO]</span> <span className=\"text-zinc-300\">Scanning portal properties...</span></p>\n                  <p><span className=\"text-success\">[PASS]</span> 
<span className=\"text-zinc-300\">RLS policies configured</span></p>\n                  <p><span className=\"text-warning\">[WARN]</span> <span className=\"text-zinc-300\">3 unused properties detected</span></p>\n                  <p><span className=\"text-destructive\">[FAIL]</span> <span className=\"text-zinc-300\">Missing validation rules</span></p>\n                </div>\n\n                <Alert>\n                  <AlertTriangle className=\"h-4 w-4\" />\n                  <AlertTitle>Zinc Exception</AlertTitle>\n                  <AlertDescription>\n                    Zinc colors (zinc-100 through zinc-900) are ONLY permitted in terminal/diagnostic contexts. \n                    All other UI must use semantic tokens.\n                  </AlertDescription>\n                </Alert>\n              </CardContent>\n            </Card>\n\n            {/* Common Patterns */}\n            <Card>\n              <CardHeader>\n                <CardTitle className=\"text-lg\">Common Code Patterns</CardTitle>\n              </CardHeader>\n              <CardContent className=\"space-y-5\">\n                <CodeExample \n                  label=\"Status-based styling function\"\n                  code={`type Status = 'healthy' | 'warning' | 'critical' | 'info';\n\nconst getStatusStyles = (status: Status) => {\n  const styles = {\n    healthy: {\n      text: 'text-success',\n      bg: 'bg-success/10',\n      border: 'border-success/30',\n    },\n    warning: {\n      text: 'text-warning',\n      bg: 'bg-warning/10',\n      border: 'border-warning/30',\n    },\n    critical: {\n      text: 'text-destructive',\n      bg: 'bg-destructive/10',\n      border: 'border-destructive/30',\n    },\n    info: {\n      text: 'text-info',\n      bg: 'bg-info/10',\n      border: 'border-info/30',\n    },\n  };\n  return styles[status];\n};`}\n                />\n\n                <CodeExample \n                  label=\"Score-based color function\"\n                  code={`const 
getScoreColor = (score: number): string => {\n  if (score >= 80) return 'text-success';\n  if (score >= 60) return 'text-warning';\n  if (score >= 40) return 'text-hubspot';\n  return 'text-destructive';\n};\n\nconst getScoreBg = (score: number): string => {\n  if (score >= 80) return 'bg-success/10 border-success/30';\n  if (score >= 60) return 'bg-warning/10 border-warning/30';\n  if (score >= 40) return 'bg-hubspot/10 border-hubspot/30';\n  return 'bg-destructive/10 border-destructive/30';\n};`}\n                />\n\n                <CodeExample \n                  label=\"Trend indicator pattern\"\n                  code={`const TrendBadge = ({ value }: { value: number }) => {\n  const isPositive = value > 0;\n  const isNeutral = value === 0;\n  \n  return (\n    <span className={cn(\n      'text-sm font-medium',\n      isNeutral && 'text-muted-foreground',\n      isPositive && 'text-success',\n      !isPositive && !isNeutral && 'text-destructive'\n    )}>\n      {isPositive ? '+' : ''}{value}%\n    </span>\n  );\n};`}\n                />\n              </CardContent>\n            </Card>\n\n            {/* Don't Do */}\n            <Card className=\"border-destructive/50\">\n              <CardHeader>\n                <CardTitle className=\"text-lg text-destructive flex items-center gap-2\">\n                  <XCircle className=\"h-5 w-5\" />\n                  Don't Do This\n                </CardTitle>\n              </CardHeader>\n              <CardContent className=\"space-y-5\">\n                <CodeExample \n                  label=\"❌ Direct Tailwind colors\"\n                  code={`// BAD - These will fail code review\n<span className=\"text-green-500\">Success</span>\n<span className=\"text-red-400\">Error</span>\n<div className=\"bg-amber-500/20\">Warning box</div>\n<div className=\"border-blue-500\">Info border</div>\n<Badge className=\"bg-purple-600\">Category</Badge>`}\n                />\n                <CodeExample \n                  
label=\"✅ Use semantic tokens instead\"\n                  code={`// GOOD - Semantic tokens\n<span className=\"text-success\">Success</span>\n<span className=\"text-destructive\">Error</span>\n<div className=\"bg-warning/20\">Warning box</div>\n<div className=\"border-info\">Info border</div>\n<Badge className=\"bg-category-2\">Category</Badge>`}\n                />\n              </CardContent>\n            </Card>\n          </TabsContent>\n        </Tabs>\n      </main>\n    </div>\n  );\n` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line scripts/verify-backups.sh:73:\n `/ 3600` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/hooks/useWorkflowsAnalyze.ts:124:\n `}` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/lib/recommendations/generators/dataGovernance.ts:328:\n `satisfies CreateGroupAndMoveMeta` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/components/dashboard/rollback-panel/utils.ts:15:\n `}` was unexpected"
              }
            }
          ]
        }
      ],
      "results": [
        {
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": ".github/workflows/deploy-status-probe.yml",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 71,
                  "endLine": 74,
                  "startColumn": 9,
                  "startLine": 71
                }
              }
            }
          ],
          "message": {
            "text": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."
          },
          "properties": {},
          "ruleId": "yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout"
        },
        {
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "nginx.conf",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 14,
                  "endLine": 15,
                  "startColumn": 9,
                  "startLine": 15
                }
              }
            }
          ],
          "message": {
            "text": "'$http_host' and '$host' variables may contain a malicious value from an attacker-controlled 'Host' request header. Use an explicitly configured host value or an allow list for validation."
          },
          "properties": {},
          "ruleId": "generic.nginx.security.request-host-used.request-host-used"
        },
        {
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "second-opinion/omlx_provider.py",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 18,
                  "endLine": 161,
                  "startColumn": 17,
                  "startLine": 157
                }
              }
            }
          ],
          "message": {
                "text": "Detected a python logger call with a potential hardcoded secret \"oMLX returned content=null (model=%s, finish=%s, tokens=%s) — \"\n                    \"reasoning model truncated mid-thought. Caller should bump max_tokens.\" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information."
          },
          "properties": {},
          "ruleId": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure"
        },
        {
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "second-opinion/omlx_provider.py",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 14,
                  "endLine": 172,
                  "startColumn": 13,
                  "startLine": 169
                }
              }
            }
          ],
          "message": {
                "text": "Detected a python logger call with a potential hardcoded secret \"oMLX response (model=%s, content_len=%d, tokens=%s, finish=%s)\" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information."
          },
          "properties": {},
          "ruleId": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure"
        },
        {
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/components/team-discussions/DiscussionThread.tsx",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "endColumn": 81,
                  "endLine": 345,
                  "startColumn": 50,
                  "startLine": 345
                }
              }
            }
          ],
          "message": {
            "text": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML."
          },
          "properties": {},
          "ruleId": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml"
        }
      ],
      "tool": {
        "driver": {
          "name": "Semgrep OSS",
          "rules": [
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."
              },
              "help": {
                "markdown": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n",
                "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
              "id": "java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
              "name": "java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."
              },
              "help": {
                "markdown": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs",
              "id": "java.lang.security.audit.crlf-injection-logs.crlf-injection-logs",
              "name": "java.lang.security.audit.crlf-injection-logs.crlf-injection-logs",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue."
              },
              "help": {
                "markdown": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue)\n - [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html)\n",
                "text": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue",
              "id": "typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue",
              "name": "typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-311: Missing Encryption of Sensitive Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. loading secrets from environment variables or a secrets manager at runtime), and treat any key that has been committed to source control as compromised and rotate it"
              },
              "help": {
                "markdown": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. loading secrets from environment variables or a secrets manager at runtime), and treat any key that has been committed to source control as compromised and rotate it\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode)\n - [https://jwt-scala.github.io/jwt-scala/](https://jwt-scala.github.io/jwt-scala/)\n",
                "text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. loading secrets from environment variables or a secrets manager at runtime), and treat any key that has been committed to source control as compromised and rotate it\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode",
              "id": "scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode",
              "name": "scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "MD5 hash algorithm detected. MD5 is not collision resistant, and because it is very fast to compute, password hashes built on it are easily cracked. For passwords use a dedicated slow password hash (bcrypt, scrypt or Argon2); for other uses replace it with a current recommended algorithm such as SHA-256."
              },
              "help": {
                "markdown": "MD5 hash algorithm detected. MD5 is not collision resistant, and because it is very fast to compute, password hashes built on it are easily cracked. For passwords use a dedicated slow password hash (bcrypt, scrypt or Argon2); for other uses replace it with a current recommended algorithm such as SHA-256.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n",
                "text": "MD5 hash algorithm detected. MD5 is not collision resistant, and because it is very fast to compute, password hashes built on it are easily cracked. For passwords use a dedicated slow password hash (bcrypt, scrypt or Argon2); for other uses replace it with a current recommended algorithm such as SHA-256.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5",
              "id": "clojure.lang.security.use-of-md5.use-of-md5",
              "name": "clojure.lang.security.use-of-md5.use-of-md5",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."
              },
              "help": {
                "markdown": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions",
              "id": "python.lang.security.audit.insecure-file-permissions.insecure-file-permissions",
              "name": "python.lang.security.audit.insecure-file-permissions.insecure-file-permissions",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-276: Incorrect Default Permissions",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability."
              },
              "help": {
                "markdown": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-system-call-tainted-env-args.dangerous-system-call-tainted-env-args)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-system-call-tainted-env-args.dangerous-system-call-tainted-env-args",
              "id": "python.lang.security.audit.dangerous-system-call-tainted-env-args.dangerous-system-call-tainted-env-args",
              "name": "python.lang.security.audit.dangerous-system-call-tainted-env-args.dangerous-system-call-tainted-env-args",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.dangerous-system-call-tainted-env-args.dangerous-system-call-tainted-env-args"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "No token revoking configured for `express-jwt`. A leaked token remains valid until it expires and cannot be revoked. Consider passing a function as the `isRevoked` option that rejects tokens found in a revocation store."
              },
              "help": {
                "markdown": "No token revoking configured for `express-jwt`. A leaked token remains valid until it expires and cannot be revoked. Consider passing a function as the `isRevoked` option that rejects tokens found in a revocation store.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "No token revoking configured for `express-jwt`. A leaked token remains valid until it expires and cannot be revoked. Consider passing a function as the `isRevoked` option that rejects tokens found in a revocation store.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked",
              "id": "javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked",
              "name": "javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."
              },
              "help": {
                "markdown": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n",
                "text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure",
              "id": "csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure",
              "name": "csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "HIGH CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'."
              },
              "help": {
                "markdown": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-subprocess-use-tainted-env-args.dangerous-subprocess-use-tainted-env-args)\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-subprocess-use-tainted-env-args.dangerous-subprocess-use-tainted-env-args",
              "id": "python.lang.security.audit.dangerous-subprocess-use-tainted-env-args.dangerous-subprocess-use-tainted-env-args",
              "name": "python.lang.security.audit.dangerous-subprocess-use-tainted-env-args.dangerous-subprocess-use-tainted-env-args",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.dangerous-subprocess-use-tainted-env-args.dangerous-subprocess-use-tainted-env-args"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Using a non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands if the value contains untrusted data."
              },
              "help": {
                "markdown": "Using a non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands if the value contains untrusted data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection)\n - [https://codeberg.org/fennix/funjection](https://codeberg.org/fennix/funjection)\n",
                "text": "Using a non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands if the value contains untrusted data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection",
              "id": "python.twilio.security.twiml-injection.twiml-injection",
              "name": "python.twilio.security.twiml-injection.twiml-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-91: XML Injection",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.twilio.security.twiml-injection.twiml-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected asyncio subprocess function with user controlled data. A malicious actor could leverage this to perform command injection. Prefer passing the command as a list of arguments so that no shell interprets the input; if a shell is unavoidable, quote each user-controlled value with 'shlex.quote()'."
              },
              "help": {
                "markdown": "Detected asyncio subprocess function with user controlled data. A malicious actor could leverage this to perform command injection. Prefer passing the command as a list of arguments so that no shell interprets the input; if a shell is unavoidable, quote each user-controlled value with 'shlex.quote()'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args)\n - [https://docs.python.org/3/library/asyncio-subprocess.html](https://docs.python.org/3/library/asyncio-subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Detected asyncio subprocess function with user controlled data. A malicious actor could leverage this to perform command injection. Prefer passing the command as a list of arguments so that no shell interprets the input; if a shell is unavoidable, quote each user-controlled value with 'shlex.quote()'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args",
              "id": "python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args",
              "name": "python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a match timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine, leading to excessive CPU usage and a Denial-of-Service condition."
              },
              "help": {
                "markdown": "When using `System.Text.RegularExpressions` to process untrusted input, pass a match timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine, leading to excessive CPU usage and a Denial-of-Service condition.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n",
                "text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a match timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine, leading to excessive CPU usage and a Denial-of-Service condition.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos",
              "id": "csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos",
              "name": "csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1333: Inefficient Regular Expression Complexity",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."
              },
              "help": {
                "markdown": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
                "text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin",
              "id": "terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin",
              "name": "terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The AWS EBS volume is unencrypted. Enabling EBS encryption protects the data stored on the volume at rest."
              },
              "help": {
                "markdown": "The AWS EBS volume is unencrypted. Enabling EBS encryption protects the data stored on the volume at rest.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "The AWS EBS volume is unencrypted. Enabling EBS encryption protects the data stored on the volume at rest.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted",
              "id": "terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted",
              "name": "terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-320: CWE CATEGORY: Key Management Errors",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. Prefer passing the command as a list of arguments with shell=False so that no shell interprets the input; if a shell is unavoidable, quote each user-controlled value with 'shlex.quote()'."
              },
              "help": {
                "markdown": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. Prefer passing the command as a list of arguments with shell=False so that no shell interprets the input; if a shell is unavoidable, quote each user-controlled value with 'shlex.quote()'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use)\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. Prefer passing the command as a list of arguments with shell=False so that no shell interprets the input; if a shell is unavoidable, quote each user-controlled value with 'shlex.quote()'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use",
              "id": "python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use",
              "name": "python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time, which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY."
              },
              "help": {
                "markdown": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time, which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time, which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher",
              "id": "kotlin.lang.security.ecb-cipher.ecb-cipher",
              "name": "kotlin.lang.security.ecb-cipher.ecb-cipher",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: kotlin.lang.security.ecb-cipher.ecb-cipher"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."
              },
              "help": {
                "markdown": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response",
              "id": "python.aws-lambda.security.tainted-html-response.tainted-html-response",
              "name": "python.aws-lambda.security.tainted-html-response.tainted-html-response",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.tainted-html-response.tainted-html-response"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n - [https://bento.dev/checks/boto3/hardcoded-access-token/](https://bento.dev/checks/boto3/hardcoded-access-token/)\n - [https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/](https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token",
              "id": "python.boto3.security.hardcoded-token.hardcoded-token",
              "name": "python.boto3.security.hardcoded-token.hardcoded-token",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.boto3.security.hardcoded-token.hardcoded-token"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection"
              },
              "help": {
                "markdown": "Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true)\n - [https://flask.palletsprojects.com/en/latest/api/#flask.url_for](https://flask.palletsprojects.com/en/latest/api/#flask.url_for)\n - [https://portswigger.net/kb/issues/00500300_host-header-injection](https://portswigger.net/kb/issues/00500300_host-header-injection)\n",
                "text": "Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true",
              "id": "python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true",
              "name": "python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-673: External Influence of Sphere Definition",
                  "HIGH CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead."
              },
              "help": {
                "markdown": "Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\n",
                "text": "Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm",
              "id": "csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm",
              "name": "csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli",
              "id": "java.aws-lambda.security.tainted-sqli.tainted-sqli",
              "name": "java.aws-lambda.security.tainted-sqli.tainted-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.aws-lambda.security.tainted-sqli.tainted-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection."
              },
              "help": {
                "markdown": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator)\n - [https://laravel.com/docs/9.x/validation#rule-unique](https://laravel.com/docs/9.x/validation#rule-unique)\n",
                "text": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator",
              "id": "php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator",
              "name": "php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set 'verify' to `true` before using the token."
              },
              "help": {
                "markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set 'verify' to `true` before using the token.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify)\n - [https://www.npmjs.com/package/jwt-simple](https://www.npmjs.com/package/jwt-simple)\n - [https://cwe.mitre.org/data/definitions/287](https://cwe.mitre.org/data/definitions/287)\n - [https://cwe.mitre.org/data/definitions/345](https://cwe.mitre.org/data/definitions/345)\n - [https://cwe.mitre.org/data/definitions/347](https://cwe.mitre.org/data/definitions/347)\n",
                "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set 'verify' to `true` before using the token.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify",
              "id": "javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify",
              "name": "javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-287: Improper Authentication",
                  "CWE-345: Insufficient Verification of Data Authenticity",
                  "CWE-347: Improper Verification of Cryptographic Signature",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default",
              "id": "python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default",
              "name": "python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1275: Sensitive Cookie with Improper SameSite Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."
              },
              "help": {
                "markdown": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell)\n - [https://docs.python.org/3/library/asyncio-subprocess.html](https://docs.python.org/3/library/asyncio-subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
                "text": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell",
              "id": "python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell",
              "name": "python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
              },
              "help": {
                "markdown": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
                "text": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2",
              "id": "java.lang.security.audit.crypto.use-of-rc2.use-of-rc2",
              "name": "java.lang.security.audit.crypto.use-of-rc2.use-of-rc2",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-rc2.use-of-rc2"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."
              },
              "help": {
                "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n",
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string",
              "id": "java.spring.security.injection.tainted-sql-string.tainted-sql-string",
              "name": "java.spring.security.injection.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.injection.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher."
              },
              "help": {
                "markdown": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://www.pycryptodome.org/src/public_key/rsa#rsa](https://www.pycryptodome.org/src/public_key/rsa#rsa)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)\n",
                "text": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
              "id": "python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
              "name": "python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs."
              },
              "help": {
                "markdown": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.csv-writer-injection.csv-writer-injection)\n - [https://github.com/raphaelm/defusedcsv](https://github.com/raphaelm/defusedcsv)\n - [https://owasp.org/www-community/attacks/CSV_Injection](https://owasp.org/www-community/attacks/CSV_Injection)\n - [https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities](https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities)\n",
                "text": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.csv-writer-injection.csv-writer-injection",
              "id": "python.flask.security.injection.csv-writer-injection.csv-writer-injection",
              "name": "python.flask.security.injection.csv-writer-injection.csv-writer-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.csv-writer-injection.csv-writer-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys.  The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key.  Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."
              },
              "help": {
                "markdown": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys.  The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key.  Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n",
                "text": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys.  The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key.  Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish",
              "id": "python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish",
              "name": "python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability."
              },
              "help": {
                "markdown": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
                "text": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage",
              "id": "javascript.express.security.express-insecure-template-usage.express-insecure-template-usage",
              "name": "javascript.express.security.express-insecure-template-usage.express-insecure-template-usage",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.express-insecure-template-usage.express-insecure-template-usage"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
              },
              "help": {
                "markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.sha224-hash.sha224-hash",
              "id": "python.lang.security.audit.sha224-hash.sha224-hash",
              "name": "python.lang.security.audit.sha224-hash.sha224-hash",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.sha224-hash.sha224-hash"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Avoid using an insecure deserialization library backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."
              },
              "help": {
                "markdown": "Avoid using an insecure deserialization library backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
                "text": "Avoid using an insecure deserialization library backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization",
              "id": "python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization",
              "name": "python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."
              },
              "help": {
                "markdown": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip",
              "id": "terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip",
              "name": "terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1220: Insufficient Granularity of Access Control",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."
              },
              "help": {
                "markdown": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
                "text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false",
              "id": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false",
              "name": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\n",
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli",
              "id": "javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli",
              "name": "javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Document Builder is instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User-controlled data in an XML Document builder can result in XML Internal Entity Processing vulnerabilities such as the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), and port scanning. Make sure to disable entity processing functionality."
              },
              "help": {
                "markdown": "Document Builder is instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User-controlled data in an XML Document builder can result in XML Internal Entity Processing vulnerabilities such as the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), and port scanning. Make sure to disable entity processing functionality.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "Document Builder is instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User-controlled data in an XML Document builder can result in XML Internal Entity Processing vulnerabilities such as the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), and port scanning. Make sure to disable entity processing functionality.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled",
              "id": "scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled",
              "name": "scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`."
              },
              "help": {
                "markdown": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find)\n - [https://brakemanscanner.org/docs/warning_types/unscoped_find/](https://brakemanscanner.org/docs/warning_types/unscoped_find/)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb)\n",
                "text": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find",
              "id": "ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find",
              "name": "ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."
              },
              "help": {
                "markdown": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\n",
                "text": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel",
              "id": "python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel",
              "name": "python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value",
              "id": "python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value",
              "name": "python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme."
              },
              "help": {
                "markdown": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse)\n - [https://pkg.go.dev/path#Clean](https://pkg.go.dev/path#Clean)\n - [http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html](http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html)\n - [https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/](https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/)\n - [https://dzx.cz/2021/04/02/go_path_traversal/](https://dzx.cz/2021/04/02/go_path_traversal/)\n - [https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme](https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme)\n",
                "text": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse",
              "id": "go.lang.security.filepath-clean-misuse.filepath-clean-misuse",
              "name": "go.lang.security.filepath-clean-misuse.filepath-clean-misuse",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.filepath-clean-misuse.filepath-clean-misuse"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an AWS Redshift configuration with SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."
              },
              "help": {
                "markdown": "Detected an AWS Redshift configuration with SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected an AWS Redshift configuration with SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration",
              "id": "terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration",
              "name": "terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."
              },
              "help": {
                "markdown": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
                "text": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal",
              "id": "terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal",
              "name": "terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "If unverified user data can reach the `compileScript` method, it can result in Server-Side Request Forgery vulnerabilities."
              },
              "help": {
                "markdown": "If unverified user data can reach the `compileScript` method, it can result in Server-Side Request Forgery vulnerabilities.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection)\n - [https://github.com/cyrus-and/chrome-remote-interface](https://github.com/cyrus-and/chrome-remote-interface)\n",
                "text": "If unverified user data can reach the `compileScript` method, it can result in Server-Side Request Forgery vulnerabilities.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection",
              "id": "javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection",
              "name": "javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."
              },
              "help": {
                "markdown": "The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length)\n - [https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/](https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options](https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n",
                "text": "The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length",
              "id": "javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length",
              "name": "javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-310: CWE CATEGORY: Cryptographic Issues",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."
              },
              "help": {
                "markdown": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version",
              "id": "terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version",
              "name": "terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."
              },
              "help": {
                "markdown": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n",
                "text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled",
              "id": "java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled",
              "name": "java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure every Cloud SQL database instance requires all incoming connections to use SSL."
              },
              "help": {
                "markdown": "Ensure every Cloud SQL database instance requires all incoming connections to use SSL.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl)\n - [https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure every Cloud SQL database instance requires all incoming connections to use SSL.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl",
              "id": "terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl",
              "name": "terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."
              },
              "help": {
                "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n",
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1",
              "id": "clojure.lang.security.use-of-sha1.use-of-sha1",
              "name": "clojure.lang.security.use-of-sha1.use-of-sha1",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "CWE-328: Use of Weak Hash",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
              },
              "help": {
                "markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
                "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host",
              "id": "php.lang.security.injection.tainted-url-host.tainted-url-host",
              "name": "php.lang.security.injection.tainted-url-host.tainted-url-host",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect."
              },
              "help": {
                "markdown": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect)\n - [https://brakemanscanner.org/docs/warning_types/redirect/](https://brakemanscanner.org/docs/warning_types/redirect/)\n",
                "text": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect",
              "id": "ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect",
              "name": "ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', ('active',))`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', ('active',))`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli)\n - [https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html](https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html)\n - [https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html](https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html)\n",
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', ('active',))`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli",
              "id": "python.aws-lambda.security.mysql-sqli.mysql-sqli",
              "name": "python.aws-lambda.security.mysql-sqli.mysql-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.mysql-sqli.mysql-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n",
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli",
              "id": "javascript.aws-lambda.security.mysql-sqli.mysql-sqli",
              "name": "javascript.aws-lambda.security.mysql-sqli.mysql-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.aws-lambda.security.mysql-sqli.mysql-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure MSSQL is using the latest version of TLS encryption"
              },
              "help": {
                "markdown": "Ensure MSSQL is using the latest version of TLS encryption\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure MSSQL is using the latest version of TLS encryption\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version",
              "id": "terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version",
              "name": "terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability."
              },
              "help": {
                "markdown": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call",
              "id": "python.aws-lambda.security.dangerous-system-call.dangerous-system-call",
              "name": "python.aws-lambda.security.dangerous-system-call.dangerous-system-call",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.dangerous-system-call.dangerous-system-call"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here."
              },
              "help": {
                "markdown": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process",
              "id": "python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process",
              "name": "python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Stripe Restricted API Key detected"
              },
              "help": {
                "markdown": "Stripe Restricted API Key detected\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
                "text": "Stripe Restricted API Key detected\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key",
              "id": "generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key",
              "name": "generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Accepting unsigned security tokens as valid allows an attacker to strip a token's signature and potentially forge an identity. As a fix, set RequireSignedTokens to true."
              },
              "help": {
                "markdown": "Accepting unsigned security tokens as valid allows an attacker to strip a token's signature and potentially forge an identity. As a fix, set RequireSignedTokens to true.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n - [https://cwe.mitre.org/data/definitions/347](https://cwe.mitre.org/data/definitions/347)\n",
                "text": "Accepting unsigned security tokens as valid allows an attacker to strip a token's signature and potentially forge an identity. As a fix, set RequireSignedTokens to true.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token",
              "id": "csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token",
              "name": "csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-347: Improper Verification of Cryptographic Signature",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "RSA keys should be at least 2048 bits based on NIST recommendation."
              },
              "help": {
                "markdown": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
                "text": "RSA keys should be at least 2048 bits based on NIST recommendation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key",
              "id": "kotlin.lang.security.weak-rsa.use-of-weak-rsa-key",
              "name": "kotlin.lang.security.weak-rsa.use-of-weak-rsa-key",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: kotlin.lang.security.weak-rsa.use-of-weak-rsa-key"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable for use in cryptographic signatures. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."
              },
              "help": {
                "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable for use in cryptographic signatures. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable for use in cryptographic signatures. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
              "id": "java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
              "name": "java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-sha1.use-of-sha1"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
              },
              "help": {
                "markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224",
              "id": "java.lang.security.audit.crypto.use-of-sha224.use-of-sha224",
              "name": "java.lang.security.audit.crypto.use-of-sha224.use-of-sha224",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-sha224.use-of-sha224"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using 'SHA256' or a similar function instead."
              },
              "help": {
                "markdown": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using 'SHA256' or a similar function instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
                "text": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using 'SHA256' or a similar function instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function",
              "id": "python.lang.security.insecure-hash-function.insecure-hash-function",
              "name": "python.lang.security.insecure-hash-function.insecure-hash-function",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.insecure-hash-function.insecure-hash-function"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."
              },
              "help": {
                "markdown": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\n",
                "text": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service",
              "id": "yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service",
              "name": "yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected a sequelize statement that is tainted by user input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."
              },
              "help": {
                "markdown": "Detected a sequelize statement that is tainted by user input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n",
                "text": "Detected a sequelize statement that is tainted by user input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection",
              "id": "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection",
              "name": "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
              },
              "help": {
                "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "id": "go.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "name": "go.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.aws-lambda.security.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."
              },
              "help": {
                "markdown": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args",
              "id": "python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args",
              "name": "python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305."
              },
              "help": {
                "markdown": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n",
                "text": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode",
              "id": "csharp.dotnet.security.use_ecb_mode.use_ecb_mode",
              "name": "csharp.dotnet.security.use_ecb_mode.use_ecb_mode",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.use_ecb_mode.use_ecb_mode"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."
              },
              "help": {
                "markdown": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n",
                "text": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure",
              "id": "go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure",
              "name": "go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request."
              },
              "help": {
                "markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
                "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib",
              "id": "python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib",
              "name": "python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible."
              },
              "help": {
                "markdown": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)\n - [https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback](https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback)\n - [https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/](https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/)\n - [https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html](https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html)\n",
                "text": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat",
              "id": "javascript.lang.security.audit.code-string-concat.code-string-concat",
              "name": "javascript.lang.security.audit.code-string-concat.code-string-concat",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.lang.security.audit.code-string-concat.code-string-concat"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control."
              },
              "help": {
                "markdown": "Found a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling)\n - [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4_with_engines/config/initializers/secret_token.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4_with_engines/config/initializers/secret_token.rb)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3/config/initializers/secret_token.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3/config/initializers/secret_token.rb)\n",
                "text": "Found a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling",
              "id": "ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling",
              "name": "ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-540: Inclusion of Sensitive Information in Source Code",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions."
              },
              "help": {
                "markdown": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://nginx.org/en/docs/http/configuring_https_servers.html](https://nginx.org/en/docs/http/configuring_https_servers.html)\n",
                "text": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version",
              "id": "generic.nginx.security.missing-ssl-version.missing-ssl-version",
              "name": "generic.nginx.security.missing-ssl-version.missing-ssl-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.nginx.security.missing-ssl-version.missing-ssl-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use."
              },
              "help": {
                "markdown": "Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher)\n - [https://golang.org/pkg/crypto/tls/#InsecureCipherSuites](https://golang.org/pkg/crypto/tls/#InsecureCipherSuites)\n",
                "text": "Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher",
              "id": "go.lang.security.audit.crypto.tls.tls-with-insecure-cipher",
              "name": "go.lang.security.audit.crypto.tls.tls-with-insecure-cipher",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause SQL injections if the developer inputs raw SQL into the aforementioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user input into the raw SQL with any function besides \"bindparams\". Use \"bindparams\" to securely bind user input to SQL statements."
              },
              "help": {
                "markdown": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause SQL injections if the developer inputs raw SQL into the aforementioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user input into the raw SQL with any function besides \"bindparams\". Use \"bindparams\" to securely bind user input to SQL statements.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause SQL injections if the developer inputs raw SQL into the aforementioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user input into the raw SQL with any function besides \"bindparams\". Use \"bindparams\" to securely bind user input to SQL statements.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection",
              "id": "python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection",
              "name": "python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
              },
              "help": {
                "markdown": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
                "text": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4",
              "id": "java.lang.security.audit.crypto.use-of-rc4.use-of-rc4",
              "name": "java.lang.security.audit.crypto.use-of-rc4.use-of-rc4",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-rc4.use-of-rc4"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings."
              },
              "help": {
                "markdown": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings)\n",
                "text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled",
              "id": "terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled",
              "name": "terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-287: Improper Authentication",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Anonymous access shouldn't be allowed unless explicitly allowed by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted to a specific set of roles or users, or in conformance with a custom policy."
              },
              "help": {
                "markdown": "Anonymous access shouldn't be allowed unless explicitly allowed by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted to a specific set of roles or users, or in conformance with a custom policy.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://cwe.mitre.org/data/definitions/862.html](https://cwe.mitre.org/data/definitions/862.html)\n - [https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0](https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0)\n",
                "text": "Anonymous access shouldn't be allowed unless explicitly allowed by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted to a specific set of roles or users, or in conformance with a custom policy.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization",
              "id": "csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization",
              "name": "csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-862: Missing Authorization",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause the loss of important event information."
              },
              "help": {
                "markdown": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause the loss of important event information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause the loss of important event information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention",
              "id": "terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention",
              "name": "terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-320: CWE CATEGORY: Key Management Errors",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
              },
              "help": {
                "markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
                "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host",
              "id": "python.flask.security.injection.tainted-url-host.tainted-url-host",
              "name": "python.flask.security.injection.tainted-url-host.tainted-url-host",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.tainted-url-host.tainted-url-host"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as AES instead. With the `cryptography` package it is recommended to use `Fernet`, which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."
              },
              "help": {
                "markdown": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as AES instead. With the `cryptography` package it is recommended to use `Fernet`, which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers)\n",
                "text": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as AES instead. With the `cryptography` package it is recommended to use `Fernet`, which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4",
              "id": "python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4",
              "name": "python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."
              },
              "help": {
                "markdown": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli",
              "id": "java.spring.security.audit.spring-sqli.spring-sqli",
              "name": "java.spring.security.audit.spring-sqli.spring-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.audit.spring-sqli.spring-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead."
              },
              "help": {
                "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string",
              "id": "javascript.aws-lambda.security.tainted-html-string.tainted-html-string",
              "name": "javascript.aws-lambda.security.tainted-html-string.tainted-html-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.aws-lambda.security.tainted-html-string.tainted-html-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3."
              },
              "help": {
                "markdown": "`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion)\n - [https://go.dev/doc/go1.22#minor_library_changes](https://go.dev/doc/go1.22#minor_library_changes)\n - [https://pkg.go.dev/crypto/tls#:~:text=MinVersion](https://pkg.go.dev/crypto/tls#:~:text=MinVersion)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n",
                "text": "`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion",
              "id": "go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion",
              "name": "go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."
              },
              "help": {
                "markdown": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n",
                "text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection",
              "id": "generic.nginx.security.header-injection.header-injection",
              "name": "generic.nginx.security.header-injection.header-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.nginx.security.header-injection.header-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead to encrypt communications."
              },
              "help": {
                "markdown": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead to encrypt communications.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection)\n - [https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool](https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool)\n",
                "text": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead to encrypt communications.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection",
              "id": "python.lang.security.audit.network.http-not-https-connection.http-not-https-connection",
              "name": "python.lang.security.audit.network.http-not-https-connection.http-not-https-connection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.network.http-not-https-connection.http-not-https-connection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "If unverified user data can reach the `phantom` methods, it can result in Server-Side Request Forgery vulnerabilities."
              },
              "help": {
                "markdown": "If unverified user data can reach the `phantom` methods, it can result in Server-Side Request Forgery vulnerabilities.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-phantom-injection.express-phantom-injection)\n - [https://phantomjs.org/page-automation.html](https://phantomjs.org/page-automation.html)\n",
                "text": "If unverified user data can reach the `phantom` methods, it can result in Server-Side Request Forgery vulnerabilities.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.express-phantom-injection.express-phantom-injection",
              "id": "javascript.express.security.express-phantom-injection.express-phantom-injection",
              "name": "javascript.express.security.express-phantom-injection.express-phantom-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.express-phantom-injection.express-phantom-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
              },
              "help": {
                "markdown": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
                "text": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des",
              "id": "python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des",
              "name": "python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution."
              },
              "help": {
                "markdown": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection)\n - [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)\n - [https://cwe.mitre.org/data/definitions/90](https://cwe.mitre.org/data/definitions/90)\n - [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example)\n",
                "text": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection",
              "id": "csharp.dotnet.security.audit.ldap-injection.ldap-injection",
              "name": "csharp.dotnet.security.audit.ldap-injection.ldap-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.audit.ldap-injection.ldap-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
              },
              "help": {
                "markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.audit.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.audit.sha224-hash.sha224-hash",
              "id": "ruby.lang.security.audit.sha224-hash.sha224-hash",
              "name": "ruby.lang.security.audit.sha224-hash.sha224-hash",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.audit.sha224-hash.sha224-hash"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The 'final' call of a Decipher object checks the authentication tag in a mode for authenticated encryption. Failing to call 'final' will invalidate all integrity guarantees of the released ciphertext."
              },
              "help": {
                "markdown": "The 'final' call of a Decipher object checks the authentication tag in a mode for authenticated encryption. Failing to call 'final' will invalidate all integrity guarantees of the released ciphertext.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.aead-no-final.aead-no-final)\n - [https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding](https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n",
                "text": "The 'final' call of a Decipher object checks the authentication tag in a mode for authenticated encryption. Failing to call 'final' will invalidate all integrity guarantees of the released ciphertext.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.node-crypto.security.aead-no-final.aead-no-final",
              "id": "javascript.node-crypto.security.aead-no-final.aead-no-final",
              "name": "javascript.node-crypto.security.aead-no-final.aead-no-final",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-310: CWE CATEGORY: Cryptographic Issues",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.node-crypto.security.aead-no-final.aead-no-final"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"
              },
              "help": {
                "markdown": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n",
                "text": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption",
              "id": "typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption",
              "name": "typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-311: Missing Encryption of Sensitive Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
              },
              "help": {
                "markdown": "Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk",
              "id": "terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk",
              "name": "terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-320: CWE CATEGORY: Key Management Errors",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."
              },
              "help": {
                "markdown": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\n",
                "text": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection",
              "id": "php.laravel.security.laravel-sql-injection.laravel-sql-injection",
              "name": "php.laravel.security.laravel-sql-injection.laravel-sql-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information."
              },
              "help": {
                "markdown": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated)\n - [https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard](https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
                "text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
              "id": "java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
              "name": "java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands."
              },
              "help": {
                "markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args",
              "id": "python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args",
              "name": "python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret",
              "id": "javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret",
              "name": "javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection."
              },
              "help": {
                "markdown": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.open-redirect.js-open-redirect)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
                "text": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.browser.security.open-redirect.js-open-redirect",
              "id": "javascript.browser.security.open-redirect.js-open-redirect",
              "name": "javascript.browser.security.open-redirect.js-open-redirect",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.browser.security.open-redirect.js-open-redirect"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request."
              },
              "help": {
                "markdown": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path",
              "id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path",
              "name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs."
              },
              "help": {
                "markdown": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect",
              "id": "java.lang.security.audit.unvalidated-redirect.unvalidated-redirect",
              "name": "java.lang.security.audit.unvalidated-redirect.unvalidated-redirect",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead."
              },
              "help": {
                "markdown": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter)\n",
                "text": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding",
              "id": "csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding",
              "name": "csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-780: Use of RSA Algorithm without OAEP",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure that Cloud SQL database Instances are not open to the world"
              },
              "help": {
                "markdown": "Ensure that Cloud SQL database Instances are not open to the world\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Ensure that Cloud SQL database Instances are not open to the world\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database",
              "id": "terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database",
              "name": "terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1220: Insufficient Granularity of Access Control",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views."
              },
              "help": {
                "markdown": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response",
              "id": "scala.play.security.tainted-html-response.tainted-html-response",
              "name": "scala.play.security.tainted-html-response.tainted-html-response",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.play.security.tainted-html-response.tainted-html-response"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
              },
              "help": {
                "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n",
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "id": "ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "name": "ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."
              },
              "help": {
                "markdown": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n",
                "text": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled",
              "id": "terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled",
              "name": "terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-778: Insufficient Logging",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A09:2021 - Security Logging and Monitoring Failures",
                  "OWASP-A09:2025 - Security Logging & Alerting Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."
              },
              "help": {
                "markdown": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response",
              "id": "javascript.aws-lambda.security.tainted-html-response.tainted-html-response",
              "name": "javascript.aws-lambda.security.tainted-html-response.tainted-html-response",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.aws-lambda.security.tainted-html-response.tainted-html-response"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Using the GrantPublicAccess method on bucket construct $X will make the objects in the bucket world accessible. Verify if this is intentional."
              },
              "help": {
                "markdown": "Using the GrantPublicAccess method on bucket construct $X will make the objects in the bucket world accessible. Verify if this is intentional.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html)\n",
                "text": "Using the GrantPublicAccess method on bucket construct $X will make the objects in the bucket world accessible. Verify if this is intentional.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod",
              "id": "typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod",
              "name": "typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-306: Missing Authentication for Critical Function",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Using RSA without OAEP mode weakens the encryption."
              },
              "help": {
                "markdown": "Using RSA without OAEP mode weakens the encryption.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding)\n - [https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/](https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/)\n",
                "text": "Using RSA without OAEP mode weakens the encryption.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding",
              "id": "java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding",
              "name": "java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991.  It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys.  It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as AES instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key.  Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."
              },
              "help": {
                "markdown": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991.  It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys.  It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as AES instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key.  Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\n",
                "text": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991.  It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys.  It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as AES instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key.  Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea",
              "id": "python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea",
              "name": "python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding`."
              },
              "help": {
                "markdown": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set",
              "id": "scala.lang.security.audit.rsa-padding-set.rsa-padding-set",
              "name": "scala.lang.security.audit.rsa-padding-set.rsa-padding-set",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-780: Use of RSA Algorithm without OAEP",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.lang.security.audit.rsa-padding-set.rsa-padding-set"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value",
              "id": "python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value",
              "name": "python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a cross-site scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML."
              },
              "help": {
                "markdown": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a cross-site scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
                "text": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a cross-site scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write",
              "id": "javascript.express.security.audit.xss.direct-response-write.direct-response-write",
              "name": "javascript.express.security.audit.xss.direct-response-write.direct-response-write",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.xss.direct-response-write.direct-response-write"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = ?', 'active')`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = ?', 'active')`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli)\n - [https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute](https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute)\n",
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = ?', 'active')`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli",
              "id": "python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli",
              "name": "python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
              },
              "help": {
                "markdown": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n",
                "text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret",
              "id": "python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret",
              "name": "python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated."
              },
              "help": {
                "markdown": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect",
              "id": "java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect",
              "name": "java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."
              },
              "help": {
                "markdown": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
                "text": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe",
              "id": "clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe",
              "name": "clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "Found a Pyramid cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value",
              "id": "python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value",
              "name": "python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "AWS EC2 Instance allowing use of the IMDSv1"
              },
              "help": {
                "markdown": "AWS EC2 Instance allowing use of the IMDSv1\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional)\n - [https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options)\n",
                "text": "AWS EC2 Instance allowing use of the IMDSv1\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional",
              "id": "terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional",
              "name": "terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-httponly-unsafe-value.pyramid-set-cookie-httponly-unsafe-value)\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n - [https://owasp.org/www-community/HttpOnly](https://owasp.org/www-community/HttpOnly)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#httponly-attribute](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#httponly-attribute)\n",
                "text": "Found a Pyramid cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-httponly-unsafe-value.pyramid-set-cookie-httponly-unsafe-value",
              "id": "python.pyramid.audit.set-cookie-httponly-unsafe-value.pyramid-set-cookie-httponly-unsafe-value",
              "name": "python.pyramid.audit.set-cookie-httponly-unsafe-value.pyramid-set-cookie-httponly-unsafe-value",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.set-cookie-httponly-unsafe-value.pyramid-set-cookie-httponly-unsafe-value"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
              },
              "help": {
                "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5",
              "id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5",
              "name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct."
              },
              "help": {
                "markdown": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69)\n",
                "text": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure",
              "id": "go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure",
              "name": "go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key",
              "id": "go.jwt-go.security.jwt.hardcoded-jwt-key",
              "name": "go.jwt-go.security.jwt.hardcoded-jwt-key",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.jwt-go.security.jwt.hardcoded-jwt-key"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."
              },
              "help": {
                "markdown": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
                "text": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open",
              "id": "python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open",
              "name": "python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."
              },
              "help": {
                "markdown": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n",
                "text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
              "id": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
              "name": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies."
              },
              "help": {
                "markdown": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires",
              "id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires",
              "name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."
              },
              "help": {
                "markdown": "The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv)\n - [https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options)\n",
                "text": "The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv",
              "id": "javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv",
              "name": "javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1204: Generation of Weak Initialization Vector (IV)",
                  "HIGH CONFIDENCE",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks."
              },
              "help": {
                "markdown": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly",
              "id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly",
              "name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."
              },
              "help": {
                "markdown": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
                "text": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to",
              "id": "ruby.rails.security.brakeman.check-redirect-to.check-redirect-to",
              "name": "ruby.rails.security.brakeman.check-redirect-to.check-redirect-to",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML."
              },
              "help": {
                "markdown": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n",
                "text": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
              "id": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
              "name": "typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."
              },
              "help": {
                "markdown": "User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL)\n",
                "text": "User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql",
              "id": "python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql",
              "name": "python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."
              },
              "help": {
                "markdown": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\n",
                "text": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code",
              "id": "terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code",
              "name": "terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."
              },
              "help": {
                "markdown": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n",
                "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal",
              "id": "java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal",
              "name": "java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."
              },
              "help": {
                "markdown": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval",
              "id": "bash.curl.security.curl-eval.curl-eval",
              "name": "bash.curl.security.curl-eval.curl-eval",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: bash.curl.security.curl-eval.curl-eval"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`."
              },
              "help": {
                "markdown": "User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute)\n - [https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection](https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection)\n",
                "text": "User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute",
              "id": "python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute",
              "name": "python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user data flowing into eval. This is code injection and should be avoided."
              },
              "help": {
                "markdown": "Detected user data flowing into eval. This is code injection and should be avoided.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-eval.eval-injection)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n",
                "text": "Detected user data flowing into eval. This is code injection and should be avoided.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.user-eval.eval-injection",
              "id": "python.flask.security.injection.user-eval.eval-injection",
              "name": "python.flask.security.injection.user-eval.eval-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.user-eval.eval-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
              },
              "help": {
                "markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
                "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access",
              "id": "ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access",
              "name": "ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Unencrypted request over HTTP detected."
              },
              "help": {
                "markdown": "Unencrypted request over HTTP detected.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n",
                "text": "Unencrypted request over HTTP detected.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request",
              "id": "typescript.react.security.react-insecure-request.react-insecure-request",
              "name": "typescript.react.security.react-insecure-request.react-insecure-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.react.security.react-insecure-request.react-insecure-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers."
              },
              "help": {
                "markdown": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing)\n - [https://cwe.mitre.org/data/definitions/548.html](https://cwe.mitre.org/data/definitions/548.html)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration/](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)\n - [https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing](https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing)\n",
                "text": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing",
              "id": "csharp.dotnet.security.audit.open-directory-listing.open-directory-listing",
              "name": "csharp.dotnet.security.audit.open-directory-listing.open-directory-listing",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-548: Exposure of Information Through Directory Listing",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.audit.open-directory-listing.open-directory-listing"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information."
              },
              "help": {
                "markdown": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n",
                "text": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system",
              "id": "python.django.security.injection.command.command-injection-os-system.command-injection-os-system",
              "name": "python.django.security.injection.command.command-injection-os-system.command-injection-os-system",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.command.command-injection-os-system.command-injection-os-system"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
              },
              "help": {
                "markdown": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
                "text": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb",
              "id": "java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb",
              "name": "java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
              },
              "help": {
                "markdown": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
                "text": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2",
              "id": "python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2",
              "name": "python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The libxml library processes user input with the `noent` attribute set to `true`, which can leave the application vulnerable to XML External Entity (XXE) attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected."
              },
              "help": {
                "markdown": "The libxml library processes user input with the `noent` attribute set to `true`, which can leave the application vulnerable to XML External Entity (XXE) attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n",
                "text": "The libxml library processes user input with the `noent` attribute set to `true`, which can leave the application vulnerable to XML External Entity (XXE) attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent",
              "id": "javascript.express.security.audit.express-libxml-noent.express-libxml-noent",
              "name": "javascript.express.security.audit.express-libxml-noent.express-libxml-noent",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-libxml-noent.express-libxml-noent"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher."
              },
              "help": {
                "markdown": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n - [https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2](https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2)\n",
                "text": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version",
              "id": "python.lang.security.audit.weak-ssl-version.weak-ssl-version",
              "name": "python.lang.security.audit.weak-ssl-version.weak-ssl-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.weak-ssl-version.weak-ssl-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."
              },
              "help": {
                "markdown": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n",
                "text": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli",
              "id": "ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli",
              "name": "ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."
              },
              "help": {
                "markdown": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector)\n - [https://cwe.mitre.org/data/definitions/329.html](https://cwe.mitre.org/data/definitions/329.html)\n",
                "text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector",
              "id": "java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector",
              "name": "java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-329: Generation of Predictable IV with CBC Mode",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Prefer Argon2id where possible. Per RFC 9106, section 4, the IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."
              },
              "help": {
                "markdown": "Prefer Argon2id where possible. Per RFC 9106, section 4, the IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\n",
                "text": "Prefer Argon2id where possible. Per RFC 9106, section 4, the IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config",
              "id": "javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config",
              "name": "javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-916: Use of Password Hash With Insufficient Computational Effort",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."
              },
              "help": {
                "markdown": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)\n",
                "text": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address",
              "id": "terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address",
              "name": "terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1220: Insufficient Granularity of Access Control",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."
              },
              "help": {
                "markdown": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string",
              "id": "python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string",
              "name": "python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL."
              },
              "help": {
                "markdown": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n",
                "text": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct SQL.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text",
              "id": "python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text",
              "name": "python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."
              },
              "help": {
                "markdown": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n - [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)\n",
                "text": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout",
              "id": "yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout",
              "name": "yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-913: Improper Control of Dynamically-Managed Code Resources",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default",
              "id": "python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default",
              "name": "python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."
              },
              "help": {
                "markdown": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n",
                "text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection",
              "id": "csharp.dotnet.security.razor-template-injection.razor-template-injection",
              "name": "csharp.dotnet.security.razor-template-injection.razor-template-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."
              },
              "help": {
                "markdown": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n",
                "text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme",
              "id": "generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme",
              "name": "generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-16: CWE CATEGORY: Configuration",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead."
              },
              "help": {
                "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string",
              "id": "python.aws-lambda.security.tainted-html-string.tainted-html-string",
              "name": "python.aws-lambda.security.tainted-html-string.tainted-html-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.tainted-html-string.tainted-html-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`."
              },
              "help": {
                "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://www.php.net/password_hash](https://www.php.net/password_hash)\n",
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password",
              "id": "php.lang.security.md5-used-as-password.md5-used-as-password",
              "name": "php.lang.security.md5-used-as-password.md5-used-as-password",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.md5-used-as-password.md5-used-as-password"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."
              },
              "help": {
                "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg",
              "id": "java.java-jwt.security.jwt-none-alg.java-jwt-none-alg",
              "name": "java.java-jwt.security.jwt-none-alg.java-jwt-none-alg",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.java-jwt.security.jwt-none-alg.java-jwt-none-alg"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS."
              },
              "help": {
                "markdown": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection())\n",
                "text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request",
              "id": "problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request",
              "name": "problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct."
              },
              "help": {
                "markdown": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69)\n",
                "text": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly",
              "id": "go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly",
              "name": "go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."
              },
              "help": {
                "markdown": "Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\n",
                "text": "Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls",
              "id": "go.lang.security.audit.net.use-tls.use-tls",
              "name": "go.lang.security.audit.net.use-tls.use-tls",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret",
              "id": "javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret",
              "name": "javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "certificate verification explicitly disabled, insecure connections possible"
              },
              "help": {
                "markdown": "certificate verification explicitly disabled, insecure connections possible\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
                "text": "certificate verification explicitly disabled, insecure connections possible\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation",
              "id": "python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation",
              "name": "python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-295: Improper Certificate Validation",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead."
              },
              "help": {
                "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format)\n - [https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render](https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render)\n - [https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection](https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection)\n",
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format",
              "id": "python.django.security.injection.raw-html-format.raw-html-format",
              "name": "python.django.security.injection.raw-html-format.raw-html-format",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.raw-html-format.raw-html-format"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Bucket $X is not set to enforce encryption-in-transit; if this is not explicitly set on the bucket policy, the property \"enforceSSL\" should be set to true"
              },
              "help": {
                "markdown": "Bucket $X is not set to enforce encryption-in-transit; if this is not explicitly set on the bucket policy, the property \"enforceSSL\" should be set to true\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n",
                "text": "Bucket $X is not set to enforce encryption-in-transit; if this is not explicitly set on the bucket policy, the property \"enforceSSL\" should be set to true\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl",
              "id": "typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl",
              "name": "typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."
              },
              "help": {
                "markdown": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller",
              "id": "ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller",
              "name": "ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A parameter being passed directly into `fromURL` most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."
              },
              "help": {
                "markdown": "A parameter being passed directly into `fromURL` most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.io-source-ssrf.io-source-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource](https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource)\n",
                "text": "A parameter being passed directly into `fromURL` most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.io-source-ssrf.io-source-ssrf",
              "id": "scala.lang.security.audit.io-source-ssrf.io-source-ssrf",
              "name": "scala.lang.security.audit.io-source-ssrf.io-source-ssrf",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.lang.security.audit.io-source-ssrf.io-source-ssrf"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API."
              },
              "help": {
                "markdown": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method)\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
                "text": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method",
              "id": "javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method",
              "name": "javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."
              },
              "help": {
                "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
              "id": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
              "name": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain."
              },
              "help": {
                "markdown": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n",
                "text": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults",
              "id": "swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults",
              "name": "swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-311: Missing Encryption of Sensitive Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs."
              },
              "help": {
                "markdown": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret)\n - [https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY](https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY)\n - [http://carnage.github.io/2015/08/cryptanalysis-of-hashids](http://carnage.github.io/2015/08/cryptanalysis-of-hashids)\n",
                "text": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret",
              "id": "python.django.security.hashids-with-django-secret.hashids-with-django-secret",
              "name": "python.django.security.hashids-with-django-secret.hashids-with-django-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 – Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.hashids-with-django-secret.hashids-with-django-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets. "
              },
              "help": {
                "markdown": "Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets. \n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file)\n - [https://kubernetes.io/docs/concepts/configuration/secret/](https://kubernetes.io/docs/concepts/configuration/secret/)\n - [https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF)\n - [https://docs.gitlab.com/ee/user/clusters/agent/gitops/secrets_management.html](https://docs.gitlab.com/ee/user/clusters/agent/gitops/secrets_management.html)\n - [https://www.cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets/](https://www.cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets/)\n - [https://github.com/bitnami-labs/sealed-secrets](https://github.com/bitnami-labs/sealed-secrets)\n - [https://www.cncf.io/blog/2022/01/25/secrets-management-essential-when-using-kubernetes/](https://www.cncf.io/blog/2022/01/25/secrets-management-essential-when-using-kubernetes/)\n - [https://blog.oddbit.com/post/2021-03-09-getting-started-with-ksops/](https://blog.oddbit.com/post/2021-03-09-getting-started-with-ksops/)\n",
                "text": "Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets. \n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file",
              "id": "yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file",
              "name": "yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from()."
              },
              "help": {
                "markdown": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)\n",
                "text": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization",
              "id": "javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization",
              "name": "javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "HIGH CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings."
              },
              "help": {
                "markdown": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)\n",
                "text": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration",
              "id": "javascript.express.security.cors-misconfiguration.cors-misconfiguration",
              "name": "javascript.express.security.cors-misconfiguration.cors-misconfiguration",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-346: Origin Validation Error",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.cors-misconfiguration.cors-misconfiguration"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block."
              },
              "help": {
                "markdown": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled)\n",
                "text": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert",
              "id": "terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert",
              "name": "terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-295: Improper Certificate Validation",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'."
              },
              "help": {
                "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli",
              "id": "csharp.lang.security.sqli.csharp-sqli.csharp-sqli",
              "name": "csharp.lang.security.sqli.csharp-sqli.csharp-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.sqli.csharp-sqli.csharp-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MITM attacks, and should not be used."
              },
              "help": {
                "markdown": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MITM attacks, and should not be used.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification)\n - [https://nodejs.org/api/https.html#https_https_request_options_callback](https://nodejs.org/api/https.html#https_https_request_options_callback)\n - [https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100](https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100)\n",
                "text": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MITM attacks, and should not be used.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification",
              "id": "problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification",
              "name": "problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The 'phpinfo' function may reveal sensitive information about your environment."
              },
              "help": {
                "markdown": "The 'phpinfo' function may reveal sensitive information about your environment.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use)\n - [https://www.php.net/manual/en/function.phpinfo](https://www.php.net/manual/en/function.phpinfo)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php)\n",
                "text": "The 'phpinfo' function may reveal sensitive information about your environment.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use",
              "id": "php.lang.security.phpinfo-use.phpinfo-use",
              "name": "php.lang.security.phpinfo-use.phpinfo-use",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.phpinfo-use.phpinfo-use"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks."
              },
              "help": {
                "markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
                "text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation",
              "id": "yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation",
              "name": "yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."
              },
              "help": {
                "markdown": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n",
                "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root",
              "id": "dockerfile.security.last-user-is-root.last-user-is-root",
              "name": "dockerfile.security.last-user-is-root.last-user-is-root",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-269: Improper Privilege Management",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "An encryption mode of operation is being used without proper message authentication. This can potentially allow the encrypted content to be decrypted by an attacker. Consider instead using an AEAD mode of operation like GCM. "
              },
              "help": {
                "markdown": "An encryption mode of operation is being used without proper message authentication. This can potentially allow the encrypted content to be decrypted by an attacker. Consider instead using an AEAD mode of operation like GCM. \n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "An encryption mode of operation is being used without proper message authentication. This can potentially allow the encrypted content to be decrypted by an attacker. Consider instead using an AEAD mode of operation like GCM. \n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication",
              "id": "python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication",
              "name": "python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers.  Each block of data is encrypted in the same way.  This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM."
              },
              "help": {
                "markdown": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers.  Each block of data is encrypted in the same way.  This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes)\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\n",
                "text": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers.  Each block of data is encrypted in the same way.  This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb",
              "id": "python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb",
              "name": "python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid cookie without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid cookie without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Found a Pyramid cookie without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value",
              "id": "python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value",
              "name": "python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1275: Sensitive Cookie with Improper SameSite Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
              },
              "help": {
                "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1",
              "id": "python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1",
              "name": "python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Detected a request using 'http://'. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use 'https://' instead."
              },
              "help": {
                "markdown": "Detected a request using 'http://'. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use 'https://' instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected a request using 'http://'. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use 'https://' instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http",
              "id": "python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http",
              "name": "python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability."
              },
              "help": {
                "markdown": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n",
                "text": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have an XSS vulnerability.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string",
              "id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string",
              "name": "go.lang.security.audit.net.formatted-template-string.formatted-template-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature.  Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."
              },
              "help": {
                "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature.  Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature.  Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5",
              "id": "python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5",
              "name": "python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher."
              },
              "help": {
                "markdown": "Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute)\n - [https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm&type=5](https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm&type=5)\n",
                "text": "Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute",
              "id": "generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute",
              "name": "generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "HIGH CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
              },
              "help": {
                "markdown": "Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd",
              "id": "go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd",
              "name": "go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."
              },
              "help": {
                "markdown": "Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\n",
                "text": "Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
              "id": "python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
              "name": "python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-287: Improper Authentication",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."
              },
              "help": {
                "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm",
              "id": "go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm",
              "name": "go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
              },
              "help": {
                "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1",
              "id": "kotlin.lang.security.use-of-sha1.use-of-sha1",
              "name": "kotlin.lang.security.use-of-sha1.use-of-sha1",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: kotlin.lang.security.use-of-sha1.use-of-sha1"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead."
              },
              "help": {
                "markdown": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query)\n - [https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection](https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
                "text": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query",
              "id": "php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query",
              "name": "php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "An encryption mode of operation is being used without message authentication. Unauthenticated ciphertext can be modified without detection, and chosen-ciphertext attacks (for example padding oracles) can let an attacker decrypt it. Use an AEAD mode of operation such as GCM instead, or authenticate the ciphertext with a MAC (encrypt-then-MAC)."
              },
              "help": {
                "markdown": "An encryption mode of operation is being used without message authentication. Unauthenticated ciphertext can be modified without detection, and chosen-ciphertext attacks (for example padding oracles) can let an attacker decrypt it. Use an AEAD mode of operation such as GCM instead, or authenticate the ciphertext with a MAC (encrypt-then-MAC).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.mode-without-authentication.crypto-mode-without-authentication)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "An encryption mode of operation is being used without message authentication. Unauthenticated ciphertext can be modified without detection, and chosen-ciphertext attacks (for example padding oracles) can let an attacker decrypt it. Use an AEAD mode of operation such as GCM instead, or authenticate the ciphertext with a MAC (encrypt-then-MAC).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.mode-without-authentication.crypto-mode-without-authentication",
              "id": "python.pycryptodome.security.mode-without-authentication.crypto-mode-without-authentication",
              "name": "python.pycryptodome.security.mode-without-authentication.crypto-mode-without-authentication",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.mode-without-authentication.crypto-mode-without-authentication"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."
              },
              "help": {
                "markdown": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\n",
                "text": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone",
              "id": "go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone",
              "name": "go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1275: Sensitive Cookie with Improper SameSite Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input controlling a file path. An attacker could control the location of this file, including traversing upward in the directory tree with '../'. To address this, ensure that user-controlled variables in file paths are validated. Stripping '../' alone is insufficient: resolve the final path (e.g. with File.getCanonicalPath()) and verify it remains inside the intended base directory before use. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."
              },
              "help": {
                "markdown": "Detected user input controlling a file path. An attacker could control the location of this file, including traversing upward in the directory tree with '../'. To address this, ensure that user-controlled variables in file paths are validated. Stripping '../' alone is insufficient: resolve the final path (e.g. with File.getCanonicalPath()) and verify it remains inside the intended base directory before use. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
                "text": "Detected user input controlling a file path. An attacker could control the location of this file, including traversing upward in the directory tree with '../'. To address this, ensure that user-controlled variables in file paths are validated. Stripping '../' alone is insufficient: resolve the final path (e.g. with File.getCanonicalPath()) and verify it remains inside the intended base directory before use. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path",
              "id": "java.spring.security.injection.tainted-file-path.tainted-file-path",
              "name": "java.spring.security.injection.tainted-file-path.tainted-file-path",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-23: Relative Path Traversal",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.injection.tainted-file-path.tainted-file-path"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
              },
              "help": {
                "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1",
              "id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1",
              "name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected subprocess function '$LOOP.subprocess_exec' with user-controlled data. 'subprocess_exec' takes an argument vector rather than a shell string, so quoting alone does not stop an attacker from choosing the program or its arguments: validate the tainted value against an allowlist. If the value is ever interpolated into a shell command line, quote it with 'shlex.quote()' (there is no 'shlex.escape()')."
              },
              "help": {
                "markdown": "Detected subprocess function '$LOOP.subprocess_exec' with user-controlled data. 'subprocess_exec' takes an argument vector rather than a shell string, so quoting alone does not stop an attacker from choosing the program or its arguments: validate the tainted value against an allowlist. If the value is ever interpolated into a shell command line, quote it with 'shlex.quote()' (there is no 'shlex.escape()').\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Detected subprocess function '$LOOP.subprocess_exec' with user-controlled data. 'subprocess_exec' takes an argument vector rather than a shell string, so quoting alone does not stop an attacker from choosing the program or its arguments: validate the tainted value against an allowlist. If the value is ever interpolated into a shell command line, quote it with 'shlex.quote()' (there is no 'shlex.escape()').\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args",
              "id": "python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args",
              "name": "python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don't use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information."
              },
              "help": {
                "markdown": "The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don't use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands)\n - [https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/](https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/)\n - [https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w](https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w)\n - [https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files](https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files)\n",
                "text": "The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don't use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands",
              "id": "yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands",
              "name": "yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-749: Exposed Dangerous Method or Function",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data or internal services. It is recommended, where possible, not to allow user-input to define the base request (scheme and host), but to treat it only as part of the path or query parameters. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including validating the destination host against an allowlist."
              },
              "help": {
                "markdown": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data or internal services. It is recommended, where possible, not to allow user-input to define the base request (scheme and host), but to treat it only as part of the path or query parameters. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including validating the destination host against an allowlist.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n",
                "text": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data or internal services. It is recommended, where possible, not to allow user-input to define the base request (scheme and host), but to treat it only as part of the path or query parameters. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including validating the destination host against an allowlist.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host",
              "id": "go.lang.security.injection.tainted-url-host.tainted-url-host",
              "name": "go.lang.security.injection.tainted-url-host.tainted-url-host",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.injection.tainted-url-host.tainted-url-host"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input, it results in code injection: the attacker can execute arbitrary JavaScript in the Node.js process, not merely inside the context. Do not let user input reach `vm` functions."
              },
              "help": {
                "markdown": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input, it results in code injection: the attacker can execute arbitrary JavaScript in the Node.js process, not merely inside the context. Do not let user input reach `vm` functions.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input, it results in code injection: the attacker can execute arbitrary JavaScript in the Node.js process, not merely inside the context. Do not let user input reach `vm` functions.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection",
              "id": "javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection",
              "name": "javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package."
              },
              "help": {
                "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://pkg.go.dev/golang.org/x/crypto/bcrypt](https://pkg.go.dev/golang.org/x/crypto/bcrypt)\n",
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password",
              "id": "go.lang.security.audit.md5-used-as-password.md5-used-as-password",
              "name": "go.lang.security.audit.md5-used-as-password.md5-used-as-password",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.md5-used-as-password.md5-used-as-password"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Possibly bypassable CSRF configuration found. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. Make sure that Content-Type black list is configured and CORS filter is turned on."
              },
              "help": {
                "markdown": "Possibly bypassable CSRF configuration found. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. Make sure that Content-Type black list is configured and CORS filter is turned on.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass)\n - [https://www.playframework.com/documentation/2.8.x/Migration25#CSRF-changes](https://www.playframework.com/documentation/2.8.x/Migration25#CSRF-changes)\n - [https://owasp.org/www-community/attacks/csrf](https://owasp.org/www-community/attacks/csrf)\n",
                "text": "Possibly bypassable CSRF configuration found. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. Make sure that Content-Type black list is configured and CORS filter is turned on.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass",
              "id": "scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass",
              "name": "scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Make sure that unverified user data can not reach `vm2`."
              },
              "help": {
                "markdown": "Make sure that unverified user data can not reach `vm2`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
                "text": "Make sure that unverified user data can not reach `vm2`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection",
              "id": "javascript.express.security.express-vm2-injection.express-vm2-injection",
              "name": "javascript.express.security.express-vm2-injection.express-vm2-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls."
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli)\n - [https://pkg.go.dev/database/sql#DB.Query](https://pkg.go.dev/database/sql#DB.Query)\n",
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli",
              "id": "go.aws-lambda.security.database-sqli.database-sqli",
              "name": "go.aws-lambda.security.database-sqli.database-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.aws-lambda.security.database-sqli.database-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes.  E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain."
              },
              "help": {
                "markdown": "Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes.  E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.redirect-to-request-uri.redirect-to-request-uri)\n - [https://www.php.net/manual/en/reserved.variables.server.php](https://www.php.net/manual/en/reserved.variables.server.php)\n - [https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html)\n",
                "text": "Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes.  E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.redirect-to-request-uri.redirect-to-request-uri",
              "id": "php.lang.security.redirect-to-request-uri.redirect-to-request-uri",
              "name": "php.lang.security.redirect-to-request-uri.redirect-to-request-uri",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.redirect-to-request-uri.redirect-to-request-uri"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use 'OpenSSL::SSL::VERIFY_PEER' instead."
              },
              "help": {
                "markdown": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use 'OpenSSL::SSL::VERIFY_PEER' instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
                "text": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use 'OpenSSL::SSL::VERIFY_PEER' instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify",
              "id": "ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify",
              "name": "ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-295: Improper Certificate Validation",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead."
              },
              "help": {
                "markdown": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES",
              "id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES",
              "name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."
              },
              "help": {
                "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n",
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request",
              "id": "scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request",
              "name": "scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."
              },
              "help": {
                "markdown": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n",
                "text": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
              "id": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
              "name": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-778: Insufficient Logging",
                  "HIGH CONFIDENCE",
                  "OWASP-A09:2021 - Security Logging and Monitoring Failures",
                  "OWASP-A09:2025 - Security Logging & Alerting Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\""
              },
              "help": {
                "markdown": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check)\n - [https://pkg.go.dev/github.com/gorilla/websocket#Upgrader](https://pkg.go.dev/github.com/gorilla/websocket#Upgrader)\n",
                "text": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check",
              "id": "go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check",
              "name": "go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands."
              },
              "help": {
                "markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args",
              "id": "python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args",
              "name": "python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Possible write outside of the destination; make sure that the target path is nested in the intended destination"
              },
              "help": {
                "markdown": "Possible write outside of the destination; make sure that the target path is nested in the intended destination\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
                "text": "Possible write outside of the destination; make sure that the target path is nested in the intended destination\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal",
              "id": "javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal",
              "name": "javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data."
              },
              "help": {
                "markdown": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv)\n - [https://csrc.nist.gov/publications/detail/sp/800-38a/final](https://csrc.nist.gov/publications/detail/sp/800-38a/final)\n",
                "text": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv",
              "id": "php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv",
              "name": "php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-329: Generation of Predictable IV with CBC Mode",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected usage of dangerous method $METHOD which does not escape inputs (see link in references). If the argument is user-controlled, this can lead to SQL injection. When using the $METHOD function, do not trust user-submitted data and only allow an approved list of inputs (possibly using an allowlist approach)."
              },
              "help": {
                "markdown": "Detected usage of dangerous method $METHOD which does not escape inputs (see link in references). If the argument is user-controlled, this can lead to SQL injection. When using the $METHOD function, do not trust user-submitted data and only allow an approved list of inputs (possibly using an allowlist approach).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage)\n - [https://gorm.io/docs/security.html#SQL-injection-Methods](https://gorm.io/docs/security.html#SQL-injection-Methods)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
                "text": "Detected usage of dangerous method $METHOD which does not escape inputs (see link in references). If the argument is user-controlled, this can lead to SQL injection. When using the $METHOD function, do not trust user-submitted data and only allow an approved list of inputs (possibly using an allowlist approach).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage",
              "id": "go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage",
              "name": "go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User input is passed to a function that executes a shell command. This can lead to remote code execution."
              },
              "help": {
                "markdown": "User input is passed to a function that executes a shell command. This can lead to remote code execution.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "User input is passed to a function that executes a shell command. This can lead to remote code execution.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec",
              "id": "php.lang.security.injection.tainted-exec.tainted-exec",
              "name": "php.lang.security.injection.tainted-exec.tainted-exec",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.injection.tainted-exec.tainted-exec"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default",
              "id": "python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default",
              "name": "python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite",
              "id": "python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite",
              "name": "python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1275: Sensitive Cookie with Improper SameSite Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."
              },
              "help": {
                "markdown": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version)\n - [https://www.landh.tech/blog/20230811-sandwich-attack/](https://www.landh.tech/blog/20230811-sandwich-attack/)\n",
                "text": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version",
              "id": "python.lang.security.insecure-uuid-version.insecure-uuid-version",
              "name": "python.lang.security.insecure-uuid-version.insecure-uuid-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-330: Use of Insufficiently Random Values",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.insecure-uuid-version.insecure-uuid-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The RSA key size $SIZE is insufficient by NIST standards. It is recommended to use a key length of 2048 or higher."
              },
              "help": {
                "markdown": "The RSA key size $SIZE is insufficient by NIST standards. It is recommended to use a key length of 2048 or higher.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n",
                "text": "The RSA key size $SIZE is insufficient by NIST standards. It is recommended to use a key length of 2048 or higher.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
              "id": "ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
              "name": "ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure web app is using the latest version of TLS encryption"
              },
              "help": {
                "markdown": "Ensure web app is using the latest version of TLS encryption\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure web app is using the latest version of TLS encryption\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version",
              "id": "terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version",
              "name": "terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks."
              },
              "help": {
                "markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
                "text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext",
              "id": "yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext",
              "name": "yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a request with potential user-input going into an OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSF), which automatically escapes HTML views."
              },
              "help": {
                "markdown": "Detected a request with potential user-input going into an OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSF), which automatically escapes HTML views.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer)\n - [https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html)\n",
                "text": "Detected a request with potential user-input going into an OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSF), which automatically escapes HTML views.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
              "id": "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
              "name": "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could, via a crafted JMS ObjectMessage, execute arbitrary code with the permissions of the application listening to/consuming JMS Messages. In this case, the JMS MessageListener consumes an ObjectMessage received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method."
              },
              "help": {
                "markdown": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could, via a crafted JMS ObjectMessage, execute arbitrary code with the permissions of the application listening to/consuming JMS Messages. In this case, the JMS MessageListener consumes an ObjectMessage received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)\n",
                "text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could, via a crafted JMS ObjectMessage, execute arbitrary code with the permissions of the application listening to/consuming JMS Messages. In this case, the JMS MessageListener consumes an ObjectMessage received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization",
              "id": "java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization",
              "name": "java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML."
              },
              "help": {
                "markdown": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln](https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Document/write](https://developer.mozilla.org/en-US/docs/Web/API/Document/write)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML)\n",
                "text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method",
              "id": "typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method",
              "name": "typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information."
              },
              "help": {
                "markdown": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
                "text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind",
              "id": "kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind",
              "name": "kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-287: Improper Authentication",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."
              },
              "help": {
                "markdown": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object",
              "id": "javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object",
              "name": "javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature.  Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."
              },
              "help": {
                "markdown": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature.  Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
                "text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature.  Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
              "id": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
              "name": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead."
              },
              "help": {
                "markdown": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection)\n - [https://github.com/argoproj/argo-workflows/issues/5061](https://github.com/argoproj/argo-workflows/issues/5061)\n - [https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370](https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370)\n",
                "text": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection",
              "id": "yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection",
              "name": "yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 – Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccompProfile: unconfined' to prevent this."
              },
              "help": {
                "markdown": "Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccompProfile: unconfined' to prevent this.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n",
                "text": "Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccompProfile: unconfined' to prevent this.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
              "id": "yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
              "name": "yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-284: Improper Access Control",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/cursor.html#cursor.execute](https://www.psycopg.org/docs/cursor.html#cursor.execute)\n - [https://www.psycopg.org/docs/cursor.html#cursor.executemany](https://www.psycopg.org/docs/cursor.html#cursor.executemany)\n - [https://www.psycopg.org/docs/cursor.html#cursor.mogrify](https://www.psycopg.org/docs/cursor.html#cursor.mogrify)\n",
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli",
              "id": "python.aws-lambda.security.psycopg-sqli.psycopg-sqli",
              "name": "python.aws-lambda.security.psycopg-sqli.psycopg-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.psycopg-sqli.psycopg-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."
              },
              "help": {
                "markdown": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
                "text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled",
              "id": "java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled",
              "name": "java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs."
              },
              "help": {
                "markdown": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.csv-writer-injection.csv-writer-injection)\n - [https://github.com/raphaelm/defusedcsv](https://github.com/raphaelm/defusedcsv)\n - [https://owasp.org/www-community/attacks/CSV_Injection](https://owasp.org/www-community/attacks/CSV_Injection)\n - [https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities](https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities)\n",
                "text": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.csv-writer-injection.csv-writer-injection",
              "id": "python.django.security.injection.csv-writer-injection.csv-writer-injection",
              "name": "python.django.security.injection.csv-writer-injection.csv-writer-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.csv-writer-injection.csv-writer-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure access logging is enabled for the Cloud Storage bucket so that requests against it are recorded."
              },
              "help": {
                "markdown": "Ensure access logging is enabled for the Cloud Storage bucket so that requests against it are recorded.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging)\n - [https://docs.bridgecrew.io/docs/google-cloud-policy-index](https://docs.bridgecrew.io/docs/google-cloud-policy-index)\n",
                "text": "Ensure access logging is enabled for the Cloud Storage bucket so that requests against it are recorded.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging",
              "id": "terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging",
              "name": "terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-778: Insufficient Logging",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A09:2021 - Security Logging and Monitoring Failures",
                  "OWASP-A09:2025 - Security Logging & Alerting Failures",
                  "OWASP-A10:2017 - Insufficient Logging & Monitoring",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary code on the server (remote code execution). Instead, refactor your code to not use 'exec' and instead use a safe library for the specific functionality you need."
              },
              "help": {
                "markdown": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary code on the server (remote code execution). Instead, refactor your code to not use 'exec' and instead use a safe library for the specific functionality you need.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n",
                "text": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary code on the server (remote code execution). Instead, refactor your code to not use 'exec' and instead use a safe library for the specific functionality you need.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string",
              "id": "python.django.security.injection.code.user-exec-format-string.user-exec-format-string",
              "name": "python.django.security.injection.code.user-exec-format-string.user-exec-format-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.code.user-exec-format-string.user-exec-format-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."
              },
              "help": {
                "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.python.org/3/library/hashlib.html#hashlib.scrypt](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt)\n",
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password",
              "id": "python.lang.security.audit.md5-used-as-password.md5-used-as-password",
              "name": "python.lang.security.audit.md5-used-as-password.md5-used-as-password",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.md5-used-as-password.md5-used-as-password"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Insecure SMTP connection detected. SSL server identity checking is disabled, so the client will accept a certificate issued for a different host and the connection can be intercepted by a man-in-the-middle. Enable hostname verification by setting 'email.setSSLCheckServerIdentity(true)'."
              },
              "help": {
                "markdown": "Insecure SMTP connection detected. SSL server identity checking is disabled, so the client will accept a certificate issued for a different host and the connection can be intercepted by a man-in-the-middle. Enable hostname verification by setting 'email.setSSLCheckServerIdentity(true)'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
                "text": "Insecure SMTP connection detected. SSL server identity checking is disabled, so the client will accept a certificate issued for a different host and the connection can be intercepted by a man-in-the-middle. Enable hostname verification by setting 'email.setSSLCheckServerIdentity(true)'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection",
              "id": "java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection",
              "name": "java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-297: Improper Validation of Certificate with Host Mismatch",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "By default, clients can connect to App Service using either HTTP or HTTPS. Disable plaintext HTTP by enabling the HTTPS Only setting (`https_only = true`), so that credentials and session data are not transmitted in cleartext."
              },
              "help": {
                "markdown": "By default, clients can connect to App Service using either HTTP or HTTPS. Disable plaintext HTTP by enabling the HTTPS Only setting (`https_only = true`), so that credentials and session data are not transmitted in cleartext.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only)\n - [https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https](https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https)\n",
                "text": "By default, clients can connect to App Service using either HTTP or HTTPS. Disable plaintext HTTP by enabling the HTTPS Only setting (`https_only = true`), so that credentials and session data are not transmitted in cleartext.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only",
              "id": "terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only",
              "name": "terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website."
              },
              "help": {
                "markdown": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n",
                "text": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect",
              "id": "javascript.express.security.audit.express-open-redirect.express-open-redirect",
              "name": "javascript.express.security.audit.express-open-redirect.express-open-redirect",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-open-redirect.express-open-redirect"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. If that is not possible, escape the value before interpolating it, like so: `escaped = client.escape(user_input)`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. If that is not possible, escape the value before interpolating it, like so: `escaped = client.escape(user_input)`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli)\n - [https://github.com/brianmario/mysql2](https://github.com/brianmario/mysql2)\n",
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. If that is not possible, escape the value before interpolating it, like so: `escaped = client.escape(user_input)`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli",
              "id": "ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli",
              "name": "ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure."
              },
              "help": {
                "markdown": "Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled",
              "id": "python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled",
              "name": "python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic."
              },
              "help": {
                "markdown": "The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission)\n - [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)\n",
                "text": "The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn",
              "id": "terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn",
              "name": "terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."
              },
              "help": {
                "markdown": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n",
                "text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment",
              "id": "csharp.dotnet.security.audit.mass-assignment.mass-assignment",
              "name": "csharp.dotnet.security.audit.mass-assignment.mass-assignment",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables."
              },
              "help": {
                "markdown": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled)\n - [https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/](https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/)\n",
                "text": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled",
              "id": "python.flask.security.audit.debug-enabled.debug-enabled",
              "name": "python.flask.security.audit.debug-enabled.debug-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-489: Active Debug Code",
                  "HIGH CONFIDENCE",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.audit.debug-enabled.debug-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
              },
              "help": {
                "markdown": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher",
              "id": "java.lang.security.audit.crypto.no-null-cipher.no-null-cipher",
              "name": "java.lang.security.audit.crypto.no-null-cipher.no-null-cipher",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.no-null-cipher.no-null-cipher"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. "
              },
              "help": {
                "markdown": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. \n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions)\n - [https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole)\n - [https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice](https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups)\n",
                "text": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. \n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions",
              "id": "yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions",
              "name": "yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-269: Improper Privilege Management",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Deserializing into `interface{}` allows arbitrary data structures and types, which can lead to security vulnerabilities (CWE-502). Use a concrete struct type instead."
              },
              "help": {
                "markdown": "Deserializing into `interface{}` allows arbitrary data structures and types, which can lead to security vulnerabilities (CWE-502). Use a concrete struct type instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n",
                "text": "Deserializing into `interface{}` allows arbitrary data structures and types, which can lead to security vulnerabilities (CWE-502). Use a concrete struct type instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface",
              "id": "go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface",
              "name": "go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "HIGH CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure that MySQL server enables infrastructure encryption"
              },
              "help": {
                "markdown": "Ensure that MySQL server enables infrastructure encryption\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure that MySQL server enables infrastructure encryption\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled",
              "id": "terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled",
              "name": "terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-320: CWE CATEGORY: Key Management Errors",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'."
              },
              "help": {
                "markdown": "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\n",
                "text": "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection",
              "id": "go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection",
              "name": "go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-300: Channel Accessible by Non-Endpoint",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n",
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli",
              "id": "ruby.aws-lambda.security.pg-sqli.pg-sqli",
              "name": "ruby.aws-lambda.security.pg-sqli.pg-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.aws-lambda.security.pg-sqli.pg-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected data rendered directly to the end user via 'Response'. This bypasses Pyramid's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid's template engines to safely render HTML."
              },
              "help": {
                "markdown": "Detected data rendered directly to the end user via 'Response'. This bypasses Pyramid's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid's template engines to safely render HTML.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected data rendered directly to the end user via 'Response'. This bypasses Pyramid's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid's template engines to safely render HTML.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response",
              "id": "python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response",
              "name": "python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code."
              },
              "help": {
                "markdown": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args",
              "id": "python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args",
              "name": "python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User controllable data `$REQ` enters `$RES.render(...)`; this can lead to the loading of other HTML/templating pages that the user may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render, or use an allow list for the existing application."
              },
              "help": {
                "markdown": "User controllable data `$REQ` enters `$RES.render(...)`; this can lead to the loading of other HTML/templating pages that the user may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render, or use an allow list for the existing application.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection)\n - [http://expressjs.com/en/4x/api.html#res.render](http://expressjs.com/en/4x/api.html#res.render)\n",
                "text": "User controllable data `$REQ` enters `$RES.render(...)`; this can lead to the loading of other HTML/templating pages that the user may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render, or use an allow list for the existing application.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection",
              "id": "javascript.express.security.audit.res-render-injection.res-render-injection",
              "name": "javascript.express.security.audit.res-render-injection.res-render-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-706: Use of Incorrectly-Resolved Name or Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.res-render-injection.res-render-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Not specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0"
              },
              "help": {
                "markdown": "Not specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0)\n",
                "text": "Not specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout",
              "id": "csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout",
              "name": "csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1333: Inefficient Regular Expression Complexity",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration."
              },
              "help": {
                "markdown": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug)\n - [https://docs.scala-lang.org/overviews/compiler-options/index.html](https://docs.scala-lang.org/overviews/compiler-options/index.html)\n",
                "text": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug",
              "id": "scala.lang.security.audit.scalac-debug.scalac-debug",
              "name": "scala.lang.security.audit.scalac-debug.scalac-debug",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-489: Active Debug Code",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.lang.security.audit.scalac-debug.scalac-debug"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key."
              },
              "help": {
                "markdown": "## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n",
                "text": "## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation",
              "id": "ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation",
              "name": "ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-276: Incorrect Default Permissions",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Allowing an attacker to manipulate the session may lead to unintended behavior."
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable when you expand it, like this: \"$ENVVAR\"."
              },
              "help": {
                "markdown": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable when you expand it, like this: \"$ENVVAR\".\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n",
                "text": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable when you expand it, like this: \"$ENVVAR\".\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection",
              "id": "yaml.github-actions.security.run-shell-injection.run-shell-injection",
              "name": "yaml.github-actions.security.run-shell-injection.run-shell-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."
              },
              "help": {
                "markdown": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n",
                "text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host",
              "id": "generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host",
              "name": "generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "$V Found an incorrectly-anchored regex passed to `validates_format_of` or `validate ... format => ...`. In Ruby, `^` and `$` match at line boundaries rather than at the start and end of the whole string, so a value containing a newline can pass the validation. Anchor the regex with `\\A` (start of string) and `\\z` (end of string; `\\Z` also permits a single trailing newline) instead."
              },
              "help": {
                "markdown": "$V Found an incorrectly-anchored regex passed to `validates_format_of` or `validate ... format => ...`. In Ruby, `^` and `$` match at line boundaries rather than at the start and end of the whole string, so a value containing a newline can pass the validation. Anchor the regex with `\\A` (start of string) and `\\z` (end of string; `\\Z` also permits a single trailing newline) instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-validation-regex.check-validation-regex)\n - [https://brakemanscanner.org/docs/warning_types/format_validation/](https://brakemanscanner.org/docs/warning_types/format_validation/)\n - [https://github.com/presidentbeef/brakeman/blob/aef6253a8b7bcb97116f2af1ed2a561a6ae35bd5/test/apps/rails3/app/models/account.rb](https://github.com/presidentbeef/brakeman/blob/aef6253a8b7bcb97116f2af1ed2a561a6ae35bd5/test/apps/rails3/app/models/account.rb)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/account.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/account.rb)\n",
                "text": "$V Found an incorrectly-anchored regex passed to `validates_format_of` or `validate ... format => ...`. In Ruby, `^` and `$` match at line boundaries rather than at the start and end of the whole string, so a value containing a newline can pass the validation. Anchor the regex with `\\A` (start of string) and `\\z` (end of string; `\\Z` also permits a single trailing newline) instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-validation-regex.check-validation-regex",
              "id": "ruby.rails.security.brakeman.check-validation-regex.check-validation-regex",
              "name": "ruby.rails.security.brakeman.check-validation-regex.check-validation-regex",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-185: Incorrect Regular Expression",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-validation-regex.check-validation-regex"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."
              },
              "help": {
                "markdown": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\n",
                "text": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session",
              "id": "php.lang.security.injection.tainted-session.tainted-session",
              "name": "php.lang.security.injection.tainted-session.tainted-session",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-284: Improper Access Control",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found 'x-openai-isConsequential: false' in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the 'Always Allow' option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the 'Always Allow' button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security  and user friction and then make a risk-based decision about this function."
              },
              "help": {
                "markdown": "Found 'x-openai-isConsequential: false' in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the 'Always Allow' option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the 'Always Allow' button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security  and user friction and then make a risk-based decision about this function.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false)\n - [https://platform.openai.com/docs/actions/consequential-flag](https://platform.openai.com/docs/actions/consequential-flag)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf](https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf)\n",
                "text": "Found 'x-openai-isConsequential: false' in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the 'Always Allow' option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the 'Always Allow' button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security  and user friction and then make a risk-based decision about this function.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false",
              "id": "yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false",
              "name": "yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')",
                  "HIGH CONFIDENCE",
                  "OWASP-A04:2021 Insecure Design",
                  "OWASP-LLM08:2023 - Excessive Agency",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can."
              },
              "help": {
                "markdown": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
              "id": "java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
              "name": "java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."
              },
              "help": {
                "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
                "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded",
              "id": "kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded",
              "name": "kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."
              },
              "help": {
                "markdown": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
                "text": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
              "id": "java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
              "name": "java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. For example, `knex.raw('SELECT * FROM table WHERE id = ?', [userinput])` binds the value through knex's `?` placeholder instead of interpolating it into the SQL string, which helps prevent SQLi."
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. For example, `knex.raw('SELECT * FROM table WHERE id = ?', [userinput])` binds the value through knex's `?` placeholder instead of interpolating it into the SQL string, which helps prevent SQLi.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n",
                "text": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. For example, `knex.raw('SELECT * FROM table WHERE id = ?', [userinput])` binds the value through knex's `?` placeholder instead of interpolating it into the SQL string, which helps prevent SQLi.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli",
              "id": "javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli",
              "name": "javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."
              },
              "help": {
                "markdown": "Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\n",
                "text": "Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec",
              "id": "ruby.lang.security.dangerous-exec.dangerous-exec",
              "name": "ruby.lang.security.dangerous-exec.dangerous-exec",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities."
              },
              "help": {
                "markdown": "Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit)\n - [https://developer.wordpress.org/reference/functions/wp_safe_remote_get/](https://developer.wordpress.org/reference/functions/wp_safe_remote_get/)\n - [https://developer.wordpress.org/reference/functions/wp_remote_get/](https://developer.wordpress.org/reference/functions/wp_remote_get/)\n - [https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/](https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/)\n",
                "text": "Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit",
              "id": "php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit",
              "name": "php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code."
              },
              "help": {
                "markdown": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-testcapi-run-in-subinterp-tainted-env-args.dangerous-testcapi-run-in-subinterp-tainted-env-args)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-testcapi-run-in-subinterp-tainted-env-args.dangerous-testcapi-run-in-subinterp-tainted-env-args",
              "id": "python.lang.security.audit.dangerous-testcapi-run-in-subinterp-tainted-env-args.dangerous-testcapi-run-in-subinterp-tainted-env-args",
              "name": "python.lang.security.audit.dangerous-testcapi-run-in-subinterp-tainted-env-args.dangerous-testcapi-run-in-subinterp-tainted-env-args",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.dangerous-testcapi-run-in-subinterp-tainted-env-args.dangerous-testcapi-run-in-subinterp-tainted-env-args"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot"
              },
              "help": {
                "markdown": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only",
              "id": "terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only",
              "name": "terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"
              },
              "help": {
                "markdown": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret",
              "id": "scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret",
              "name": "scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using user input for generating SQL strings; bind it as a query parameter instead of splicing it into the statement as a literal."
              },
              "help": {
                "markdown": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using user input for generating SQL strings; bind it as a query parameter instead of splicing it into the statement as a literal.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n - [https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code](https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code)\n",
                "text": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using user input for generating SQL strings; bind it as a query parameter instead of splicing it into the statement as a literal.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli",
              "id": "scala.play.security.tainted-slick-sqli.tainted-slick-sqli",
              "name": "scala.play.security.tainted-slick-sqli.tainted-slick-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.play.security.tainted-slick-sqli.tainted-slick-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found an improperly constructed control flow block with `request.get?`. Rails routes HEAD requests like GET requests, but they fail the `request.get?` check, so a HEAD request falls through to the `else` branch and can trigger unexpected behavior unless an explicit `elsif` condition handles it."
              },
              "help": {
                "markdown": "Found an improperly constructed control flow block with `request.get?`. Rails routes HEAD requests like GET requests, but they fail the `request.get?` check, so a HEAD request falls through to the `else` branch and can trigger unexpected behavior unless an explicit `elsif` condition handles it.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/accounts_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/accounts_controller.rb)\n",
                "text": "Found an improperly constructed control flow block with `request.get?`. Rails routes HEAD requests like GET requests, but they fail the `request.get?` check, so a HEAD request falls through to the `else` branch and can trigger unexpected behavior unless an explicit `elsif` condition handles it.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion",
              "id": "ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion",
              "name": "ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-650: Trusting HTTP Permission Methods on the Server Side",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret",
              "id": "java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret",
              "name": "java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."
              },
              "help": {
                "markdown": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
                "text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy",
              "id": "terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy",
              "name": "terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure all Cloud SQL database instances require incoming connections to use SSL. For SQL Server, `ssl_mode=\"ENCRYPTED_ONLY\"` is the most secure value that is supported."
              },
              "help": {
                "markdown": "Ensure all Cloud SQL database instances require incoming connections to use SSL. For SQL Server, `ssl_mode=\"ENCRYPTED_ONLY\"` is the most secure value that is supported.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver)\n - [https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure all Cloud SQL database instances require incoming connections to use SSL. For SQL Server, `ssl_mode=\"ENCRYPTED_ONLY\"` is the most secure value that is supported.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver",
              "id": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver",
              "name": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The target origin of the window.postMessage() API is set to \"*\". This could allow information disclosure, because any origin that is loaded in the target window at the time of the call can receive the message."
              },
              "help": {
                "markdown": "The target origin of the window.postMessage() API is set to \"*\". This could allow information disclosure, because any origin that is loaded in the target window at the time of the call can receive the message.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
                "text": "The target origin of the window.postMessage() API is set to \"*\". This could allow information disclosure, because any origin that is loaded in the target window at the time of the call can receive the message.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
              "id": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
              "name": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-345: Insufficient Verification of Data Authenticity",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found request parameters in a call to `render` in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk."
              },
              "help": {
                "markdown": "Found request parameters in a call to `render` in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include)\n - [https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion)\n - [https://github.com/presidentbeef/brakeman/blob/f74cb53ead47f0af821d98b5b41e16d63100c240/test/apps/rails2/app/views/home/test_render.html.erb](https://github.com/presidentbeef/brakeman/blob/f74cb53ead47f0af821d98b5b41e16d63100c240/test/apps/rails2/app/views/home/test_render.html.erb)\n",
                "text": "Found request parameters in a call to `render` in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include",
              "id": "ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include",
              "name": "ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account."
              },
              "help": {
                "markdown": "The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted",
              "id": "terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted",
              "name": "terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-320: CWE CATEGORY: Key Management Errors",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"
              },
              "help": {
                "markdown": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\n",
                "text": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash",
              "id": "javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash",
              "name": "javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-287: Improper Authentication",
                  "MEDIUM CONFIDENCE",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Semgrep found a bash reverse shell"
              },
              "help": {
                "markdown": "Semgrep found a bash reverse shell\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Semgrep found a bash reverse shell\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell",
              "id": "generic.ci.security.bash-reverse-shell.bash_reverse_shell",
              "name": "generic.ci.security.bash-reverse-shell.bash_reverse_shell",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.ci.security.bash-reverse-shell.bash_reverse_shell"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Database instance has no logging. Without logging, security-relevant database events cannot be detected, alerted on, or investigated after the fact."
              },
              "help": {
                "markdown": "Database instance has no logging. Without logging, security-relevant database events cannot be detected, alerted on, or investigated after the fact.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "Database instance has no logging. Without logging, security-relevant database events cannot be detected, alerted on, or investigated after the fact.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging",
              "id": "terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging",
              "name": "terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-311: Missing Encryption of Sensitive Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Spring Boot Actuator \"$ACTUATOR\" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured."
              },
              "help": {
                "markdown": "Spring Boot Actuator \"$ACTUATOR\" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n",
                "text": "Spring Boot Actuator \"$ACTUATOR\" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml",
              "id": "java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml",
              "name": "java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary code on the system. Instead, refactor your code to not use 'exec' and instead use a safe library for the specific functionality you need."
              },
              "help": {
                "markdown": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary code on the system. Instead, refactor your code to not use 'exec' and instead use a safe library for the specific functionality you need.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n",
                "text": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary code on the system. Instead, refactor your code to not use 'exec' and instead use a safe library for the specific functionality you need.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec",
              "id": "python.django.security.injection.code.user-exec.user-exec",
              "name": "python.django.security.injection.code.user-exec.user-exec",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.code.user-exec.user-exec"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters."
              },
              "help": {
                "markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
                "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host",
              "id": "java.spring.security.injection.tainted-url-host.tainted-url-host",
              "name": "java.spring.security.injection.tainted-url-host.tainted-url-host",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.injection.tainted-url-host.tainted-url-host"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitly. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using 'shlex.split()' for this purpose. Note that `shell=False` only prevents shell metacharacter injection; attacker-controlled arguments can still change what the program does, so validate the command and its arguments against an allowlist."
              },
              "help": {
                "markdown": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitly. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using 'shlex.split()' for this purpose. Note that `shell=False` only prevents shell metacharacter injection; attacker-controlled arguments can still change what the program does, so validate the command and its arguments against an allowlist.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
                "text": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitly. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using 'shlex.split()' for this purpose. Note that `shell=False` only prevents shell metacharacter injection; attacker-controlled arguments can still change what the program does, so validate the command and its arguments against an allowlist.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use",
              "id": "python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use",
              "name": "python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped."
              },
              "help": {
                "markdown": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf",
              "id": "go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf",
              "name": "go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."
              },
              "help": {
                "markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
                "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify",
              "id": "java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify",
              "name": "java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-345: Insufficient Verification of Data Authenticity",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries."
              },
              "help": {
                "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n",
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string",
              "id": "ruby.rails.security.injection.tainted-sql-string.tainted-sql-string",
              "name": "ruby.rails.security.injection.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.injection.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
              },
              "help": {
                "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
              "id": "python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
              "name": "python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "`Echo`ing user input risks a cross-site scripting vulnerability. Use `htmlentities()` when showing data to users. Note that HTML entity encoding is only sufficient for output in the HTML body; data placed in attributes, JavaScript, or URLs needs context-appropriate escaping."
              },
              "help": {
                "markdown": "`Echo`ing user input risks a cross-site scripting vulnerability. Use `htmlentities()` when showing data to users. Note that HTML entity encoding is only sufficient for output in the HTML body; data placed in attributes, JavaScript, or URLs needs context-appropriate escaping.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request)\n - [https://www.php.net/manual/en/function.htmlentities.php](https://www.php.net/manual/en/function.htmlentities.php)\n - [https://www.php.net/manual/en/reserved.variables.request.php](https://www.php.net/manual/en/reserved.variables.request.php)\n - [https://www.php.net/manual/en/reserved.variables.post.php](https://www.php.net/manual/en/reserved.variables.post.php)\n - [https://www.php.net/manual/en/reserved.variables.get.php](https://www.php.net/manual/en/reserved.variables.get.php)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
                "text": "`Echo`ing user input risks a cross-site scripting vulnerability. Use `htmlentities()` when showing data to users. Note that HTML entity encoding is only sufficient for output in the HTML body; data placed in attributes, JavaScript, or URLs needs context-appropriate escaping.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request",
              "id": "php.lang.security.injection.echoed-request.echoed-request",
              "name": "php.lang.security.injection.echoed-request.echoed-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.injection.echoed-request.echoed-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts."
              },
              "help": {
                "markdown": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active)\n - [https://cwe.mitre.org/data/definitions/778.html](https://cwe.mitre.org/data/definitions/778.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode)\n - [https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html](https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html)\n",
                "text": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active",
              "id": "terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active",
              "name": "terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-778: Insufficient Logging",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A09:2021 Security Logging and Monitoring Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
              },
              "help": {
                "markdown": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
                "text": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish",
              "id": "python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish",
              "name": "python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."
              },
              "help": {
                "markdown": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n",
                "text": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load",
              "id": "python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load",
              "name": "python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that  makes it vulnerable to birthday attacks, and is therefore considered non-compliant.  Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
              },
              "help": {
                "markdown": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that  makes it vulnerable to birthday attacks, and is therefore considered non-compliant.  Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
                "text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that  makes it vulnerable to birthday attacks, and is therefore considered non-compliant.  Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish",
              "id": "java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish",
              "name": "java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context."
              },
              "help": {
                "markdown": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust)\n - [https://angular.io/api/platform-browser/DomSanitizer](https://angular.io/api/platform-browser/DomSanitizer)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
                "text": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust",
              "id": "typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust",
              "name": "typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Allowing spawning of arbitrary programs or running shell processes with arbitrary arguments may result in a command injection vulnerability. Try to avoid non-literal values for the command string. If that is not possible, do not allow running arbitrary commands; use a whitelist for inputs."
              },
              "help": {
                "markdown": "Allowing spawning of arbitrary programs or running shell processes with arbitrary arguments may result in a command injection vulnerability. Try to avoid non-literal values for the command string. If that is not possible, do not allow running arbitrary commands; use a whitelist for inputs.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Allowing spawning of arbitrary programs or running shell processes with arbitrary arguments may result in a command injection vulnerability. Try to avoid non-literal values for the command string. If that is not possible, do not allow running arbitrary commands; use a whitelist for inputs.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process",
              "id": "javascript.aws-lambda.security.detect-child-process.detect-child-process",
              "name": "javascript.aws-lambda.security.detect-child-process.detect-child-process",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.aws-lambda.security.detect-child-process.detect-child-process"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."
              },
              "help": {
                "markdown": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection)\n - [https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac](https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac)\n",
                "text": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection",
              "id": "python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection",
              "name": "python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected usage of 'http.FileServer' as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files."
              },
              "help": {
                "markdown": "Detected usage of 'http.FileServer' as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.fs-directory-listing.fs-directory-listing)\n - [https://github.com/OWASP/Go-SCP](https://github.com/OWASP/Go-SCP)\n - [https://cwe.mitre.org/data/definitions/548.html](https://cwe.mitre.org/data/definitions/548.html)\n",
                "text": "Detected usage of 'http.FileServer' as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.fs-directory-listing.fs-directory-listing",
              "id": "go.lang.security.audit.net.fs-directory-listing.fs-directory-listing",
              "name": "go.lang.security.audit.net.fs-directory-listing.fs-directory-listing",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-548: Exposure of Information Through Directory Listing",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.net.fs-directory-listing.fs-directory-listing"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "GCM IV/nonce is reused: encryption can be totally useless"
              },
              "help": {
                "markdown": "GCM IV/nonce is reused: encryption can be totally useless\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "GCM IV/nonce is reused: encryption can be totally useless\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse",
              "id": "java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse",
              "name": "java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-323: Reusing a Nonce, Key Pair in Encryption",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."
              },
              "help": {
                "markdown": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n",
                "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true",
              "id": "java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true",
              "name": "java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause SQL injection if the developer inputs raw SQL into the aforementioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user input into the raw SQL with any function besides \"bindparams\". Use \"bindparams\" to securely bind user input to SQL statements."
              },
              "help": {
                "markdown": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause SQL injection if the developer inputs raw SQL into the aforementioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user input into the raw SQL with any function besides \"bindparams\". Use \"bindparams\" to securely bind user input to SQL statements.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection)\n - [https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data](https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data)\n",
                "text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause SQL injection if the developer inputs raw SQL into the aforementioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user input into the raw SQL with any function besides \"bindparams\". Use \"bindparams\" to securely bind user input to SQL statements.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection",
              "id": "python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection",
              "name": "python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value."
              },
              "help": {
                "markdown": "Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-secrets.check-secrets)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n - [https://github.com/presidentbeef/brakeman/blob/3f5d5d5f00864cdf7769c50f5bd26f1769a4ba75/test/apps/rails3.1/app/controllers/users_controller.rb](https://github.com/presidentbeef/brakeman/blob/3f5d5d5f00864cdf7769c50f5bd26f1769a4ba75/test/apps/rails3.1/app/controllers/users_controller.rb)\n",
                "text": "Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-secrets.check-secrets",
              "id": "ruby.rails.security.brakeman.check-secrets.check-secrets",
              "name": "ruby.rails.security.brakeman.check-secrets.check-secrets",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-secrets.check-secrets"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using 'credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")'."
              },
              "help": {
                "markdown": "Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using 'credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\n",
                "text": "Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using 'credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection",
              "id": "go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection",
              "name": "go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-300: Channel Accessible by Non-Endpoint",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`"
              },
              "help": {
                "markdown": "Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-before-filter.check-before-filter)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-before-filter.check-before-filter",
              "id": "ruby.rails.security.brakeman.check-before-filter.check-before-filter",
              "name": "ruby.rails.security.brakeman.check-before-filter.check-before-filter",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-284: Improper Access Control",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-before-filter.check-before-filter"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."
              },
              "help": {
                "markdown": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\n",
                "text": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted",
              "id": "terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted",
              "name": "terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-311: Missing Encryption of Sensitive Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode=\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"`."
              },
              "help": {
                "markdown": "Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode=\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql)\n - [https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode=\"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql",
              "id": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql",
              "name": "terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)"
              },
              "help": {
                "markdown": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off)\n - [https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/](https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/)\n",
                "text": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off",
              "id": "php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off",
              "name": "php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request."
              },
              "help": {
                "markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
                "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests",
              "id": "python.flask.security.injection.ssrf-requests.ssrf-requests",
              "name": "python.flask.security.injection.ssrf-requests.ssrf-requests",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.ssrf-requests.ssrf-requests"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values."
              },
              "help": {
                "markdown": "Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
              "id": "java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
              "name": "java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
              },
              "help": {
                "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
                "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
              "id": "python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
              "name": "python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid Authentication Ticket cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid Authentication Ticket cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-secure-unsafe-default.pyramid-authtkt-cookie-secure-unsafe-default)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "Found a Pyramid Authentication Ticket cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-secure-unsafe-default.pyramid-authtkt-cookie-secure-unsafe-default",
              "id": "python.pyramid.audit.authtkt-cookie-secure-unsafe-default.pyramid-authtkt-cookie-secure-unsafe-default",
              "name": "python.pyramid.audit.authtkt-cookie-secure-unsafe-default.pyramid-authtkt-cookie-secure-unsafe-default",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.authtkt-cookie-secure-unsafe-default.pyramid-authtkt-cookie-secure-unsafe-default"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The Shai-hulud backdoor creates a purposefully vulnerable github action with the name `discussion.yaml`."
              },
              "help": {
                "markdown": "The Shai-hulud backdoor creates a purposefully vulnerable github action with the name `discussion.yaml`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor)\n - [https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains](https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains)\n",
                "text": "The Shai-hulud backdoor creates a purposefully vulnerable github action with the name `discussion.yaml`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor",
              "id": "yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor",
              "name": "yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-509: Replicating Malicious Code (Virus or Worm)",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."
              },
              "help": {
                "markdown": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n",
                "text": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization",
              "id": "csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization",
              "name": "csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so."
              },
              "help": {
                "markdown": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted",
              "id": "terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted",
              "name": "terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher."
              },
              "help": {
                "markdown": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\n - [https://www.pycryptodome.org/src/public_key/dsa](https://www.pycryptodome.org/src/public_key/dsa)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)\n",
                "text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
              "id": "python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
              "name": "python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command.  Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`."
              },
              "help": {
                "markdown": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command.  Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command.  Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request",
              "id": "java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request",
              "name": "java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-454: External Initialization of Trusted Variables or Data Stores",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
              },
              "help": {
                "markdown": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link)\n - [https://cwe.mitre.org/data/definitions/319.html](https://cwe.mitre.org/data/definitions/319.html)\n",
                "text": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link",
              "id": "html.security.plaintext-http-link.plaintext-http-link",
              "name": "html.security.plaintext-http-link.plaintext-http-link",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: html.security.plaintext-http-link.plaintext-http-link"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."
              },
              "help": {
                "markdown": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http",
              "id": "python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http",
              "name": "python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."
              },
              "help": {
                "markdown": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\n",
                "text": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy",
              "id": "terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy",
              "name": "terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."
              },
              "help": {
                "markdown": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser)\n",
                "text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe",
              "id": "java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe",
              "name": "java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."
              },
              "help": {
                "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string",
              "id": "php.lang.security.injection.tainted-sql-string.tainted-sql-string",
              "name": "php.lang.security.injection.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory."
              },
              "help": {
                "markdown": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
                "text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing",
              "id": "java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing",
              "name": "java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands."
              },
              "help": {
                "markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-spawn-process.dangerous-spawn-process)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-spawn-process.dangerous-spawn-process",
              "id": "python.lang.security.dangerous-spawn-process.dangerous-spawn-process",
              "name": "python.lang.security.dangerous-spawn-process.dangerous-spawn-process",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.dangerous-spawn-process.dangerous-spawn-process"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "'$VAR' is the empty string and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the password to None or call 'set_unusable_password()'."
              },
              "help": {
                "markdown": "'$VAR' is the empty string and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the password to None or call 'set_unusable_password()'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.passwords.password-empty-string.password-empty-string)\n - [https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password](https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password)\n",
                "text": "'$VAR' is the empty string and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the password to None or call 'set_unusable_password()'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.passwords.password-empty-string.password-empty-string",
              "id": "python.django.security.passwords.password-empty-string.password-empty-string",
              "name": "python.django.security.passwords.password-empty-string.password-empty-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-521: Weak Password Requirements",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.passwords.password-empty-string.password-empty-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Do not use `math/rand`. Use `crypto/rand` instead."
              },
              "help": {
                "markdown": "Do not use `math/rand`. Use `crypto/rand` instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\n",
                "text": "Do not use `math/rand`. Use `crypto/rand` instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used",
              "id": "go.lang.security.audit.crypto.math_random.math-random-used",
              "name": "go.lang.security.audit.crypto.math_random.math-random-used",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."
              },
              "help": {
                "markdown": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n",
                "text": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse",
              "id": "python.django.security.injection.request-data-fileresponse.request-data-fileresponse",
              "name": "python.django.security.injection.request-data-fileresponse.request-data-fileresponse",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.request-data-fileresponse.request-data-fileresponse"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."
              },
              "help": {
                "markdown": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\n",
                "text": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted",
              "id": "terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted",
              "name": "terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-311: Missing Encryption of Sensitive Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."
              },
              "help": {
                "markdown": "Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n",
                "text": "Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos",
              "id": "ruby.rails.security.brakeman.check-regex-dos.check-regex-dos",
              "name": "ruby.rails.security.brakeman.check-regex-dos.check-regex-dos",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1333: Inefficient Regular Expression Complexity",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries."
              },
              "help": {
                "markdown": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb)\n",
                "text": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql",
              "id": "ruby.rails.security.brakeman.check-sql.check-sql",
              "name": "ruby.rails.security.brakeman.check-sql.check-sql",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-sql.check-sql"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead."
              },
              "help": {
                "markdown": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8)\n",
                "text": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation",
              "id": "csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation",
              "name": "csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-295: Improper Certificate Validation",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The TokenValidationParameters.$LIFETIME is set to $FALSE, which means the JWT token's lifetime is not validated. This can lead to a JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used."
              },
              "help": {
                "markdown": "The TokenValidationParameters.$LIFETIME is set to $FALSE, which means the JWT token's lifetime is not validated. This can lead to a JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://cwe.mitre.org/data/definitions/613.html](https://cwe.mitre.org/data/definitions/613.html)\n - [https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet](https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet)\n",
                "text": "The TokenValidationParameters.$LIFETIME is set to $FALSE, which means the JWT token's lifetime is not validated. This can lead to a JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation",
              "id": "csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation",
              "name": "csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-613: Insufficient Session Expiration",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."
              },
              "help": {
                "markdown": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint",
              "id": "dockerfile.security.missing-user-entrypoint.missing-user-entrypoint",
              "name": "dockerfile.security.missing-user-entrypoint.missing-user-entrypoint",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-269: Improper Privilege Management",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket."
              },
              "help": {
                "markdown": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement)\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html)\n",
                "text": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
              "id": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
              "name": "json.aws.security.public-s3-policy-statement.public-s3-policy-statement",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: json.aws.security.public-s3-policy-statement.public-s3-policy-statement"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."
              },
              "help": {
                "markdown": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n",
                "text": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
              "id": "java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
              "name": "java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "RSA keys should be at least 2048 bits based on NIST recommendation."
              },
              "help": {
                "markdown": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
                "text": "RSA keys should be at least 2048 bits based on NIST recommendation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key",
              "id": "java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key",
              "name": "java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML."
              },
              "help": {
                "markdown": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n",
                "text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property",
              "id": "typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property",
              "name": "typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables."
              },
              "help": {
                "markdown": "Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data)\n - [https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes](https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes)\n",
                "text": "Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data",
              "id": "php.lang.security.deserialization.extract-user-data",
              "name": "php.lang.security.deserialization.extract-user-data",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.deserialization.extract-user-data"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval."
              },
              "help": {
                "markdown": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval",
              "id": "ruby.lang.security.no-eval.ruby-eval",
              "name": "ruby.lang.security.no-eval.ruby-eval",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.no-eval.ruby-eval"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."
              },
              "help": {
                "markdown": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n",
                "text": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body",
              "id": "python.django.security.injection.email.xss-html-email-body.xss-html-email-body",
              "name": "python.django.security.injection.email.xss-html-email-body.xss-html-email-body",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.email.xss-html-email-body.xss-html-email-body"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
              },
              "help": {
                "markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
                "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call",
              "id": "ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call",
              "name": "ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE."
              },
              "help": {
                "markdown": "The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/)\n",
                "text": "The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags",
              "id": "terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags",
              "name": "terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-345: Insufficient Verification of Data Authenticity",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "In $METHOD, $X is used to construct a SQL query via string concatenation."
              },
              "help": {
                "markdown": "In $METHOD, $X is used to construct a SQL query via string concatenation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "In $METHOD, $X is used to construct a SQL query via string concatenation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation",
              "id": "java.jboss.security.session_sqli.find-sql-string-concatenation",
              "name": "java.jboss.security.session_sqli.find-sql-string-concatenation",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.jboss.security.session_sqli.find-sql-string-concatenation"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation."
              },
              "help": {
                "markdown": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk",
              "id": "terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk",
              "name": "terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-320: CWE CATEGORY: Key Management Errors",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities."
              },
              "help": {
                "markdown": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled)\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
                "text": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled",
              "id": "javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled",
              "name": "javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "HIGH CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "In Kubernetes, each pod runs in its own isolated environment with its own  set of security policies. However, certain container images may contain  `setuid` or `setgid` binaries that could allow an attacker to perform  privilege escalation and gain access to sensitive resources. To mitigate  this risk, it's recommended to add a `securityContext` to the container in  the pod, with the parameter `allowPrivilegeEscalation` set to `false`.  This will prevent the container from running any privileged processes and  limit the impact of any potential attacks.  In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privilege escalation attacks."
              },
              "help": {
                "markdown": "In Kubernetes, each pod runs in its own isolated environment with its own  set of security policies. However, certain container images may contain  `setuid` or `setgid` binaries that could allow an attacker to perform  privilege escalation and gain access to sensitive resources. To mitigate  this risk, it's recommended to add a `securityContext` to the container in  the pod, with the parameter `allowPrivilegeEscalation` set to `false`.  This will prevent the container from running any privileged processes and  limit the impact of any potential attacks.  In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privilege escalation attacks.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n",
                "text": "In Kubernetes, each pod runs in its own isolated environment with its own  set of security policies. However, certain container images may contain  `setuid` or `setgid` binaries that could allow an attacker to perform  privilege escalation and gain access to sensitive resources. To mitigate  this risk, it's recommended to add a `securityContext` to the container in  the pod, with the parameter `allowPrivilegeEscalation` set to `false`.  This will prevent the container from running any privileged processes and  limit the impact of any potential attacks.  In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privilege escalation attacks.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true",
              "id": "yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true",
              "name": "yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library."
              },
              "help": {
                "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://golang.org/doc/database/sql-injection](https://golang.org/doc/database/sql-injection)\n - [https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/](https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/)\n",
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string",
              "id": "go.lang.security.injection.tainted-sql-string.tainted-sql-string",
              "name": "go.lang.security.injection.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.injection.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`."
              },
              "help": {
                "markdown": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)\n",
                "text": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration",
              "id": "javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration",
              "name": "javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected the decoding of a JWT token without a verify step. Don't use `ParseUnverified` unless you know what you're doing. This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it."
              },
              "help": {
                "markdown": "Detected the decoding of a JWT token without a verify step. Don't use `ParseUnverified` unless you know what you're doing. This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
                "text": "Detected the decoding of a JWT token without a verify step. Don't use `ParseUnverified` unless you know what you're doing. This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified",
              "id": "go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified",
              "name": "go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-345: Insufficient Verification of Data Authenticity",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli)\n - [https://node-postgres.com/features/queries](https://node-postgres.com/features/queries)\n",
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli",
              "id": "javascript.aws-lambda.security.pg-sqli.pg-sqli",
              "name": "javascript.aws-lambda.security.pg-sqli.pg-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.aws-lambda.security.pg-sqli.pg-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"
              },
              "help": {
                "markdown": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n",
                "text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe",
              "id": "javascript.express.security.express-xml2json-xxe.express-xml2json-xxe",
              "name": "javascript.express.security.express-xml2json-xxe.express-xml2json-xxe",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."
              },
              "help": {
                "markdown": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\n",
                "text": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.distributed.security.require-encryption",
              "id": "python.distributed.security.require-encryption",
              "name": "python.distributed.security.require-encryption",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.distributed.security.require-encryption"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."
              },
              "help": {
                "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg",
              "id": "javascript.jose.security.jwt-none-alg.jwt-none-alg",
              "name": "javascript.jose.security.jwt-none-alg.jwt-none-alg",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse. "
              },
              "help": {
                "markdown": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse. \n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
                "text": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse. \n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf",
              "id": "javascript.express.security.audit.express-ssrf.express-ssrf",
              "name": "javascript.express.security.audit.express-ssrf.express-ssrf",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created > ?\", author_id, start_date]`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created > ?\", author_id, start_date]`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli)\n - [https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql](https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql)\n",
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created > ?\", author_id, start_date]`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli",
              "id": "ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli",
              "name": "ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege."
              },
              "help": {
                "markdown": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
                "text": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal",
              "id": "terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal",
              "name": "terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability."
              },
              "help": {
                "markdown": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call",
              "id": "python.lang.security.dangerous-system-call.dangerous-system-call",
              "name": "python.lang.security.dangerous-system-call.dangerous-system-call",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.dangerous-system-call.dangerous-system-call"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely."
              },
              "help": {
                "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n",
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format",
              "id": "go.lang.security.injection.raw-html-format.raw-html-format",
              "name": "go.lang.security.injection.raw-html-format.raw-html-format",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.injection.raw-html-format.raw-html-format"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure all Elasticsearch domains have node-to-node encryption enabled."
              },
              "help": {
                "markdown": "Ensure all Elasticsearch domains have node-to-node encryption enabled.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure all Elasticsearch domains have node-to-node encryption enabled.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled",
              "id": "terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled",
              "name": "terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."
              },
              "help": {
                "markdown": "Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\n",
                "text": "Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service",
              "id": "yaml.docker-compose.security.privileged-service.privileged-service",
              "name": "yaml.docker-compose.security.privileged-service.privileged-service",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-250: Execution with Unnecessary Privileges",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, and artifacts publicly accessible, including builds prior to the project being made public. Ensure this is acceptable for the project."
              },
              "help": {
                "markdown": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, and artifacts publicly accessible, including builds prior to the project being made public. Ensure this is acceptable for the project.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public)\n - [https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html](https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html)\n",
                "text": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, and artifacts publicly accessible, including builds prior to the project being made public. Ensure this is acceptable for the project.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
              "id": "typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
              "name": "typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-306: Missing Authentication for Critical Function",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead."
              },
              "help": {
                "markdown": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size",
              "id": "java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size",
              "name": "java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an AWS API Gateway using an insecure version of TLS. To fix this issue, set \"security_policy\" to \"TLS_1_2\"."
              },
              "help": {
                "markdown": "Detected an AWS API Gateway using an insecure version of TLS. To fix this issue, set \"security_policy\" to \"TLS_1_2\".\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected an AWS API Gateway using an insecure version of TLS. To fix this issue, set \"security_policy\" to \"TLS_1_2\".\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version",
              "id": "terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version",
              "name": "terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
              "id": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
              "name": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User-controlled data in an HTML string may result in XSS"
              },
              "help": {
                "markdown": "User-controlled data in an HTML string may result in XSS\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n",
                "text": "User-controlled data in an HTML string may result in XSS\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat",
              "id": "javascript.browser.security.raw-html-concat.raw-html-concat",
              "name": "javascript.browser.security.raw-html-concat.raw-html-concat",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.browser.security.raw-html-concat.raw-html-concat"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions."
              },
              "help": {
                "markdown": "Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n",
                "text": "Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled",
              "id": "python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled",
              "name": "python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-116: Improper Encoding or Escaping of Output",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next."
              },
              "help": {
                "markdown": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain",
              "id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain",
              "name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem."
              },
              "help": {
                "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n",
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password",
              "id": "ruby.lang.security.md5-used-as-password.md5-used-as-password",
              "name": "ruby.lang.security.md5-used-as-password.md5-used-as-password",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.md5-used-as-password.md5-used-as-password"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead."
              },
              "help": {
                "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.raw-html-concat.raw-html-format)\n - [https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss](https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss)\n",
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.raw-html-concat.raw-html-format",
              "id": "python.flask.security.injection.raw-html-concat.raw-html-format",
              "name": "python.flask.security.injection.raw-html-concat.raw-html-format",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.raw-html-concat.raw-html-format"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials",
              "id": "terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials",
              "name": "terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`."
              },
              "help": {
                "markdown": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n",
                "text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role",
              "id": "json.aws.security.wildcard-assume-role.wildcard-assume-role",
              "name": "json.aws.security.wildcard-assume-role.wildcard-assume-role",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-250: Execution with Unnecessary Privileges",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information."
              },
              "help": {
                "markdown": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n",
                "text": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure",
              "id": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure",
              "name": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-532: Insertion of Sensitive Information into Log File",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A09:2021 - Security Logging and Monitoring Failures",
                  "OWASP-A09:2025 - Security Logging & Alerting Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an Azure Storage account that is not configured to enforce HTTPS-only traffic. Add `enable_https_traffic_only = true` in your resource block."
              },
              "help": {
                "markdown": "Detected an Azure Storage account that is not configured to enforce HTTPS-only traffic. Add `enable_https_traffic_only = true` in your resource block.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer](https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer)\n",
                "text": "Detected an Azure Storage account that is not configured to enforce HTTPS-only traffic. Add `enable_https_traffic_only = true` in your resource block.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https",
              "id": "terraform.azure.security.storage.storage-enforce-https.storage-enforce-https",
              "name": "terraform.azure.security.storage.storage-enforce-https.storage-enforce-https",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.storage.storage-enforce-https.storage-enforce-https"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."
              },
              "help": {
                "markdown": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n",
                "text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing",
              "id": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing",
              "name": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "XMLInputFactory is being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), and port scanning. Make sure to disable entity processing functionality."
              },
              "help": {
                "markdown": "XMLInputFactory is being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), and port scanning. Make sure to disable entity processing functionality.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "XMLInputFactory is being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), and port scanning. Make sure to disable entity processing functionality.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled",
              "id": "scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled",
              "name": "scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\", \"TLSv1.2_2021\", \"TLSv1.2_2025\" or \"TLSv1.3_2025\"`."
              },
              "help": {
                "markdown": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\", \"TLSv1.2_2021\", \"TLSv1.2_2025\" or \"TLSv1.3_2025\"`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\", \"TLSv1.2_2021\", \"TLSv1.2_2025\" or \"TLSv1.3_2025\"`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version",
              "id": "terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version",
              "name": "terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."
              },
              "help": {
                "markdown": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n",
                "text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command",
              "id": "java.spring.security.injection.tainted-system-command.tainted-system-command",
              "name": "java.spring.security.injection.tainted-system-command.tainted-system-command",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\n",
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli",
              "id": "python.aws-lambda.security.pymssql-sqli.pymssql-sqli",
              "name": "python.aws-lambda.security.pymssql-sqli.pymssql-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."
              },
              "help": {
                "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils",
              "id": "java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils",
              "name": "java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions."
              },
              "help": {
                "markdown": "Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n",
                "text": "Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled",
              "id": "python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled",
              "name": "python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-116: Improper Encoding or Escaping of Output",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."
              },
              "help": {
                "markdown": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection",
              "id": "python.django.security.injection.command.subprocess-injection.subprocess-injection",
              "name": "python.django.security.injection.command.subprocess-injection.subprocess-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.command.subprocess-injection.subprocess-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."
              },
              "help": {
                "markdown": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\n",
                "text": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings",
              "id": "scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings",
              "name": "scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"
              },
              "help": {
                "markdown": "Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n",
                "text": "Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event",
              "id": "javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event",
              "name": "javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'. Encode.forHtml is correct only for HTML element content; if the value lands in an attribute, a script block or a URL, use the encoder that matches that context (Encode.forHtmlAttribute, Encode.forJavaScript, Encode.forUriComponent)."
              },
              "help": {
                "markdown": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'. Encode.forHtml is correct only for HTML element content; if the value lands in an attribute, a script block or a URL, use the encoder that matches that context (Encode.forHtmlAttribute, Encode.forJavaScript, Encode.forUriComponent).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'. Encode.forHtml is correct only for HTML element content; if the value lands in an attribute, a script block or a URL, use the encoder that matches that context (Encode.forHtmlAttribute, Encode.forJavaScript, Encode.forUriComponent).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss",
              "id": "java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss",
              "name": "java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."
              },
              "help": {
                "markdown": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)\n",
                "text": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
              "id": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
              "name": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead. Note that a plain SSLSocket does not check the server's hostname against its certificate by default; enable endpoint identification (SSLParameters.setEndpointIdentificationAlgorithm('HTTPS')) or the connection stays open to man-in-the-middle with any trusted certificate."
              },
              "help": {
                "markdown": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead. Note that a plain SSLSocket does not check the server's hostname against its certificate by default; enable endpoint identification (SSLParameters.setEndpointIdentificationAlgorithm('HTTPS')) or the connection stays open to man-in-the-middle with any trusted certificate.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead. Note that a plain SSLSocket does not check the server's hostname against its certificate by default; enable endpoint identification (SSLParameters.setEndpointIdentificationAlgorithm('HTTPS')) or the connection stays open to man-in-the-middle with any trusted certificate.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket",
              "id": "java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket",
              "name": "java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT ? from table', [userinput])` (knex uses `?` as its positional binding placeholder; a literal `$1` is not bound)"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT ? from table', [userinput])` (knex uses `?` as its positional binding placeholder; a literal `$1` is not bound)\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli)\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\n",
                "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT ? from table', [userinput])` (knex uses `?` as its positional binding placeholder; a literal `$1` is not bound)\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli",
              "id": "javascript.aws-lambda.security.knex-sqli.knex-sqli",
              "name": "javascript.aws-lambda.security.knex-sqli.knex-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.aws-lambda.security.knex-sqli.knex-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The top-level wildcard binding $PREFIX leaves your application open to security vulnerabilities and gives attackers more control over where traffic is routed. If you must use wildcards, consider using a subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\"."
              },
              "help": {
                "markdown": "The top-level wildcard binding $PREFIX leaves your application open to security vulnerabilities and gives attackers more control over where traffic is routed. If you must use wildcards, consider using a subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0)\n",
                "text": "The top-level wildcard binding $PREFIX leaves your application open to security vulnerabilities and gives attackers more control over where traffic is routed. If you must use wildcards, consider using a subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings",
              "id": "csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings",
              "name": "csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-706: Use of Incorrectly-Resolved Name or Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie, which prevents cookie theft through XSS (it does not stop XSS itself: an injected script can still issue requests that carry the cookie). Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Cookie."
              },
              "help": {
                "markdown": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie, which prevents cookie theft through XSS (it does not stop XSS itself: an injected script can still issue requests that carry the cookie). Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Cookie.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\n",
                "text": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie, which prevents cookie theft through XSS (it does not stop XSS itself: an injected script can still issue requests that carry the cookie). Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Cookie.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly",
              "id": "go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly",
              "name": "go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."
              },
              "help": {
                "markdown": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection",
              "id": "python.flask.security.injection.subprocess-injection.subprocess-injection",
              "name": "python.flask.security.injection.subprocess-injection.subprocess-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.subprocess-injection.subprocess-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user-controlled request data passed into an HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized."
              },
              "help": {
                "markdown": "Found user-controlled request data passed into an HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n",
                "text": "Found user-controlled request data passed into an HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest",
              "id": "python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest",
              "name": "python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "This rule has been deprecated, as all S3 buckets are encrypted by default (SSE-S3, AWS-managed keys) with no way to disable it. Note that the default does not give you customer-managed KMS keys; if your policy requires SSE-KMS, configure it explicitly with aws_s3_bucket_server_side_encryption_configuration, since this deprecated rule no longer checks for it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info."
              },
              "help": {
                "markdown": "This rule has been deprecated, as all S3 buckets are encrypted by default (SSE-S3, AWS-managed keys) with no way to disable it. Note that the default does not give you customer-managed KMS keys; if your policy requires SSE-KMS, configure it explicitly with aws_s3_bucket_server_side_encryption_configuration, since this deprecated rule no longer checks for it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html)\n",
                "text": "This rule has been deprecated, as all S3 buckets are encrypted by default (SSE-S3, AWS-managed keys) with no way to disable it. Note that the default does not give you customer-managed KMS keys; if your policy requires SSE-KMS, configure it explicitly with aws_s3_bucket_server_side_encryption_configuration, since this deprecated rule no longer checks for it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket",
              "id": "terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket",
              "name": "terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-311: Missing Encryption of Sensitive Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
              },
              "help": {
                "markdown": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n",
                "text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization",
              "id": "python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization",
              "name": "python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
              },
              "help": {
                "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "id": "python.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "name": "python.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "'$http_host' and '$host' variables may contain a malicious value from an attacker-controlled 'Host' request header. Use an explicitly configured host value or an allow list for validation."
              },
              "help": {
                "markdown": "'$http_host' and '$host' variables may contain a malicious value from an attacker-controlled 'Host' request header. Use an explicitly configured host value or an allow list for validation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md)\n - [https://portswigger.net/web-security/host-header](https://portswigger.net/web-security/host-header)\n",
                "text": "'$http_host' and '$host' variables may contain a malicious value from an attacker-controlled 'Host' request header. Use an explicitly configured host value or an allow list for validation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used",
              "id": "generic.nginx.security.request-host-used.request-host-used",
              "name": "generic.nginx.security.request-host-used.request-host-used",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-290: Authentication Bypass by Spoofing",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.nginx.security.request-host-used.request-host-used"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
              },
              "help": {
                "markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash",
              "id": "php.lang.security.audit.sha224-hash.sha224-hash",
              "name": "php.lang.security.audit.sha224-hash.sha224-hash",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.audit.sha224-hash.sha224-hash"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data, and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead, the Python documentation recommends using `defusedxml`."
              },
              "help": {
                "markdown": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data, and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead, the Python documentation recommends using `defusedxml`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse)\n - [https://docs.python.org/3/library/xml.html](https://docs.python.org/3/library/xml.html)\n - [https://github.com/tiran/defusedxml](https://github.com/tiran/defusedxml)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n",
                "text": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data, and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead, the Python documentation recommends using `defusedxml`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse",
              "id": "python.lang.security.use-defused-xml-parse.use-defused-xml-parse",
              "name": "python.lang.security.use-defused-xml-parse.use-defused-xml-parse",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.use-defused-xml-parse.use-defused-xml-parse"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."
              },
              "help": {
                "markdown": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n",
                "text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine",
              "id": "csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine",
              "name": "csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."
              },
              "help": {
                "markdown": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces",
              "id": "go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces",
              "name": "go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption."
              },
              "help": {
                "markdown": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key)\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\n - [https://cwe.mitre.org/data/definitions/310.html](https://cwe.mitre.org/data/definitions/310.html)\n",
                "text": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key",
              "id": "python.cryptography.security.empty-aes-key.empty-aes-key",
              "name": "python.cryptography.security.empty-aes-key.empty-aes-key",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-310: Cryptographic Issues",
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A6:2017 misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.empty-aes-key.empty-aes-key"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control the data written into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized."
              },
              "help": {
                "markdown": "Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control the data written into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control the data written into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write",
              "id": "python.django.security.injection.request-data-write.request-data-write",
              "name": "python.django.security.injection.request-data-write.request-data-write",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.request-data-write.request-data-write"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block."
              },
              "help": {
                "markdown": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version)\n",
                "text": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy",
              "id": "terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy",
              "name": "terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`."
              },
              "help": {
                "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory](https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory)\n - [https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html)\n",
                "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password",
              "id": "java.lang.security.audit.md5-used-as-password.md5-used-as-password",
              "name": "java.lang.security.audit.md5-used-as-password.md5-used-as-password",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.md5-used-as-password.md5-used-as-password"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure, so it should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
              },
              "help": {
                "markdown": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure, so it should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n",
                "text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure, so it should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes",
              "id": "java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes",
              "name": "java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command."
              },
              "help": {
                "markdown": "Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec)\n - [https://www.stackhawk.com/blog/php-command-injection/](https://www.stackhawk.com/blog/php-command-injection/)\n - [https://brightsec.com/blog/code-injection-php/](https://brightsec.com/blog/code-injection-php/)\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\n",
                "text": "Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec",
              "id": "php.lang.security.tainted-exec.tainted-exec",
              "name": "php.lang.security.tainted-exec.tainted-exec",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.tainted-exec.tainted-exec"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:<identity>`."
              },
              "help": {
                "markdown": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:<identity>`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n",
                "text": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:<identity>`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal",
              "id": "terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal",
              "name": "terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Basic authentication is considered weak and should be avoided.  Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."
              },
              "help": {
                "markdown": "Basic authentication is considered weak and should be avoided.  Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n",
                "text": "Basic authentication is considered weak and should be avoided.  Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication",
              "id": "yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication",
              "name": "yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-287: Improper Authentication",
                  "HIGH CONFIDENCE",
                  "OWASP-A04:2021 Insecure Design",
                  "OWASP-A07:2021 Identification and Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on <apex:outputText> tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."
              },
              "help": {
                "markdown": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on <apex:outputText> tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\n",
                "text": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on <apex:outputText> tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param",
              "id": "generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param",
              "name": "generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."
              },
              "help": {
                "markdown": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\n",
                "text": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec",
              "id": "terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec",
              "name": "terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')",
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure"
              },
              "help": {
                "markdown": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security)\n",
                "text": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization",
              "id": "csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization",
              "name": "csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing."
              },
              "help": {
                "markdown": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n",
                "text": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile",
              "id": "javascript.express.security.audit.express-res-sendfile.express-res-sendfile",
              "name": "javascript.express.security.audit.express-res-sendfile.express-res-sendfile",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-73: External Control of File Name or Path",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-res-sendfile.express-res-sendfile"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
              },
              "help": {
                "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5)\n - [https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
              "id": "python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
              "name": "python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"
              },
              "help": {
                "markdown": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\n",
                "text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2",
              "id": "terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2",
              "name": "terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."
              },
              "help": {
                "markdown": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n",
                "text": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4",
              "id": "python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4",
              "name": "python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within."
              },
              "help": {
                "markdown": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
                "text": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format",
              "id": "javascript.express.security.injection.raw-html-format.raw-html-format",
              "name": "javascript.express.security.injection.raw-html-format.raw-html-format",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.injection.raw-html-format.raw-html-format"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."
              },
              "help": {
                "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5",
              "id": "java.lang.security.audit.crypto.use-of-md5.use-of-md5",
              "name": "java.lang.security.audit.crypto.use-of-md5.use-of-md5",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-md5.use-of-md5"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
              },
              "help": {
                "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
              "id": "python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
              "name": "python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."
              },
              "help": {
                "markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n",
                "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override",
              "id": "csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override",
              "name": "csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "'ssl.wrap_socket()' is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using 'ssl.SSLContext()' and use that to wrap a socket."
              },
              "help": {
                "markdown": "'ssl.wrap_socket()' is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using 'ssl.SSLContext()' and use that to wrap a socket.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated)\n - [https://docs.python.org/3/library/ssl.html#ssl.wrap_socket](https://docs.python.org/3/library/ssl.html#ssl.wrap_socket)\n - [https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket)\n",
                "text": "'ssl.wrap_socket()' is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using 'ssl.SSLContext()' and use that to wrap a socket.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated",
              "id": "python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated",
              "name": "python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts."
              },
              "help": {
                "markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/arkadiyt/ssrf_filter](https://github.com/arkadiyt/ssrf_filter)\n",
                "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.tainted-url-host.tainted-url-host",
              "id": "ruby.rails.security.injection.tainted-url-host.tainted-url-host",
              "name": "ruby.rails.security.injection.tainted-url-host.tainted-url-host",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.injection.tainted-url-host.tainted-url-host"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."
              },
              "help": {
                "markdown": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n",
                "text": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
              "id": "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
              "name": "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."
              },
              "help": {
                "markdown": "Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n",
                "text": "Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message",
              "id": "python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message",
              "name": "python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized."
              },
              "help": {
                "markdown": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n",
                "text": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitized.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse",
              "id": "python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse",
              "name": "python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false."
              },
              "help": {
                "markdown": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n",
                "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true",
              "id": "java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true",
              "name": "java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need."
              },
              "help": {
                "markdown": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n",
                "text": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval",
              "id": "python.django.security.injection.code.user-eval.user-eval",
              "name": "python.django.security.injection.code.user-eval.user-eval",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.code.user-eval.user-eval"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Calling assert with user input is equivalent to eval'ing."
              },
              "help": {
                "markdown": "Calling assert with user input is equivalent to eval'ing.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.assert-use.assert-use)\n - [https://www.php.net/manual/en/function.assert](https://www.php.net/manual/en/function.assert)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php)\n",
                "text": "Calling assert with user input is equivalent to eval'ing.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.assert-use.assert-use",
              "id": "php.lang.security.assert-use.assert-use",
              "name": "php.lang.security.assert-use.assert-use",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.assert-use.assert-use"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."
              },
              "help": {
                "markdown": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n",
                "text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint",
              "id": "javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint",
              "name": "javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your <script> and <link> tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/"
              },
              "help": {
                "markdown": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your <script> and <link> tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs)\n - [https://cwe.mitre.org/data/definitions/352.html](https://cwe.mitre.org/data/definitions/352.html)\n - [https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/](https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/)\n",
                "text": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your <script> and <link> tags pointing to CDN content to ensure the resources have not been compromised. A crossorigin attribute should also be added. For a more thorough explanation along with explicit instructions on remediating, follow the directions from Mozilla here: https://developer.mozilla.org/en-US/blog/securing-cdn-using-sri-why-how/\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs",
              "id": "generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs",
              "name": "generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-346: Origin Validation Error",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."
              },
              "help": {
                "markdown": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy)\n - [https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)\n - [https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/)\n",
                "text": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy",
              "id": "terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy",
              "name": "terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1220: Insufficient Granularity of Access Control",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "S3 bucket with public read-write access detected."
              },
              "help": {
                "markdown": "S3 bucket with public read-write access detected.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl)\n",
                "text": "S3 bucket with public read-write access detected.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
              "id": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
              "name": "terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
              },
              "help": {
                "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5",
              "id": "kotlin.lang.security.use-of-md5.use-of-md5",
              "name": "kotlin.lang.security.use-of-md5.use-of-md5",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user data flowing into exec. This is code injection and should be avoided."
              },
              "help": {
                "markdown": "Detected user data flowing into exec. This is code injection and should be avoided.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection)\n - [https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html)\n",
                "text": "Detected user data flowing into exec. This is code injection and should be avoided.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection",
              "id": "python.flask.security.injection.user-exec.exec-injection",
              "name": "python.flask.security.injection.user-exec.exec-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.user-exec.exec-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."
              },
              "help": {
                "markdown": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n",
                "text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration",
              "id": "csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration",
              "name": "csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead."
              },
              "help": {
                "markdown": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.bad-deserialization.bad-deserialization)\n - [https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ](https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb)\n",
                "text": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.bad-deserialization.bad-deserialization",
              "id": "ruby.lang.security.bad-deserialization.bad-deserialization",
              "name": "ruby.lang.security.bad-deserialization.bad-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.bad-deserialization.bad-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."
              },
              "help": {
                "markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n",
                "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults",
              "id": "csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults",
              "name": "csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecure-skip-tls-verify: true' key to secure communication."
              },
              "help": {
                "markdown": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecure-skip-tls-verify: true' key to secure communication.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster)\n - [https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster](https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster)\n",
                "text": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecure-skip-tls-verify: true' key to secure communication.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster",
              "id": "yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster",
              "name": "yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information."
              },
              "help": {
                "markdown": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect)\n - [https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/](https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/)\n - [https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231](https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231)\n",
                "text": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect",
              "id": "python.django.security.injection.open-redirect.open-redirect",
              "name": "python.django.security.injection.open-redirect.open-redirect",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.open-redirect.open-redirect"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead."
              },
              "help": {
                "markdown": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle)\n - [https://capec.mitre.org/data/definitions/463.html](https://capec.mitre.org/data/definitions/463.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n - [https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY](https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY)\n",
                "text": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle",
              "id": "java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle",
              "name": "java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct."
              },
              "help": {
                "markdown": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\n",
                "text": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure",
              "id": "go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure",
              "name": "go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Automatic check of cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected. Use 'pyramid.config.Configurator.set_default_csrf_options(require_csrf=True)' to turn on the automatic check for all unsafe methods (per RFC2616)."
              },
              "help": {
                "markdown": "Automatic check of cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected. Use 'pyramid.config.Configurator.set_default_csrf_options(require_csrf=True)' to turn on the automatic check for all unsafe methods (per RFC2616).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Automatic check of cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected. Use 'pyramid.config.Configurator.set_default_csrf_options(require_csrf=True)' to turn on the automatic check for all unsafe methods (per RFC2616).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally",
              "id": "python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally",
              "name": "python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead."
              },
              "help": {
                "markdown": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-md5.weak-hashes-md5)\n - [https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575](https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575)\n",
                "text": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.weak-hashes-md5.weak-hashes-md5",
              "id": "ruby.lang.security.weak-hashes-md5.weak-hashes-md5",
              "name": "ruby.lang.security.weak-hashes-md5.weak-hashes-md5",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.weak-hashes-md5.weak-hashes-md5"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation."
              },
              "help": {
                "markdown": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.xpath-injection.xpath-injection)\n - [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)\n - [https://cwe.mitre.org/data/definitions/643.html](https://cwe.mitre.org/data/definitions/643.html)\n",
                "text": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.xpath-injection.xpath-injection",
              "id": "csharp.dotnet.security.audit.xpath-injection.xpath-injection",
              "name": "csharp.dotnet.security.audit.xpath-injection.xpath-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.dotnet.security.audit.xpath-injection.xpath-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."
              },
              "help": {
                "markdown": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
                "text": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4",
              "id": "python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4",
              "name": "python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`."
              },
              "help": {
                "markdown": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include)\n - [https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion)\n - [https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60](https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60)\n",
                "text": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include",
              "id": "ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include",
              "name": "ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."
              },
              "help": {
                "markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n",
                "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override",
              "id": "csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override",
              "name": "csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret",
              "id": "javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret",
              "name": "javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Spring Boot Actuators \"$...ACTUATORS\" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured."
              },
              "help": {
                "markdown": "Spring Boot Actuators \"$...ACTUATORS\" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n",
                "text": "Spring Boot Actuators \"$...ACTUATORS\" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled",
              "id": "java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled",
              "name": "java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\n",
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli",
              "id": "ruby.aws-lambda.security.sequel-sqli.sequel-sqli",
              "name": "ruby.aws-lambda.security.sequel-sqli.sequel-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."
              },
              "help": {
                "markdown": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n",
                "text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context",
              "id": "python.lang.security.unverified-ssl-context.unverified-ssl-context",
              "name": "python.lang.security.unverified-ssl-context.unverified-ssl-context",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-295: Improper Certificate Validation",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
              },
              "help": {
                "markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
                "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call",
              "id": "ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call",
              "name": "ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Automatic checking of the Origin/Referer header for cross-site request forgery protection has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use 'pyramid.config.Configurator.set_default_csrf_options(check_origin=True)' to turn the automatic check back on for all unsafe methods (per RFC2616)."
              },
              "help": {
                "markdown": "Automatic checking of the Origin/Referer header for cross-site request forgery protection has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use 'pyramid.config.Configurator.set_default_csrf_options(check_origin=True)' to turn the automatic check back on for all unsafe methods (per RFC2616).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Automatic checking of the Origin/Referer header for cross-site request forgery protection has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use 'pyramid.config.Configurator.set_default_csrf_options(check_origin=True)' to turn the automatic check back on for all unsafe methods (per RFC2616).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally",
              "id": "python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally",
              "name": "python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The AWS KMS key has automatic key rotation disabled. Without rotation the same key material encrypts data indefinitely, which increases the blast radius if that material is ever compromised. Note that rotation neither re-encrypts existing ciphertext nor revokes access to the key, so it complements rather than replaces key policies and IAM access controls. To fix this, set `enable_key_rotation = true` on the `aws_kms_key` resource (automatic rotation applies to symmetric customer-managed keys)."
              },
              "help": {
                "markdown": "The AWS KMS key has automatic key rotation disabled. Without rotation the same key material encrypts data indefinitely, which increases the blast radius if that material is ever compromised. Note that rotation neither re-encrypts existing ciphertext nor revokes access to the key, so it complements rather than replaces key policies and IAM access controls. To fix this, set `enable_key_rotation = true` on the `aws_kms_key` resource (automatic rotation applies to symmetric customer-managed keys).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "The AWS KMS key has automatic key rotation disabled. Without rotation the same key material encrypts data indefinitely, which increases the blast radius if that material is ever compromised. Note that rotation neither re-encrypts existing ciphertext nor revokes access to the key, so it complements rather than replaces key policies and IAM access controls. To fix this, set `enable_key_rotation = true` on the `aws_kms_key` resource (automatic rotation applies to symmetric customer-managed keys).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation",
              "id": "terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation",
              "name": "terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."
              },
              "help": {
                "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n",
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string",
              "id": "python.flask.security.injection.tainted-sql-string.tainted-sql-string",
              "name": "python.flask.security.injection.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "XML processor is being instantiated without calling the `setFeature` functions that are generally used to disable DTD and entity processing. User-controlled data reaching an XML parser can result in XML External Entity (XXE) processing vulnerabilities such as disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), and port scanning. Make sure to disable DTD/entity processing on the parser before it sees untrusted input."
              },
              "help": {
                "markdown": "XML processor is being instantiated without calling the `setFeature` functions that are generally used to disable DTD and entity processing. User-controlled data reaching an XML parser can result in XML External Entity (XXE) processing vulnerabilities such as disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), and port scanning. Make sure to disable DTD/entity processing on the parser before it sees untrusted input.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "XML processor is being instantiated without calling the `setFeature` functions that are generally used to disable DTD and entity processing. User-controlled data reaching an XML parser can result in XML External Entity (XXE) processing vulnerabilities such as disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), and port scanning. Make sure to disable DTD/entity processing on the parser before it sees untrusted input.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled",
              "id": "scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled",
              "name": "scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."
              },
              "help": {
                "markdown": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\n",
                "text": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path",
              "id": "ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path",
              "name": "ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`java.sql.PreparedStatement`, obtained via `connection.prepareStatement(...)`, with user values bound as parameters rather than concatenated into the query text) or a safe library."
              },
              "help": {
                "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`java.sql.PreparedStatement`, obtained via `connection.prepareStatement(...)`, with user values bound as parameters rather than concatenated into the query text) or a safe library.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.tainted-sql-string.tainted-sql-string)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n",
                "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`java.sql.PreparedStatement`, obtained via `connection.prepareStatement(...)`, with user values bound as parameters rather than concatenated into the query text) or a safe library.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.tainted-sql-string.tainted-sql-string",
              "id": "scala.lang.security.audit.tainted-sql-string.tainted-sql-string",
              "name": "scala.lang.security.audit.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: scala.lang.security.audit.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."
              },
              "help": {
                "markdown": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n",
                "text": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor",
              "id": "python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor",
              "name": "python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument."
              },
              "help": {
                "markdown": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to)\n - [https://brakemanscanner.org/docs/warning_types/link_to/](https://brakemanscanner.org/docs/warning_types/link_to/)\n - [https://brakemanscanner.org/docs/warning_types/link_to_href/](https://brakemanscanner.org/docs/warning_types/link_to_href/)\n",
                "text": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to",
              "id": "ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to",
              "name": "ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher."
              },
              "help": {
                "markdown": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\n - [https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf](https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n",
                "text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
              "id": "python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
              "name": "python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly."
              },
              "help": {
                "markdown": "Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
              "id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
              "name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands."
              },
              "help": {
                "markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-os-exec.dangerous-os-exec)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-os-exec.dangerous-os-exec",
              "id": "python.lang.security.dangerous-os-exec.dangerous-os-exec",
              "name": "python.lang.security.dangerous-os-exec.dangerous-os-exec",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.dangerous-os-exec.dangerous-os-exec"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "File name based on user input risks server-side request forgery."
              },
              "help": {
                "markdown": "File name based on user input risks server-side request forgery.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n",
                "text": "File name based on user input risks server-side request forgery.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename",
              "id": "php.lang.security.injection.tainted-filename.tainted-filename",
              "name": "php.lang.security.injection.tainted-filename.tainted-filename",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "When using Jackson to marshal/unmarshal JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON`, it may be possible to supply a malicious JSON document that exploits insecure deserialization. To prevent this issue, avoid enabling default typing (globally or via \"per-class\" annotations) and avoid using `Object` and other overly broad types for member variable declarations when creating classes for Jackson-based deserialization."
              },
              "help": {
                "markdown": "When using Jackson to marshal/unmarshal JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON`, it may be possible to supply a malicious JSON document that exploits insecure deserialization. To prevent this issue, avoid enabling default typing (globally or via \"per-class\" annotations) and avoid using `Object` and other overly broad types for member variable declarations when creating classes for Jackson-based deserialization.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization)\n - [https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038](https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038)\n - [https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)\n",
                "text": "When using Jackson to marshal/unmarshal JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON`, it may be possible to supply a malicious JSON document that exploits insecure deserialization. To prevent this issue, avoid enabling default typing (globally or via \"per-class\" annotations) and avoid using `Object` and other overly broad types for member variable declarations when creating classes for Jackson-based deserialization.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization",
              "id": "java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization",
              "name": "java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."
              },
              "help": {
                "markdown": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe)\n - [https://github.com/astro/node-expat](https://github.com/astro/node-expat)\n",
                "text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe",
              "id": "javascript.express.security.express-expat-xxe.express-expat-xxe",
              "name": "javascript.express.security.express-expat-xxe.express-expat-xxe",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-611: Improper Restriction of XML External Entity Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A04:2017 - XML External Entities (XXE)",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.express-expat-xxe.express-expat-xxe"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."
              },
              "help": {
                "markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n",
                "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash",
              "id": "go.lang.security.audit.crypto.sha224-hash.sha224-hash",
              "name": "go.lang.security.audit.crypto.sha224-hash.sha224-hash",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.sha224-hash.sha224-hash"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code."
              },
              "help": {
                "markdown": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp",
              "id": "python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp",
              "name": "python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."
              },
              "help": {
                "markdown": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher",
              "id": "kotlin.lang.security.no-null-cipher.no-null-cipher",
              "name": "kotlin.lang.security.no-null-cipher.no-null-cipher",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', ('active'))`"
              },
              "help": {
                "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', ('active'))`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli)\n - [https://pypi.org/project/PyMySQL/#id4](https://pypi.org/project/PyMySQL/#id4)\n",
                "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', ('active'))`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli",
              "id": "python.aws-lambda.security.pymysql-sqli.pymysql-sqli",
              "name": "python.aws-lambda.security.pymysql-sqli.pymysql-sqli",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.pymysql-sqli.pymysql-sqli"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."
              },
              "help": {
                "markdown": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user.missing-user",
              "id": "dockerfile.security.missing-user.missing-user",
              "name": "dockerfile.security.missing-user.missing-user",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-250: Execution with Unnecessary Privileges",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: dockerfile.security.missing-user.missing-user"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation."
              },
              "help": {
                "markdown": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\n",
                "text": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection",
              "id": "php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection",
              "name": "php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code."
              },
              "help": {
                "markdown": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-code-run.dangerous-interactive-code-run)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n",
                "text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-code-run.dangerous-interactive-code-run",
              "id": "python.lang.security.dangerous-code-run.dangerous-interactive-code-run",
              "name": "python.lang.security.dangerous-code-run.dangerous-interactive-code-run",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.dangerous-code-run.dangerous-interactive-code-run"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities."
              },
              "help": {
                "markdown": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile)\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\n - [https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)\n",
                "text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile",
              "id": "dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile",
              "name": "dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-250: Execution with Unnecessary Privileges",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs."
              },
              "help": {
                "markdown": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret)\n - [https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY](https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY)\n - [http://carnage.github.io/2015/08/cryptanalysis-of-hashids](http://carnage.github.io/2015/08/cryptanalysis-of-hashids)\n",
                "text": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret",
              "id": "python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret",
              "name": "python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 – Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities"
              },
              "help": {
                "markdown": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection)\n - [https://pptr.dev/api/puppeteer.page](https://pptr.dev/api/puppeteer.page)\n",
                "text": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection",
              "id": "javascript.express.security.express-puppeteer-injection.express-puppeteer-injection",
              "name": "javascript.express.security.express-puppeteer-injection.express-puppeteer-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.express-puppeteer-injection.express-puppeteer-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"
              },
              "help": {
                "markdown": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n",
                "text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization",
              "id": "csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization",
              "name": "csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it."
              },
              "help": {
                "markdown": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key)\n - [https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/](https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/)\n - [https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d](https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d)\n",
                "text": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key",
              "id": "go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key",
              "name": "go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-322: Key Exchange without Entity Authentication",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`."
              },
              "help": {
                "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html](https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html)\n",
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format",
              "id": "ruby.rails.security.injection.raw-html-format.raw-html-format",
              "name": "ruby.rails.security.injection.raw-html-format.raw-html-format",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.injection.raw-html-format.raw-html-format"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Callable based on user input risks remote code execution."
              },
              "help": {
                "markdown": "Callable based on user input risks remote code execution.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable)\n - [https://www.php.net/manual/en/language.types.callable.php](https://www.php.net/manual/en/language.types.callable.php)\n",
                "text": "Callable based on user input risks remote code execution.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable",
              "id": "php.lang.security.injection.tainted-callable.tainted-callable",
              "name": "php.lang.security.injection.tainted-callable.tainted-callable",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.injection.tainted-callable.tainted-callable"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks."
              },
              "help": {
                "markdown": "When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value)\n - [https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/](https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user)\n",
                "text": "When running containers in Kubernetes, it's important to ensure that they  are properly secured to prevent privilege escalation attacks.  One potential vulnerability is when a container is allowed to run  applications as the root user, which could allow an attacker to gain  access to sensitive resources. To mitigate this risk, it's recommended to  add a `securityContext` to the container, with the parameter `runAsNonRoot`  set to `true`. This will ensure that the container runs as a non-root user,  limiting the damage that could be caused by any potential attacks. By  adding a `securityContext` to the container in your Kubernetes pod, you can  help to ensure that your containerized applications are more secure and  less vulnerable to privilege escalation attacks.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value",
              "id": "yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value",
              "name": "yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-250: Execution with Unnecessary Privileges",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to."
              },
              "help": {
                "markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n",
                "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request",
              "id": "ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request",
              "name": "ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."
              },
              "help": {
                "markdown": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\n",
                "text": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing",
              "id": "javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing",
              "name": "javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-548: Exposure of Information Through Directory Listing",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead."
              },
              "help": {
                "markdown": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4",
              "id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4",
              "name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"
              },
              "help": {
                "markdown": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n",
                "text": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file",
              "id": "ruby.rails.security.brakeman.check-send-file.check-send-file",
              "name": "ruby.rails.security.brakeman.check-send-file.check-send-file",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-73: External Control of File Name or Path",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2."
              },
              "help": {
                "markdown": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options)\n - [https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service)\n",
                "text": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled",
              "id": "terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled",
              "name": "terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1390: Weak Authentication",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data.  Ensure that any exported activities do not have privileged access to your application's control plane."
              },
              "help": {
                "markdown": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data.  Ensure that any exported activities do not have privileged access to your application's control plane.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.android.security.exported_activity.exported_activity)\n - [https://cwe.mitre.org/data/definitions/926.html](https://cwe.mitre.org/data/definitions/926.html)\n",
                "text": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data.  Ensure that any exported activities do not have privileged access to your application's control plane.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.android.security.exported_activity.exported_activity",
              "id": "java.android.security.exported_activity.exported_activity",
              "name": "java.android.security.exported_activity.exported_activity",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-926: Improper Export of Android Application Components",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A5:2021 Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.android.security.exported_activity.exported_activity"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure that the expiration date is set on all keys"
              },
              "help": {
                "markdown": "Ensure that the expiration date is set on all keys\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure that the expiration date is set on all keys\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date",
              "id": "terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date",
              "name": "terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-320: CWE CATEGORY: Key Management Errors",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Missing check for 'from' and 'to' being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers."
              },
              "help": {
                "markdown": "Missing check for 'from' and 'to' being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx)\n - [https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities](https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities)\n - [https://x.com/shoucccc/status/1757777764646859121](https://x.com/shoucccc/status/1757777764646859121)\n",
                "text": "Missing check for 'from' and 'to' being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx",
              "id": "solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx",
              "name": "solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-682: Incorrect Calculation",
                  "HIGH CONFIDENCE",
                  "OWASP-A7:2021 Identification and Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found the use of a hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file."
              },
              "help": {
                "markdown": "Found the use of a hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n",
                "text": "Found the use of a hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase",
              "id": "ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase",
              "name": "ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."
              },
              "help": {
                "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg",
              "id": "python.jwt.security.jwt-none-alg.jwt-python-none-alg",
              "name": "python.jwt.security.jwt-none-alg.jwt-python-none-alg",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.jwt.security.jwt-none-alg.jwt-python-none-alg"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "'$VAR' is using the empty string as its default and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the default value to 'None' or call 'set_unusable_password()'."
              },
              "help": {
                "markdown": "'$VAR' is using the empty string as its default and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the default value to 'None' or call 'set_unusable_password()'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default)\n - [https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password](https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password)\n",
                "text": "'$VAR' is using the empty string as its default and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the default value to 'None' or call 'set_unusable_password()'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default",
              "id": "python.django.security.passwords.use-none-for-password-default.use-none-for-password-default",
              "name": "python.django.security.passwords.use-none-for-password-default.use-none-for-password-default",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-521: Weak Password Requirements",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.passwords.use-none-for-password-default.use-none-for-password-default"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The AWS RDS has no retention. Missing retention can cause important event information to be lost. To fix this, set a `backup_retention_period`."
              },
              "help": {
                "markdown": "The AWS RDS has no retention. Missing retention can cause important event information to be lost. To fix this, set a `backup_retention_period`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "The AWS RDS has no retention. Missing retention can cause important event information to be lost. To fix this, set a `backup_retention_period`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention",
              "id": "terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention",
              "name": "terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-320: CWE CATEGORY: Key Management Errors",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\"."
              },
              "help": {
                "markdown": "Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\n",
                "text": "Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script` `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: \"$ENVVAR\".\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection",
              "id": "yaml.github-actions.security.github-script-injection.github-script-injection",
              "name": "yaml.github-actions.security.github-script-injection.github-script-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "HIGH CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."
              },
              "help": {
                "markdown": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n",
                "text": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string",
              "id": "python.django.security.injection.code.user-eval-format-string.user-eval-format-string",
              "name": "python.django.security.injection.code.user-eval-format-string.user-eval-format-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials",
              "id": "terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials",
              "name": "terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."
              },
              "help": {
                "markdown": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n",
                "text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context",
              "id": "java.lang.security.audit.weak-ssl-context.weak-ssl-context",
              "name": "java.lang.security.audit.weak-ssl-context.weak-ssl-context",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."
              },
              "help": {
                "markdown": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n",
                "text": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket",
              "id": "json.aws.security.public-s3-bucket.public-s3-bucket",
              "name": "json.aws.security.public-s3-bucket.public-s3-bucket",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `\"ELBSecurityPolicy-TLS13-1-2-Res-2021-06\"`, or include a default action to redirect to HTTPS."
              },
              "help": {
                "markdown": "Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `\"ELBSecurityPolicy-TLS13-1-2-Res-2021-06\"`, or include a default action to redirect to HTTPS.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version)\n - [https://www.ietf.org/rfc/rfc5246.txt](https://www.ietf.org/rfc/rfc5246.txt)\n",
                "text": "Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `\"ELBSecurityPolicy-TLS13-1-2-Res-2021-06\"`, or include a default action to redirect to HTTPS.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version",
              "id": "terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version",
              "name": "terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."
              },
              "help": {
                "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n",
                "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "id": "java.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "name": "java.aws-lambda.security.tainted-sql-string.tainted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true."
              },
              "help": {
                "markdown": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version)\n - [https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm](https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm)\n",
                "text": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version",
              "id": "generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version",
              "name": "generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "HIGH CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "RSA keys should be at least 2048 bits"
              },
              "help": {
                "markdown": "RSA keys should be at least 2048 bits\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n",
                "text": "RSA keys should be at least 2048 bits\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key",
              "id": "go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key",
              "name": "go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input."
              },
              "help": {
                "markdown": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb)\n",
                "text": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection",
              "id": "ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection",
              "name": "ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Make sure that unverified user data can not reach `$VM`."
              },
              "help": {
                "markdown": "Make sure that unverified user data can not reach `$VM`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
                "text": "Make sure that unverified user data can not reach `$VM`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection",
              "id": "javascript.express.security.express-vm-injection.express-vm-injection",
              "name": "javascript.express.security.express-vm-injection.express-vm-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.express-vm-injection.express-vm-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."
              },
              "help": {
                "markdown": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n",
                "text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version",
              "id": "generic.nginx.security.insecure-ssl-version.insecure-ssl-version",
              "name": "generic.nginx.security.insecure-ssl-version.insecure-ssl-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."
              },
              "help": {
                "markdown": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\n - [https://shattered.io/](https://shattered.io/)\n",
                "text": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1",
              "id": "ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1",
              "name": "ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-328: Use of Weak Hash",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected the use of `exec/eval`. This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."
              },
              "help": {
                "markdown": "Detected the use of `exec/eval`. This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected the use of `exec/eval`. This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec",
              "id": "python.aws-lambda.security.tainted-code-exec.tainted-code-exec",
              "name": "python.aws-lambda.security.tainted-code-exec.tainted-code-exec",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.tainted-code-exec.tainted-code-exec"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."
              },
              "help": {
                "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
                "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string",
              "id": "java.spring.security.injection.tainted-html-string.tainted-html-string",
              "name": "java.spring.security.injection.tainted-html-string.tainted-html-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided; restrict allowed origins to an explicit allowlist of trusted origins."
              },
              "help": {
                "markdown": "CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided; restrict allowed origins to an explicit allowlist of trusted origins.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://cwe.mitre.org/data/definitions/942.html](https://cwe.mitre.org/data/definitions/942.html)\n",
                "text": "CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided; restrict allowed origins to an explicit allowlist of trusted origins.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors",
              "id": "python.fastapi.security.wildcard-cors.wildcard-cors",
              "name": "python.fastapi.security.wildcard-cors.wildcard-cors",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.fastapi.security.wildcard-cors.wildcard-cors"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."
              },
              "help": {
                "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
                "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
              "id": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
              "name": "javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "HIGH CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."
              },
              "help": {
                "markdown": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context",
              "id": "python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context",
              "name": "python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-319: Cleartext Transmission of Sensitive Information",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if attacker-controlled input containing CRLF characters reaches an HTTP response header. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."
              },
              "help": {
                "markdown": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if attacker-controlled input containing CRLF characters reaches an HTTP response header. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n",
                "text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if attacker-controlled input containing CRLF characters reaches an HTTP response header. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting",
              "id": "java.lang.security.audit.http-response-splitting.http-response-splitting",
              "name": "java.lang.security.audit.http-response-splitting.http-response-splitting",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows an attacker to instantiate any class in the application."
              },
              "help": {
                "markdown": "A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows an attacker to instantiate any class in the application.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows an attacker to instantiate any class in the application.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation",
              "id": "php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation",
              "name": "php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Avoid using `shelve`, which is built on `pickle` and inherits its code-execution risk: when a shelf is unpickled, manipulated serialized data can run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."
              },
              "help": {
                "markdown": "Avoid using `shelve`, which is built on `pickle` and inherits its code-execution risk: when a shelf is unpickled, manipulated serialized data can run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n",
                "text": "Avoid using `shelve`, which is built on `pickle` and inherits its code-execution risk: when a shelf is unpickled, manipulated serialized data can run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve",
              "id": "python.lang.security.deserialization.pickle.avoid-shelve",
              "name": "python.lang.security.deserialization.pickle.avoid-shelve",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-shelve"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls."
              },
              "help": {
                "markdown": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
              "id": "java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
              "name": "java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-501: Trust Boundary Violation",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."
              },
              "help": {
                "markdown": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\n",
                "text": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace",
              "id": "go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace",
              "name": "go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-913: Improper Control of Dynamically-Managed Code Resources",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk."
              },
              "help": {
                "markdown": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n",
                "text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml",
              "id": "java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml",
              "name": "java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege."
              },
              "help": {
                "markdown": "Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy)\n - [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html)\n",
                "text": "Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal",
              "id": "terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal",
              "name": "terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"
              },
              "help": {
                "markdown": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb)\n",
                "text": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods",
              "id": "ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods",
              "name": "ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "User-controlled data from a request is passed to 'extra()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."
              },
              "help": {
                "markdown": "User-controlled data from a request is passed to 'extra()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra)\n",
                "text": "User-controlled data from a request is passed to 'extra()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where",
              "id": "python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where",
              "name": "python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities."
              },
              "help": {
                "markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n",
                "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests",
              "id": "python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests",
              "name": "python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-918: Server-Side Request Forgery (SSRF)",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Triple DES (3DES or DESede) is considered deprecated: NIST has deprecated it and disallows it for encryption after 2023, and its 64-bit block size limits how much data can safely be encrypted under a single key. AES is the recommended cipher. Upgrade to use AES."
              },
              "help": {
                "markdown": "Triple DES (3DES or DESede) is considered deprecated: NIST has deprecated it and disallows it for encryption after 2023, and its 64-bit block size limits how much data can safely be encrypted under a single key. AES is the recommended cipher. Upgrade to use AES.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated)\n - [https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA](https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA)\n",
                "text": "Triple DES (3DES or DESede) is considered deprecated: NIST has deprecated it and disallows it for encryption after 2023, and its 64-bit block size limits how much data can safely be encrypted under a single key. AES is the recommended cipher. Upgrade to use AES.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
              "id": "java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
              "name": "java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."
              },
              "help": {
                "markdown": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\n",
                "text": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.require-request.require-request",
              "id": "javascript.express.security.require-request.require-request",
              "name": "javascript.express.security.require-request.require-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-706: Use of Incorrectly-Resolved Name or Reference",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.require-request.require-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Username and password in URI detected"
              },
              "help": {
                "markdown": "Username and password in URI detected\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri)\n - [https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go](https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go)\n",
                "text": "Username and password in URI detected\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri",
              "id": "generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri",
              "name": "generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-798: Use of Hard-coded Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A07:2021 - Identification and Authentication Failures",
                  "OWASP-A07:2025 - Authentication Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON (via `JSON.parse`, not `JSON.load`, which can be configured to instantiate arbitrary classes) as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil."
              },
              "help": {
                "markdown": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON (via `JSON.parse`, not `JSON.load`, which can be configured to instantiate arbitrary classes) as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization)\n - [https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html](https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html)\n - [https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ](https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb)\n",
                "text": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON (via `JSON.parse`, not `JSON.load`, which can be configured to instantiate arbitrary classes) as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization",
              "id": "ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization",
              "name": "ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Checks for configuration setting of force_ssl to false. force_ssl makes the application require HTTPS; setting it to false allows requests and responses to be sent over plain HTTP, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true."
              },
              "help": {
                "markdown": "Checks for configuration setting of force_ssl to false. force_ssl makes the application require HTTPS; setting it to false allows requests and responses to be sent over plain HTTP, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb)\n",
                "text": "Checks for configuration setting of force_ssl to false. force_ssl makes the application require HTTPS; setting it to false allows requests and responses to be sent over plain HTTP, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false",
              "id": "ruby.lang.security.force-ssl-false.force-ssl-false",
              "name": "ruby.lang.security.force-ssl-false.force-ssl-false",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-311: Missing Encryption of Sensitive Data",
                  "HIGH CONFIDENCE",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: ruby.lang.security.force-ssl-false.force-ssl-false"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker."
              },
              "help": {
                "markdown": "Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
                "text": "Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default",
              "id": "python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default",
              "name": "python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Data that is possibly user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to SQL injection. For example, you could use `Entry.objects.filter(date=2006)`. If raw SQL is unavoidable, pass user-controlled values through the `params` argument of `raw()` rather than formatting them into the SQL string."
              },
              "help": {
                "markdown": "Data that is possibly user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to SQL injection. For example, you could use `Entry.objects.filter(date=2006)`. If raw SQL is unavoidable, pass user-controlled values through the `params` argument of `raw()` rather than formatting them into the SQL string.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw)\n - [https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection](https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection)\n",
                "text": "Data that is possibly user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to SQL injection. For example, you could use `Entry.objects.filter(date=2006)`. If raw SQL is unavoidable, pass user-controlled values through the `params` argument of `raw()` rather than formatting them into the SQL string.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw",
              "id": "python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw",
              "name": "python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Cipher in ECB mode is detected. ECB mode encrypts each block independently, so identical plaintext blocks produce identical ciphertext blocks; this leaks patterns in the data and allows an attacker who intercepts the ciphertext to recognise, reorder or replay individual blocks. Further, ECB mode does not provide any integrity checking. Prefer an authenticated mode such as GCM with a unique nonce per encryption. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY."
              },
              "help": {
                "markdown": "Cipher in ECB mode is detected. ECB mode encrypts each block independently, so identical plaintext blocks produce identical ciphertext blocks; this leaks patterns in the data and allows an attacker who intercepts the ciphertext to recognise, reorder or replay individual blocks. Further, ECB mode does not provide any integrity checking. Prefer an authenticated mode such as GCM with a unique nonce per encryption. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Cipher in ECB mode is detected. ECB mode encrypts each block independently, so identical plaintext blocks produce identical ciphertext blocks; this leaks patterns in the data and allows an attacker who intercepts the ciphertext to recognise, reorder or replay individual blocks. Further, ECB mode does not provide any integrity checking. Prefer an authenticated mode such as GCM with a unique nonce per encryption. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher",
              "id": "java.lang.security.audit.crypto.ecb-cipher.ecb-cipher",
              "name": "java.lang.security.audit.crypto.ecb-cipher.ecb-cipher",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "HIGH CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.crypto.ecb-cipher.ecb-cipher"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process: the command string is parsed by the shell, so shell metacharacters (such as ';', '|' or '$(...)') in any user-controlled part of it can execute additional commands, and current shell settings and variables are propagated as well. Use 'shell=False' and pass the command as a list of arguments instead."
              },
              "help": {
                "markdown": "Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process: the command string is parsed by the shell, so shell metacharacters (such as ';', '|' or '$(...)') in any user-controlled part of it can execute additional commands, and current shell settings and variables are propagated as well. Use 'shell=False' and pass the command as a list of arguments instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true)\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n",
                "text": "Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process: the command string is parsed by the shell, so shell metacharacters (such as ';', '|' or '$(...)') in any user-controlled part of it can execute additional commands, and current shell settings and variables are propagated as well. Use 'shell=False' and pass the command as a list of arguments instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true",
              "id": "python.lang.security.audit.subprocess-shell-true.subprocess-shell-true",
              "name": "python.lang.security.audit.subprocess-shell-true.subprocess-shell-true",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure that App service enables detailed error messages"
              },
              "help": {
                "markdown": "Ensure that App service enables detailed error messages\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n",
                "text": "Ensure that App service enables detailed error messages\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled",
              "id": "terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled",
              "name": "terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-778: Insufficient Logging",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A09:2021 - Security Logging and Monitoring Failures",
                  "OWASP-A09:2025 - Security Logging & Alerting Failures",
                  "OWASP-A10:2017 - Insufficient Logging & Monitoring",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC. RSASHA1 relies on SHA-1, which is no longer considered collision-resistant; use a SHA-256-based RSA or ECDSA algorithm instead."
              },
              "help": {
                "markdown": "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC. RSASHA1 relies on SHA-1, which is no longer considered collision-resistant; use a SHA-256-based RSA or ECDSA algorithm instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC. RSASHA1 relies on SHA-1, which is no longer considered collision-resistant; use a SHA-256-based RSA or ECDSA algorithm instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1",
              "id": "terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1",
              "name": "terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected 'create_subprocess_exec' function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."
              },
              "help": {
                "markdown": "Detected 'create_subprocess_exec' function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec)\n - [https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec](https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
                "text": "Detected 'create_subprocess_exec' function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec",
              "id": "python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec",
              "name": "python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec"
              }
            },
            {
              "defaultConfiguration": {
                "level": "note"
              },
              "fullDescription": {
                "text": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file."
              },
              "help": {
                "markdown": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces",
              "id": "python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces",
              "name": "python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."
              },
              "help": {
                "markdown": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\n",
                "text": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run",
              "id": "javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run",
              "name": "javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."
              },
              "help": {
                "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps)\n - [https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement](https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement)\n",
                "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string",
              "id": "java.lang.security.audit.formatted-sql-string.formatted-sql-string",
              "name": "java.lang.security.audit.formatted-sql-string.formatted-sql-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: java.lang.security.audit.formatted-sql-string.formatted-sql-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use 'ec.SECP256R1'."
              },
              "help": {
                "markdown": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use 'ec.SECP256R1'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves)\n",
                "text": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use 'ec.SECP256R1'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size",
              "id": "python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size",
              "name": "python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Running flask app with host 0.0.0.0 could expose the server publicly."
              },
              "help": {
                "markdown": "Running flask app with host 0.0.0.0 could expose the server publicly.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "Running flask app with host 0.0.0.0 could expose the server publicly.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host",
              "id": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host",
              "name": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-668: Exposure of Resource to Wrong Sphere",
                  "HIGH CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with 'render_template()'."
              },
              "help": {
                "markdown": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with 'render_template()'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
                "text": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with 'render_template()'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string",
              "id": "python.flask.security.audit.directly-returned-format-string.directly-returned-format-string",
              "name": "python.flask.security.audit.directly-returned-format-string.directly-returned-format-string",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.audit.directly-returned-format-string.directly-returned-format-string"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function"
              },
              "help": {
                "markdown": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n",
                "text": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly",
              "id": "python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly",
              "name": "python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-668: Exposure of Resource to Wrong Sphere",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list."
              },
              "help": {
                "markdown": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.os-system-injection.os-system-injection)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n",
                "text": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.os-system-injection.os-system-injection",
              "id": "python.flask.security.injection.os-system-injection.os-system-injection",
              "name": "python.flask.security.injection.os-system-injection.os-system-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.os-system-injection.os-system-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Make sure that unverified user data can not reach `sandbox`."
              },
              "help": {
                "markdown": "Make sure that unverified user data can not reach `sandbox`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n",
                "text": "Make sure that unverified user data can not reach `sandbox`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection",
              "id": "javascript.express.security.express-sandbox-injection.express-sandbox-code-injection",
              "name": "javascript.express.security.express-sandbox-injection.express-sandbox-code-injection",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.express-sandbox-injection.express-sandbox-code-injection"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS."
              },
              "help": {
                "markdown": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
                "text": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure",
              "id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure",
              "name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-522: Insufficiently Protected Credentials",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2017 - Broken Authentication",
                  "OWASP-A04:2021 - Insecure Design",
                  "OWASP-A06:2025 - Insecure Design",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."
              },
              "help": {
                "markdown": "Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n",
                "text": "Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec",
              "id": "python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec",
              "name": "python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2017 - Injection",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Detects potential Google Maps API keys in code"
              },
              "help": {
                "markdown": "Detects potential Google Maps API keys in code\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak)\n - [https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e](https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e)\n",
                "text": "Detects potential Google Maps API keys in code\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak",
              "id": "generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak",
              "name": "generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A3:2017 Sensitive Data Exposure",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks."
              },
              "help": {
                "markdown": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n",
                "text": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open",
              "id": "python.flask.security.injection.path-traversal-open.path-traversal-open",
              "name": "python.flask.security.injection.path-traversal-open.path-traversal-open",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A01:2021 - Broken Access Control",
                  "OWASP-A01:2025 - Broken Access Control",
                  "OWASP-A05:2017 - Broken Access Control",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: python.flask.security.injection.path-traversal-open.path-traversal-open"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The package `net/http/cgi` is on the import blocklist.  The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead."
              },
              "help": {
                "markdown": "The package `net/http/cgi` is on the import blocklist.  The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used)\n - [https://godoc.org/golang.org/x/crypto/sha3](https://godoc.org/golang.org/x/crypto/sha3)\n",
                "text": "The package `net/http/cgi` is on the import blocklist.  The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used",
              "id": "go.lang.security.audit.crypto.bad_imports.insecure-module-used",
              "name": "go.lang.security.audit.crypto.bad_imports.insecure-module-used",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: go.lang.security.audit.crypto.bad_imports.insecure-module-used"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "Ensure MySQL is using the latest version of TLS encryption"
              },
              "help": {
                "markdown": "Ensure MySQL is using the latest version of TLS encryption\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
                "text": "Ensure MySQL is using the latest version of TLS encryption\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version",
              "id": "terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version",
              "name": "terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-326: Inadequate Encryption Strength",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2021 - Cryptographic Failures",
                  "OWASP-A03:2017 - Sensitive Data Exposure",
                  "OWASP-A04:2025 - Cryptographic Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users."
              },
              "help": {
                "markdown": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request)\n - [https://www.php.net/manual/en/function.htmlentities.php](https://www.php.net/manual/en/function.htmlentities.php)\n - [https://www.php.net/manual/en/reserved.variables.request.php](https://www.php.net/manual/en/reserved.variables.request.php)\n - [https://www.php.net/manual/en/reserved.variables.post.php](https://www.php.net/manual/en/reserved.variables.post.php)\n - [https://www.php.net/manual/en/reserved.variables.get.php](https://www.php.net/manual/en/reserved.variables.get.php)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
                "text": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request",
              "id": "php.lang.security.injection.printed-request.printed-request",
              "name": "php.lang.security.injection.printed-request.printed-request",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A03:2021 - Injection",
                  "OWASP-A05:2025 - Injection",
                  "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: php.lang.security.injection.printed-request.printed-request"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure"
              },
              "help": {
                "markdown": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n",
                "text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization",
              "id": "csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization",
              "name": "csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "HIGH CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization"
              }
            },
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`."
              },
              "help": {
                "markdown": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n",
                "text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/terraform.aws.security.wildcard-assume-role.wildcard-assume-role",
              "id": "terraform.aws.security.wildcard-assume-role.wildcard-assume-role",
              "name": "terraform.aws.security.wildcard-assume-role.wildcard-assume-role",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-250: Execution with Unnecessary Privileges",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A02:2025 - Security Misconfiguration",
                  "OWASP-A05:2021 - Security Misconfiguration",
                  "OWASP-A06:2017 - Security Misconfiguration",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: terraform.aws.security.wildcard-assume-role.wildcard-assume-role"
              }
            },
            {
              "defaultConfiguration": {
                "level": "warning"
              },
              "fullDescription": {
                "text": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure"
              },
              "help": {
                "markdown": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure\n\n#### 💎 Enable cross-file analysis and Pro rules for free at <a href='https://sg.run/pro'>sg.run/pro</a>\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks)\n",
                "text": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"
              },
              "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization",
              "id": "csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization",
              "name": "csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-502: Deserialization of Untrusted Data",
                  "MEDIUM CONFIDENCE",
                  "OWASP-A08:2017 - Insecure Deserialization",
                  "OWASP-A08:2021 - Software and Data Integrity Failures",
                  "OWASP-A08:2025 - Software or Data Integrity Failures",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization"
              }
            }
          ],
          "semanticVersion": "1.94.0"
        }
      }
    },
    {
      "invocations": [
        {
          "executionSuccessful": true,
          "toolExecutionNotifications": [
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line supabase/functions/portal-repair/index.ts:80:\n `satisfies RepairReport` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/services/PropertyChangeTracker.ts:171:\n `new:` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line video/scripts/capture.ts:43:\n `import(\"@playwright/test\").` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line supabase/functions/spot-check-accounts/index.ts:517:\n `satisfies SpotCheckResponse` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/components/dashboard/rollback-panel/utils.ts:15:\n `}` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line supabase/functions/analyze-properties/index.ts:281:\n `import(\"./types.ts\").` was unexpected"
              }
            },
            {
              "descriptor": {
                "id": "Syntax error"
              },
              "level": "warning",
              "message": {
                "text": "Syntax error at line src/pages/PortalAnalysis.tsx:244:\n `import(\"@/components/portal-analysis/HubSpotTierIndicator\").` was unexpected"
              }
            }
          ]
        }
      ],
      "results": [],
      "tool": {
        "driver": {
          "name": "Semgrep OSS",
          "rules": [
            {
              "defaultConfiguration": {
                "level": "error"
              },
              "fullDescription": {
                "text": "Never use `select('*')` on `portal_credentials`. Select only the columns\nyou need (e.g., `access_token`, `refresh_token`, `token_expires_at`,\nor `id`). See `.claude/rules/security.md`.\n"
              },
              "help": {
                "markdown": "Never use `select('*')` on `portal_credentials`. Select only the columns\nyou need (e.g., `access_token`, `refresh_token`, `token_expires_at`,\nor `id`). See `.claude/rules/security.md`.\n\n\n<b>References:</b>\n - [https://github.com/nordscope-fi/portalpilot/blob/main/.claude/rules/security.md](https://github.com/nordscope-fi/portalpilot/blob/main/.claude/rules/security.md)\n",
                "text": "Never use `select('*')` on `portal_credentials`. Select only the columns\nyou need (e.g., `access_token`, `refresh_token`, `token_expires_at`,\nor `id`). See `.claude/rules/security.md`.\n"
              },
              "id": "semgrep.portalpilot-no-select-star-portal-credentials",
              "name": "semgrep.portalpilot-no-select-star-portal-credentials",
              "properties": {
                "precision": "very-high",
                "tags": [
                  "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "security"
                ]
              },
              "shortDescription": {
                "text": "Semgrep Finding: semgrep.portalpilot-no-select-star-portal-credentials"
              }
            }
          ],
          "semanticVersion": "1.94.0"
        }
      }
    }
  ],
  "version": "2.1.0",
  "commitSha": "2b10af68e06bd99722bc06027115b570efdb6146",
  "redactionVersion": "1.0"
}
