Detection Rule Reference

Technical reference for scanner rule families, confidence semantics, and expected remediation priority.

Rule Families

Secrets

Hardcoded tokens, credentials, API keys, and private material exposure.

Cryptography

Weak algorithms, insecure modes, and incorrect crypto usage patterns.

Code Patterns

Unsafe deserialization, injection patterns, and high-risk API misuse.

Dependencies

Direct and transitive package risk with version and CVE context.

IaC / Containers

Insecure infrastructure and container configuration anti-patterns.

Compliance Mapping

Controls mapped to common frameworks for reporting workflows.

Confidence And Severity Model

  • Confidence reflects certainty that the pattern is a true issue.
  • Severity reflects potential impact if exploitable.
  • Policy decisions should combine both, not severity alone.
  • Low-confidence high-severity findings typically require human review before automatic blocking.
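
A minimal gate that applies the model above, given as an added example rather than the scanner's own code. The finding fields, level names, rule ids and thresholds are assumptions chosen for illustration. Routing medium-confidence high-severity findings to review is also an assumption.

```python
# Added example: field names, levels and thresholds are assumptions,
# not the scanner's real output schema.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CONFIDENCE = {"low": 1, "medium": 2, "high": 3}
ORDER = ["pass", "warn", "review", "block"]  # least to most restrictive


def decide(finding):
    """Return the gate action for one finding from confidence AND severity."""
    sev = SEVERITY.get(str(finding.get("severity", "")).lower())
    conf = CONFIDENCE.get(str(finding.get("confidence", "")).lower())
    if sev is None or conf is None:
        # Missing or unknown levels go to a human, never silently pass or block.
        return "review"
    if sev >= SEVERITY["high"]:
        # Automatic blocking requires high confidence; otherwise human review.
        return "block" if conf == CONFIDENCE["high"] else "review"
    if sev == SEVERITY["medium"]:
        return "warn" if conf >= CONFIDENCE["medium"] else "pass"
    return "pass"


def gate(findings):
    """Return (overall_action, per-finding decisions) for one scan result."""
    decisions = [(f.get("rule", "<unknown>"), decide(f)) for f in findings]
    overall = max((a for _, a in decisions), key=ORDER.index, default="pass")
    return overall, decisions


# Constructed sample findings (rule ids are made up for this example).
SAMPLE = [
    {"rule": "secrets/hardcoded-token", "severity": "critical", "confidence": "high"},
    {"rule": "code/unsafe-deserialization", "severity": "high", "confidence": "low"},
    {"rule": "crypto/weak-algorithm", "severity": "medium", "confidence": "high"},
    {"rule": "iac/container-config", "severity": "low", "confidence": "high"},
    {"rule": "deps/transitive", "severity": "HIGH"},  # confidence missing
]

if __name__ == "__main__":
    overall, decisions = gate(SAMPLE)
    for rule, action in decisions:
        print(f"{action:7} {rule}")
    print("gate:", overall)
```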

Remediation Priority Guidance

  1. Critical exploitable issues in reachable paths.
  2. Credential exposure and cryptographic misuse in active services.
  3. High-severity dependency issues with known exploitability.
  4. Configuration and hygiene findings that reduce attack surface over time.

Known Limitations

  • Static analysis alone cannot confirm that a finding is exploitable at runtime.
  • Dependency metadata may lag zero-day disclosure windows.
  • Custom framework abstractions can reduce rule confidence until tuned.
  • Generated code and vendored third-party code may require policy exceptions.