Every security check Fendix runs, with what it detects, the default severity, and whether it needs active probing (the Active column names the flag that enables it; "-" means the check is passive).
HTTP scanner — sends real requests to your API.
| Check | What It Detects | Severity | Active |
|---|---|---|---|
| Security Headers | Missing HSTS, CSP, X-Content-Type-Options, X-Frame-Options; server version disclosure | MEDIUM - INFO | - |
| CORS | Wildcard origins with credentials, reflected origins, permissive methods | CRITICAL - LOW | - |
| Authentication | Missing auth, malformed JWT accepted, expired JWT accepted, alg:none bypass | CRITICAL | - |
| Data Exposure | Passwords, secrets or tokens in responses, stack traces, internal IPs, sequential IDs; since v0.11 also config files served at well-known paths (.env, .git/HEAD, .htaccess, .npmrc, .aws/credentials, etc.), flagged CRITICAL with CWE-538 when the path returns 2xx | CRITICAL - INFO | - |
| Rate Limiting | No rate limiting detected on endpoints | MEDIUM | - |
| Cookie Flags | Cookies missing the Secure, HttpOnly or SameSite attribute (CWE-1004/614/1275); new in v0.18 | MEDIUM - LOW | - |
| IDOR | Broken access control: one user can read another user's resources | HIGH | - |
| SQL Injection | Time-based blind, error-based and boolean probes (MySQL, Postgres, MSSQL, SQLite, Oracle); the evidence records where the payload was injected (in=query, in=header or in=body) | HIGH | --enable-active |
| Command Injection | Echo canary: the probe runs echo with a canary string and looks for it in the response, so nothing destructive executes on the target | CRITICAL | --enable-active |
| Header Injection | CRLF injection into response headers, probed with a %0d%0a Set-Cookie payload | HIGH | --enable-active |
| Open Redirect | User-controlled redirect target sends the browser off-site (CWE-601); new in v0.18 | MEDIUM | --enable-active |
| Reflected XSS | Payload reflected unescaped into the response, where it would execute in the browser (CWE-79); new in v0.18 | HIGH | --enable-active |
| SSRF | In-band server-side request forgery: the server fetches an attacker-supplied URL and the fetch is confirmed in the response (CWE-918); new in v0.18 | CRITICAL | --enable-active |
| Host Header Injection | Poisoned Host / X-Forwarded-Host reflected into links, redirects or cache keys (CWE-644/601); new in v0.18 | MEDIUM | --enable-active |
| GraphQL Introspection | Schema introspection left enabled, exposing the full type graph (CWE-200); new in v0.18 | LOW | --enable-active |
| HTTP Method Tampering | Unsafe or override HTTP methods accepted (e.g. PUT/DELETE/TRACE, X-HTTP-Method-Override) (CWE-650/693/285); new in v0.18 | MEDIUM | --enable-active |
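As an added example (not Fendix's own code), here is how a passive CORS probe like the one in the table can be written in Go. It sends real requests carrying a forged Origin, reads back Access-Control-Allow-Origin and Access-Control-Allow-Credentials, and grades the result. The two target handlers, the attacker origin and the severity ladder are this example's own assumptions; the targets run on a local httptest server so the probe works offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CORSFinding is what one forged-Origin probe of an endpoint yields.
type CORSFinding struct {
	Severity string // CRITICAL, HIGH, MEDIUM, LOW, or "" when nothing is wrong
	Origin   string // the Origin value that triggered the finding
	Detail   string
}

// severityRank orders findings so probeCORS can keep the worst one.
var severityRank = map[string]int{"": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// classifyCORS applies the decision rules to the two headers that matter.
// The severity ladder is this example's assumption, not Fendix's table.
func classifyCORS(probeOrigin, allowOrigin, allowCreds string) CORSFinding {
	creds := strings.EqualFold(strings.TrimSpace(allowCreds), "true")
	switch {
	case allowOrigin == "":
		return CORSFinding{} // no CORS policy at all: browsers block cross-origin reads
	case allowOrigin == probeOrigin && creds:
		return CORSFinding{"CRITICAL", probeOrigin,
			"arbitrary Origin reflected with Access-Control-Allow-Credentials: true; any site can read authenticated responses"}
	case allowOrigin == probeOrigin:
		return CORSFinding{"MEDIUM", probeOrigin,
			"arbitrary Origin reflected without credentials; unauthenticated responses are readable cross-site"}
	case allowOrigin == "*" && creds:
		return CORSFinding{"HIGH", probeOrigin,
			"wildcard origin combined with credentials; browsers refuse the pair, but the policy was never reviewed"}
	case allowOrigin == "*":
		return CORSFinding{"LOW", probeOrigin, "wildcard origin without credentials"}
	}
	return CORSFinding{} // a fixed allowlist value that is not ours
}

// probeCORS sends one GET per forged Origin (an attacker site and the "null"
// origin a sandboxed iframe produces) and returns the worst finding.
func probeCORS(client *http.Client, url string) (CORSFinding, error) {
	worst := CORSFinding{}
	for _, origin := range []string{"https://attacker.example", "null"} {
		req, err := http.NewRequest(http.MethodGet, url, nil)
		if err != nil {
			return worst, err
		}
		req.Header.Set("Origin", origin)
		resp, err := client.Do(req)
		if err != nil {
			return worst, err
		}
		resp.Body.Close()
		f := classifyCORS(origin,
			resp.Header.Get("Access-Control-Allow-Origin"),
			resp.Header.Get("Access-Control-Allow-Credentials"))
		if severityRank[f.Severity] > severityRank[worst.Severity] {
			worst = f
		}
	}
	return worst, nil
}

// reflectingHandler is the classic misconfiguration: echo whatever Origin
// arrives and allow credentials (constructed target, not a real API).
func reflectingHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
	w.Header().Set("Access-Control-Allow-Credentials", "true")
	fmt.Fprint(w, `{"account":"alice","balance":42}`)
}

// allowlistHandler is the hardened form: only one fixed, trusted origin is
// ever echoed back, and Vary tells caches the answer depends on Origin.
func allowlistHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Origin") == "https://app.example" {
		w.Header().Set("Access-Control-Allow-Origin", "https://app.example")
		w.Header().Set("Access-Control-Allow-Credentials", "true")
	}
	w.Header().Add("Vary", "Origin")
	fmt.Fprint(w, `{"account":"alice","balance":42}`)
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"reflecting": reflectingHandler, "allowlist": allowlistHandler} {
		srv := httptest.NewServer(h)
		f, err := probeCORS(srv.Client(), srv.URL)
		srv.Close()
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-10s severity=%q origin=%q %s\n", name, f.Severity, f.Origin, f.Detail)
	}
}
```

The probe only reads headers from a GET; a fuller check would also send an OPTIONS preflight to see which methods and headers are granted, which is where the "permissive methods" finding in the table comes from.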
Static analysis — analyzes source code without making network requests.
| Check | What It Detects |
|---|---|
| Secrets | AWS, GitHub, npm, Stripe and OpenAI keys; GCP service-account JSON blobs; GCP API keys (AIza…); Slack tokens (xoxa/b/p/r/s); Anthropic keys; NAME=value leaks in .env files; bearer tokens; plus the Semgrep secret rules as an overlay |
| Semgrep Rules | 24-rule bundled pack (v0.14+; was 9 in v0.9). auth: missing Flask/Django/FastAPI decorators; injection: Django raw SQL, Flask render_template_string SSTI, subprocess(shell=True), pickle.loads, yaml.load unsafe; secrets: GCP SA JSON, AWS key, Slack webhook, PEM key; crypto: MD5/SHA1 for passwords, DES/3DES/RC4 ciphers, random module for token generation |
| Textscan (Go/JS/IaC) | Unified regex SAST engine (v0.12+). Go: SQL concat injection, exec.Command shell invocation, MD5/SHA1 for passwords, hardcoded AWS key. JS/TS: eval/innerHTML/document.write with non-literal, child_process.exec, require with variable path, hardcoded AWS key. IaC: Dockerfile FROM missing privilege drop, ADD vs COPY, :latest pin; Kubernetes privileged/hostNetwork/allowPrivilegeEscalation/runAsUser=0 |
| Spec Parser | Missing security schemes in OpenAPI spec, API keys in query params, unauthenticated endpoints, HTTP instead of HTTPS, weak auth schemes |
| AST Analysis | Python/JS AST: unsafe pickle/yaml load, SSRF, open redirects, trusting client-controlled auth headers, weak password hashing, and subprocess/eval/HTML/SQL literals. Reachable (taint-chain) sinks: XSS via Markup/mark_safe/render_template_string (v0.8), command injection via os.system/subprocess(shell=True)/os.popen (v0.8), and path traversal via open/Path/send_file/send_from_directory (v0.11). The engine tracks 7 reachable sink classes in total: SQLi, SSRF, open redirect, XSS, path traversal, and command injection, the last counted as three distinct shell sinks. A reachable finding carries a taint_chain proving intra-function dataflow from a request source to the sink. Proven Path v1 (v0.16) extends this for Django, Flask and FastAPI: route-table extraction binds each HTTP route to its handler, so the chain spans route, handler, source and sink across files; it is exported as SARIF codeFlows/threadFlows (GitHub renders the step-through inline), and every finding carries a source_tier provenance tag (native_go, tree_sitter_sidecar or semgrep_shim) |
| Dependencies | Known CVEs in Go modules (in process via golang.org/x/vuln, with the same call-graph reachability as the upstream govulncheck binary), PyPI (OSV.dev /v1/query per pinned == requirement, 24h local cache) and npm (OSV.dev against package-lock.json v2/v3, scoped-package aware, 24h cache). All three scanners are native and in-process; no external binaries are required. Since v0.16, poetry.lock and Pipfile.lock are parsed as the full resolved closure, so transitive Python CVEs are caught rather than only direct requirements.txt pins. Since v0.9 the embedded Python distribution is no longer bundled; the legacy Python deps.py path is opt-in via --python-engine. Disable the native scanners with --no-native-deps |
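The Secrets and Textscan rows describe a line-oriented regex SAST engine. The following Go program is an added illustration of that design, not Fendix's shipped rule set: each rule is a regex scoped to a file class, so a JavaScript rule never fires inside a Go file, and findings carry file, line and the matched text as evidence. The rule IDs, patterns and severities are this example's own, and the mini-repository it scans is constructed inline with dummy secrets (the AWS key is the placeholder from AWS's own documentation).

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
)

// Rule is one regex detector scoped to a file class ("any" runs everywhere).
type Rule struct {
	ID       string
	Severity string
	Lang     string // "go", "js", "dockerfile", "k8s", or "any"
	Pattern  *regexp.Regexp
}

// Finding records where a rule matched and what it matched.
type Finding struct {
	RuleID, Severity, File, Match string
	Line                          int
}

// rules are this example's approximations of the detectors listed above.
var rules = []Rule{
	{"secret.aws-access-key", "CRITICAL", "any", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"secret.gcp-api-key", "CRITICAL", "any", regexp.MustCompile(`\bAIza[0-9A-Za-z_-]{35}\b`)},
	{"secret.slack-token", "CRITICAL", "any", regexp.MustCompile(`\bxox[abprs]-[0-9A-Za-z-]{10,}\b`)},
	{"go.exec-shell", "HIGH", "go", regexp.MustCompile(`exec\.Command\(\s*"(?:/bin/)?(?:sh|bash)"\s*,\s*"-c"`)},
	{"go.sql-concat", "HIGH", "go", regexp.MustCompile(`\b(?:Query|QueryRow|Exec)\(\s*"[^"]*"\s*\+`)},
	{"js.eval-nonliteral", "HIGH", "js", regexp.MustCompile(`\beval\(\s*[^"')\s]`)},   // first arg not a plain string literal
	{"js.child-process-exec", "HIGH", "js", regexp.MustCompile(`\bexec\(\s*[^"')\s]`)}, // same idea for exec()
	{"docker.unpinned-base-image", "MEDIUM", "dockerfile", regexp.MustCompile(`^\s*FROM\s+[^\s:@]+(?::latest)?(?:\s+[Aa][Ss]\s+\S+)?\s*$`)},
	{"k8s.privileged-container", "HIGH", "k8s", regexp.MustCompile(`^\s*privileged:\s*true\b`)},
}

// langOf classifies a path by file name or extension.
func langOf(path string) string {
	base := filepath.Base(path)
	if base == "Dockerfile" {
		return "dockerfile"
	}
	switch filepath.Ext(base) {
	case ".go":
		return "go"
	case ".js", ".jsx", ".ts", ".tsx":
		return "js"
	case ".yaml", ".yml":
		return "k8s"
	}
	return "any"
}

// scan runs every rule that applies to the file's class over each line.
func scan(path, content string) []Finding {
	lang := langOf(path)
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			if r.Lang != "any" && r.Lang != lang {
				continue
			}
			if m := r.Pattern.FindString(line); m != "" {
				out = append(out, Finding{r.ID, r.Severity, path, m, i + 1})
			}
		}
	}
	return out
}

// scanAll scans files in name order so the report is deterministic.
func scanAll(files map[string]string) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, n := range names {
		out = append(out, scan(n, files[n])...)
	}
	return out
}

// sampleFiles is a constructed mini-repository; every secret is a dummy value.
func sampleFiles() map[string]string {
	return map[string]string{
		"cmd/server/main.go": "package main\n\n" +
			"func run(db *sql.DB, id, cmd string) {\n" +
			"\trows, _ := db.Query(\"SELECT * FROM users WHERE id = \" + id)\n" +
			"\t_ = exec.Command(\"sh\", \"-c\", cmd).Run()\n" +
			"\t_ = rows\n}\n",
		"web/app.js": "const key = 'AKIAIOSFODNN7EXAMPLE';\n" +
			"eval(req.query.code);\n" +
			"eval('1+1');\n" +
			"exec(`ls ${req.query.dir}`);\n",
		".env": "SLACK_TOKEN=xoxb-0000000000-0000000000-EXAMPLEEXAMPLE\n" +
			"GCP_KEY=AIza" + strings.Repeat("0", 35) + "\n",
		"Dockerfile":  "FROM python:latest\nCOPY . /app\n",
		"deploy.yaml": "securityContext:\n  privileged: true\n",
	}
}

func main() {
	for _, f := range scanAll(sampleFiles()) {
		fmt.Printf("%-8s %-28s %s:%d  %s\n", f.Severity, f.RuleID, f.File, f.Line, f.Match)
	}
}
```

Regex rules of this kind are deliberately syntax-blind: `eval('1+1')` is skipped only because its argument starts with a quote, and a pinned image such as `FROM python:3.12-slim` passes because the tag is neither absent nor `latest`. Anything needing real dataflow (a value that is concatenated three lines earlier) belongs in the AST engine below, not here.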
How Fendix severities map to SARIF 2.1.0 levels for CI/CD integration.
| Fendix Severity | SARIF Level |
|---|---|
| CRITICAL | error |
| HIGH | error |
| MEDIUM | warning |
| LOW | note |
| INFO | note |
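Added example, not Fendix's exporter: a minimal Go emitter that applies the severity table above and also shows what the AST Analysis row describes, a Proven Path chain (route, handler, source, sink) exported as SARIF 2.1.0 codeFlows/threadFlows, with the sink as the result's primary location and source_tier kept as a result property. The driver name, rule IDs and the two constructed findings are this example's assumptions; the passive HTTP finding shows the edge case of a location that has a URL but no line.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// levelOf is the table above; sarifLevel maps anything else to "none" rather than escalating.
var levelOf = map[string]string{"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note", "INFO": "note"}

func sarifLevel(sev string) string {
	if l, ok := levelOf[strings.ToUpper(sev)]; ok {
		return l
	}
	return "none"
}

// Minimal SARIF 2.1.0 object model: only the fields this example emits.
type Message struct{ Text string `json:"text"` }
type Artifact struct{ URI string `json:"uri"` }
type Region struct{ StartLine int `json:"startLine"` }
type Location struct {
	PhysicalLocation struct {
		ArtifactLocation Artifact `json:"artifactLocation"`
		Region           *Region  `json:"region,omitempty"` // omitted for URL-only findings
	} `json:"physicalLocation"`
	Message *Message `json:"message,omitempty"` // step label shown in the code-flow viewer
}
type ThreadFlowLocation struct{ Location Location `json:"location"` }
type ThreadFlow struct{ Locations []ThreadFlowLocation `json:"locations"` }
type CodeFlow struct{ ThreadFlows []ThreadFlow `json:"threadFlows"` }
type Result struct {
	RuleID     string            `json:"ruleId"`
	Level      string            `json:"level"`
	Message    Message           `json:"message"`
	Locations  []Location        `json:"locations"`
	CodeFlows  []CodeFlow        `json:"codeFlows,omitempty"`
	Properties map[string]string `json:"properties,omitempty"`
}
type Run struct {
	Tool    struct{ Driver struct{ Name string `json:"name"` } `json:"driver"` } `json:"tool"`
	Results []Result                                                            `json:"results"`
}
type Log struct {
	Schema  string `json:"$schema"`
	Version string `json:"version"`
	Runs    []Run  `json:"runs"`
}

// Step is one hop of a chain; a Finding's Chain always ends at the sink, and a
// passive HTTP finding has a single URL-only step with Line 0.
type Step struct {
	File, Label string
	Line        int
}
type Finding struct {
	RuleID, Severity, Message, SourceTier string
	Chain                                 []Step
}

func toLocation(s Step) Location {
	var loc Location
	loc.PhysicalLocation.ArtifactLocation.URI = s.File
	if s.Line > 0 {
		loc.PhysicalLocation.Region = &Region{StartLine: s.Line}
	}
	if s.Label != "" {
		loc.Message = &Message{Text: s.Label}
	}
	return loc
}

// buildLog: the sink is each result's primary location, a multi-step chain becomes a
// codeFlow/threadFlow, and the Fendix severity (which "error" flattens) and source_tier
// survive as result properties.
func buildLog(findings []Finding) Log {
	var run Run
	run.Tool.Driver.Name = "fendix" // assumed driver name, not taken from the page
	for _, f := range findings {
		sink := f.Chain[len(f.Chain)-1]
		res := Result{RuleID: f.RuleID, Level: sarifLevel(f.Severity), Message: Message{f.Message},
			Locations:  []Location{toLocation(Step{File: sink.File, Line: sink.Line})},
			Properties: map[string]string{"fendix_severity": f.Severity, "source_tier": f.SourceTier}}
		if len(f.Chain) > 1 {
			var tf ThreadFlow
			for _, s := range f.Chain {
				tf.Locations = append(tf.Locations, ThreadFlowLocation{toLocation(s)})
			}
			res.CodeFlows = []CodeFlow{{ThreadFlows: []ThreadFlow{tf}}}
		}
		run.Results = append(run.Results, res)
	}
	return Log{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0", Runs: []Run{run}}
}

// sampleFindings is constructed input: a reachable SQLi chain through a Flask route,
// and a passive HTTP finding that has only a URL.
func sampleFindings() []Finding {
	return []Finding{
		{RuleID: "ast.reachable-sqli", Severity: "HIGH", SourceTier: "native_go",
			Message: "request.args['id'] flows into cursor.execute()",
			Chain: []Step{{"app/routes.py", "route GET /users/<id>", 12}, {"app/views.py", "handler get_user()", 30},
				{"app/views.py", "source: request.args['id']", 31}, {"app/views.py", "sink: cursor.execute(q)", 34}}},
		{RuleID: "http.missing-hsts", Severity: "MEDIUM", SourceTier: "native_go",
			Message: "no Strict-Transport-Security header", Chain: []Step{{"https://api.example/", "", 0}}},
	}
}

func main() {
	out, _ := json.MarshalIndent(buildLog(sampleFindings()), "", "  ")
	fmt.Println(string(out))
}
```

Two practical caveats the table does not spell out: CRITICAL and HIGH both collapse to `error`, so keep the original severity somewhere a consumer can read it (here a result property); and GitHub code scanning recovers a critical/high/medium/low split from a rule property named `security-severity` (a 0 to 10 score) rather than from the SARIF level, a GitHub convention rather than anything the Fendix page states.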