Built-in Rules

codescan ships with 40+ built-in rules across six categories. Use codescan --list-rules to see the full list including any loaded custom rules.

SECRET — Hardcoded Secrets

ID	Severity	Description
SECRET001	error	Hardcoded password assignment
SECRET002	error	Generic secret / API key assignment
SECRET003	error	AWS access key (`AKIA...`)
SECRET004	error	AWS secret key
SECRET005	error	Generic bearer / auth token
SECRET006	error	Basic Auth credentials in URL
SECRET007	error	Private key PEM header
SECRET008	error	GitHub personal access token
SECRET009	error	Slack webhook URL
SECRET010	error	Stripe secret key
SECRET011	error	Stripe publishable key
SECRET012	warning	Twilio account SID
SECRET013	warning	Twilio auth token
SECRET014	error	Google API key
SECRET015	error	SendGrid API key
SECRET016	error	JWT token literal
SECRET017	warning	Database connection string with credentials
SECRET018	warning	SSH private key header
SECRET019	warning	PGP private key header
SECRET020	warning	Generic `token = "..."` assignment
SECRET021	warning	Generic `key = "..."` assignment
SECRET022	warning	Generic `secret = "..."` assignment
SECRET023	warning	Telegram bot token
SECRET024	error	npm auth token in `.npmrc`

ID	Severity	Description
EXPLOIT001	error	SQL injection via string concatenation
EXPLOIT002	error	OS command injection via string concatenation
EXPLOIT003	error	Path traversal with `../`
EXPLOIT004	error	`eval()` of untrusted input
EXPLOIT005	error	Pickle / unsafe deserialization
EXPLOIT006	warning	XML external entity (XXE) — `FEATURE_EXTERNAL_GENERAL_ENTITIES`
EXPLOIT007	error	YAML `load()` without `Loader` (arbitrary code execution)
EXPLOIT008	warning	Server-side template injection risk
EXPLOIT009	error	`innerHTML` / `outerHTML` assignment (XSS)
EXPLOIT010	error	`document.write()` with untrusted input (XSS)
EXPLOIT011	warning	`exec()` / `execSync()` with variable (command injection)
EXPLOIT012	warning	`child_process.spawn` with shell option
EXPLOIT013	warning	Insecure `subprocess.Popen(shell=True)`
EXPLOIT014	warning	Python `input()` in Python 2 (code execution)
EXPLOIT015	warning	`open()` / file access with user-controlled path
EXPLOIT016	warning	Regex denial of service (ReDoS) pattern
EXPLOIT017	warning	Hardcoded credentials in assert statements
EXPLOIT018	error	Prototype pollution via `__proto__`
EXPLOIT019	warning	`dangerouslySetInnerHTML` (React XSS)
EXPLOIT020	warning	Log injection via unescaped user input
EXPLOIT021	error	Prototype pollution assignment patterns
EXPLOIT022	warning	Unvalidated redirect via user-controlled URL
EXPLOIT023	warning	SSRF risk — HTTP request with user-controlled URL
EXPLOIT024	warning	Mass assignment / object spread with user input

ID	Severity	Description
CRYPTO001	warning	MD5 usage
CRYPTO002	warning	SHA-1 usage
CRYPTO003	error	DES / 3DES usage
CRYPTO004	error	RC4 usage
CRYPTO005	error	ECB cipher mode
CRYPTO006	warning	Weak RSA key size (< 2048 bits)
CRYPTO007	error	Hardcoded cryptographic key or IV
CRYPTO008	error	`Math.random()` for security-sensitive purpose
CRYPTO009	error	`random.random()` for security-sensitive purpose
CRYPTO010	error	TLS/SSL certificate verification disabled
CRYPTO011	warning	Blowfish cipher usage

ID	Severity	Description
UNICODE001	error	Bidirectional control characters (Trojan Source, CVE-2021-42574)
UNICODE002	warning	Zero-width characters in code
UNICODE003	warning	Homoglyph characters (Cyrillic/Greek look-alikes)

ID	Severity	Description
INFRA001	warning	Hardcoded private/RFC-1918 IP address
INFRA002	warning	`TODO`/`FIXME`/`HACK`/`XXX` comment with security implication
INFRA003	info	Debug/verbose logging left in code
INFRA004	info	Plaintext HTTP URL (non-localhost)

ID	Severity	Description
ENTROPY001	warning	High-entropy string near a secret keyword (Shannon entropy ≥ 4.5 bits/char)

bash

# CLI
codescan --skip-rules INFRA004,INFRA003 .

# codescan.toml
[rules]
disabled = ["INFRA004", "INFRA003"]

toml

# codescan.toml
[rules.severity_overrides]
CRYPTO001 = "error"
INFRA004  = "warning"

See Custom Rules for how to write and load your own rule definitions.