OWASP Top 10 Coverage

This system evaluates deployment risk based on selected categories from the OWASP Top 10 (2021). The list below describes how each category is interpreted and applied within ShieldMyApp.

Note: This evaluation does not constitute a formal security audit or compliance assessment. Coverage varies by category and language support.

A01: Broken Access Control

What this means in our system

Evaluated through static analysis patterns, focused on common misconfigurations and unsafe defaults in authorization logic.

What triggers a verdict

  • High-confidence findings result in a BLOCKED verdict
  • Lower-confidence findings result in REVIEW

What is not covered

  • Business logic authorization flaws
  • Runtime environment misconfigurations

A02: Cryptographic Failures

What this means in our system

Evaluated through secret detection (TruffleHog) and pattern matching for weak cryptographic implementations.

What triggers a verdict

  • Exposed secrets (API keys, passwords) → BLOCKED
  • Weak hashing algorithms detected → REVIEW

What is not covered

  • TLS/SSL configuration analysis
  • Key management practices

A03: Injection

What this means in our system

Evaluated through Semgrep rules targeting SQL injection, command injection, and NoSQL injection patterns.

What triggers a verdict

  • String concatenation in database queries → BLOCKED
  • Unsanitized user input in shell commands → BLOCKED

What is not covered

  • LDAP injection
  • XML injection
  • Template injection (limited coverage)

A04: Insecure Design

What this means in our system

Limited coverage. Evaluated through detection of missing security headers and unsafe default configurations.

What triggers a verdict

  • Missing CORS configuration → REVIEW
  • Debug mode enabled in production → REVIEW

What is not covered

  • Architectural design flaws
  • Threat modeling gaps
  • Business logic vulnerabilities

A05: Security Misconfiguration

What this means in our system

Evaluated through pattern detection of insecure configurations in application code.

What triggers a verdict

  • Hardcoded credentials → BLOCKED
  • Verbose error messages in production → REVIEW

What is not covered

  • Server/infrastructure configuration
  • Cloud provider settings

A06: Vulnerable and Outdated Components

What this means in our system

Evaluated through npm audit for JavaScript/Node.js projects. Checks against the npm advisory database.

What triggers a verdict

  • Critical CVE in dependencies → BLOCKED
  • High severity CVE → REVIEW
  • Moderate/low CVE → CLEAR (with notes)

What is not covered

  • Non-JavaScript dependencies (Python pip, Ruby gems, etc.)
  • Transitive dependency analysis beyond npm

A07: Identification and Authentication Failures

What this means in our system

Limited coverage. Evaluated through detection of weak authentication patterns in code.

What triggers a verdict

  • Hardcoded passwords → BLOCKED
  • JWT without signature verification → REVIEW

What is not covered

  • Password policy enforcement
  • Session management logic
  • Rate limiting implementation

A08: Software and Data Integrity Failures

What this means in our system

Limited coverage. Evaluated through detection of insecure deserialization patterns.

What triggers a verdict

  • Unsafe deserialization (eval, pickle) → BLOCKED

What is not covered

  • CI/CD pipeline security
  • Supply chain attacks
  • Code signing verification

A09: Security Logging and Monitoring Failures

What this means in our system

Not actively evaluated. This category requires runtime analysis, which is outside the scope of static analysis.

What triggers a verdict

No automated detection for this category.

What is not covered

  • Log implementation quality
  • Monitoring infrastructure
  • Alerting configuration

A10: Server-Side Request Forgery (SSRF)

What this means in our system

Evaluated through Semgrep rules detecting URL fetching with user-controlled input.

What triggers a verdict

  • User input directly in fetch/request URLs → REVIEW

What is not covered

  • Complex redirect chains
  • DNS rebinding attacks
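
As an added illustration (not ShieldMyApp's own rules or code), the toy scanner below models how the A03 triggers and the A10 trigger listed above map onto BLOCKED and REVIEW verdicts, with a parameterised query left unflagged beside them. The rule ids, regexes and sample source are assumptions constructed for this example; the product's actual Semgrep rules are syntax-aware rather than line-based regexes.

```javascript
// Added example, not ShieldMyApp code: a line-oriented toy scanner that maps the
// A03 (injection) and A10 (SSRF) trigger patterns onto verdicts. Rule ids and
// regexes are constructed for illustration only.
const RULES = [
  // A03: string literal concatenated or interpolated into a DB query call -> BLOCKED
  { id: "A03-sql-concat", verdict: "BLOCKED",
    re: /\.(query|execute)\(\s*(["'][^"']*["']\s*\+|`[^`]*\$\{)/ },
  // A03: request data concatenated or interpolated into a shell command -> BLOCKED
  { id: "A03-shell-input", verdict: "BLOCKED",
    re: /\b(exec|execSync|spawn)\(\s*(`[^`]*\$\{|["'][^"']*["']\s*\+)/ },
  // A10: request data used directly as the URL of an outbound fetch -> REVIEW
  { id: "A10-ssrf-url", verdict: "REVIEW",
    re: /\b(fetch|axios\.get)\(\s*(req\.(query|body|params)\b|`[^`]*\$\{\s*req\.)/ },
];

// The most severe finding decides the overall verdict.
const RANK = { CLEAR: 0, REVIEW: 1, BLOCKED: 2 };

function scan(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ rule: rule.id, verdict: rule.verdict, line: idx + 1 });
      }
    }
  });
  // Each regex is line-local: a query string assembled on one line and passed to
  // db.query() on the next is missed, which is why a real scanner needs
  // syntax-aware rules rather than this toy.
  const verdict = findings.reduce(
    (worst, f) => (RANK[f.verdict] > RANK[worst] ? f.verdict : worst), "CLEAR");
  return { verdict, findings };
}

// Constructed sample source: a parameterised query that should stay CLEAR
// next to the three trigger patterns described on this page.
const SAMPLE = [
  "const id = req.params.id;",
  'db.query("SELECT * FROM users WHERE id = " + id);',   // line 2: A03 -> BLOCKED
  'db.query("SELECT * FROM users WHERE id = ?", [id]);', // line 3: parameterised, not flagged
  "exec(`ping -c 1 ${req.body.host}`);",                 // line 4: A03 -> BLOCKED
  "const r = await fetch(req.query.url);",               // line 5: A10 -> REVIEW
].join("\n");

console.log(JSON.stringify(scan(SAMPLE), null, 2));
```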

Categories are aligned with the OWASP Top 10 (2021) classification. Not all categories are evaluated with equal depth.