Skip to content
This documentation applies to Codacy Self-hosted v3.0.0

For the latest updates and improvements, see the latest Cloud documentation instead.

Security Monitor

The Security Monitor provides an overview of all current security alerts.

Security Monitor

Supported languages

The Security Monitor is available for the following languages:

  • Apex
  • C#
  • Java
  • JavaScript
  • Python
  • Ruby
  • Scala
  • PHP
  • C
  • C++
  • Shell script
  • Dockerfile
  • Visual Basic
  • Elixir
  • PowerShell
  • TSQL
  • Groovy

Tools

The Security Monitor displays issues using security patterns from:

Supported categories

  • XSS: XSS enables attackers to inject client-side scripts into web pages viewed by other users.
  • Input validation: Input not validated may originate SQL Injection attacks for instance.
  • File access: An attacker may use special paths to access files that shouldn't be accessible.
  • HTTP: HTTP headers are a common attack vector for malign users.
  • Cookies: An HTTP cookie is a small piece of data sent from a website and stored on the user's computer by the browser while the user is browsing.
  • Unexpected behaviour: Assigning values to private APIs might lead to unexpected behaviour.
  • Mass assignment: Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.
  • Insecure storage: Storing sensitive data using this APIs isn't safe.
  • Insecure modules/libraries: Consider possible security implications associated with some modules.
  • Visibility: Fields shouldn't have public accessibility.
  • CSRF: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
  • Android: Android specific issues.
  • Malicious code: Exposed internal APIs can be accessed or change changed by malicious code or by accident from another package.
  • Cryptography: Cryptography is a security technique widely used and there are several cryptographic functions, but not all of them are secure.
  • Command injection: Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system.
  • Firefox OS: Sensitive APIs of Firefox OS.
  • Auth: Authentication is present in almost all web applications nowadays.
  • DoS: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.
  • SQL injection: A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application.
  • Routes: Badly configured routes can give unintended access to an attacker.
  • Regex: Regex can be used in a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach heavy computation situations that cause them to work very slowly (exponentially related to input size).
  • SSL: Simply using SSL isn't enough to ensure the data you are sending is secure. Man in the middle attacks are well known and widely used.
  • Other: Other language specific security issues.

Category states

Each security category listed on the left-hand side of the dashboard has one of four states:

State Description
Green Everything is OK for this category. All the security patterns in this category are enabled, and no security issues have been found.
Yellow There are security patterns in this category that are disabled. You should enable the patterns in this category so it's verified.
To enable all security patterns on the repository, click the button More and select Turn on all security patterns.
Red There are security issues identified for this category.
A blue info icon means that Codacy cannot be sure if you have all the security patterns in this category enabled. This happens when you are using configuration files to control which patterns are enabled.

Share your feedback 📢

Did this page help you?

Thanks for the feedback! Is there anything else you'd like to tell us about this page?

We're sorry to hear that. Please let us know what we can improve:

Alternatively, you can create a more detailed issue on our GitHub repository.

Thanks for helping improve the Codacy documentation.

If you have a question or need help please contact support@codacy.com.

Last modified October 20, 2020