Supported Weaknesses

CWE-20

Improper Input Validation

Identifies missing validation, untrusted deserialisation, and unsafe type coercion before data reaches sensitive sinks.

CWE-22

Path Traversal

Tracks file-system access from HTTP handlers, CLIs, and background jobs to prevent arbitrary file reads and writes.

CWE-77

Command Injection

Detects unsanitised command construction in shell runners, build tooling, and deployment scripts.

CWE-78

OS Command Injection

Finds user-controlled data reaching operating system calls (for example exec, Runtime.exec, subprocess, ProcessBuilder).

CWE-79

Cross-Site Scripting (XSS)

Covers reflected and stored variants across templating engines and SPA frameworks.

CWE-89

SQL Injection

Supports ORM and raw-query patterns in Go, Java, JavaScript/TypeScript, Ruby, PHP, Python, and Scala.

CWE-94

Code Injection

Flags dynamic evaluation, template injection, and remote code download scenarios.

CWE-269

Improper Privilege Management

Verifies authorisation guards, middleware ordering, and access control annotations.

CWE-287

Improper Authentication

Detects missing authentication, weak session handling, and uncontrolled login backdoors.

CWE-352

Cross-Site Request Forgery

Validates CSRF mitigations for web, API, and mobile backend endpoints.

CWE-434

Unrestricted File Upload

Ensures upload handlers enforce type, size, and storage-location controls.

CWE-502

Deserialisation of Untrusted Data

Flags unsafe use of native, JSON, XML, and binary deserialisers across languages.

CWE-798

Hard-coded Credentials

Surfaces embedded secrets in application code alongside Secrets & Data Guardrails detections.

CWE-918

Server-Side Request Forgery

Detects pivot chains that reach cloud metadata services, internal control planes, or partner APIs.