Check Library

Every security check Fendix runs, with detection logic, default severity, and whether it requires active probing.

Black-box Checks

HTTP scanner — sends real requests to your API.

Check	What It Detects	Severity	Active
Security Headers	Missing HSTS, CSP, X-Content-Type-Options, X-Frame-Options, server version disclosure	MEDIUM - INFO	-
CORS	Wildcard origins with credentials, reflected origins, permissive methods	CRITICAL - LOW	-
Authentication	Missing auth, malformed JWT accepted, expired JWT accepted, alg:none bypass	CRITICAL	-
Data Exposure	Passwords/secrets/tokens in responses, stack traces, internal IPs, sequential IDs	CRITICAL - INFO	-
Rate Limiting	No rate limiting detected on endpoints	MEDIUM	-
IDOR	Broken access control — one user accessing another user's resources	HIGH	-
SQL Injection	Time-based blind SQLi (MySQL SLEEP, Postgres pg_sleep, MSSQL WAITFOR DELAY)	HIGH	--enable-active
Command Injection	Echo canary detection — safe, non-destructive payload	CRITICAL	--enable-active
Header Injection	CRLF injection in response headers via %0d%0a Set-Cookie probe	HIGH	--enable-active

Static analysis — analyzes source code without making network requests.

Check	What It Detects
Secrets	AWS keys, private keys, hardcoded passwords, API keys, JWT secrets, DB URLs, bearer tokens
Semgrep Rules	Missing auth decorators (Flask/Django/FastAPI), SQL string concatenation, exec/eval with user input, subprocess shell=True, hardcoded JWT secrets
Spec Parser	Missing security schemes in OpenAPI spec, API keys in query params, unauthenticated endpoints, HTTP instead of HTTPS, weak auth schemes
AST Analysis	Python and JavaScript security-relevant patterns via AST parsing (os.system, eval, innerHTML, document.write, SQL template literals)
Dependencies	Known CVEs in PyPI and npm packages via pip-audit and npm audit

How Fendix severities map to SARIF 2.1.0 levels for CI/CD integration.