Skip to main content
Compliance issues are security weaknesses that may not be directly exploitable but weaken your security posture and violate security best practices.

Secrets & Credentials

Hardcoded Secrets (hardcoded-secrets)

Severity: High Credentials, API keys, or tokens embedded in source code. 
// Vulnerable
const apiKey = "sk-1234567890abcdef";
const dbPassword = "supersecret123";

// Fixed - use environment variables
const apiKey = process.env.API_KEY;
const dbPassword = process.env.DB_PASSWORD;
Risk: Credential exposure if code is leaked or shared. Detection: Vidoc identifies patterns matching:
  • API keys (AWS, GCP, Stripe, etc.)
  • Database credentials
  • JWT secrets
  • OAuth tokens
  • Private keys

Cryptography

Weak Cryptography (weak-cryptography)

Severity: Medium Use of deprecated or weak cryptographic algorithms. 
// Vulnerable
crypto.createHash('md5').update(data).digest();
crypto.createCipheriv('des', key, iv);

// Fixed
crypto.createHash('sha256').update(data).digest();
crypto.createCipheriv('aes-256-gcm', key, iv);
Weak algorithms:
  • MD5, SHA1 (for security purposes)
  • DES, 3DES, RC4
  • RSA keys < 2048 bits
  • ECDSA keys < 256 bits

Weak Randomness (weak-randomness)

Severity: Medium Using non-cryptographic random number generators for security purposes. 
// Vulnerable
const token = Math.random().toString(36);

// Fixed
const token = crypto.randomBytes(32).toString('hex');
Risk: Predictable values can be guessed by attackers.

Transport Security

Insecure Transport (insecure-transport)

Severity: Medium Data transmitted without encryption. 
// Vulnerable
const url = 'http://api.example.com/data';

// Fixed
const url = 'https://api.example.com/data';
Issues detected:
  • HTTP URLs for sensitive data
  • Disabled SSL/TLS verification
  • Weak TLS versions (TLS 1.0, 1.1)
  • Missing HSTS headers

Information Disclosure

Information Disclosure (information-disclosure)

Severity: Medium Code that may expose sensitive information. 
// Vulnerable - detailed error messages
app.use((err, req, res, next) => {
  res.status(500).json({ error: err.stack });
});

// Fixed
app.use((err, req, res, next) => {
  console.error(err.stack);
  res.status(500).json({ error: 'Internal server error' });
});
Types:
  • Stack traces in responses
  • Debug information in production
  • Verbose error messages
  • Internal paths exposed
  • Version information disclosure

Configuration

Misconfiguration (misconfiguration)

Severity: Varies Insecure default settings or missing security configurations. Examples:
  • Debug mode in production
  • Default credentials
  • Excessive permissions
  • Missing security headers
  • Disabled security features
// Vulnerable
app.use(cors()); // Allows all origins

// Fixed
app.use(cors({
  origin: ['https://example.com'],
  credentials: true
}));

Excessive Privileges (excessive-privileges)

Severity: Medium Code running with more permissions than necessary. Examples:
  • Running as root/admin unnecessarily
  • Overly broad IAM policies
  • File permissions too permissive

Supply Chain

Supply Chain Risk (supply-chain-risk)

Severity: Varies Risks from third-party dependencies. Detection includes:
  • Known vulnerable packages
  • Typosquatting package names
  • Packages with known malicious versions
  • Outdated dependencies with security patches
Mitigation:
  • Keep dependencies updated
  • Use lockfiles
  • Review new dependencies
  • Use security scanning for packages

Timing & Side Channels

Timing Side Channel (timing-side-channel)

Severity: Low Code vulnerable to timing attacks. 
// Vulnerable - timing attack on password comparison
if (password === storedPassword) { /* ... */ }

// Fixed - constant-time comparison
crypto.timingSafeEqual(
  Buffer.from(password),
  Buffer.from(storedPassword)
);
Risk: Attackers can deduce secrets by measuring response times.

Memory Safety

Memory Safety (memory-safety)

Severity: High Memory-related vulnerabilities in languages like C/C++. Types:
  • Buffer overflows
  • Use-after-free
  • Double-free
  • Memory leaks with sensitive data

Summary Table

CategoryTypical SeverityKey Risk
Hardcoded SecretsHighCredential exposure
Weak CryptographyMediumBroken encryption
Weak RandomnessMediumPredictable values
Insecure TransportMediumData interception
Information DisclosureMediumData leakage
MisconfigurationVariesSecurity bypass
Supply Chain RiskVariesCompromised dependencies
Timing Side ChannelLowSecret disclosure

Attack Vulnerabilities

Exploitable threats

Security Overview

All categories

Issues

View findings

How It Works

Detection explained