#json

semgrep

Package dependencies with variant versions may lead to dependency hijack and confusion attacks. Better to specify an exact version or use package-lock.json for a specific version of the package.

semgrep

This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.

semgrep

Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.

json.aws.security.public-s3-policy-statement.public-s3-policy-statement

semgrep

Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.

semgrep

Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.

semgrep

The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY", where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.

semgrep

The references in rule metadata should always be a list, even if there's only one.