| ID | Area | Finding | Severity |
|---|---|---|---|
| INF-001 | Infra | no-rollbackNo automated rollback on failed deploy.github/workflows/ci.yml | High |
| SEC-001 | Security | private key block exposed in client bundlelib/insecurity.ts:21 | High |
| SEC-006 | Security | semgrep.yaml.github-actions.security.gha-curl-pipe-shell.gha-curl-pipe-shellA `run:` step pipes the output of `curl` or `wget` directly into a shell interpreter. This is the "curl | bash" install pattern — if the remote server is compromised or the URL is hijacked, an attacker can execute arbitrary code in your CI runner. Consider downloading the file first, verifying its checksum or signature, and then executing it..github/workflows/ci.yml:358 | High |
| SEC-013 | Security | semgrep.yaml.github-actions.security.run-shell-injection.run-shell-injectionUsing variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR"..github/workflows/update-challenges-ebook.yml:22 | High |
| SEC-014 | Security | semgrep.yaml.github-actions.security.run-shell-injection.run-shell-injectionUsing variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR"..github/workflows/update-challenges-www-legacy.yml:27 | High |
| SEC-015 | Security | semgrep.yaml.github-actions.security.run-shell-injection.run-shell-injectionUsing variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR"..github/workflows/update-challenges-www-legacy.yml:36 | High |
| SEC-016 | Security | semgrep.yaml.github-actions.security.run-shell-injection.run-shell-injectionUsing variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR"..github/workflows/update-challenges-www.yml:27 | High |
| SEC-017 | Security | semgrep.yaml.github-actions.security.run-shell-injection.run-shell-injectionUsing variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR"..github/workflows/update-challenges-www.yml:36 | High |
| SEC-019 | Security | semgrep.javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injectionDetected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.data/static/codefixes/dbSchemaChallenge_1.ts:5 | High |
| SEC-020 | Security | semgrep.javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injectionDetected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.data/static/codefixes/dbSchemaChallenge_3.ts:11 | High |
| SEC-022 | Security | semgrep.javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injectionDetected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.data/static/codefixes/unionSqlInjectionChallenge_1.ts:6 | High |
| SEC-023 | Security | semgrep.javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injectionDetected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.data/static/codefixes/unionSqlInjectionChallenge_3.ts:10 | High |
| SEC-024 | Security | semgrep.generic.secrets.security.detected-generic-secret.detected-generic-secretGeneric Secret detecteddata/static/users.yml:151 | High |
| SEC-026 | Security | semgrep.generic.secrets.security.detected-jwt-token.detected-jwt-tokenJWT token detectedfrontend/src/app/app.guard.spec.ts:46 | High |
| SEC-027 | Security | semgrep.generic.secrets.security.detected-jwt-token.detected-jwt-tokenJWT token detectedfrontend/src/app/last-login-ip/last-login-ip.component.spec.ts:72 | High |
| SEC-028 | Security | semgrep.generic.secrets.security.detected-jwt-token.detected-jwt-tokenJWT token detectedfrontend/src/app/last-login-ip/last-login-ip.component.spec.ts:78 | High |
| SEC-037 | Security | semgrep.javascript.express.security.audit.remote-property-injection.remote-property-injectionBracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.routes/currentUser.ts:31 | High |
| SEC-041 | Security | semgrep.javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injectionDetected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.routes/login.ts:34 | High |
| SEC-044 | Security | semgrep.javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injectionDetected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.routes/search.ts:23 | High |
| SEC-045 | Security | semgrep.javascript.browser.security.eval-detected.eval-detectedDetected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.routes/userProfile.ts:61 | High |
| SEC-054 | Security | MA2Route appears to be missing authenticationroutes/dataErasure.ts:74 POST / | High |
| SEC-056 | Security | F11XML parser without entity-expansion protection (XXE)lib/xml.ts:38 | High |
| SEC-057 | Security | J9JWT library pinned to known-CVE version (jsonwebtoken < 9.0.0)package.json:132 jsonwebtoken < 9.0.0 | High |
| SEC-060 | Security | J2PyJWT decode without explicit algorithms listroutes/verify.ts:114 jwt.decode(...) | High |
| ARC-001 | Architecture | auth-duplicatedAuth logic duplicated across servicesfrontend/src/hacking-instructor/helpers/helpers.ts | Medium |
| INF-002 | Infra | dockerfile-floating-tagDockerfile pins floating tag gcr.io/distroless/nodejs24-debian13Dockerfile: FROM gcr.io/distroless/nodejs24-debian13 | Medium |
| INF-003 | Infra | dockerfile-floating-tagDockerfile pins floating tag alpinetest/smoke/Dockerfile: FROM alpine | Medium |
| INF-004 | Infra | dockerfile-runs-as-rootDockerfile final stage runs as roottest/smoke/Dockerfile: no USER directive | Medium |
| OBS-001 | Observability | no-request-idNo request-id propagation across services(no request-id header found in source) | Medium |
| SEC-002 | Security | Secret detected by trufflehog (JWT)test/api/user.test.ts:282 | Medium |
| SEC-003 | Security | Secret detected by trufflehog (JWT)test/server/currentUser.unit.test.ts:31 | Medium |
| SEC-004 | Security | Secret detected by trufflehog (PrivateKey)lib/insecurity.ts:21 | Medium |
| SEC-005 | Security | semgrep.yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tagGitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`..github/workflows/ci.yml:188 | Medium |
| SEC-007 | Security | semgrep.yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tagGitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`..github/workflows/codeql-analysis.yml:23 | Medium |
| SEC-008 | Security | semgrep.yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tagGitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`..github/workflows/codeql-analysis.yml:34 | Medium |
| SEC-009 | Security | semgrep.yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tagGitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`..github/workflows/codeql-analysis.yml:36 | Medium |
| SEC-010 | Security | semgrep.yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tagGitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`..github/workflows/image_actions.yml:30 | Medium |
| SEC-011 | Security | semgrep.yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tagGitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`..github/workflows/image_actions.yml:33 | Medium |
| SEC-012 | Security | semgrep.yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tagGitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`..github/workflows/image_actions.yml:42 | Medium |
| SEC-018 | Security | semgrep.package_managers.npm.npm-missing-minimum-release-age.npm-missing-minimum-release-ageThis .npmrc does not set a minimum release age or sets it too low. Newly published packages can be malicious or unstable. Add `min-release-age = 7` to wait 7 days before resolving newly published package versions. Added in: v11.10 Reference: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/.npmrc:1 | Medium |
| SEC-025 | Security | semgrep.package_managers.npm.npm-missing-minimum-release-age.npm-missing-minimum-release-ageThis .npmrc does not set a minimum release age or sets it too low. Newly published packages can be malicious or unstable. Add `min-release-age = 7` to wait 7 days before resolving newly published package versions. Added in: v11.10 Reference: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/frontend/.npmrc:1 | Medium |
| SEC-029 | Security | semgrep.javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loopPossibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.frontend/src/hacking-instructor/helpers/helpers.ts:49 | Medium |
| SEC-030 | Security | semgrep.javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexpRegExp() called with a `challengeKey` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.lib/codingChallenges.ts:76 | Medium |
| SEC-031 | Security | semgrep.javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexpRegExp() called with a `challengeKey` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.lib/codingChallenges.ts:78 | Medium |
| SEC-032 | Security | semgrep.javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-keyDetected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.lib/insecurity.ts:42 | Medium |
| SEC-033 | Security | semgrep.javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secretA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).lib/insecurity.ts:54 | Medium |
| SEC-034 | Security | semgrep.javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-keyDetected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.lib/insecurity.ts:150 | Medium |
| SEC-035 | Security | semgrep.javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usageDetected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.routes/b2bOrder.ts:23 | Medium |
| SEC-036 | Security | semgrep.javascript.browser.security.eval-detected.eval-detectedDetected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.routes/captcha.ts:22 | Medium |
| SEC-038 | Security | semgrep.javascript.express.security.audit.express-res-sendfile.express-res-sendfileThe application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.routes/fileServer.ts:33 | Medium |
| SEC-039 | Security | semgrep.javascript.express.security.audit.express-res-sendfile.express-res-sendfileThe application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.routes/keyServer.ts:14 | Medium |
| SEC-040 | Security | semgrep.javascript.express.security.audit.express-res-sendfile.express-res-sendfileThe application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.routes/logfileServer.ts:14 | Medium |
| SEC-042 | Security | semgrep.javascript.express.security.audit.express-res-sendfile.express-res-sendfileThe application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.routes/quarantineServer.ts:14 | Medium |
| SEC-043 | Security | semgrep.javascript.express.security.audit.express-open-redirect.express-open-redirectThe application redirects to a URL specified by user-supplied input `query` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.routes/redirect.ts:19 | Medium |
| SEC-046 | Security | semgrep.javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tagCannot determine what 'subs' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure 'subs' is not externally controlled, or sanitize this data.routes/videoHandler.ts:57 | Medium |
| SEC-047 | Security | semgrep.javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tagCannot determine what 'subs' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure 'subs' is not externally controlled, or sanitize this data.routes/videoHandler.ts:71 | Medium |
| SEC-049 | Security | semgrep.javascript.express.security.audit.express-check-directory-listing.express-check-directory-listingDirectory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.server.ts:269 | Medium |
| SEC-050 | Security | semgrep.javascript.express.security.audit.express-check-directory-listing.express-check-directory-listingDirectory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.server.ts:273 | Medium |
| SEC-051 | Security | semgrep.javascript.express.security.audit.express-check-directory-listing.express-check-directory-listingDirectory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.server.ts:277 | Medium |
| SEC-052 | Security | semgrep.javascript.express.security.audit.express-check-directory-listing.express-check-directory-listingDirectory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.server.ts:281 | Medium |
| SEC-053 | Security | semgrep.javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescapeDetected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.views/promotionVideo.pug:75 | Medium |
| SEC-055 | Security | A6Swagger / OpenAPI UI may be exposed in productionserver.ts:26 | Medium |
| SEC-058 | Security | J4JWT decode without audience or issuer verificationlib/insecurity.ts:189 jwt.verify(...) | Medium |
| SEC-059 | Security | J4JWT decode without audience or issuer verificationroutes/verify.ts:114 jwt.decode(...) | Medium |
| SEC-061 | Security | L1Potential audit log gap on delete actionserver.ts:371 DELETE /api/Products/:id | Medium |
| SEC-062 | Security | L1Potential audit log gap on delete actionserver.ts:390 DELETE /api/Recycles/:id | Medium |
| SEC-063 | Security | L1Potential audit log gap on delete actionserver.ts:429 DELETE /api/Quantitys/:id | Medium |
| SEC-064 | Security | L1Potential audit log gap on delete actionserver.ts:441 DELETE /api/Cards/:id | Medium |
| SEC-065 | Security | L1Potential audit log gap on delete actionserver.ts:451 DELETE /api/Addresss/:id | Medium |
| SEC-066 | Security | L4Potential audit log gap on login actionserver.ts:596 POST /rest/user/login | Medium |
| SEC-067 | Security | L3Potential audit log gap on password-change actionserver.ts:597 GET /rest/user/change-password | Medium |
| SEC-068 | Security | L3Potential audit log gap on password-change actionserver.ts:598 POST /rest/user/reset-password | Medium |
| CI-001 | CI/CD | node-version-skewProduction and preview use different node versions.github/workflows/ci.yml | Low |
| SEC-021 | Security | semgrep.javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitizationDetected a call to `replaceAll()` in an attempt to HTML escape the string `tableData[i].description`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.data/static/codefixes/restfulXssChallenge_2.ts:46 | Low |
| SEC-048 | Security | semgrep.javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstringDetected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.server.ts:157 | Low |
The deploy pipeline has no rollback path. A bad release stays live until someone notices and manually intervenes.
A privileged credential appears in code that is bundled and shipped to the browser. Anyone who loads the app can read it and use it to bypass row-level security.
semgrep rule yaml.github-actions.security.gha-curl-pipe-shell.gha-curl-pipe-shell matched. A `run:` step pipes the output of `curl` or `wget` directly into a shell interpreter. This is the "curl | bash" install pattern — if the remote server is compromised or the URL is hijacked, an attacker can execute arbitrary code in your CI runner. Consider downloading the file first, verifying its checksum or signature, and then executing it.
semgrep rule yaml.github-actions.security.run-shell-injection.run-shell-injection matched. Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
semgrep rule yaml.github-actions.security.run-shell-injection.run-shell-injection matched. Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
semgrep rule yaml.github-actions.security.run-shell-injection.run-shell-injection matched. Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
semgrep rule yaml.github-actions.security.run-shell-injection.run-shell-injection matched. Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
semgrep rule yaml.github-actions.security.run-shell-injection.run-shell-injection matched. Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
semgrep rule javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection matched. Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
semgrep rule javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection matched. Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
semgrep rule javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection matched. Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
semgrep rule javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection matched. Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
semgrep rule generic.secrets.security.detected-generic-secret.detected-generic-secret matched. Generic Secret detected
semgrep rule generic.secrets.security.detected-jwt-token.detected-jwt-token matched. JWT token detected
semgrep rule generic.secrets.security.detected-jwt-token.detected-jwt-token matched. JWT token detected
semgrep rule generic.secrets.security.detected-jwt-token.detected-jwt-token matched. JWT token detected
semgrep rule javascript.express.security.audit.remote-property-injection.remote-property-injection matched. Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.
semgrep rule javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection matched. Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
semgrep rule javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection matched. Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
semgrep rule javascript.browser.security.eval-detected.eval-detected matched. Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
POST / is handled by (unknown handler) but no authentication middleware, guard, decorator, dependency or authorization annotation was detected.
An XML parser is used without disabling external-entity expansion. Attacker-supplied XML can read local files (file:///etc/passwd) or make outbound requests via XXE / billion-laughs.
The pinned version of `jsonwebtoken` is vulnerable to CVE-2022-23529. This makes the JWT verifier silently accept forged tokens.
`jwt.decode(...)` is called without an `algorithms=[...]` argument. On PyJWT < 2.0 this silently accepts the token's declared algorithm — including `none` if the attacker chooses.
Token verification appears reimplemented in multiple places. Each copy drifts, and a fix in one is missed in the others.
Base image `gcr.io/distroless/nodejs24-debian13` uses a floating tag. Rebuilds pull a different image as upstream publishes, so the build is not reproducible and a compromised upstream tag silently lands in production.
Base image `alpine` uses a floating tag. Rebuilds pull a different image as upstream publishes, so the build is not reproducible and a compromised upstream tag silently lands in production.
The image runs as root (no USER directive). A container-escape bug compounds to host root; a vulnerable process running as a low-privilege UID does not.
Requests carry no correlation id, so a single user action cannot be traced across services when something fails in production.
trufflehog matched detector JWT. The credential was checked against the live service and was NOT confirmed valid.
trufflehog matched detector JWT. The credential was checked against the live service and was NOT confirmed valid.
trufflehog matched detector PrivateKey. The credential was checked against the live service and was NOT confirmed valid.
semgrep rule yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag matched. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
semgrep rule yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag matched. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
semgrep rule yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag matched. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
semgrep rule yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag matched. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
semgrep rule yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag matched. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
semgrep rule yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag matched. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
semgrep rule yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag matched. GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
semgrep rule package_managers.npm.npm-missing-minimum-release-age.npm-missing-minimum-release-age matched. This .npmrc does not set a minimum release age or sets it too low. Newly published packages can be malicious or unstable. Add `min-release-age = 7` to wait 7 days before resolving newly published package versions. Added in: v11.10 Reference: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/
semgrep rule package_managers.npm.npm-missing-minimum-release-age.npm-missing-minimum-release-age matched. This .npmrc does not set a minimum release age or sets it too low. Newly published packages can be malicious or unstable. Add `min-release-age = 7` to wait 7 days before resolving newly published package versions. Added in: v11.10 Reference: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/
semgrep rule javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop matched. Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
semgrep rule javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp matched. RegExp() called with a `challengeKey` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.
semgrep rule javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp matched. RegExp() called with a `challengeKey` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.
semgrep rule javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key matched. Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.
semgrep rule javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret matched. A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
semgrep rule javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key matched. Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.
semgrep rule javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage matched. Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.
semgrep rule javascript.browser.security.eval-detected.eval-detected matched. Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
semgrep rule javascript.express.security.audit.express-res-sendfile.express-res-sendfile matched. The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.
semgrep rule javascript.express.security.audit.express-res-sendfile.express-res-sendfile matched. The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.
semgrep rule javascript.express.security.audit.express-res-sendfile.express-res-sendfile matched. The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.
semgrep rule javascript.express.security.audit.express-res-sendfile.express-res-sendfile matched. The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.
semgrep rule javascript.express.security.audit.express-open-redirect.express-open-redirect matched. The application redirects to a URL specified by user-supplied input `query` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.
semgrep rule javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag matched. Cannot determine what 'subs' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure 'subs' is not externally controlled, or sanitize this data.
semgrep rule javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag matched. Cannot determine what 'subs' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure 'subs' is not externally controlled, or sanitize this data.
semgrep rule javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing matched. Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.
semgrep rule javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing matched. Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.
semgrep rule javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing matched. Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.
semgrep rule javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing matched. Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.
semgrep rule javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape matched. Detected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.
An interactive API documentation UI is registered without a visible environment gate. Production exposure of Swagger UI gives attackers an enumerable API surface.
jwt.verify(...) is called without `audience` / `aud` AND `issuer` / `iss` parameters. Tokens minted for a different service or by a different identity provider can be replayed against this verifier.
jwt.decode(...) is called without `audience` / `aud` AND `issuer` / `iss` parameters. Tokens minted for a different service or by a different identity provider can be replayed against this verifier.
The route DELETE /api/Products/:id is a sensitive action (delete), and the handler file does not call any recognised audit-logging pattern. SOC 2 CC7.2 / ISO 27001 A.12.4 / HIPAA §164.312(b) all require audit records for privileged actions.
The route DELETE /api/Recycles/:id is a sensitive action (delete), and the handler file does not call any recognised audit-logging pattern. SOC 2 CC7.2 / ISO 27001 A.12.4 / HIPAA §164.312(b) all require audit records for privileged actions.
The route DELETE /api/Quantitys/:id is a sensitive action (delete), and the handler file does not call any recognised audit-logging pattern. SOC 2 CC7.2 / ISO 27001 A.12.4 / HIPAA §164.312(b) all require audit records for privileged actions.
The route DELETE /api/Cards/:id is a sensitive action (delete), and the handler file does not call any recognised audit-logging pattern. SOC 2 CC7.2 / ISO 27001 A.12.4 / HIPAA §164.312(b) all require audit records for privileged actions.
The route DELETE /api/Addresss/:id is a sensitive action (delete), and the handler file does not call any recognised audit-logging pattern. SOC 2 CC7.2 / ISO 27001 A.12.4 / HIPAA §164.312(b) all require audit records for privileged actions.
The route POST /rest/user/login is a sensitive action (login), and the handler file does not call any recognised audit-logging pattern. SOC 2 CC7.2 / ISO 27001 A.12.4 / HIPAA §164.312(b) all require audit records for privileged actions.
The route GET /rest/user/change-password is a sensitive action (password-change), and the handler file does not call any recognised audit-logging pattern. SOC 2 CC7.2 / ISO 27001 A.12.4 / HIPAA §164.312(b) all require audit records for privileged actions.
The route POST /rest/user/reset-password is a sensitive action (password-change), and the handler file does not call any recognised audit-logging pattern. SOC 2 CC7.2 / ISO 27001 A.12.4 / HIPAA §164.312(b) all require audit records for privileged actions.
Different runtime versions across environments means preview can pass while production breaks. Pin one version everywhere.
semgrep rule javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization matched. Detected a call to `replaceAll()` in an attempt to HTML escape the string `tableData[i].description`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.
semgrep rule javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring matched. Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.