Security Rules — Overview
The rules engine that powers CodeSentinel.
CodeSentinel ships with 150+ built-in security rules covering the most impactful vulnerability classes. Rules are organised by standard (OWASP, CWE, SANS) and severity.
Severity levels
| Severity | CVSS base score | Examples |
|---|---|---|
| Critical | 9.0 – 10.0 | SQL injection, remote code execution |
| High | 7.0 – 8.9 | XSS, insecure deserialization, path traversal |
| Medium | 4.0 – 6.9 | Missing rate limit, weak cipher, insecure cookie |
| Low | 0.1 – 3.9 | Verbose error message, missing security header |

The bands match the CVSS v3.x qualitative severity rating scale, so a rule's level can be read directly from the base score assigned to it.
Rule categories
Categories are numbered after the OWASP Top 10 (2021). XSS is listed on its own for convenience, but in that list it is part of A03 Injection.
- Injection — SQL, command, LDAP, XML injection (OWASP A03)
- Broken Access Control — path traversal, privilege escalation (OWASP A01)
- Cryptographic Failures — weak algorithms (MD5, SHA1, DES), hardcoded secrets (OWASP A02)
- XSS — reflected, stored, and DOM-based cross-site scripting (OWASP A03)
- Insecure Design — missing rate limiting, CSRF, open redirect (OWASP A04)
- Security Misconfiguration — insecure defaults, verbose errors, debug mode (OWASP A05)
- Vulnerable Components — calls to deprecated or known-vulnerable APIs (OWASP A06)
- Auth & Session — weak password hashing, insecure session storage (OWASP A07)
- Logging & Monitoring — missing audit logs, sensitive data in logs (OWASP A09)
Rule IDs
Every rule has an ID of the form CS followed by exactly four digits (e.g. CS1001). IDs are stable across versions: a rule's ID never changes even if its name or description is updated, so reference rules by ID rather than by name in any configuration that has to survive an upgrade.
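As an added illustration of the two mechanisms above (the severity bands and the stable rule IDs), the following Python sketches a minimal rules engine: it maps CVSS base scores to the four levels from the severity table, rejects malformed IDs, runs a few pattern rules over a constructed code sample and orders the findings by severity. This is example code written for this page, not CodeSentinel's own engine or API; the page does not describe how CodeSentinel's rules match code. Apart from CS1001, the rule IDs, the CVSS scores, the regular expressions, the `suppress` parameter and the sample source are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Rule IDs are "CS" followed by exactly four digits (e.g. CS1001), as the page states.
RULE_ID_RE = re.compile(r"^CS\d{4}$")


def is_valid_rule_id(rule_id: str) -> bool:
    return RULE_ID_RE.fullmatch(rule_id) is not None


def severity_for(cvss: float) -> str:
    """Map a CVSS base score to the severity bands from the table above.

    Thresholds are used instead of closed intervals so that a score such as
    6.95 (not representable on the table) still lands in exactly one band.
    Scores outside 0.1..10.0, including the CVSS 'None' score of 0.0, are
    rejected rather than silently mapped to Low.
    """
    if not 0.1 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Rule:
    rule_id: str         # stable identifier; suppressions key on this, never on the name
    name: str
    category: str        # one of the categories listed above
    owasp: str           # OWASP Top 10 2021 item
    cwe: str
    cvss: float          # base score from which the severity level is derived
    pattern: re.Pattern  # hypothetical line-based matcher, an assumption for this example

    def __post_init__(self) -> None:
        if not is_valid_rule_id(self.rule_id):
            raise ValueError(f"malformed rule ID: {self.rule_id!r}")

    @property
    def severity(self) -> str:
        return severity_for(self.cvss)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line: int
    snippet: str


# Hypothetical rules: only CS1001 appears on the page; the others are made up here.
RULES = (
    Rule("CS1001", "SQL built from string formatting", "Injection", "A03", "CWE-89",
         9.8, re.compile(r"\.execute\(\s*(?:f[\"']|[^)]*\+)")),
    Rule("CS2101", "Hardcoded secret", "Cryptographic Failures", "A02", "CWE-798",
         7.5, re.compile(r"(?i)\b(?:password|secret|api_key)\s*=\s*[\"'][^\"']{8,}[\"']")),
    Rule("CS3001", "MD5 used for hashing", "Auth & Session", "A07", "CWE-328",
         5.9, re.compile(r"\bhashlib\.md5\(")),
    Rule("CS5002", "Debug mode enabled", "Security Misconfiguration", "A05", "CWE-489",
         5.3, re.compile(r"\bDEBUG\s*=\s*True\b")),
)

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def scan(source: str, rules=RULES, suppress: frozenset = frozenset()) -> list:
    """Run every rule over every line; return findings ordered by severity, then line.

    `suppress` takes rule IDs rather than names because the ID is the stable handle.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule in rules:
            if rule.rule_id in suppress:
                continue
            if rule.pattern.search(line):
                findings.append(Finding(rule.rule_id, rule.severity, lineno, line.strip()))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.line))
    return findings


# Constructed sample input for the example; the key is not a real credential.
SAMPLE = """\
import hashlib
API_KEY = "sk_live_0123456789abcdef"
DEBUG = True

def login(cursor, name, pw):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
    return hashlib.md5(pw.encode()).hexdigest()
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.rule_id} {f.severity:<8} line {f.line}: {f.snippet}")
```

Run stand-alone, the script lists the SQL injection finding first (Critical), then the hardcoded key (High), then the two Medium findings in line order. Passing `suppress={"CS5002"}` drops the debug-mode finding and keeps working if that rule is later renamed, which is the practical payoff of the ID-stability guarantee.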