Loading...

Pricing Docs Blog About

Sign In Scan Now

Rule catalog

Every check Sekrd runs, grouped by OWASP Top 10 2021 category. Every rule is mapped to a MITRE CWE, an OWASP ASVS 4.0 requirement, and at least one authoritative reference (OWASP cheat sheet, MDN, RFC, or vendor documentation).

This catalog is what distinguishes a security scanner from a regex tool. Findings from Sekrd cite these entries so auditors and engineers can verify the reasoning independently.

CWE filter:

Showing 99 of 99 rules

A01:2021 — Broken Access Control

cookie-no-samesiteCWE-1275ASVS V3.4.3

firebase-firestore-publicCWE-284ASVS V4.1.1

Firestore collection publicly readable

firebase-rtdb-publicCWE-284ASVS V4.1.1

Firebase Realtime Database publicly readable

firebase-rtdb-read-openCWE-284ASVS V4.1.1

Realtime Database allows public read access

firebase-rtdb-test-modeCWE-284ASVS V4.1.1

Realtime Database rules in test mode (allow all)

firebase-rtdb-write-openCWE-284ASVS V4.1.1

Realtime Database allows public write access

firebase-rules-openCWE-284ASVS V4.1.1

firebase-storage-publicCWE-284ASVS V4.1.1

Firebase Cloud Storage bucket publicly listable

form-no-csrfCWE-352ASVS V13.2.3

idor-sequential-idCWE-639ASVS V4.2.1

Potential IDOR via sequential IDs

js-clientside-auth-guardCWE-602ASVS V1.4.1

Client-side only auth guard detected — bypassable via dev tools

js-clientside-role-checkCWE-602ASVS V1.4.1

Role/permission check in client JavaScript — privilege escalation risk

js-internal-urlsCWE-200ASVS V14.3.3

js-postmessage-no-originCWE-346ASVS V13.1.5

postMessage listener without origin validation

missing-referrer-policyCWE-200ASVS V14.4.6

Missing Referrer-Policy header

network-influxdb-exposedCWE-200ASVS V1.14.1

InfluxDB admin port exposed

network-zookeeper-exposedCWE-200ASVS V1.14.1

ZooKeeper port exposed

open-redirectCWE-601ASVS V5.1.5

Open redirect

open-redirect-jsCWE-601ASVS V5.1.5

Open redirect (JavaScript)

supabase-rls-bypassCWE-284ASVS V4.1.1

unprotected-api-endpointCWE-306ASVS V1.4.1

wordpress-rest-api-openCWE-284

WordPress REST API fully accessible

A02:2021 — Cryptographic Failures

cookie-no-secureCWE-614ASVS V3.4.1

dmarc-policy-noneCWE-290

DMARC policy set to 'none' — not enforcing

dockerfile-secret-in-envCWE-798ASVS V2.10.1

Secret baked into image via ENV/ARG

hsts-no-subdomainsCWE-319ASVS V9.1.2

HSTS missing includeSubDomains directive

infra-no-dmarcCWE-290ASVS V14.2.1

No DMARC record — email spoofing not blocked

infra-no-spfCWE-290ASVS V14.2.1

No SPF record — email spoofing possible

js-auth-token-localstorageCWE-922ASVS V3.1.1

Auth token stored in localStorage — XSS leads to account takeover

js-pii-in-storageCWE-312ASVS V3.1.1

PII stored in browser storage

missing-hstsCWE-319ASVS V9.1.2

Missing Strict-Transport-Security (HSTS) header

secret-high-entropyCWE-200ASVS V2.10.1

High-entropy token detected

secret-pattern-matchCWE-798ASVS V2.10.1

Potential secret detected in client code

site-not-httpsCWE-319ASVS V9.1.1

Site not using HTTPS

stripe-live-secret-in-clientCWE-798ASVS V14.3.2

Stripe live secret key exposed in client code

tls-1-0-supportedCWE-327ASVS V9.1.3

Server supports TLS 1.0 — deprecated and insecure

tls-1-1-supportedCWE-327ASVS V9.1.3

Server supports TLS 1.1 — deprecated

tls-cert-expiredCWE-295ASVS V9.1.1

TLS certificate has expired

tls-cert-validation-failedCWE-295ASVS V9.1.1

TLS certificate validation failed

A03:2021 — Injection

csp-unsafe-evalCWE-95ASVS V14.4.1

CSP allows 'unsafe-eval'

csp-unsafe-inlineCWE-79ASVS V14.4.1

CSP allows 'unsafe-inline' in script-src

js-document-writeCWE-79ASVS V5.3.3

document.write() used — DOM manipulation risk

js-eval-dynamicCWE-95ASVS V5.3.7

js-innerhtml-dynamicCWE-79ASVS V5.3.3

sqli-error-basedCWE-89ASVS V5.3.4

SQL injection (error-based)

xss-reflectedCWE-79ASVS V5.3.3

Reflected XSS

A04:2021 — Insecure Design

dockerfile-no-healthcheckCWE-754ASVS V1.14.3

Dockerfile has no HEALTHCHECK

exfil-chainCWE-799

Data exfiltration chain: exposed user data + no rate limiting

no-rate-limitCWE-307ASVS V2.2.1

No rate limiting on sensitive endpoint

A05:2021 — Security Misconfiguration

cors-reflected-credsCWE-942ASVS V14.5.3

CORS reflects arbitrary origin with credentials

cors-reflected-originCWE-942ASVS V14.5.3

CORS reflects arbitrary origin

cors-wildcard-credsCWE-942ASVS V14.5.3

CORS wildcard with credentials

csp-broad-script-srcCWE-693ASVS V14.4.1

CSP script-src allows overly broad sources

csp-no-object-srcCWE-693ASVS V14.4.1

CSP missing object-src restriction

csp-report-onlyCWE-693ASVS V14.4.1

CSP is report-only, not enforced

dockerfile-apt-no-recommendsCWE-1037ASVS V14.2.5

apt-get install without --no-install-recommends

dockerfile-no-userCWE-250ASVS V14.2.1

Dockerfile has no USER directive

dockerfile-root-userCWE-250ASVS V14.2.1

Container runs as root

dockerfile-sudoCWE-269ASVS V14.2.1

Dockerfile invokes sudo

env-file-exposedCWE-538ASVS V14.3.2

.env file publicly accessible

error-page-leakCWE-209ASVS V7.4.1

Error page leaks implementation details

js-sourcemap-exposedCWE-540ASVS V14.3.2

JavaScript source map exposed

js-sourcemap-referenceCWE-540ASVS V14.3.2

Source map reference found in JavaScript

missing-coopCWE-1021ASVS V14.4.7

Missing Cross-Origin-Opener-Policy header

missing-corpCWE-1021ASVS V14.4.7

Missing Cross-Origin-Resource-Policy header

missing-cspCWE-693ASVS V14.4.1

No Content-Security-Policy header

missing-permissions-policyCWE-693ASVS V14.4.5

Missing Permissions-Policy header

missing-x-content-type-optionsCWE-116ASVS V14.4.4

Missing X-Content-Type-Options: nosniff

missing-xfoCWE-1021ASVS V14.4.7

Missing X-Frame-Options header

network-elasticsearch-exposedCWE-284ASVS V1.14.1

Elasticsearch HTTP API exposed to the public internet

network-kafka-exposedCWE-284ASVS V1.14.1

Kafka broker port exposed

network-memcached-exposedCWE-306ASVS V1.14.1

Memcached port exposed to the public internet

network-mysql-exposedCWE-284ASVS V1.14.1

MySQL port exposed to the public internet

network-postgresql-exposedCWE-284ASVS V1.14.1

PostgreSQL port exposed to the public internet

network-rabbitmq-amqp-exposedCWE-284ASVS V1.14.1

RabbitMQ AMQP broker exposed

network-rabbitmq-mgmt-exposedCWE-284ASVS V1.14.1

RabbitMQ management UI exposed

server-version-disclosedCWE-200ASVS V14.3.1

Server software version disclosed

via-header-disclosedCWE-200ASVS V14.3.1

Proxy software disclosed in Via header

A06:2021 — Vulnerable and Outdated Components

dockerfile-latest-tagCWE-1104ASVS V14.2.5

Dockerfile uses :latest tag

dockerfile-no-tagCWE-1104ASVS V14.2.5

Dockerfile base image has no explicit tag

vulnerable-dependencyCWE-1395ASVS V14.2.1

Vulnerable dependency

A07:2021 — Identification and Authentication Failures

cookie-no-httponlyCWE-1004ASVS V3.4.2

network-couchdb-exposedCWE-284ASVS V1.14.1

CouchDB admin port exposed

network-mongodb-exposedCWE-306ASVS V1.14.1

MongoDB port exposed to the public internet

network-neo4j-exposedCWE-521ASVS V1.14.1

Neo4j Browser port exposed

network-redis-exposedCWE-306ASVS V1.14.1

Redis port exposed to the public internet

supabase-email-confirm-offCWE-287ASVS V2.2.7

Email confirmation disabled

supabase-phone-confirm-offCWE-287ASVS V2.2.7

Phone confirmation disabled

wordpress-bruteforce-chainCWE-307

WordPress brute-force attack chain: admin username + exposed login

wordpress-login-exposedCWE-284

WordPress login page publicly accessible

wordpress-user-enumCWE-203

WordPress user enumeration via REST API

A08:2021 — Software and Data Integrity Failures

dockerfile-add-remote-urlCWE-829ASVS V14.2.3

Dockerfile uses ADD for remote URL

dockerfile-curl-pipe-bashCWE-494ASVS V14.2.3

Dockerfile pipes remote script into shell

N/A — configuration

supabase-signup-disabled

Public signup is disabled

N/A — regulatory

compliance-no-cookie-consent

compliance-no-cookie-policy

No cookie policy page found

compliance-no-data-deletion

compliance-no-privacy-policy

compliance-tracker-no-consent

Analytics tracker loaded without cookie consent

sekrd

Deep security audit for AI-built apps. Don't ship until you're sekrd.

Product

Free Scan
Pricing
Documentation
Blog

Company

About
Support
Terms of Service
Privacy Policy

Connect

GitHub
Telegram

© 2026 Sekrd. All rights reserved.

Don't ship until you're sekrd.