All 210 Security Rules

Every rule XploitScan uses, organized by OWASP Top 10 category. Each rule maps to CWE, SOC 2, and ISO 27001 controls.

About our rule set

These rules detect security patterns specific to AI-generated code (Cursor, Bolt, Lovable, Replit) and modern web frameworks (Next.js, Supabase, Clerk, Stripe). They use a two-layer approach: a fast pattern-matching pre-filter plus a Babel-parsed AST layer with taint tracking for data-flow rules (SSRF, prototype pollution, mass assignment, SSTI, and more). Detection quality is scored publicly against a labeled fixture corpus on the benchmark page.

Free plan: 30 core rules covering the most common vulnerabilities. Pro plan: all 210 rules including framework-specific patterns, payment security, and IDE/mobile code.

Note: XploitScan is not a replacement for professional security auditing. Pattern-based scanning cannot catch every vulnerability, especially logic flaws and business-logic issues. For production applications handling sensitive data, we recommend combining automated scanning with penetration testing and manual code review.

A01:2021 — Broken Access Control

19 rules

Rule	Description	CWE
VC003	Missing auth on API routes	CWE-306
VC004	Insecure direct object reference	CWE-639
VC005	Missing CSRF protection	CWE-352
VC010	Missing authorization checks	CWE-862
VC013	Path traversal	CWE-22
VC023	Open redirect	CWE-601
VC029	Missing access control on file operations	CWE-732
VC041	Insecure redirect handling	CWE-601
VC042	Missing role-based access control	CWE-285
VC057	Missing least privilege enforcement	CWE-250
VC070	Insecure file permissions	CWE-732
VC085	Missing privilege escalation protection	CWE-269
VC117	Path traversal	CWE-22
VC127	Insecure HTTP methods	CWE-862
VC158	IDOR / missing ownership check	CWE-639
VC201	AI/RAG: vector-store query without user/tenant filter	CWE-639
VC202	AI/RAG: vector-store upsert without user/tenant metadata	CWE-639
VC206	GraphQL: Apollo Server with csrfPrevention: false	CWE-352
VC210	Auth middleware matcher excludes API routes	CWE-862

A02:2021 — Cryptographic Failures

28 rules

Rule	Description	CWE
VC001	Hardcoded secrets	CWE-798
VC002	Hardcoded passwords	CWE-259
VC014	Sensitive data in source code	CWE-200
VC031	Weak cryptographic algorithm	CWE-327
VC032	HTTP used instead of HTTPS	CWE-319
VC034	Hardcoded encryption keys	CWE-321
VC035	Insecure random number generation	CWE-338
VC043	Insecure password storage	CWE-916
VC049	Insecure API key handling	CWE-798
VC050	Missing data encryption at rest	CWE-311
VC058	Hardcoded database credentials	CWE-798
VC060	Insecure TLS configuration	CWE-326
VC061	Missing certificate validation	CWE-295
VC078	Insecure secrets management	CWE-798
VC079	Missing encryption in transit	CWE-319
VC086	Insecure data storage	CWE-922
VC087	Missing data masking	CWE-200
VC096	Insecure local storage usage	CWE-922
VC107	Missing data encryption for PII	CWE-311
VC119	Hardcoded OAuth client secret	CWE-798
VC122	Deprecated TLS version	CWE-326
VC123	Weak RSA key size	CWE-326
VC124	ECB mode encryption	CWE-327
VC126	Terraform state exposed	CWE-200
VC129	Unencrypted PII in database	CWE-312
VC191	Python: requests called with verify=False (TLS disabled)	CWE-295
VC195	Python: paramiko AutoAddPolicy (accepts unknown SSH host keys)	CWE-295
VC197	Python: PyJWT decode without algorithm allowlist	CWE-347

A03:2021 — Injection

19 rules

Rule	Description	CWE
VC006	SQL injection	CWE-89
VC007	XSS vulnerability	CWE-79
VC012	Missing input sanitization	CWE-20
VC015	Command injection	CWE-78
VC016	Prototype pollution	CWE-1321
VC030	eval() usage	CWE-95
VC080	Insecure database queries	CWE-89
VC100	Insecure XML processing	CWE-611
VC101	Missing input encoding	CWE-116
VC106	Insecure PDF generation	CWE-918
VC116	Insecure AI/LLM integration	CWE-74
VC154	Missing request body validation	CWE-20
VC186	GitHub Actions: expression injection in run block	CWE-78
VC192	Python: Jinja2 Environment with autoescape=False	CWE-79
VC194	Python: Django mark_safe() with non-literal input	CWE-79
VC198	AI/LLM: user input concatenated into model message content	CWE-94
VC199	AI/LLM: system prompt constructed with non-literal content	CWE-94
VC200	AI/LLM: model output rendered as raw HTML (XSS via model)	CWE-79
VC207	AI/LLM: model output passed to a code, command, query, or file sink	CWE-94

A04:2021 — Insecure Design

25 rules

Rule	Description	CWE
VC008	Missing rate limiting	CWE-770
VC028	Insecure file upload	CWE-434
VC036	Missing input length validation	CWE-20
VC051	Insecure WebSocket handling	CWE-1385
VC053	Insecure email handling	CWE-200
VC064	Insecure GraphQL endpoint	CWE-200
VC065	Missing query depth limiting	CWE-400
VC067	Missing API versioning	CWE-1059
VC069	Missing request validation	CWE-20
VC074	Insecure postMessage usage	CWE-345
VC088	Insecure caching	CWE-524
VC089	Missing data retention policy	CWE-212
VC092	Insecure service worker	CWE-349
VC104	Insecure SSR data leakage	CWE-200
VC113	Missing vulnerability disclosure policy	CWE-1059
VC115	Missing security training indicators	CWE-1059
VC130	Missing rate limit on auth	CWE-307
VC155	Missing rate limit on AI/LLM calls	CWE-770
VC156	Missing pagination on list endpoint	CWE-770
VC190	Dockerfile: missing HEALTHCHECK directive	CWE-754
VC193	Python: tempfile.mktemp() — TOCTOU race	CWE-377
VC203	AI/LLM: model call without max_tokens (denial of wallet)	CWE-770
VC204	GraphQL: server has no query depth limit	CWE-770
VC205	GraphQL: server has no query complexity limit	CWE-770
VC209	Webhook handler without idempotency / replay protection	CWE-799

A05:2021 — Security Misconfiguration

34 rules

Rule	Description	CWE
VC009	CORS misconfiguration	CWE-942
VC017	Insecure default configuration	CWE-1188
VC019	Debug mode in production	CWE-489
VC020	Information exposure in error messages	CWE-209
VC024	Missing content security policy	CWE-1021
VC025	Insecure cookie flags	CWE-614
VC026	Missing security headers	CWE-693
VC027	Unsafe regular expressions	CWE-1333
VC038	Missing timeout configuration	CWE-400
VC040	Missing helmet/security middleware	CWE-693
VC056	Insecure DNS configuration	CWE-350
VC059	Missing environment separation	CWE-489
VC066	Insecure GraphQL introspection	CWE-200
VC068	Insecure middleware ordering	CWE-696
VC072	Insecure iframe embedding	CWE-1021
VC073	Missing clickjacking protection	CWE-1021
VC076	Insecure deployment configuration	CWE-16
VC077	Missing container security	CWE-250
VC090	Insecure backup configuration	CWE-530
VC091	Missing cross-origin isolation	CWE-346
VC093	Missing HSTS	CWE-523
VC095	Missing network segmentation	CWE-923
VC097	Missing secure flag on cookies	CWE-614
VC099	Missing secure headers in API responses	CWE-693
VC102	Insecure regex	CWE-1333
VC103	Missing HTTP method restriction	CWE-749
VC105	Missing referrer policy	CWE-200
VC108	Insecure server configuration	CWE-16
VC128	HTTP request smuggling	CWE-444
VC153	Reflected CORS origin with credentials	CWE-942
VC157	Exposed database studio	CWE-16
VC185	GitHub Actions: permissions set to write-all	CWE-732
VC188	Dockerfile: ADD used for local files instead of COPY	CWE-1357
VC196	Python: Django ALLOWED_HOSTS contains wildcard	CWE-20

A06:2021 — Vulnerable Components

8 rules

Rule	Description	CWE
VC039	Outdated dependencies	CWE-1104
VC048	Missing dependency vulnerability check	CWE-1104
VC081	Missing malware scanning	CWE-509
VC082	Insecure third-party scripts	CWE-829
VC083	Missing supply chain security	CWE-1104
VC094	Insecure dependency pinning	CWE-1104
VC114	Insecure third-party integration	CWE-829
VC131	Known vulnerable dependencies	CWE-1104

A07:2021 — Identification & Auth Failures

55 rules

Rule	Description	CWE
VC011	Insecure session management	CWE-384
VC045	JWT misconfiguration	CWE-347
VC046	Missing token expiration	CWE-613
VC047	Insecure token storage	CWE-922
VC052	Missing brute force protection	CWE-307
VC054	Missing multi-factor authentication	CWE-308
VC062	Weak password policy	CWE-521
VC063	Missing account lockout	CWE-307
VC084	Insecure OAuth implementation	CWE-346
VC098	Insecure password reset flow	CWE-640
VC120	Missing OAuth state parameter	CWE-352
VC125	Insecure password reset	CWE-640
VC132	Hardcoded Anthropic API key	CWE-798
VC133	Hardcoded GitHub PAT	CWE-798
VC134	Hardcoded SendGrid API key	CWE-798
VC135	Hardcoded Slack token	CWE-798
VC136	Hardcoded GCP service account key	CWE-798
VC137	Hardcoded Shopify access token	CWE-798
VC138	Hardcoded GitLab token	CWE-798
VC139	Hardcoded Twilio API key	CWE-798
VC140	Hardcoded Mailgun API key	CWE-798
VC141	Hardcoded Datadog API key	CWE-798
VC142	Hardcoded Vercel token	CWE-798
VC143	Hardcoded Supabase service role key	CWE-798
VC144	Hardcoded Vault token	CWE-798
VC145	Hardcoded Pinecone API key	CWE-798
VC146	Secret in URL parameter	CWE-598
VC149	Secret in client bundle config	CWE-798
VC150	Secret in HTML attribute	CWE-615
VC151	Secret in CLI argument	CWE-214
VC159	Hardcoded Cohere API key	CWE-798
VC160	Hardcoded Replicate API token	CWE-798
VC161	Hardcoded Mistral API key	CWE-798
VC162	Hardcoded Together AI API key	CWE-798
VC163	Hardcoded Groq API key	CWE-798
VC164	Hardcoded Fireworks AI API key	CWE-798
VC165	Hardcoded Postmark server token	CWE-798
VC166	Hardcoded Resend API key	CWE-798
VC167	Hardcoded Loops API key	CWE-798
VC168	Hardcoded Cloudflare API token	CWE-798
VC169	Hardcoded Fastly API token	CWE-798
VC170	Hardcoded Netlify access token	CWE-798
VC171	Hardcoded Railway API token	CWE-798
VC172	Hardcoded Fly.io auth token	CWE-798
VC173	Hardcoded Algolia admin API key	CWE-798
VC174	Hardcoded Qdrant API key	CWE-798
VC175	Hardcoded Weaviate API key	CWE-798
VC176	Hardcoded Linear API key	CWE-798
VC177	Hardcoded Notion integration token	CWE-798
VC178	Hardcoded Discord bot token	CWE-798
VC179	Hardcoded Intercom access token	CWE-798
VC180	Hardcoded Sentry auth token	CWE-798
VC181	Hardcoded Better Stack (Logtail) token	CWE-798
VC182	Hardcoded Highlight.io API key	CWE-798
VC183	Hardcoded Plivo auth token	CWE-798

A08:2021 — Software & Data Integrity

10 rules

Rule	Description	CWE
VC021	Insecure deserialization	CWE-502
VC055	Missing code signing	CWE-353
VC071	Missing subresource integrity	CWE-353
VC075	Missing CI/CD security checks	CWE-1127
VC112	Insecure release management	CWE-1127
VC121	Unpinned GitHub Actions	CWE-829
VC152	Missing webhook signature verification	CWE-345
VC184	GitHub Actions: pull_request_target with checkout of PR head	CWE-829
VC187	GitHub Actions: secrets passed to third-party action	CWE-829
VC189	Dockerfile: RUN with unverified shell pipe (curl\|sh)	CWE-494

A09:2021 — Security Logging Failures

11 rules

Rule	Description	CWE
VC018	Missing error handling	CWE-755
VC033	Missing logging for security events	CWE-778
VC037	Insufficient logging	CWE-223
VC044	Missing audit trail	CWE-778
VC109	Missing security monitoring	CWE-778
VC110	Insecure log management	CWE-532
VC111	Missing intrusion detection	CWE-778
VC118	PII in logs	CWE-532
VC147	Secret logged to console	CWE-532
VC148	Secret in error response	CWE-209
VC208	AI/LLM: secret or credential interpolated into a model prompt	CWE-532

A10:2021 — Server-Side Request Forgery

1 rule

Rule	Description	CWE
VC022	Server-side request forgery	CWE-918

Run these rules against your own code

Free, no signup required. Drag and drop a zip or run npx xploitscan scan .

Scan Your Code →