#generic
Rulesets (8)
r2cSelected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.
r2cRules for detecting secrets checked into version control
Grayson HardawaySecurity checks for nginx configuration files.
r2cSelected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.
r2cSecurity checks for lockfiles.
r2cUse Semgrep to scan for supply chain-related issues.
Rules (129)
returntocorpPackages in base images should be up-to-date, removing the need for 'apk upgrade'. If packages are out-of-date, consider contacting the base image maintainer.
returntocorpPackages in base containers should be up-to-date, removing the need to upgrade or dist-upgrade. If a package is out of date, contact the maintainers.
returntocorpPackages in base images should be up-to-date, removing the need for 'dnf update'. If packages are out-of-date, consider contacting the base image maintainer.
returntocorpImages should be tagged with an explicit version to produce deterministic container images. The 'latest' tag may change the base container without warning.
returntocorpUsing '--platform' with FROM restricts the image to build on a single platform. Further, this must be the same as the build platform. If you intended to specify the target platform, use the utility 'docker buildx --platform=' instead.
returntocorpPackages in base images should be up-to-date, removing the need for 'yum update'. If packages are out-of-date, consider contacting the base image maintainer.
returntocorpPackages in base images should be up-to-date, removing the need for 'zypper update'. If packages are out-of-date, consider contacting the base image maintainer.
returntocorpMAINTAINER has been deprecated.
returntocorpThis apk command is missing '--no-cache'. This forces apk to use a package index instead of a local package cache, removing the need for '--update' and the deletion of '/var/cache/apk/*'. Add '--no-cache' to your apk command.
returntocorpThis 'dnf install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.
returntocorpThis dnf command does not end with '&& dnf clean all'. Running 'dnf clean all' will remove cached data and reduce package size. (This must be performed in the same RUN step.)
returntocorpImages should be tagged with an explicit version to produce deterministic container images.
returntocorpThis 'apt-get install' is missing '--no-install-recommends'. This prevents unnecessary packages from being installed, thereby reducing image size. Add '--no-install-recommends'.
returntocorpThis 'yum install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.
returntocorpThis yum command does not end with '&& yum clean all'. Running 'yum clean all' will remove cached data and reduce package size. (This must be performed in the same RUN step.)
returntocorpThis 'zypper install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.
returntocorpSome commands such as `$CMD` do not make sense in a container. Do not use these.
returntocorp'apt-get' is preferred as an unattended tool for stability. 'apt' is discouraged.
returntocorpPrefer JSON notation when using CMD or ENTRYPOINT. This allows signals to be passed from the OS.
returntocorpThe package cache was not deleted after running 'apt-get update', which increases the size of the image. Remove the package cache by appending '&& apt-get clean' at the end of apt-get command chain.
returntocorpThe package lists were not deleted after running 'apt-get update', which increases the size of the image. Remove the package lists by appending '&& rm -rf /var/lib/apt/lists/*' at the end of apt-get command chain.
returntocorpOnly the exit code from the final command in this RUN instruction will be evaluated unless 'pipefail' is set. If you want to fail the command at any stage in the pipe, set 'pipefail' by including 'SHELL ["/bin/bash", "-o", "pipefail", "-c"] before the command. If you're using alpine and don't have bash installed, communicate this explicitly with `SHELL ["/bin/ash"]`.
returntocorpDetected a relative WORKDIR. Use absolute paths. This prevents issues based on assumptions about the WORKDIR of previous containers.
returntocorp'wget' and 'curl' are similar tools. Choose one and do not install the other to decrease image size.
returntocorpUse the SHELL instruction to set the default shell instead of overwriting '/bin/sh'.
returntocorpUse 'WORKDIR' instead of 'RUN cd ...'. Using 'RUN cd ...' may not work as expected in a conatiner.
returntocorpImage aliases must have a unique name, and '$REF' is used twice. Use another name for '$REF'.
returntocorpCOPY instructions cannot copy from its own alias. The '$REF' alias is used before switching to a new image. If you meant to switch to a new image, include a new 'FROM' statement. Otherwise, remove the '--from=$REF' from the COPY statement.
returntocorpDetected an invalid port number. Valid ports are 0 through 65535.
returntocorpThis 'apt-get install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.
returntocorpMultiple ENTRYPOINT instructions were found. Only the last one will take effect.
returntocorpBy not specifying a USER, a programs in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
returntocorpDetected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}".
returntocorpDetected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using Flask, use 'url_for()' to safely generate a URL. If using Django, use the 'url' filter to safely generate a URL. If using Mustache, use a URL encoding library, or prepend a slash '/' to the variable for relative links (`href="/{{link}}"`). You may also consider setting the Content Security Policy (CSP) header.
returntocorpDetected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.
returntocorpDetected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`).
returntocorpThe 'baseURL' is invalid. This may cause links to not work if deployed. Include the scheme (e.g., http:// or https://).
returntocorpThe 'baseURL' is set to localhost. This may cause links to not work if deployed.
returntocorpThe alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.
returntocorpThe host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.
returntocorpThe protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.
returntocorpThe $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\s]+'.
returntocorpThe 'add_header' directive is called in a 'location' block after headers have been set at the server block. Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.
returntocorpDetected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.
returntocorpDetected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.
returntocorpThis location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.
returntocorpThis server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.
returntocorp'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation.
returntocorpAWS Account ID detected. This is a sensitive credential and should not be hardcoded here. Instead, read the value from an environment variable or keep the value in a separate, private file.
returntocorpPrivate Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.
returntocorpUsername and password in URI detected
returntocorpDetected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead.
returntocorpDetected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.
returntocorpThis page denies crawlers from indexing the page. Remove the robots 'meta' tag.
returntocorpThis rule has been deprecated.
returntocorpThis rule has been deprecated.
returntocorpDetected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.
returntocorpDetected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.
returntocorpDetected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.
When you set a fractional CPU limit on a container, the CPU cycles available will be throttled, even though most nodes can handle processes alternating between using 100% of the CPU.
returntocorpDetected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.
returntocorpTranslated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.
returntocorpDetected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use the 'url' template tag to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header.
returntocorpTranslated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.
returntocorpThis rule is deprecated. It will no longer produce findings.
returntocorpDetected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`).
returntocorpDetected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use 'url_for()' to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header.
returntocorpDetected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ $...VAR }}".
returntocorpThe syntax `<%== ... %>` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.
returntocorp'content_tag' exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use 'html_safe' if you must render raw HTML data.
returntocorp'html_safe' renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.
returntocorp'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.
returntocorpDetected a template variable used in 'link_to'. This will generate dynamic data in the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: 'link_to "Here", "/"+@link'. You may also consider setting the Content Security Policy (CSP) header.
returntocorpDetected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "<%= expr %>".
returntocorpDetected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.
returntocorpDetected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).
returntocorpThe ADD command will accept and include files from a URL. This potentially exposes the container to a man-in-the-middle attack. Since ADD can have this and other unexpected side effects, the use of the more explicit COPY command is preferred.
returntocorpA Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.
returntocorpNPM registry authentication token detected
returntocorpSemgrep found a bash reverse shell
returntocorpSpring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.
returntocorpConditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.
returntocorpGitHub Token detected
returntocorpThe Android manifest is configured to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. This flag is ignored on Android 7 (API 24) and above if a Network Security Config is present.
returntocorpManifest uses both `android:usesCleartextTraffic` and Network Security Config. The `usesCleartextTraffic` directive is ignored on Android 7 (API 24) and above if a Network Security Config is present.
returntocorpThe Network Security Config is set to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools="http://schemas.android.com/tools" tools:ignore="InsecureBaseConfiguration"` as parameters to your `<network-security-config>`)
returntocorpYour app uses TLS public key pinning without specifying a backup key. If you are forced to change TLS keys or CAs on short notice, not having a backup pin can lead to connectivity issues until you can push out an update. It is considered best practice to add at least one additional pin as a backup.
returntocorpYour app uses TLS public key pinning without specifying an expiration date. If your users do not update the app to receive new pins in time, expired or replaced certificates can lead to connectivity issues until they install an update. It is considered best practice to set an expiration time, after which the system will default to trusting system CAs and disregard the pin.
returntocorpThe Network Security Config is set to accept user-installed CAs. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools="http://schemas.android.com/tools" tools:ignore="AcceptsUserCertificates"` as parameters to your `<network-security-config>`)
returntocorpThe Network Security Config is set to accept user-installed CAs for the domain `$DOMAIN`. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools="http://schemas.android.com/tools" tools:ignore="AcceptsUserCertificates"` as parameters to your `<network-security-config>`)
returntocorpThis rule has been deprecated, please use https://semgrep.dev/playground/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token instead.
returntocorpUnencoded JSON in HTML context is vulnerable to cross-site scripting, because `</script>` is not properly encoded.
returntocorpThis tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files.
returntocorpWeb Forms controls use hidden base64 encoded fields to store state information. If sensitive information is stored there it may be leaked to the client side.
returntocorpThe enableViewStateMac is disabled in configuration file.
returntocorpSemgrep found a bash reverse shell
returntocorp`$1` has been added to the .semgrepignore list of ignored paths. Someone from app-sec may want to audit these changes.
returntocorpWhen performing yarn install, make sure to use the lockfile. Without `--frozen-lockfile`, yarn will update the lockfile rather than using the pinned versions.
returntocorpDetected use of mail_to helper used with the `:encode => :javascript option`. The attacker could specify a malicious name or email value that could lead to a XSS attack. Instead, use `:encode => :hex` or patch to Rails 3.0.4 or 2.3.11.
returntocorpTo ensure reproducible and deterministic builds, use `npm ci` rather than `npm install` in scripts. This will use the lockfile rather than updating it.
returntocorpThis rule has been deprecated.
returntocorpDetected user input flowing into number_to_currency helper. One of the parameters to the helper (unit) is not escaped correctly and could lead to XSS, which in turn could lead to sensitive data being exfiltrated. Instead, sanitize data with the 'html_escape' or 'h' function before passing it into `number_to_currency` or upgrade to Rails 4.0.2 or 3.2.16.
returntocorpASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `<compilation ... />`
returntocorpRails versions 3.0.0 - 3.2.15 and 4.0.0 and 4.0.1 are vulnerable to a DoS attack (CVE-2013-6414). This can cause your service to be taken down for substantial amount of time. Instead, upgrade to 4.0.2 or 3.2.16 or higher.
returntocorpAll versions below 1.2.1 of the 'actionpack_page-caching' gem are vulnerable to arbitrary file write and remote code execution (CVE-2020-8159). Update to version 1.2.1 or greater or remove calls to 'caches_page'.
returntocorpThe render method in Rails versions 3.0.0 - 3.0.20, 3.1.0 - 3.1.12, and 3.2.0 - 3.2.16 are vulnerable to a denial of service attack (CVE-2014-0082), which could lead to service downtime. Upgrade to 3.2.17 or higher instead.
returntocorpRails versions 3.0.0 - 3.0.20, 3.1.0 - 3.1.12, and 3.2.0 - 3.2.16 are vulnerable to a denial of service attack (CVE-2014-0082), which could lead to service downtime. Upgrade to 3.2.17 or higher instead.
returntocorpRails versions 2.3.14 are vulnerable to response splitting, allowing header injection (CVE-2011-3186). Upgrade to 2.3.14 or greater.
returntocorpRails versions 0.0.0 - 2.3.14 and 3.0.0 - 3.0.19 are vulnerable to a Remote Code Execution attack via JSON parsing (CVE-2013-0333). Either use the 'yajl' gem or update to Rails 2.3.16 or greater if using Rails 0.0.0 - 2.3.14 and Rails 3.0.20 or greater if using Rails 3.0.0 - 3.0.19
returntocorpOWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.
returntocorpCookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.
returntocorpThis rule has been deprecated.
returntocorpSession cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.
returntocorpScala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.
returntocorpRaw html content controlled by a variable detected. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Try to avoid using `Html()` or consider properly sanitizing input data.
returntocorpPossibly bypassable CSRF configuration found. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. Make sure that Content-Type black list is configured and CORS filter is turned on.
returntocorpThis rule has been deprecated.
returntocorpFound request parameters in a call to `render` in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk.
returntocorpDetected a form executing a state-changing HTTP method `$METHOD` to route definition `$...ROUTE` without a Laravel CSRF decorator or explicit CSRF token implementation. If this form modifies sensitive state this will open your application to Cross-Site Request Forgery (CSRF) attacks.
returntocorpSetting an anchor target of `_blank` without the `noopener` or `noreferrer` attribute allows reverse tabnabbing on Internet Explorer, Opera, and Android Webview.
returntocorpASP.NET Core MVC provides an HtmlString class which isn't automatically encoded upon output. This should never be used in combination with untrusted input as this will expose an XSS vulnerability.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
returntocorpMark sensitive parameters with the @secure() decorator. This avoids logging the value or displaying it in the Azure portal, Azure CLI, or Azure PowerShell.
returntocorpSpring Boot Actuators "$...ACTUATORS" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured.
returntocorpDetects potential Google Maps API keys in code
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.