Security Rules
79 rules across 13 categories. Every finding includes a plain-English explanation and a suggested fix.
Secrets
Hardcoded credentials, API keys, and tokens that should be in environment variables.
| Rule | Severity |
|---|---|
AWS access key ID secrets/aws-access-key | critical |
AWS secret access key secrets/aws-secret-key | critical |
Stripe secret key secrets/stripe-secret-key | critical |
GitHub personal access token secrets/github-token | critical |
OpenAI API key secrets/openai-api-key | critical |
Supabase service role key secrets/supabase-service-role | critical |
Private key (RSA, EC, etc.) secrets/private-key | critical |
JWT signing secret secrets/jwt-secret | critical |
Database connection string with credentials secrets/database-url | critical |
SendGrid API key secrets/sendgrid-api-key | critical |
Slack webhook URL secrets/slack-webhook | critical |
Generic API key pattern secrets/generic-api-key | high |
Hardcoded password secrets/generic-password | high |
Default credentials in code secrets/default-credentials | critical |
Injection
SQL injection, command injection, and other code injection vectors.
| Rule | Severity |
|---|---|
SQL query built with string concatenation injection/sql-string-concat | critical |
User input passed to shell command injection/command-injection | critical |
Dynamic code execution with eval() injection/eval-usage | critical |
Unsanitized file path from user input injection/path-traversal | high |
Object merge with unvalidated user input injection/prototype-pollution | high |
XSS
Cross-site scripting vulnerabilities that allow attackers to inject client-side scripts.
| Rule | Severity |
|---|---|
Setting innerHTML with dynamic content xss/innerhtml-usage | high |
Using dangerouslySetInnerHTML in React xss/dangerously-set-html | high |
Using document.write() with dynamic content xss/document-write | medium |
Unescaped user input in template xss/unescaped-output | medium |
Auth
Authentication weaknesses that could let attackers bypass login or forge sessions.
| Rule | Severity |
|---|---|
JWT verified with hardcoded secret auth/hardcoded-jwt-verify | high |
CORS allows all origins (*) auth/cors-wildcard | high |
Authorization
Missing or broken access control checks that could let users access resources they shouldn't.
| Rule | Severity |
|---|---|
Data access without ownership verification authz/missing-ownership-check | high |
Admin check only on frontend authz/admin-check-frontend-only | critical |
Delete endpoint without authentication authz/delete-without-auth | critical |
Role/permission taken from client request authz/role-from-client | critical |
Sequential IDs expose data to enumeration authz/idor-sequential-id | medium |
Crypto
Weak or insecure cryptographic implementations.
| Rule | Severity |
|---|---|
Using MD5 or SHA1 for security purposes crypto/weak-algorithm | high |
Math.random() used for security-sensitive values crypto/math-random | high |
Config
Configuration files that expose sensitive data or enable debug modes in production.
| Rule | Severity |
|---|---|
.env file committed to version control config/env-file-committed | critical |
Debug mode enabled in production config config/debug-mode-enabled | medium |
Insecure NextAuth.js configuration config/insecure-nextauth-config | high |
PII
Personally identifiable information leaked through logs, storage, or API responses.
| Rule | Severity |
|---|---|
Email addresses logged to console pii/email-in-logs | medium |
Sensitive data in console.log pii/console-log-sensitive | medium |
Sensitive data stored without encryption pii/unencrypted-storage | high |
BaaS
Backend-as-a-Service misconfigurations for Supabase, Firebase, and similar platforms.
| Rule | Severity |
|---|---|
Supabase service key used on client baas/supabase-service-key-client | critical |
Supabase RLS policy bypassed baas/supabase-rls-bypass | high |
Supabase table without Row Level Security baas/supabase-rls-disabled | critical |
Anon key used for server-side mutations baas/supabase-anon-key-server-mutation | high |
Supabase storage bucket without access policies baas/supabase-storage-no-policy | high |
Direct query to auth.users table baas/supabase-auth-users-direct | medium |
Supabase auth with unvalidated redirect URL baas/supabase-insecure-redirect | high |
Firebase rules allow all reads/writes baas/firebase-rules-allow-all | critical |
Storage bucket publicly accessible baas/storage-bucket-public | high |
LLM / AI
Security issues specific to LLM-powered applications and AI integrations.
| Rule | Severity |
|---|---|
System prompt exposed to client llm/system-prompt-exposed | high |
Unsanitized user input in LLM prompt llm/user-input-to-prompt | critical |
AI API key hardcoded in source llm/api-key-hardcoded | critical |
AI API key leaks to browser via env prefix llm/api-key-client-env | critical |
LLM output used without validation llm/no-output-validation | medium |
LLM tool call executed without validation llm/tool-call-no-validation | high |
RAG retrieval vulnerable to prompt injection llm/rag-injection | high |
System prompt leaks through LLM output llm/prompt-leak-via-output | medium |
LLM output executed as code llm/output-as-code | critical |
Headers
Missing or misconfigured HTTP security headers and server-side request issues.
| Rule | Severity |
|---|---|
Missing Content Security Policy headers/missing-csp | medium |
Missing Strict-Transport-Security header headers/missing-hsts | medium |
Missing X-Frame-Options header headers/missing-x-frame-options | medium |
Server-side request to user-provided URL headers/ssrf-unvalidated-url | high |
Redirect to unvalidated URL headers/open-redirect | high |
Missing Referrer-Policy header headers/missing-referrer-policy | low |
Missing X-Content-Type-Options header headers/missing-x-content-type-options | low |
Missing Permissions-Policy header headers/missing-permissions-policy | low |
CORS allows credentials with wildcard origin headers/cors-credentials-wildcard | critical |
Cookie set without Secure/HttpOnly flags headers/cookie-missing-secure | high |
Auth route without rate limiting headers/rate-limit-missing-auth-route | high |
Server request may reach cloud metadata endpoint headers/ssrf-cloud-metadata | critical |
Server request may reach internal IP range headers/ssrf-internal-ip | high |
Dependencies
Dependency risks from unpinned versions, typosquatting, and suspicious install scripts.
| Rule | Severity |
|---|---|
Unpinned dependency versions deps/unpinned-versions | medium |
Package name similar to popular package deps/typosquatting-risk | medium |
Package runs scripts on install deps/postinstall-script | high |
Potentially AI-hallucinated package name deps/slopsquatting-risk | high |
Remote code fetched and executed deps/eval-fetched-code | critical |
CDN script without Subresource Integrity deps/cdn-no-integrity | medium |
Client Security
Client-side security patterns — token storage, error exposure, file uploads, and CSRF protection.
| Rule | Severity |
|---|---|
Auth token stored in localStorage (XSS risk) client/jwt-in-localstorage | high |
Error stack trace sent to client client/error-stack-exposed | medium |
File upload without type or size validation client/file-upload-no-validation | high |
State-changing endpoint without CSRF protection client/missing-csrf-state-change | medium |
False positive?
Suppress any rule by ID. It won't block CI or clutter your reports.
See Configuration for details on .shipsafeignore.