Every security check Fendix runs, with detection logic, default severity, and whether it requires active probing.

HTTP scanner — sends real requests to your API.

| Check | What It Detects | Severity | Active |
|---|---|---|---|
| Security Headers | Missing HSTS, CSP, X-Content-Type-Options, X-Frame-Options, server version disclosure | MEDIUM - INFO | - |
| CORS | Wildcard origins with credentials, reflected origins, permissive methods | CRITICAL - LOW | - |
| Authentication | Missing auth, malformed JWT accepted, expired JWT accepted, alg:none bypass | CRITICAL | - |
| Data Exposure | Passwords/secrets/tokens in responses, stack traces, internal IPs, sequential IDs | CRITICAL - INFO | - |
| Rate Limiting | No rate limiting detected on endpoints | MEDIUM | - |
| IDOR | Broken access control — one user accessing another user's resources | HIGH | - |
| SQL Injection | Time-based blind, error-based, and boolean probes (MySQL, Postgres, MSSQL, SQLite, Oracle); evidence notes (in=query\|header\|body) | HIGH | --enable-active |
| Command Injection | Echo canary detection — safe, non-destructive payload | CRITICAL | --enable-active |
| Header Injection | CRLF injection in response headers via %0d%0a Set-Cookie probe | HIGH | --enable-active |

Static analysis — analyzes source code without making network requests.

| Check | What It Detects |
|---|---|
| Secrets | AWS/GitHub/npm/Stripe/OpenAI keys, GCP SA JSON blobs, GCP API keys (AIza…), Slack (xoxa/b/p/r/s), Anthropic, .env NAME=value leaks, bearer tokens — plus Semgrep overlays |
| Semgrep Rules | Missing auth decorators (Flask/Django/FastAPI), SQL string concatenation, exec/eval with user input, subprocess shell=True, hardcoded JWT secrets |
| Spec Parser | Missing security schemes in OpenAPI spec, API keys in query params, unauthenticated endpoints, HTTP instead of HTTPS, weak auth schemes |
| AST Analysis | Python/JS AST: pickle/yaml unsafe load, SSRF, open redirects, trusting client-controlled auth headers, weak password hashing — plus subprocess/eval/HTML/SQL literals |
| Dependencies | Known CVEs in PyPI (pip-audit), npm (npm audit), and Go modules (govulncheck) — primary paths against the real OSV/CVE databases; curated offline list as fallback |

How Fendix severities map to SARIF 2.1.0 levels for CI/CD integration.

| Fendix Severity | SARIF Level |
|---|---|
| CRITICAL | error |
| HIGH | error |
| MEDIUM | warning |
| LOW | note |
| INFO | note |
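
As an added example (not Fendix's own code), the following Python emitter applies the mapping above to build a SARIF 2.1.0 log that a CI system can ingest; the finding dictionary shape, the rule-id scheme, and the sample findings are assumptions constructed for this illustration.

```python
import json

# Severity-to-level mapping from the table above.
SEVERITY_TO_SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note", "INFO": "note"}


def sarif_level(severity: str) -> str:
    """Map a Fendix severity to a SARIF level; unknown values raise instead of
    silently becoming 'note', so a mapping gap cannot hide a CRITICAL finding."""
    try:
        return SEVERITY_TO_SARIF_LEVEL[severity.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown severity: {severity!r}") from None


def to_sarif(findings: list[dict], tool_name: str = "fendix") -> dict:
    """Build a minimal SARIF 2.1.0 log. The finding shape (check, severity,
    message, optional path/line or url) is an assumption for this example."""
    rules, results = {}, []
    for f in findings:
        rule_id = f["check"].lower().replace(" ", "-")  # e.g. "security-headers"
        rules.setdefault(rule_id, {"id": rule_id, "shortDescription": {"text": f["check"]}})
        physical = {"artifactLocation": {"uri": f.get("path") or f.get("url", "")}}
        if f.get("line"):  # static-analysis findings carry a source line
            physical["region"] = {"startLine": f["line"]}
        results.append({
            "ruleId": rule_id,
            "level": sarif_level(f["severity"]),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": physical}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    {"check": "Authentication", "severity": "CRITICAL", "message": "alg:none JWT accepted", "url": "https://api.example.test/me"},
    {"check": "Security Headers", "severity": "INFO", "message": "Server header discloses version", "url": "https://api.example.test/"},
    {"check": "Secrets", "severity": "HIGH", "message": "AWS access key in source", "path": "app/config.py", "line": 12},
]

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
```

Because CRITICAL and HIGH both collapse to `error`, keep the original severity in the rule metadata or message if your pipeline needs to triage between them.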