j/k naviguer • Ctrl+Home début

💚 Code Security Score
📊 Visualization
📋 Parameters
📋 Summary
📁 Top Files
📊 Comparison with baseline
🔍 Detected Issues
📜 Custom Rules
🔬 Fixtures
📦 Dependencies
🗄️ Database Schema
⏱️ SLA by Severity
👤 Findings by Author
📋 ISO 27001 Compliance Matrix
🔰 OWASP ASVS v5.0.0 Compliance
🛡️ NIST CSF 2.0 Compliance
✅ Verified Good Practices
📖 Glossary

StaticCodeAudit — Audit Report - Audit

Generated on 14/05/2026 à 13:14 • v1.0.0 [dc383943] 🇬🇧 English

📂 61 files scanned • 📝 19 902 lines of code • ⏱️ 1002.53s

Code Security Score : 100%

Compliance Score : 20.0%

This score measures source code security only. Formula: 100 ÷ (1 + P ÷ (20 × F)), where P = sum of penalties and F = LOC factor (lines of code ÷ 1,000, minimum 1). Each Security finding costs: CRITICAL (10), HIGH (5), MEDIUM (2), LOW (1). LOC weighting normalizes the score by project size. Non-security categories (Architecture, UI, UX, Maintenance) are not factored in.

📊 Visualization ↑ Table of Contents

Distribution by Severity

Issues by Category

📊 Findings by Language & Severity

Business Code vs Dependencies

🧪 Unit Tests

🔬 Fixtures Validation

⏱️ Audit Timings

📦 Dependencies

🗄️ Database Schema

🔬 Data flow path

📊 Findings par source

📈 Issues Evolution

HIGH / MEDIUM / LOW over 10 audits

🧪 Tests Evolution

Success rate and test count

🗄️ Schema Evolution

Tables, columns and changes over 10 audits

⏱️ Timings Evolution

Total time over 10 audits

Code Security Score

100%

Summary

0 High (HIGH)

0 Medium (MEDIUM)

0 Low (LOW)

Trend

📋 First audit — baseline created

Priority recommendations

P3 Good security level — maintain best practices

📋 Summary ↑ Table of Contents

0

Critical (CRITICAL)

0

High (HIGH)

0

Low (LOW)

182

Verified Good Practices

0

📦 Business code

0

🔗 Dependencies

0%

🧪 Tests (0)

95.7%

🔬 Fixtures (1665)

1002.53s

⏱️ Audit Duration

🔧 Technical Details

📋 Parameters ▶

📋 Project

Name Audit v1.0.0

Description none

Identifier dc383943-933c-4ae4-8eda-90ae425e7f02

Path /Users/mac/Documents/Code/Audit

📋 Audit Scope

Languages python

Scanned extensions python: .py

Analyzed directories sca/

Excluded patterns **/node_modules/** **/__pycache__/** **/.venv/** **/venv/** **/vendor/** **/.git/** **/dist/** **/build/** **/fixtures/** **/benchmarks/** audit-reports/ audit-datas/

Mode Full

Filtered category all

Disabled rules none

Categories ✓ Security (×3) ✓ Architecture (×2) ✓ Interface (×1) ✓ User Experience (×1) ✓ Maintenance (×1)

⚙️ CLI Options

⬜ --quick Quick mode — security only

⬜ --fail-on-high Exit code 1 if HIGH vulnerabilities found

⬜ --sarif SARIF 2.1.0 export (GitHub Code Scanning, GitLab SAST)

⬜ --sbom CycloneDX SBOM generation (dependency inventory)

✅ --lang Report language

⬜ --debug Debug logging (levels: info, detail, trace)

⬜ --with-tests Auto-detect and run project unit tests

⬜ --with-deps Dependency vulnerability scan (pip-audit, npm audit)

⬜ --severity Scan restricted to severity: {levels}

Top 10 Problematic Files

Ranked by severity score (CRITICAL×10, HIGH×5, MEDIUM×2, LOW×1)

No problematic files.

🔍

Detected Issues 0

↑ Table of Contents ▶

💀

Critical (CRITICAL) 0 issue(s)

▶

✅ No issues detected in this category.

🚨

High (HIGH) 0 issue(s)

▶

✅ No issues detected in this category.

⚠️

Medium (MEDIUM) 0 issue(s)

▶

✅ No issues detected in this category.

ℹ️

Low (LOW) 0 issue(s)

▶

✅ No issues detected in this category.

📝

Information (INFO) 0 issue(s)

▶

✅ No issues detected in this category.

📜

Custom Rules 0

↑ Table of Contents ▶

📜

No custom rules configured

Custom rules let you detect patterns specific to your codebase. Create your first rule with:

./run_audit.py . --create-rule

🔬 Fixtures Validation ↑ Table of Contents

Each detection rule is tested against two types of test files (fixtures): vulnerable fixtures contain a known security pattern and must trigger a detection, while clean fixtures contain safe code and must not trigger any alert. This section measures the reliability of every rule.

❌

Some fixtures are not correctly detected

789/811 vulnerable detected, 804/854 clean validated

789

True Positives

Vulnerable fixtures correctly detected by the rule

804

True Negatives

Clean fixtures correctly ignored (no false alert)

22

False Negatives

Vulnerable fixtures missed by the rule (detection failure)

50

False Positives

Clean fixtures incorrectly flagged (false alert)

❌ Detection failures :

taint_graphql_injection.js (vulnerable) - Expected: detected, Actual: ignored
Rule: taint_graphql_injection

taint_log_injection.js (vulnerable) - Expected: detected, Actual: ignored
Rule: Taint Log Injection

taint_cookie_injection.js (vulnerable) - Expected: detected, Actual: ignored
Rule: taint_cookie_injection

taint_xxe.js (vulnerable) - Expected: detected, Actual: ignored
Rule: Taint XXE

taint_path_traversal.js (vulnerable) - Expected: detected, Actual: ignored
Rule: Taint Path Traversal

taint_ldap.js (vulnerable) - Expected: detected, Actual: ignored
Rule: Taint LDAP Injection

taint_rce.js (vulnerable) - Expected: detected, Actual: ignored
Rule: Taint RCE

taint_sqli.js (vulnerable) - Expected: detected, Actual: ignored
Rule: Taint SQL Injection

taint_header_injection.js (vulnerable) - Expected: detected, Actual: ignored
Rule: taint_header_injection

taint_nosql.js (vulnerable) - Expected: detected, Actual: ignored
Rule: taint_nosql

... and 62 more failures

🧪

Detail of 1665 tested fixtures

▶

Fixture	Type	Expected rule	Status
`angularjs_insecure_url_whitelist_clean.js`	Clean	angularjs_insecure_url_whitelist	✗ False positive
`api_key_in_url_clean.js`	Clean	API Key in URL	✓ Clean (expected)
`api_key_in_url_clean.py`	Clean	API Key in URL	✓ Clean (expected)
`arithmetic_extreme_values_clean.java`	Clean	arithmetic_extreme_values	✓ Clean (expected)
`arithmetic_tainted_clean.java`	Clean	arithmetic_tainted	✗ False positive
`arithmetic_uncontrolled_clean.java`	Clean	arithmetic_uncontrolled	✓ Clean (expected)
`array_construction_tainted_clean.java`	Clean	array_construction_tainted	✓ Clean (expected)
`array_index_validation_clean.java`	Clean	array_index_validation	✓ Clean (expected)
`aspnet_debug_enabled_clean.cs`	Clean	aspnet_debug_enabled	✓ Clean (expected)
`aspnet_directory_listing_clean.cs`	Clean	aspnet_directory_listing	✓ Clean (expected)
`aspnet_max_request_length_clean.cs`	Clean	aspnet_max_request_length	✓ Clean (expected)
`assembly_path_injection_clean.cs`	Clean	assembly_path_injection	✓ Clean (expected)
`autoplay_media_clean.html`	Clean	Autoplaying media	✓ Clean (expected)
`bad_tag_filter_clean.js`	Clean	bad_tag_filter	✓ Clean (expected)
`bad_tag_filter_clean.py`	Clean	bad_tag_filter	✓ Clean (expected)
`base64_credentials_clean.py`	Clean	Base64 encoded credentials	✓ Clean (expected)
`base64_eval_clean.js`	Clean	Base64 obfuscated code execution	✓ Clean (expected)
`base64_eval_clean.py`	Clean	Base64 obfuscated code execution	✓ Clean (expected)
`base64_obfuscation_clean.js`	Clean	Suspicious base64 string decoded	✓ Clean (expected)
`batch_query.py`	Clean	Potential N+1 Query	✓ Clean (expected)
`broken_crypto_algorithm_clean.js`	Clean	broken_crypto_algorithm	✓ Clean (expected)
`build_artifact_leak_clean.js`	Clean	build_artifact_leak	✓ Clean (expected)
`button_no_aria_clean.html`	Clean	Button without aria-label	✓ Clean (expected)
`button_with_aria.html`	Clean	Button without aria-label	✓ Clean (expected)
`button_with_text.html`	Clean	Button without aria-label	✓ Clean (expected)
`cache_poisoning_clean.py`	Clean	Cache Poisoning	✓ Clean (expected)
`case_sensitive_middleware_path_clean.js`	Clean	case_sensitive_middleware_path	✗ False positive
`catch_all_exception_clean.py`	Clean	Catch-all exception	✓ Clean (expected)
`catch_all_exception_csharp_clean.cs`	Clean	Generic catch (C#)	✓ Clean (expected)
`catch_all_exception_java_clean.java`	Clean	Generic catch (Java)	✓ Clean (expected)
`catch_all_exception_php_clean.php`	Clean	Generic catch (PHP)	✓ Clean (expected)
`ci_curl_pipe_bash_clean.yml`	Clean	Remote script piped to shell	✓ Clean (expected)
`ci_debug_trace_enabled_clean.yml`	Clean	CI/CD debug logging enabled	✓ Clean (expected)
`ci_docker_privileged_clean.yml`	Clean	Privileged Docker container in CI/CD	✓ Clean (expected)
`ci_insecure_download_clean.yml`	Clean	Insecure HTTP download in CI/CD	✓ Clean (expected)
`ci_netcat_reverse_shell_clean.yml`	Clean	Netcat reverse shell in CI/CD script	✓ Clean (expected)
`class_manipulation.js`	Clean	Inline style in JS	✓ Clean (expected)
`cleartext_cookie_clean.js`	Clean	cleartext_cookie	✓ Clean (expected)
`cleartext_logging_clean.js`	Clean	cleartext_logging	✓ Clean (expected)
`cleartext_storage_class_clean.java`	Clean	cleartext_storage_class	✗ False positive
`cleartext_storage_cookie_clean.java`	Clean	cleartext_storage_cookie	✓ Clean (expected)
`cleartext_storage_csharp_clean.cs`	Clean	cleartext_storage_csharp	✓ Clean (expected)
`cleartext_storage_properties_clean.java`	Clean	cleartext_storage_properties	✓ Clean (expected)
`cleartext_storage_sensitive_clean.js`	Clean	cleartext_storage_sensitive	✓ Clean (expected)
`cleartext_storage_sensitive_clean.py`	Clean	cleartext_storage_sensitive	✓ Clean (expected)
`client_side_auth_clean.js`	Clean	Client-side access control	✓ Clean (expected)
`client_side_ssrf_clean.js`	Clean	client_side_ssrf	✓ Clean (expected)
`command_injection_csharp_clean.cs`	Clean	Command injection (C#)	✓ Clean (expected)
`command_injection_java_broad_clean.java`	Clean	Command Injection (Java)	✗ False positive
`command_injection_java_clean.java`	Clean	Command injection (Java)	✓ Clean (expected)
`command_injection_php_clean.php`	Clean	Command injection (PHP)	✓ Clean (expected)
`comparison_wider_type_clean.java`	Clean	comparison_wider_type	✓ Clean (expected)
`conditional_bypass_clean.js`	Clean	conditional_bypass	✓ Clean (expected)
`conditional_bypass_csharp_clean.cs`	Clean	conditional_bypass_csharp	✓ Clean (expected)
`conditional_bypass_java_clean.java`	Clean	conditional_bypass_java	✓ Clean (expected)
`console_log_residual_clean.js`	Clean	Residual console.log	✓ Clean (expected)
`console_write_csharp_clean.cs`	Clean	Console.Write in production (C#)	✓ Clean (expected)
`cookie_broad_domain_clean.cs`	Clean	cookie_broad_domain	✓ Clean (expected)
`cookie_broad_path_clean.cs`	Clean	cookie_broad_path	✓ Clean (expected)
`cookie_injection_clean.py`	Clean	cookie_injection	✓ Clean (expected)
`correct_tabindex.html`	Clean	Positive tabindex	✓ Clean (expected)
`cors_credentials_wildcard_clean.js`	Clean	CORS wildcard with credentials	✓ Clean (expected)
`cors_permissive_csharp_clean.cs`	Clean	Permissive CORS (C#)	✓ Clean (expected)
`crud_without_ownership_clean.js`	Clean	CRUD without ownership check	✓ Clean (expected)
`cs_deep_nesting_clean 2.cs`	Clean		✓ Clean (expected)
`cs_deep_nesting_clean.cs`	Clean	Excessive nesting depth (C#, 6+ levels)	✓ Clean (expected)
`cs_empty_catch_block_clean 2.cs`	Clean		✓ Clean (expected)
`cs_empty_catch_block_clean.cs`	Clean	Empty catch block (C#)	✓ Clean (expected)
`cs_high_coupling_clean 2.cs`	Clean		✓ Clean (expected)
`cs_high_coupling_clean.cs`	Clean	High coupling — too many C# interfaces (SonarQube S1200)	✓ Clean (expected)
`cs_magic_number_clean 2.cs`	Clean		✓ Clean (expected)
`cs_magic_number_clean.cs`	Clean	Magic number in comparison (C#)	✓ Clean (expected)
`cs_string_format_legacy_clean 2.cs`	Clean		✓ Clean (expected)
`cs_string_format_legacy_clean.cs`	Clean	string.Format() instead of interpolation (C#)	✓ Clean (expected)
`cs_too_many_params_clean 2.cs`	Clean		✓ Clean (expected)
`cs_too_many_params_clean.cs`	Clean	Too many C# method parameters (6+)	✓ Clean (expected)
`csrf_missing_flask_clean 2.py`	Clean		✗ False positive
`csrf_missing_flask_clean.py`	Clean	Missing CSRF protection (Flask)	✓ Clean (expected)
`csv_injection_clean.py`	Clean	CSV Formula Injection	✓ Clean (expected)
`dangerous_eval_clean.py`	Clean	Dangerous Eval/Exec	✓ Clean (expected)
`dangerous_function_java_clean.java`	Clean	dangerous_function_java	✓ Clean (expected)
`data_uri_html_clean.js`	Clean	Data URI with HTML content	✓ Clean (expected)
`data_uri_html_tag_clean.html`	Clean	Data URI HTML in tag	✓ Clean (expected)
`db_connection_string_credentials_clean 2.py`	Clean		✓ Clean (expected)
`db_connection_string_credentials_clean.py`	Clean	DB connection string with credentials (Python)	✓ Clean (expected)
`db_connection_string_credentials_js_clean 2.js`	Clean		✓ Clean (expected)
`db_connection_string_credentials_js_clean.js`	Clean	DB connection string with credentials (JavaScript)	✓ Clean (expected)
`db_error_exposed_csharp_clean 2.cs`	Clean		✓ Clean (expected)
`db_error_exposed_csharp_clean.cs`	Clean	DB error exposed in response (C#)	✓ Clean (expected)
`db_error_exposed_java_clean 2.java`	Clean		✓ Clean (expected)
`db_error_exposed_java_clean.java`	Clean	DB error exposed in response (Java)	✓ Clean (expected)
`db_error_exposed_php_clean 2.php`	Clean		✗ False positive
`db_error_exposed_php_clean.php`	Clean	DB error exposed in response (PHP)	✓ Clean (expected)
`db_error_exposed_python_clean 2.py`	Clean		✓ Clean (expected)
`db_error_exposed_python_clean.py`	Clean	DB error exposed in response (Python)	✓ Clean (expected)
`db_logic_controller_csharp_clean.cs`	Clean	DB logic in controller (C#)	✓ Clean (expected)
`db_logic_controller_java_clean.java`	Clean	DB logic in controller (Java)	✓ Clean (expected)
`db_logic_controller_php_clean.php`	Clean	DB logic in controller (PHP)	✓ Clean (expected)
`db_superuser_connection_csharp_clean 2.cs`	Clean		✓ Clean (expected)
`db_superuser_connection_csharp_clean.cs`	Clean	DB connection as superuser (C#)	✓ Clean (expected)
`db_superuser_connection_java_clean 2.java`	Clean		✓ Clean (expected)
`db_superuser_connection_java_clean.java`	Clean	DB connection as superuser (Java)	✓ Clean (expected)
`db_superuser_connection_python_clean 2.py`	Clean		✓ Clean (expected)
`db_superuser_connection_python_clean.py`	Clean	DB connection as superuser (Python)	✓ Clean (expected)
`db_tls_disabled_java_clean 2.java`	Clean		✓ Clean (expected)
`db_tls_disabled_java_clean.java`	Clean	DB connection without TLS (Java)	✓ Clean (expected)
`db_tls_disabled_js_clean 2.js`	Clean		✓ Clean (expected)
`db_tls_disabled_js_clean.js`	Clean	DB connection without TLS (JavaScript)	✓ Clean (expected)
`db_tls_disabled_python_clean 2.py`	Clean		✗ False positive
`db_tls_disabled_python_clean.py`	Clean	DB connection without TLS (Python)	✓ Clean (expected)
`debug_false.py`	Clean	Debug mode enabled	✓ Clean (expected)
`debug_mode_clean.py`	Clean	Debug mode enabled	✓ Clean (expected)
`default_credentials_clean.py`	Clean	Default Credentials	✓ Clean (expected)
`dependabot_insecure_exec_clean.yml`	Clean	Dependabot insecure external code execution	✓ Clean (expected)
`dependency_confusion_clean.js`	Clean	Dependency Confusion	✓ Clean (expected)
`dependency_confusion_clean.py`	Clean	Dependency Confusion	✓ Clean (expected)
`deprecated_api_clean.py`	Clean	Deprecated API	✓ Clean (expected)
`deprecated_api_csharp_clean.cs`	Clean	Deprecated API (C#)	✓ Clean (expected)
`deprecated_api_java_clean.java`	Clean	Deprecated API (Java)	✓ Clean (expected)
`deprecated_api_javascript_clean.js`	Clean	Deprecated API (JavaScript)	✓ Clean (expected)
`deprecated_api_php_clean.php`	Clean	Deprecated API (PHP)	✓ Clean (expected)
`destructive_without_backup_clean.py`	Clean	Destructive Operation Without Backup	✓ Clean (expected)
`different_kinds_comparison_bypass_clean.js`	Clean	different_kinds_comparison_bypass	✓ Clean (expected)
`disable_certificate_validation_clean.js`	Clean	disable_certificate_validation	✓ Clean (expected)
`django_clean.py`	Clean	@csrf_exempt decorator (Django)	✓ Clean (expected)
`django_csrf_exempt_clean.py`	Clean	@csrf_exempt decorator (Django)	✓ Clean (expected)
`django_debug_enabled_clean.py`	Clean	DEBUG = True (Django)	✓ Clean (expected)
`django_mark_safe_xss_clean.py`	Clean	Django mark_safe() — XSS risk	✓ Clean (expected)
`django_secret_key_weak_clean.py`	Clean	Hardcoded SECRET_KEY (Django)	✓ Clean (expected)
`docker_latest_tag_clean.yml`	Clean	Docker image with :latest tag	✓ Clean (expected)
`dockerfile_copy_all_clean`	Clean	COPY . . in Dockerfile	✓ Clean (expected)
`dockerfile_non_root`	Clean	Dockerfile runs as root	✓ Clean (expected)
`dockerfile_unpinned_base_clean`	Clean	Unpinned base image	✓ Clean (expected)
`dom_clobbering_clean.html`	Clean	DOM Clobbering	✓ Clean (expected)
`dom_manipulation_loop_clean.js`	Clean	DOM manipulation in loop	✓ Clean (expected)
`dom_pseudo_eval_clean.js`	Clean	dom_pseudo_eval	✓ Clean (expected)
`dont_install_root_cert_clean.cs`	Clean	dont_install_root_cert	✓ Clean (expected)
`double_escaping_clean.js`	Clean	double_escaping	✓ Clean (expected)
`dynamic_import_clean.py`	Clean	Dynamic import	✓ Clean (expected)
`ecb_cipher_mode_clean.py`	Clean	Insecure ECB cipher mode	✓ Clean (expected)
`ecb_mode_csharp_clean.cs`	Clean	ecb_mode_csharp	✓ Clean (expected)
`elasticsearch_query_injection_clean 2.py`	Clean		✓ Clean (expected)
`elasticsearch_query_injection_clean.py`	Clean	Elasticsearch query injection (Python)	✓ Clean (expected)
`electron_insecure_content_clean.js`	Clean	electron_insecure_content	✓ Clean (expected)
`electron_node_integration_clean.js`	Clean	electron_node_integration	✓ Clean (expected)
`electron_web_security_disabled_clean.js`	Clean	electron_web_security_disabled	✓ Clean (expected)
`empty_password_config_clean.js`	Clean	empty_password_config	✓ Clean (expected)
`env_aws_key.py`	Clean	Hardcoded secret	✓ Clean (expected)
`env_github_token.py`	Clean	Hardcoded secret	✓ Clean (expected)
`error_suppressor_php_clean.php`	Clean	Error suppressor (PHP @)	✓ Clean (expected)
`eval_injection_php_clean.php`	Clean	Code injection (PHP)	✓ Clean (expected)
`eval_template_literal_clean.js`	Clean	eval() with template literal	✓ Clean (expected)
`event_listeners_cleanup.js`	Clean	Event listeners not cleaned	✓ Clean (expected)
`event_listeners_not_cleaned_clean.js`	Clean	Event listeners not cleaned	✓ Clean (expected)
`exec_relative_path_clean.java`	Clean	exec_relative_path	✓ Clean (expected)
`exec_tainted_environment_clean.java`	Clean	exec_tainted_environment	✓ Clean (expected)
`exec_unescaped_clean.java`	Clean	exec_unescaped	✓ Clean (expected)
`exposed_test_endpoint_clean.py`	Clean	Exposed Test/Debug Endpoint	✓ Clean (expected)
`exposure_private_information_clean.cs`	Clean	exposure_private_information	✓ Clean (expected)
`exposure_transmitted_data_clean.cs`	Clean	exposure_transmitted_data	✓ Clean (expected)
`express_clean.js`	Clean	Missing Helmet middleware (Express)	✓ Clean (expected)
`express_cors_wildcard_clean.js`	Clean	Permissive CORS configuration (Express)	✓ Clean (expected)
`express_no_csrf_clean.js`	Clean	Express without CSRF protection	✓ Clean (expected)
`express_no_helmet_clean.js`	Clean	Missing Helmet middleware (Express)	✓ Clean (expected)
`extract_usage_php_clean.php`	Clean	Variable overwrite (PHP extract)	✓ Clean (expected)
`file_access_to_http_clean.js`	Clean	file_access_to_http	✓ Clean (expected)
`file_inclusion_php_clean.php`	Clean	File inclusion (PHP)	✓ Clean (expected)
`file_short.py`	Clean	File too long	✓ Clean (expected)
`file_too_long_clean.cs`	Clean	File too long	✓ Clean (expected)
`file_too_long_clean.java`	Clean	File too long	✓ Clean (expected)
`file_too_long_clean.php`	Clean	File too long	✓ Clean (expected)
`file_too_long_clean.py`	Clean	File too long	✓ Clean (expected)
`file_upload_no_validation_clean.py`	Clean	File Upload Without Validation	✓ Clean (expected)
`file_upload_validated.py`	Clean	File Upload Without Validation	✓ Clean (expected)
`filesystem_race_condition_clean.js`	Clean	filesystem_race_condition	✓ Clean (expected)
`flask_clean.py`	Clean	Debug mode enabled (Flask)	✓ Clean (expected)
`flask_debug_enabled_clean.py`	Clean	Debug mode enabled (Flask)	✓ Clean (expected)
`flask_secret_key_weak_clean.py`	Clean	Hardcoded secret_key (Flask)	✓ Clean (expected)
`focus_outline_kept.js`	Clean	Focus outline removed	✓ Clean (expected)
`focus_outline_removed_clean.html`	Clean	Focus outline removed	✓ Clean (expected)
`focus_outline_removed_clean.js`	Clean	Focus outline removed	✓ Clean (expected)
`format_string_safe.py`	Clean	Format String Vulnerability	✓ Clean (expected)
`format_string_safe_java.java`	Clean	Format String Vulnerability	✓ Clean (expected)
`format_string_vuln_clean.java`	Clean	Format String Vulnerability	✓ Clean (expected)
`format_string_vuln_clean.py`	Clean	Format String Vulnerability	✓ Clean (expected)
`fstring_in_logging_clean.py`	Clean	F-string in Logging	✓ Clean (expected)
`functionality_untrusted_domain_clean.js`	Clean	functionality_untrusted_domain	✗ False positive
`functionality_untrusted_source_clean.js`	Clean	functionality_untrusted_source	✓ Clean (expected)
`gha_actor_check_bypass_clean.yml`	Clean	Bypassable actor-based security gate	✓ Clean (expected)
`gha_artifact_poisoning_clean.yml`	Clean	Artifact poisoning via workflow_run	✓ Clean (expected)
`gha_cache_poisoning_clean.yml`	Clean	Cache poisoning risk in release workflow	✗ False positive
`gha_confused_deputy_clean.yml`	Clean	Confused deputy auto-merge bypass	✓ Clean (expected)
`gha_credentials_on_disk_clean.yml`	Clean	Git credentials persisted on disk	✓ Clean (expected)
`gha_dangerous_artefact_clean.yml`	Clean	Sensitive files uploaded as artifact	✓ Clean (expected)
`gha_deprecated_commands_clean.yml`	Clean	Deprecated workflow commands	✓ Clean (expected)
`gha_excessive_permissions_clean.txt`	Clean	Excessive workflow permissions	✓ Clean (expected)
`gha_excessive_permissions_clean.yml`	Clean	Excessive workflow permissions	✓ Clean (expected)
`gha_expression_injection_clean.txt`	Clean	GitHub Actions expression injection	✓ Clean (expected)
`gha_expression_injection_clean.yml`	Clean	GitHub Actions expression injection	✓ Clean (expected)
`gha_github_app_no_revoke_clean.yml`	Clean	GitHub App token not revoked after job	✓ Clean (expected)
`gha_github_env_write_clean.yml`	Clean	Untrusted data written to GITHUB_ENV	✓ Clean (expected)
`gha_insecure_commands_env_clean.yml`	Clean	Insecure workflow commands enabled	✓ Clean (expected)
`gha_job_all_secrets_clean.yml`	Clean	All secrets serialized in workflow	✓ Clean (expected)
`gha_local_action_clean.yml`	Clean	Local action usage	✓ Clean (expected)
`gha_missing_permissions_clean.txt`	Clean	Missing permissions block	✓ Clean (expected)
`gha_missing_permissions_clean.yml`	Clean	Missing permissions block	✓ Clean (expected)
`gha_secret_in_log_clean.yml`	Clean	Secret printed in workflow log	✓ Clean (expected)
`gha_secrets_bypass_redaction_clean.yml`	Clean	Secrets redaction bypass via JSON	✓ Clean (expected)
`gha_secrets_without_environment_clean.yml`	Clean	Secrets used without environment gate on risky trigger	✓ Clean (expected)
`gha_self_hosted_runner_clean.yml`	Clean	Self-hosted runner on public repository	✓ Clean (expected)
`gha_unguarded_comment_trigger_clean.txt`	Clean	Unguarded comment trigger	✓ Clean (expected)
`gha_unguarded_comment_trigger_clean.yml`	Clean	Unguarded comment trigger	✓ Clean (expected)
`gha_unsound_condition_clean.yml`	Clean	Unsound if: condition with block scalar	✓ Clean (expected)
`gha_version_comment_missing_clean.yml`	Clean	Pinned action SHA without version comment	✓ Clean (expected)
`gha_workflow_dispatch_inputs_clean.yml`	Clean	workflow_dispatch with user inputs	✓ Clean (expected)
`gitlab_allow_failure_security_clean.yml`	Clean	Security job with allow_failure: true	✗ False positive
`gitlab_double_pipeline_clean.yml`	Clean	GitLab CI duplicate pipeline rules	✗ False positive
`gitlab_script_secrets_echo_clean.yml`	Clean	GitLab CI token printed to log	✓ Clean (expected)
`gitlab_unsafe_variables_clean.yml`	Clean	Unprotected GitLab CI variable	✓ Clean (expected)
`graphql_batching_attack_clean.js`	Clean	GraphQL Batching Attack	✓ Clean (expected)
`graphql_introspection_disabled.js`	Clean	GraphQL Introspection Enabled	✓ Clean (expected)
`graphql_introspection_disabled_python.py`	Clean	GraphQL Introspection Enabled	✓ Clean (expected)
`graphql_introspection_enabled_clean.js`	Clean	GraphQL Introspection Enabled	✓ Clean (expected)
`graphql_introspection_enabled_clean.py`	Clean	GraphQL Introspection Enabled	✓ Clean (expected)
`graphql_no_depth_limit_clean.js`	Clean	GraphQL Without Depth Limit	✓ Clean (expected)
`graphql_no_depth_limit_clean.py`	Clean	GraphQL Without Depth Limit	✓ Clean (expected)
`graphql_with_depth_limit.js`	Clean	GraphQL Without Depth Limit	✓ Clean (expected)
`groovy_injection_clean.java`	Clean	groovy_injection	✓ Clean (expected)
`hardcoded_connection_string_clean.cs`	Clean	hardcoded_connection_string	✓ Clean (expected)
`hardcoded_connection_string_java_clean 2.java`	Clean		✓ Clean (expected)
`hardcoded_connection_string_java_clean.java`	Clean	Hardcoded DB credentials (Java)	✓ Clean (expected)
`hardcoded_connection_string_php_clean 2.php`	Clean		✓ Clean (expected)
`hardcoded_connection_string_php_clean.php`	Clean	Hardcoded DB credentials (PHP)	✓ Clean (expected)
`hardcoded_data_as_code_clean.js`	Clean	hardcoded_data_as_code	✓ Clean (expected)
`hardcoded_encryption_key_clean.cs`	Clean	hardcoded_encryption_key	✓ Clean (expected)
`hardcoded_internal_ip_clean.py`	Clean	Hardcoded Internal IP Address	✓ Clean (expected)
`hardcoded_iv_nonce_clean.py`	Clean	Hardcoded IV/Nonce	✓ Clean (expected)
`hardcoded_secret_cicd_clean.yml`	Clean	Hardcoded secret in CI/CD configuration	✓ Clean (expected)
`hardcoded_secret_clean.js`	Clean	Hardcoded secret	✓ Clean (expected)
`hardcoded_secret_clean.py`	Clean	Hardcoded secret	✓ Clean (expected)
`hardcoded_tmp_path_clean.py`	Clean	Hardcoded /tmp path	✓ Clean (expected)
`hardcoded_ui_string_clean.html`	Clean	Hardcoded UI string	✓ Clean (expected)
`hardcoded_ui_string_clean.js`	Clean	Hardcoded UI string	✓ Clean (expected)
`header_injection_clean.py`	Clean	header_injection	✓ Clean (expected)
`heading_skip_level_clean.html`	Clean	Heading skip level	✓ Clean (expected)
`homebrew_auth_clean.py`	Clean	Homebrew authentication	✓ Clean (expected)
`host_header_poisoning_clean.js`	Clean	host_header_poisoning	✓ Clean (expected)
`hsts_django_clean.py`	Clean	Missing HSTS Header	✓ Clean (expected)
`html_aria_hidden_focusable_clean.html`	Clean	Focusable element hidden with aria-hidden	✓ Clean (expected)
`html_autocomplete_invalid_clean.html`	Clean	Non-standard autocomplete value	✓ Clean (expected)
`html_button_missing_type_clean.html`	Clean	HTML button without type attribute	✓ Clean (expected)
`html_deprecated_tag_clean.html`	Clean	Deprecated HTML tag	✓ Clean (expected)
`html_img_missing_dimensions_clean.html`	Clean	HTML image without dimensions (width/height)	✓ Clean (expected)
`html_inline_style_clean.html`	Clean	Inline CSS style (HTML)	✓ Clean (expected)
`html_input_button_empty_clean.html`	Clean	Button input without label (missing value)	✓ Clean (expected)
`html_invalid_aria_role_clean.html`	Clean	Empty ARIA role attribute	✓ Clean (expected)
`html_invalid_lang_value_clean.html`	Clean	Non-BCP-47 lang attribute value	✓ Clean (expected)
`html_missing_main_landmark_clean.html`	Clean	Missing <main> landmark	✓ Clean (expected)
`html_missing_meta_viewport_clean.html`	Clean	Missing viewport meta tag (HTML)	✓ Clean (expected)
`html_no_lang_clean.html`	Clean	HTML missing lang attribute	✓ Clean (expected)
`html_select_missing_label_clean.html`	Clean	Select without accessible label	✓ Clean (expected)
`html_target_blank_noreferrer_clean.html`	Clean	target="_blank" without rel="noopener noreferrer"	✓ Clean (expected)
`html_th_scope_missing_clean.html`	Clean	Table header without scope attribute	✓ Clean (expected)
`html_video_missing_captions_clean.html`	Clean	Video without caption track	✓ Clean (expected)
`html_viewport_zoom_disabled_clean.html`	Clean	User zoom disabled (viewport)	✓ Clean (expected)
`http_localhost.py`	Clean	HTTP without TLS	✓ Clean (expected)
`http_no_tls_clean.py`	Clean	HTTP without TLS	✓ Clean (expected)
`http_response_splitting_clean.java`	Clean	http_response_splitting	✓ Clean (expected)
`http_smuggling_clean.py`	Clean	HTTP request smuggling	✓ Clean (expected)
`http_to_file_access_clean.js`	Clean	http_to_file_access	✗ False positive
`https_url.py`	Clean	HTTP without TLS	✓ Clean (expected)
`idor_missing_ownership_clean.cs`	Clean	IDOR Missing Ownership	✓ Clean (expected)
`idor_missing_ownership_clean.py`	Clean	IDOR Missing Ownership	✓ Clean (expected)
`iframe_no_title_clean.html`	Clean	Iframe without title	✓ Clean (expected)
`img_decorative_no_role_clean.html`	Clean	Decorative image without role	✓ Clean (expected)
`img_no_alt_clean.html`	Clean	Image without alt text	✓ Clean (expected)
`img_with_alt.html`	Clean	Image without alt text	✓ Clean (expected)
`improper_code_sanitization_clean.js`	Clean	improper_code_sanitization	✓ Clean (expected)
`inappropriate_encoding_clean.cs`	Clean	inappropriate_encoding	✓ Clean (expected)
`incomplete_hostname_regexp_clean.js`	Clean	incomplete_hostname_regexp	✓ Clean (expected)
`incomplete_hostname_regexp_clean.py`	Clean	incomplete_hostname_regexp	✓ Clean (expected)
`incomplete_html_attribute_sanitization_clean.js`	Clean	incomplete_html_attribute_sanitization	✓ Clean (expected)
`incomplete_multichar_sanitization_clean.js`	Clean	incomplete_multichar_sanitization	✓ Clean (expected)
`incomplete_sanitization_clean.js`	Clean	incomplete_sanitization	✓ Clean (expected)
`incomplete_url_sanitization_clean.py`	Clean	incomplete_url_sanitization	✓ Clean (expected)
`incomplete_url_scheme_check_clean.js`	Clean	incomplete_url_scheme_check	✓ Clean (expected)
`incomplete_url_substring_sanitization_clean.js`	Clean	incomplete_url_substring_sanitization	✓ Clean (expected)
`incorrect_suffix_check_clean.js`	Clean	incorrect_suffix_check	✓ Clean (expected)
`indirect_command_injection_clean.js`	Clean	indirect_command_injection	✓ Clean (expected)
`infinite_loop_user_input_clean.java`	Clean	infinite_loop_user_input	✓ Clean (expected)
`inline_event_handler_clean.js`	Clean	Inline event handler	✓ Clean (expected)
`inline_event_handler_html_clean.html`	Clean	Inline event handler in HTML	✓ Clean (expected)
`inline_style_js_clean.js`	Clean	Inline style in JS	✓ Clean (expected)
`input_no_label_clean.html`	Clean	Input without label	✓ Clean (expected)
`input_with_label.html`	Clean	Input without label	✓ Clean (expected)
`insecure_basic_auth_clean.java`	Clean	insecure_basic_auth	✓ Clean (expected)
`insecure_bean_validation_clean.java`	Clean	insecure_bean_validation	✓ Clean (expected)
`insecure_cipher_clean.py`	Clean	Insecure cipher algorithm	✓ Clean (expected)
`insecure_cloud_config_clean.py`	Clean	Insecure Cloud Configuration	✓ Clean (expected)
`insecure_cookie_clean.cs`	Clean	Insecure cookie (missing HttpOnly/Secure)	✗ False positive
`insecure_cookie_clean.java`	Clean	Insecure cookie (missing HttpOnly/Secure)	✓ Clean (expected)
`insecure_cookie_clean.js`	Clean	Insecure cookie (missing HttpOnly/Secure)	✓ Clean (expected)
`insecure_cookie_clean.php`	Clean	Insecure cookie (missing HttpOnly/Secure)	✗ False positive
`insecure_cookie_clean.py`	Clean	Insecure cookie (missing HttpOnly/Secure)	✓ Clean (expected)
`insecure_cookie_flag_clean.java`	Clean	Insecure Cookie Flag	✓ Clean (expected)
`insecure_cookie_no_secure_clean.py`	Clean	Cookie without Secure flag	✓ Clean (expected)
`insecure_db_deserialization_python_clean 2.py`	Clean		✗ False positive
`insecure_db_deserialization_python_clean.py`	Clean	Insecure DB deserialization (Python)	✓ Clean (expected)
`insecure_dependency_http_clean.js`	Clean	insecure_dependency_http	✓ Clean (expected)
`insecure_deserialize_call_clean.py`	Clean	Insecure deserialization call	✓ Clean (expected)
`insecure_download_clean.js`	Clean	insecure_download	✓ Clean (expected)
`insecure_javamail_clean.java`	Clean	insecure_javamail	✓ Clean (expected)
`insecure_ldap_auth_clean.java`	Clean	insecure_ldap_auth	✓ Clean (expected)
`insecure_local_storage_clean.js`	Clean	Insecure Local Storage	✓ Clean (expected)
`insecure_maven_dependency_clean.java`	Clean	insecure_maven_dependency	✓ Clean (expected)
`insecure_random_clean.js`	Clean	Insecure RNG	✓ Clean (expected)
`insecure_sql_connection_clean.cs`	Clean	insecure_sql_connection	✓ Clean (expected)
`insecure_ssl_version_clean.py`	Clean	Insecure SSL/TLS version	✓ Clean (expected)
`insecure_temp_file_clean.js`	Clean	insecure_temp_file	✓ Clean (expected)
`insecure_temp_file_clean.py`	Clean	insecure_temp_file	✓ Clean (expected)
`insufficient_key_size_clean.js`	Clean	Insufficient Cryptographic Key Size	✓ Clean (expected)
`insufficient_key_size_clean.py`	Clean	Insufficient Cryptographic Key Size	✓ Clean (expected)
`insufficient_key_size_csharp_clean.cs`	Clean	insufficient_key_size_csharp	✓ Clean (expected)
`insufficient_key_size_java_clean.java`	Clean	insufficient_key_size_java	✓ Clean (expected)
`insufficient_password_hash_clean.js`	Clean	insufficient_password_hash	✓ Clean (expected)
`java_deep_nesting_clean 2.java`	Clean		✓ Clean (expected)
`java_deep_nesting_clean.java`	Clean	Excessive nesting depth (Java, 6+ levels)	✓ Clean (expected)
`java_empty_catch_block_clean 2.java`	Clean		✗ False positive
`java_empty_catch_block_clean.java`	Clean	Empty catch block (Java)	✓ Clean (expected)
`java_public_field_clean 2.java`	Clean		✓ Clean (expected)
`java_public_field_clean.java`	Clean	Non-constant public field (Java)	✓ Clean (expected)
`java_string_concat_loop_clean 2.java`	Clean		✓ Clean (expected)
`java_string_concat_loop_clean.java`	Clean	String concatenation in loop (Java)	✓ Clean (expected)
`java_too_many_params_clean 2.java`	Clean		✓ Clean (expected)
`java_too_many_params_clean.java`	Clean	Too many Java method parameters (6+)	✓ Clean (expected)
`java_utility_class_constructor_clean 2.java`	Clean		✓ Clean (expected)
`java_utility_class_constructor_clean.java`	Clean	Java utility class without private constructor	✓ Clean (expected)
`javascript_uri_clean.js`	Clean	javascript: URI — XSS	✓ Clean (expected)
`javascript_uri_html_clean.html`	Clean	javascript: URI in HTML attribute	✓ Clean (expected)
`jexl_injection_clean.java`	Clean	jexl_injection	✗ False positive
`jinja2_autoescape_false_clean.py`	Clean	jinja2_autoescape_false	✓ Clean (expected)
`jndi_injection_java_clean.java`	Clean	JNDI Injection (Log4Shell)	✓ Clean (expected)
`js_cognitive_complexity_clean 2.js`	Clean		✓ Clean (expected)
`js_cognitive_complexity_clean.js`	Clean	High cognitive complexity (JavaScript)	✓ Clean (expected)
`js_debugger_statement_clean 2.js`	Clean		✓ Clean (expected)
`js_debugger_statement_clean.js`	Clean	Debugger statement in production (JavaScript)	✓ Clean (expected)
`js_deep_nesting_clean 2.js`	Clean		✓ Clean (expected)
`js_deep_nesting_clean.js`	Clean	Excessive nesting depth (JavaScript, 6+ levels)	✓ Clean (expected)
`js_empty_catch_block_clean 2.js`	Clean		✓ Clean (expected)
`js_empty_catch_block_clean.js`	Clean	Empty catch block (JavaScript)	✓ Clean (expected)
`js_no_var_clean 2.js`	Clean		✓ Clean (expected)
`js_no_var_clean.js`	Clean	Use of var keyword (JavaScript)	✓ Clean (expected)
`js_too_many_params_clean 2.js`	Clean		✓ Clean (expected)
`js_too_many_params_clean.js`	Clean	Too many JavaScript function parameters (6+)	✓ Clean (expected)
`jsx_anchor_href_invalid_clean.jsx`	Clean	JSX link with invalid href (href="#" or javascript:)	✓ Clean (expected)
`jsx_img_missing_alt_clean.jsx`	Clean	JSX image without alt prop (WCAG 1.1.1)	✓ Clean (expected)
`jsx_label_missing_control_clean.jsx`	Clean	JSX label without associated control (missing htmlFor)	✓ Clean (expected)
`jsx_no_access_key_clean.jsx`	Clean	accessKey used (JSX)	✓ Clean (expected)
`jsx_no_autofocus_clean.jsx`	Clean	autoFocus used (JSX)	✓ Clean (expected)
`jsx_tabindex_positive_clean.jsx`	Clean	Positive tabIndex (JSX, WCAG 2.4.3)	✓ Clean (expected)
`jwt_env_secret.py`	Clean	JWT Hardcoded Secret	✓ Clean (expected)
`jwt_hardcoded_secret_clean.py`	Clean	JWT Hardcoded Secret	✓ Clean (expected)
`jwt_missing_verification_clean.js`	Clean	jwt_missing_verification	✓ Clean (expected)
`jwt_none_algorithm_clean.js`	Clean	JWT None Algorithm	✓ Clean (expected)
`jwt_none_algorithm_clean.py`	Clean	JWT None Algorithm	✓ Clean (expected)
`jwt_safe_algorithm.py`	Clean	JWT None Algorithm	✓ Clean (expected)
`jwt_weak_secret_clean.js`	Clean	JWT weak secret	✓ Clean (expected)
`ldap_injection_csharp_clean.cs`	Clean	LDAP injection (C#)	✓ Clean (expected)
`ldap_injection_java_broad_clean.java`	Clean	LDAP Injection (Java)	✗ False positive
`ldap_injection_java_clean.java`	Clean	LDAP injection (Java)	✓ Clean (expected)
`ldap_injection_python_clean.py`	Clean	LDAP injection (Python)	✓ Clean (expected)
`ldap_java_clean.java`	Clean	LDAP injection (Java)	✓ Clean (expected)
`ldap_python_clean.py`	Clean	LDAP injection (Python)	✓ Clean (expected)
`link_no_text_clean.html`	Clean	Link without text	✓ Clean (expected)
`llm_output_to_sink_clean.py`	Clean	LLM Output to Sink	✓ Clean (expected)
`local_time_usage_clean.py`	Clean	Local Time Without Timezone	✓ Clean (expected)
`local_unvalidated_arithmetic_clean.cs`	Clean	local_unvalidated_arithmetic	✗ False positive
`lock_order_inconsistency_clean.java`	Clean	lock_order_inconsistency	✗ False positive
`log4shell_jndi_clean.java`	Clean	Log4Shell (JNDI)	✓ Clean (expected)
`log_forging_csharp_clean.cs`	Clean	log_forging_csharp	✓ Clean (expected)
`log_injection_clean.js`	Clean	Log Injection	✓ Clean (expected)
`log_injection_clean.py`	Clean	Log Injection	✓ Clean (expected)
`log_sanitized.py`	Clean	Log Injection	✓ Clean (expected)
`loop_bound_injection_clean.js`	Clean	loop_bound_injection	✓ Clean (expected)
`manual_createelement_clean.js`	Clean	Manual createElement	✓ Clean (expected)
`mass_assignment_csharp_clean 2.cs`	Clean		✓ Clean (expected)
`mass_assignment_csharp_clean.cs`	Clean	Mass assignment (C#)	✓ Clean (expected)
`mass_assignment_java_clean 2.java`	Clean		✓ Clean (expected)
`mass_assignment_java_clean.java`	Clean	Mass assignment (Java)	✓ Clean (expected)
`mass_assignment_js_clean 2.js`	Clean		✓ Clean (expected)
`mass_assignment_js_clean.js`	Clean	Mass assignment (JavaScript)	✓ Clean (expected)
`mass_assignment_laravel_clean.php`	Clean	Mass assignment (Laravel)	✓ Clean (expected)
`mass_assignment_python_clean 2.py`	Clean		✓ Clean (expected)
`mass_assignment_python_clean.py`	Clean	Mass assignment (Python)	✓ Clean (expected)
`missing_auth_decorator_clean.py`	Clean	Missing Authentication Decorator	✓ Clean (expected)
`missing_authorize_attribute_clean.cs`	Clean	missing_authorize_attribute	✓ Clean (expected)
`missing_change_management_clean.py`	Clean	Missing Change Management	✓ Clean (expected)
`missing_csp_header_clean.py`	Clean	Missing Content-Security-Policy	✓ Clean (expected)
`missing_data_retention_clean.py`	Clean	Missing Data Retention	✓ Clean (expected)
`missing_doctype_clean.html`	Clean	Missing DOCTYPE declaration	✓ Clean (expected)
`missing_global_error_handler_clean.cs`	Clean	missing_global_error_handler	✓ Clean (expected)
`missing_health_check_clean.py`	Clean	Missing Health Check Endpoint	✓ Clean (expected)
`missing_hsts_clean.py`	Clean	Missing HSTS Header	✓ Clean (expected)
`missing_jwt_signature_check_clean.java`	Clean	missing_jwt_signature_check	✓ Clean (expected)
`missing_mfa_csharp_clean.cs`	Clean	Missing MFA (C#)	✓ Clean (expected)
`missing_mfa_java_clean.java`	Clean	Missing MFA (Java)	✗ False positive
`missing_mfa_javascript_clean.js`	Clean	Missing MFA (JavaScript)	✓ Clean (expected)
`missing_mfa_php_clean.php`	Clean	Missing MFA (PHP)	✓ Clean (expected)
`missing_mfa_python_clean.py`	Clean	Missing MFA (Python)	✓ Clean (expected)
`missing_monitoring_clean.py`	Clean	Missing Monitoring/Logging	✓ Clean (expected)
`missing_pkce_oauth_clean.js`	Clean	Missing PKCE (OAuth)	✓ Clean (expected)
`missing_rate_limit_clean.js`	Clean	Missing rate limiting	✓ Clean (expected)
`missing_regexp_anchor_clean.js`	Clean	missing_regexp_anchor	✓ Clean (expected)
`missing_security_docs_clean.py`	Clean	Undocumented Security Function	✓ Clean (expected)
`missing_session_timeout_clean.py`	Clean	Missing Session Timeout	✓ Clean (expected)
`missing_skip_link_clean.html`	Clean	Missing skip navigation link	✓ Clean (expected)
`missing_sri_clean.html`	Clean	Missing Subresource Integrity	✓ Clean (expected)
`missing_timeout_clean.py`	Clean	Missing request timeout	✓ Clean (expected)
`missing_x_frame_options_clean.js`	Clean	missing_x_frame_options	✓ Clean (expected)
`missing_x_frame_options_csharp_clean.cs`	Clean	missing_x_frame_options_csharp	✓ Clean (expected)
`missing_xml_validation_clean.cs`	Clean	missing_xml_validation	✗ False positive
`modern_api.py`	Clean	Deprecated API	✓ Clean (expected)
`mongo_operator_injection_clean.js`	Clean	MongoDB NoSQL injection	✓ Clean (expected)
`mvel_injection_clean.java`	Clean	mvel_injection	✗ False positive
`n_plus_1_query_clean.py`	Clean	Potential N+1 Query	✓ Clean (expected)
`n_plus_1_query_java_clean.java`	Clean	N+1 query (Java)	✓ Clean (expected)
`n_plus_1_query_js_clean 2.js`	Clean		✓ Clean (expected)
`n_plus_1_query_js_clean.js`	Clean	N+1 query (JavaScript)	✓ Clean (expected)
`n_plus_1_query_php_clean 2.php`	Clean		✓ Clean (expected)
`n_plus_1_query_php_clean.php`	Clean	N+1 query (PHP)	✓ Clean (expected)
`netty_response_splitting_clean.java`	Clean	netty_response_splitting	✓ Clean (expected)
`no_autoplay_media.html`	Clean	Autoplaying media	✓ Clean (expected)
`no_default_credentials.py`	Clean	Default Credentials	✓ Clean (expected)
`no_security_questions.py`	Clean	Security Questions Usage	✓ Clean (expected)
`normal_comment.py`	Clean	Unresolved TODO/FIXME	✓ Clean (expected)
`nosql_document_parse_java_clean 2.java`	Clean		✗ False positive
`nosql_document_parse_java_clean.java`	Clean	MongoDB Document.parse injection (Java)	✓ Clean (expected)
`nosql_injection_clean.py`	Clean	nosql_injection	✓ Clean (expected)
`nosql_injection_mongoose_clean.js`	Clean	NoSQL injection via Mongoose $where	✓ Clean (expected)
`nosql_operator_injection_python_clean 2.py`	Clean		✓ Clean (expected)
`nosql_operator_injection_python_clean.py`	Clean	MongoDB operator injection (Python)	✓ Clean (expected)
`npm_lifecycle_script_clean.js`	Clean	Suspicious npm lifecycle script	✓ Clean (expected)
`numeric_cast_tainted_clean.java`	Clean	numeric_cast_tainted	✓ Clean (expected)
`oauth_open_redirect_clean.py`	Clean	OAuth Open Redirect	✓ Clean (expected)
`ognl_injection_clean.java`	Clean	ognl_injection	✓ Clean (expected)
`open_redirect_clean.js`	Clean	Open redirect	✓ Clean (expected)
`open_redirect_csharp_clean.cs`	Clean	Open redirect (C#)	✓ Clean (expected)
`open_redirect_java_clean.java`	Clean	Open redirect (Java)	✓ Clean (expected)
`open_redirect_php_clean.php`	Clean	Open redirect (PHP)	✓ Clean (expected)
`os_system_injection_clean.py`	Clean	Shell execution via os.system/popen	✓ Clean (expected)
`overly_large_regex_range_clean.js`	Clean	overly_large_regex_range	✓ Clean (expected)
`overly_large_regex_range_clean.py`	Clean	overly_large_regex_range	✓ Clean (expected)
`page_no_title_clean.html`	Clean	Page without title	✓ Clean (expected)
`page_with_title.html`	Clean	Page without title	✓ Clean (expected)
`pam_auth_bypass_clean.py`	Clean	pam_auth_bypass	✓ Clean (expected)
`paramiko_no_host_key_clean.py`	Clean	Paramiko no host key verification	✓ Clean (expected)
`parser_without_try_clean.py`	Clean	Parser without error handling	✓ Clean (expected)
`partial_path_traversal_clean.java`	Clean	partial_path_traversal	✓ Clean (expected)
`partial_ssrf_clean.py`	Clean	partial_ssrf	✗ False positive
`password_in_config_file_clean.js`	Clean	password_in_config_file	✓ Clean (expected)
`password_reversible_storage_java_clean 2.java`	Clean		✓ Clean (expected)
`password_reversible_storage_java_clean.java`	Clean	Reversible password storage (Java)	✓ Clean (expected)
`password_reversible_storage_python_clean 2.py`	Clean		✓ Clean (expected)
`password_reversible_storage_python_clean.py`	Clean	Reversible password storage (Python)	✓ Clean (expected)
`path_traversal_csharp_clean.cs`	Clean	Path traversal (C#)	✓ Clean (expected)
`path_traversal_fis_clean.java`	Clean	Path Traversal (FileInputStream)	✗ False positive
`path_traversal_java_clean.java`	Clean	Path traversal (Java)	✓ Clean (expected)
`path_traversal_javascript_clean.js`	Clean	Path traversal (JavaScript)	✓ Clean (expected)
`path_traversal_os_join_clean.py`	Clean	Path traversal via os.path.join	✓ Clean (expected)
`path_traversal_python_clean.py`	Clean	Path traversal (Python)	✓ Clean (expected)
`permissive_file_permissions_clean.py`	Clean	Permissive file permissions	✓ Clean (expected)
`persistent_cookie_clean.cs`	Clean	persistent_cookie	✓ Clean (expected)
`php_deep_nesting_clean 2.php`	Clean		✓ Clean (expected)
`php_deep_nesting_clean.php`	Clean	Excessive nesting depth (PHP, 6+ levels)	✓ Clean (expected)
`php_empty_catch_block_clean 2.php`	Clean		✗ False positive
`php_empty_catch_block_clean.php`	Clean	Empty catch block (PHP)	✓ Clean (expected)
`php_exit_die_clean 2.php`	Clean		✓ Clean (expected)
`php_exit_die_clean.php`	Clean	Use of exit()/die() in PHP	✓ Clean (expected)
`php_public_property_clean 2.php`	Clean		✓ Clean (expected)
`php_public_property_clean.php`	Clean	Non-constant public property (PHP)	✓ Clean (expected)
`php_string_concat_loop_clean 2.php`	Clean		✓ Clean (expected)
`php_string_concat_loop_clean.php`	Clean	String concatenation in loop (PHP)	✓ Clean (expected)
`php_too_many_params_clean 2.php`	Clean		✓ Clean (expected)
`php_too_many_params_clean.php`	Clean	Too many PHP function parameters (6+)	✓ Clean (expected)
`pii_in_tests_clean.py`	Clean	PII in Test Code	✓ Clean (expected)
`pii_in_url_clean.py`	Clean	PII in URL	✓ Clean (expected)
`pii_logged_clean.py`	Clean	PII Logged	✓ Clean (expected)
`pinned_composer.json`	Clean	Unpinned Dependency	✓ Clean (expected)
`pinned_csproj.xml`	Clean	Unpinned Dependency	✓ Clean (expected)
`pinned_package.json`	Clean	Unpinned Dependency	✓ Clean (expected)
`pinned_pom.xml`	Clean	Unpinned Dependency	✓ Clean (expected)
`pinned_pyproject.toml`	Clean	Unpinned Dependency	✓ Clean (expected)
`pinned_requirements.txt`	Clean	Unpinned Dependency	✓ Clean (expected)
`polynomial_redos_java_clean.java`	Clean	polynomial_redos_java	✓ Clean (expected)
`positive_tabindex_clean.html`	Clean	Positive tabindex	✓ Clean (expected)
`postmessage_no_origin_check_clean.js`	Clean	postMessage Without Origin Check	✓ Clean (expected)
`postmessage_origin_check.js`	Clean	postMessage Without Origin Check	✓ Clean (expected)
`predictable_seed_clean.java`	Clean	predictable_seed	✓ Clean (expected)
`predictable_session_clean.py`	Clean	Predictable token/session	✓ Clean (expected)
`private_file_exposure_clean.js`	Clean	private_file_exposure	✓ Clean (expected)
`privilege_escalation_clean.py`	Clean	Privilege Escalation	✓ Clean (expected)
`prompt_injection_llm_clean.js`	Clean	Prompt Injection (LLM)	✓ Clean (expected)
`prompt_injection_llm_clean.py`	Clean	Prompt Injection (LLM)	✓ Clean (expected)
`prototype_pollution_clean.js`	Clean	Prototype pollution	✓ Clean (expected)
`pull_request_target_checkout_clean.txt`	Clean	pull_request_target with fork checkout	✓ Clean (expected)
`pull_request_target_checkout_clean.yml`	Clean	pull_request_target with fork checkout	✗ False positive
`py_bare_except_clean 2.py`	Clean		✓ Clean (expected)
`py_bare_except_clean.py`	Clean	Bare except clause (no exception type)	✓ Clean (expected)
`py_commented_out_code_clean 2.py`	Clean		✓ Clean (expected)
`py_commented_out_code_clean.py`	Clean	Commented-out code (dead code)	✓ Clean (expected)
`py_global_statement_clean 2.py`	Clean		✓ Clean (expected)
`py_global_statement_clean.py`	Clean	Global statement inside function	✓ Clean (expected)
`py_magic_value_comparison_clean 2.py`	Clean		✓ Clean (expected)
`py_magic_value_comparison_clean.py`	Clean	Magic number comparison	✓ Clean (expected)
`py_missing_class_docstring_clean 2.py`	Clean		✓ Clean (expected)
`py_missing_class_docstring_clean.py`	Clean	py_missing_class_docstring	✓ Clean (expected)
`py_too_many_arguments_clean 2.py`	Clean		✗ False positive
`py_too_many_arguments_clean.py`	Clean	Too many function arguments (6+)	✓ Clean (expected)
`py_too_many_nested_blocks_clean 2.py`	Clean		✓ Clean (expected)
`py_too_many_nested_blocks_clean.py`	Clean	Excessive nesting depth (6+ levels)	✓ Clean (expected)
`race_condition_clean.py`	Clean	Race condition (TOCTOU)	✓ Clean (expected)
`race_condition_financial_clean.py`	Clean	Race Condition (Financial)	✓ Clean (expected)
`razor_html_raw_clean.cs`	Clean	XSS via Html.Raw()	✓ Clean (expected)
`redis_eval_injection_js_clean 2.js`	Clean		✓ Clean (expected)
`redis_eval_injection_js_clean.js`	Clean	Redis EVAL injection (JavaScript)	✓ Clean (expected)
`redis_eval_injection_python_clean 2.py`	Clean		✗ False positive
`redis_eval_injection_python_clean.py`	Clean	Redis EVAL injection (Python)	✓ Clean (expected)
`redos_nested_quantifier_clean.py`	Clean	ReDoS nested quantifier	✓ Clean (expected)
`redos_safe.py`	Clean	ReDoS Vulnerable Regex	✓ Clean (expected)
`redos_vulnerable_clean.py`	Clean	ReDoS Vulnerable Regex	✓ Clean (expected)
`regex_dos_clean.js`	Clean	ReDoS — unsafe regex	✓ Clean (expected)
`regex_injection_clean.js`	Clean	regex_injection	✓ Clean (expected)
`regex_injection_csharp_clean.cs`	Clean	regex_injection_csharp	✓ Clean (expected)
`regex_injection_java_clean.java`	Clean	regex_injection_java	✓ Clean (expected)
`regex_redos_js_clean 2.js`	Clean		✗ False positive
`regex_redos_js_clean.js`	Clean	ReDoS via user-controlled RegExp (JavaScript)	✓ Clean (expected)
`remote_property_injection_clean.js`	Clean	remote_property_injection	✓ Clean (expected)
`request_validation_disabled_clean.cs`	Clean	Request validation disabled	✓ Clean (expected)
`request_validation_disabled_clean.py`	Clean	Request validation disabled	✓ Clean (expected)
`resource_exhaustion_clean.js`	Clean	resource_exhaustion	✓ Clean (expected)
`resource_injection_csharp_clean.cs`	Clean	resource_injection_csharp	✓ Clean (expected)
`rsa_without_oaep_clean.java`	Clean	rsa_without_oaep	✓ Clean (expected)
`rsa_without_oaep_csharp_clean.cs`	Clean	rsa_without_oaep_csharp	✓ Clean (expected)
`runtime_checks_bypass_clean.cs`	Clean	runtime_checks_bypass	✓ Clean (expected)
`safe_deserialization.py`	Clean	Unsafe deserialization	✓ Clean (expected)
`safe_exception.py`	Clean	Verbose exception	✓ Clean (expected)
`safe_file_access.py`	Clean	Race condition (TOCTOU)	✓ Clean (expected)
`safe_import.py`	Clean	Dynamic import	✓ Clean (expected)
`safe_no_eval.py`	Clean	Dangerous Eval/Exec	✓ Clean (expected)
`samesite_none_cookie_clean.js`	Clean	samesite_none_cookie	✓ Clean (expected)
`samesite_none_cookie_clean.py`	Clean	samesite_none_cookie	✗ False positive
`sample_cicd_clean.yml`	Clean	pull_request_target with fork checkout	✗ False positive
`sample_csharp_clean.cs`	Clean	SQL injection (C# concatenation)	✓ Clean (expected)
`sample_data_retention_clean.py`	Clean	Missing Data Retention	✓ Clean (expected)
`sample_deprecated_csharp_clean.cs`	Clean	Deprecated API (C#)	✓ Clean (expected)
`sample_deprecated_java_clean.java`	Clean	Deprecated API (Java)	✓ Clean (expected)
`sample_deprecated_js_clean.js`	Clean	Deprecated API (JavaScript)	✓ Clean (expected)
`sample_deprecated_php_clean.php`	Clean	Deprecated API (PHP)	✓ Clean (expected)
`sample_dockerfile_clean`	Clean	Dockerfile runs as root	✓ Clean (expected)
`sample_frontend_xss_clean.jsx`	Clean	XSS via React dangerouslySetInnerHTML	✓ Clean (expected)
`sample_gitlab_clean.yml`	Clean	Unprotected GitLab CI variable	✓ Clean (expected)
`sample_hardcoded_ui_html_clean.html`	Clean	Hardcoded UI string	✓ Clean (expected)
`sample_hardcoded_ui_string_clean.js`	Clean	Hardcoded UI string	✓ Clean (expected)
`sample_java_clean.java`	Clean	SQL injection (Java concatenation)	✓ Clean (expected)
`sample_mfa_csharp_clean.cs`	Clean	Missing MFA (C#)	✓ Clean (expected)
`sample_mfa_java_clean.java`	Clean	Missing MFA (Java)	✓ Clean (expected)
`sample_mfa_js_clean.js`	Clean	Missing MFA (JavaScript)	✓ Clean (expected)
`sample_mfa_php_clean.php`	Clean	Missing MFA (PHP)	✓ Clean (expected)
`sample_mfa_python_clean.py`	Clean	Missing MFA (Python)	✓ Clean (expected)
`sample_orm_js_clean.js`	Clean	SQL injection via Sequelize raw query	✓ Clean (expected)
`sample_orm_python_clean.py`	Clean	SQL injection via Django raw SQL	✓ Clean (expected)
`sample_php_clean.php`	Clean	SQL injection (PHP concatenation)	✓ Clean (expected)
`sample_pii_logged_clean.py`	Clean	PII Logged	✓ Clean (expected)
`sample_svelte_xss_clean.svelte`	Clean	XSS via Svelte {@html} tag	✓ Clean (expected)
`sample_vue_xss_clean.vue`	Clean	XSS via Vue.js v-html directive	✓ Clean (expected)
`script_with_sri.html`	Clean	Missing Subresource Integrity	✓ Clean (expected)
`second_order_command_injection_clean.js`	Clean	second_order_command_injection	✓ Clean (expected)
`secret_example.py`	Clean	Hardcoded secret	✓ Clean (expected)
`secret_in_env.py`	Clean	Hardcoded secret	✓ Clean (expected)
`secret_logged_arg_clean.py`	Clean	Secret logged (argument)	✓ Clean (expected)
`secret_logged_csharp_clean.cs`	Clean	Secret logged (C#)	✓ Clean (expected)
`secret_logged_fstring_clean.py`	Clean	Secret logged (f-string)	✓ Clean (expected)
`secret_logged_java_clean.java`	Clean	Secret logged (Java)	✓ Clean (expected)
`secret_logged_php_clean.php`	Clean	Secret logged (PHP)	✓ Clean (expected)
`secret_masked.py`	Clean	Secret logged (f-string)	✓ Clean (expected)
`secret_not_logged_arg.py`	Clean	Secret logged (argument)	✓ Clean (expected)
`secure_auth.py`	Clean	Homebrew authentication	✓ Clean (expected)
`secure_cookie_java.java`	Clean	Insecure cookie (missing HttpOnly/Secure)	✓ Clean (expected)
`secure_cookie_js.js`	Clean	Insecure cookie (missing HttpOnly/Secure)	✓ Clean (expected)
`secure_cookie_python.py`	Clean	Insecure cookie (missing HttpOnly/Secure)	✓ Clean (expected)
`secure_random.js`	Clean	Insecure RNG	✓ Clean (expected)
`secure_session.py`	Clean	Predictable token/session	✓ Clean (expected)
`security_questions_clean.py`	Clean	Security Questions Usage	✗ False positive
`sensitive_get_query_clean.js`	Clean	sensitive_get_query	✓ Clean (expected)
`server_crash_unhandled_clean.js`	Clean	server_crash_unhandled	✗ False positive
`server_side_auth.js`	Clean	Client-side access control	✓ Clean (expected)
`service_worker_hijack_clean.js`	Clean	Service Worker Hijack	✓ Clean (expected)
`session_fixation_clean.js`	Clean	session_fixation	✓ Clean (expected)
`session_not_abandoned_clean.cs`	Clean	session_not_abandoned	✓ Clean (expected)
`shell_injection_from_env_clean.js`	Clean	shell_injection_from_env	✓ Clean (expected)
`smtp_injection_php_clean.php`	Clean	SMTP Header Injection (PHP)	✓ Clean (expected)
`smtp_injection_python_clean.py`	Clean	SMTP Header Injection (Python)	✓ Clean (expected)
`socket_auth_race_clean.java`	Clean	socket_auth_race	✓ Clean (expected)
`specific_exception.py`	Clean	Catch-all exception	✓ Clean (expected)
`spel_injection_clean.java`	Clean	SpEL injection	✓ Clean (expected)
`spring_actuator_exposed_clean.java`	Clean	Spring Actuator Exposed	✓ Clean (expected)
`spring_cors_permissive_clean.java`	Clean	Permissive CORS configuration	✓ Clean (expected)
`spring_csrf_disabled_clean.java`	Clean	Spring CSRF disabled	✓ Clean (expected)
`sql_injection_concat_clean.py`	Clean	SQL Injection (concat)	✓ Clean (expected)
`sql_injection_concat_csharp_clean.cs`	Clean	SQL injection (C# concatenation)	✓ Clean (expected)
`sql_injection_concat_java_clean.java`	Clean	SQL injection (Java concatenation)	✓ Clean (expected)
`sql_injection_concat_php_clean.php`	Clean	SQL injection (PHP concatenation)	✓ Clean (expected)
`sql_injection_dapper_clean.cs`	Clean	SQL injection via Dapper raw query	✓ Clean (expected)
`sql_injection_dapper_clean.py`	Clean	SQL injection via Dapper raw query	✓ Clean (expected)
`sql_injection_django_raw_clean.py`	Clean	SQL injection via Django raw SQL	✓ Clean (expected)
`sql_injection_doctrine_clean.php`	Clean	SQL injection via Doctrine DQL	✓ Clean (expected)
`sql_injection_format_java_clean.java`	Clean	SQL injection (Java String.format)	✓ Clean (expected)
`sql_injection_format_string_python_clean 2.py`	Clean		✓ Clean (expected)
`sql_injection_format_string_python_clean.py`	Clean	SQL injection via % format string (Python)	✓ Clean (expected)
`sql_injection_fstring_clean.py`	Clean	SQL Injection (f-string)	✓ Clean (expected)
`sql_injection_java_broad_clean.java`	Clean	SQL Injection (Java)	✓ Clean (expected)
`sql_injection_jpa_native_clean.java`	Clean	SQL injection via JPA/Hibernate native query	✓ Clean (expected)
`sql_injection_mybatis_clean.java`	Clean	SQL injection via MyBatis ${} interpolation	✓ Clean (expected)
`sql_injection_prisma_clean.js`	Clean	SQL injection via Prisma $queryRaw	✓ Clean (expected)
`sql_injection_raw_js_clean 2.js`	Clean		✓ Clean (expected)
`sql_injection_raw_js_clean.js`	Clean	SQL injection in raw query (JavaScript)	✓ Clean (expected)
`sql_injection_sequelize_clean.js`	Clean	SQL injection via Sequelize raw query	✓ Clean (expected)
`sql_injection_sqlalchemy_text_clean.py`	Clean	SQL injection via SQLAlchemy text()	✓ Clean (expected)
`sql_injection_string_format_csharp_clean 2.cs`	Clean		✓ Clean (expected)
`sql_injection_string_format_csharp_clean.cs`	Clean	SQL injection via string.Format (C#)	✓ Clean (expected)
`sql_injection_typeorm_clean.js`	Clean	SQL injection via TypeORM raw query	✓ Clean (expected)
`sql_injection_whereraw_php_clean.php`	Clean	SQL injection via Laravel whereRaw/havingRaw	✓ Clean (expected)
`sql_injection_wpdb_clean.php`	Clean	SQL injection via WordPress $wpdb	✓ Clean (expected)
`sql_order_by_injection_python_clean 2.py`	Clean		✓ Clean (expected)
`sql_order_by_injection_python_clean.py`	Clean	ORDER BY injection (Python)	✓ Clean (expected)
`sql_parameterized.py`	Clean	SQL Injection (f-string)	✓ Clean (expected)
`sql_static.py`	Clean	SQL Injection (f-string)	✓ Clean (expected)
`ssl_bypass_csharp_clean.cs`	Clean	SSL/TLS bypass (C#)	✓ Clean (expected)
`ssl_bypass_java_clean.java`	Clean	SSL/TLS bypass (Java)	✓ Clean (expected)
`ssl_no_cert_validation_clean.py`	Clean	SSL cert validation disabled	✓ Clean (expected)
`ssrf_csharp_clean.cs`	Clean	Server-Side Request Forgery (C#)	✓ Clean (expected)
`ssrf_java_clean.java`	Clean	Server-Side Request Forgery (Java)	✓ Clean (expected)
`ssrf_javascript_clean.js`	Clean	Server-Side Request Forgery (JavaScript)	✓ Clean (expected)
`ssrf_pdf_generation_clean.py`	Clean	SSRF via PDF Generation	✓ Clean (expected)
`ssrf_php_clean.php`	Clean	Server-Side Request Forgery (PHP)	✓ Clean (expected)
`ssrf_python_clean.py`	Clean	Server-Side Request Forgery (Python)	✓ Clean (expected)
`ssti_javascript_clean.js`	Clean	Server-Side Template Injection (JavaScript)	✓ Clean (expected)
`ssti_python_clean.py`	Clean	Server-Side Template Injection (Python)	✓ Clean (expected)
`static_initialization_vector_clean.java`	Clean	static_initialization_vector	✓ Clean (expected)
`stored_procedure_dynamic_csharp_clean 2.cs`	Clean		✓ Clean (expected)
`stored_procedure_dynamic_csharp_clean.cs`	Clean	Dynamic stored procedure (C#)	✓ Clean (expected)
`stored_procedure_dynamic_java_clean 2.java`	Clean		✓ Clean (expected)
`stored_procedure_dynamic_java_clean.java`	Clean	Dynamic stored procedure (Java)	✓ Clean (expected)
`stored_procedure_dynamic_php_clean 2.php`	Clean		✓ Clean (expected)
`stored_procedure_dynamic_php_clean.php`	Clean	Dynamic stored procedure (PHP)	✓ Clean (expected)
`stored_xss_clean.js`	Clean	stored_xss	✓ Clean (expected)
`strong_crypto.py`	Clean	Weak cryptographic algorithm	✓ Clean (expected)
`strong_password_policy.py`	Clean	Weak Password Policy	✓ Clean (expected)
`sufficient_key_size.py`	Clean	Insufficient Cryptographic Key Size	✓ Clean (expected)
`svelte_at_html_clean.js`	Clean	Svelte {@html} — XSS risk	✓ Clean (expected)
`svg_inline_html_clean.html`	Clean	Inline SVG in HTML	✓ Clean (expected)
`svg_safe_content.html`	Clean	SVG With Scriptable Content	✓ Clean (expected)
`svg_scriptable_content_clean.html`	Clean	SVG With Scriptable Content	✓ Clean (expected)
`system_out_java_clean.java`	Clean	System.out in production (Java)	✓ Clean (expected)
`taint_codeinj_clean.cs`	Clean	Taint Code Injection	✓ Clean (expected)
`taint_codeinj_clean.java`	Clean	Taint Code Injection	✓ Clean (expected)
`taint_codeinj_clean.js`	Clean	Taint Code Injection	✓ Clean (expected)
`taint_codeinj_clean.php`	Clean	Taint Code Injection	✓ Clean (expected)
`taint_codeinj_clean.py`	Clean	Taint Code Injection	✓ Clean (expected)
`taint_cookie_injection_clean.cs`	Clean	taint_cookie_injection	✓ Clean (expected)
`taint_cookie_injection_clean.java`	Clean	taint_cookie_injection	✗ False positive
`taint_cookie_injection_clean.js`	Clean	taint_cookie_injection	✓ Clean (expected)
`taint_cookie_injection_clean.php`	Clean	taint_cookie_injection	✓ Clean (expected)
`taint_cookie_injection_clean.py`	Clean	taint_cookie_injection	✓ Clean (expected)
`taint_deserialization_clean.cs`	Clean	Taint Deserialization	✓ Clean (expected)
`taint_deserialization_clean.php`	Clean	Taint Deserialization	✓ Clean (expected)
`taint_deserialization_clean.py`	Clean	Taint Deserialization	✓ Clean (expected)
`taint_graphql_injection_clean.cs`	Clean	taint_graphql_injection	✓ Clean (expected)
`taint_graphql_injection_clean.java`	Clean	taint_graphql_injection	✓ Clean (expected)
`taint_graphql_injection_clean.js`	Clean	taint_graphql_injection	✓ Clean (expected)
`taint_graphql_injection_clean.php`	Clean	taint_graphql_injection	✗ False positive
`taint_graphql_injection_clean.py`	Clean	taint_graphql_injection	✗ False positive
`taint_header_injection_clean.cs`	Clean	taint_header_injection	✓ Clean (expected)
`taint_header_injection_clean.java`	Clean	taint_header_injection	✗ False positive
`taint_header_injection_clean.js`	Clean	taint_header_injection	✓ Clean (expected)
`taint_header_injection_clean.php`	Clean	taint_header_injection	✓ Clean (expected)
`taint_header_injection_clean.py`	Clean	taint_header_injection	✓ Clean (expected)
`taint_ldap_clean.cs`	Clean	Taint LDAP Injection	✓ Clean (expected)
`taint_ldap_clean.java`	Clean	Taint LDAP Injection	✓ Clean (expected)
`taint_ldap_clean.js`	Clean	Taint LDAP Injection	✓ Clean (expected)
`taint_ldap_clean.php`	Clean	Taint LDAP Injection	✓ Clean (expected)
`taint_ldap_clean.py`	Clean	Taint LDAP Injection	✓ Clean (expected)
`taint_log_injection_clean.cs`	Clean	Taint Log Injection	✓ Clean (expected)
`taint_log_injection_clean.java`	Clean	Taint Log Injection	✓ Clean (expected)
`taint_log_injection_clean.js`	Clean	Taint Log Injection	✓ Clean (expected)
`taint_log_injection_clean.php`	Clean	Taint Log Injection	✓ Clean (expected)
`taint_log_injection_clean.py`	Clean	Taint Log Injection	✓ Clean (expected)
`taint_nosql_clean.cs`	Clean	taint_nosql	✓ Clean (expected)
`taint_nosql_clean.java`	Clean	taint_nosql	✓ Clean (expected)
`taint_nosql_clean.js`	Clean	taint_nosql	✓ Clean (expected)
`taint_nosql_clean.php`	Clean	taint_nosql	✓ Clean (expected)
`taint_nosql_clean.py`	Clean	taint_nosql	✗ False positive
`taint_open_redirect_clean.cs`	Clean	Taint Open Redirect	✓ Clean (expected)
`taint_open_redirect_clean.java`	Clean	Taint Open Redirect	✗ False positive
`taint_open_redirect_clean.js`	Clean	Taint Open Redirect	✓ Clean (expected)
`taint_open_redirect_clean.php`	Clean	Taint Open Redirect	✓ Clean (expected)
`taint_open_redirect_clean.py`	Clean	Taint Open Redirect	✓ Clean (expected)
`taint_path_traversal_clean.cs`	Clean	Taint Path Traversal	✓ Clean (expected)
`taint_path_traversal_clean.java`	Clean	Taint Path Traversal	✓ Clean (expected)
`taint_path_traversal_clean.js`	Clean	Taint Path Traversal	✓ Clean (expected)
`taint_path_traversal_clean.php`	Clean	Taint Path Traversal	✓ Clean (expected)
`taint_path_traversal_clean.py`	Clean	Taint Path Traversal	✓ Clean (expected)
`taint_rce_clean.cs`	Clean	Taint RCE	✗ False positive
`taint_rce_clean.php`	Clean	Taint RCE	✓ Clean (expected)
`taint_rce_clean.py`	Clean	Taint RCE	✓ Clean (expected)
`taint_smtp_injection_clean.cs`	Clean	taint_smtp_injection	✓ Clean (expected)
`taint_smtp_injection_clean.java`	Clean	taint_smtp_injection	✗ False positive
`taint_smtp_injection_clean.js`	Clean	taint_smtp_injection	✓ Clean (expected)
`taint_smtp_injection_clean.php`	Clean	taint_smtp_injection	✓ Clean (expected)
`taint_smtp_injection_clean.py`	Clean	taint_smtp_injection	✓ Clean (expected)
`taint_sqli_clean.js`	Clean	Taint SQL Injection	✓ Clean (expected)
`taint_sqli_clean.php`	Clean	Taint SQL Injection	✓ Clean (expected)
`taint_sqli_clean.py`	Clean	Taint SQL Injection	✓ Clean (expected)
`taint_ssrf_clean.php`	Clean	Taint SSRF	✓ Clean (expected)
`taint_ssrf_clean.py`	Clean	Taint SSRF	✓ Clean (expected)
`taint_ssti_clean.cs`	Clean	Taint SSTI	✓ Clean (expected)
`taint_ssti_clean.java`	Clean	Taint SSTI	✓ Clean (expected)
`taint_ssti_clean.js`	Clean	Taint SSTI	✓ Clean (expected)
`taint_ssti_clean.php`	Clean	Taint SSTI	✓ Clean (expected)
`taint_ssti_clean.py`	Clean	Taint SSTI	✓ Clean (expected)
`taint_xpathi_clean.cs`	Clean	Taint XPath Injection	✓ Clean (expected)
`taint_xpathi_clean.java`	Clean	Taint XPath Injection	✗ False positive
`taint_xpathi_clean.js`	Clean	Taint XPath Injection	✓ Clean (expected)
`taint_xpathi_clean.php`	Clean	Taint XPath Injection	✓ Clean (expected)
`taint_xpathi_clean.py`	Clean	Taint XPath Injection	✓ Clean (expected)
`taint_xss_clean.cs`	Clean	Taint XSS	✓ Clean (expected)
`taint_xss_clean.java`	Clean	Taint XSS	✓ Clean (expected)
`taint_xss_clean.js`	Clean	Taint XSS	✓ Clean (expected)
`taint_xss_clean.php`	Clean	Taint XSS	✓ Clean (expected)
`taint_xss_clean.py`	Clean	Taint XSS	✓ Clean (expected)
`taint_xxe_clean.cs`	Clean	Taint XXE	✓ Clean (expected)
`taint_xxe_clean.java`	Clean	Taint XXE	✓ Clean (expected)
`taint_xxe_clean.js`	Clean	Taint XXE	✓ Clean (expected)
`taint_xxe_clean.php`	Clean	Taint XXE	✗ False positive
`taint_xxe_clean.py`	Clean	Taint XXE	✓ Clean (expected)
`tainted_format_string_clean.js`	Clean	tainted_format_string	✓ Clean (expected)
`tainted_permissions_check_clean.java`	Clean	tainted_permissions_check	✓ Clean (expected)
`tarfile_unsafe_extract_clean.py`	Clean	Unsafe tar extraction	✓ Clean (expected)
`temp_dir_info_disclosure_clean.java`	Clean	temp_dir_info_disclosure	✓ Clean (expected)
`template_injection_java_clean.java`	Clean	template_injection_java	✓ Clean (expected)
`template_object_injection_clean.js`	Clean	template_object_injection	✗ False positive
`toctou_race_condition_clean.java`	Clean	toctou_race_condition	✓ Clean (expected)
`todo_unresolved_clean.java`	Clean	Unresolved TODO/FIXME	✓ Clean (expected)
`todo_unresolved_clean.js`	Clean	Unresolved TODO/FIXME	✓ Clean (expected)
`todo_unresolved_clean.py`	Clean	Unresolved TODO/FIXME	✓ Clean (expected)
`trust_boundary_java_clean.java`	Clean	Trust Boundary Violation	✓ Clean (expected)
`trust_boundary_python_clean.py`	Clean	Trust boundary violation	✓ Clean (expected)
`type_confusion_parameter_clean.js`	Clean	type_confusion_parameter	✓ Clean (expected)
`type_juggling_php_clean.php`	Clean	Type juggling (PHP)	✓ Clean (expected)
`unbounded_query_clean.py`	Clean	Unbounded Query	✓ Clean (expected)
`unbounded_query_java_clean 2.java`	Clean		✓ Clean (expected)
`unbounded_query_java_clean.java`	Clean	Unbounded query (Java)	✓ Clean (expected)
`unbounded_query_js_clean 2.js`	Clean		✓ Clean (expected)
`unbounded_query_js_clean.js`	Clean	Unbounded query (JavaScript)	✓ Clean (expected)
`unbounded_query_php_clean 2.php`	Clean		✓ Clean (expected)
`unbounded_query_php_clean.php`	Clean	Unbounded query (PHP)	✓ Clean (expected)
`uncontrolled_format_string_clean.cs`	Clean	uncontrolled_format_string	✓ Clean (expected)
`unencrypted_transfer_clean.py`	Clean	Unencrypted Data Transfer	✓ Clean (expected)
`unpinned_action_version_clean.yml`	Clean	Unpinned action version	✓ Clean (expected)
`unrestricted_file_upload_java_clean 2.java`	Clean		✗ False positive
`unrestricted_file_upload_java_clean.java`	Clean	Unrestricted file upload (Java/Spring)	✓ Clean (expected)
`unrestricted_file_upload_js_clean 2.js`	Clean		✗ False positive
`unrestricted_file_upload_js_clean.js`	Clean	Unrestricted file upload (Node.js/Multer)	✓ Clean (expected)
`unrestricted_file_upload_php_clean 2.php`	Clean		✗ False positive
`unrestricted_file_upload_php_clean.php`	Clean	Unrestricted file upload (PHP)	✓ Clean (expected)
`unreviewed_vendor_code_clean.py`	Clean	Unreviewed Vendor Code	✓ Clean (expected)
`unsafe_code_construction_clean.js`	Clean	unsafe_code_construction	✓ Clean (expected)
`unsafe_deserialization_clean.py`	Clean	Unsafe deserialization	✓ Clean (expected)
`unsafe_deserialization_csharp_clean.cs`	Clean	Unsafe deserialization (C#)	✓ Clean (expected)
`unsafe_deserialization_delegate_clean.cs`	Clean	unsafe_deserialization_delegate	✓ Clean (expected)
`unsafe_deserialization_java_clean.java`	Clean	Unsafe deserialization (Java)	✓ Clean (expected)
`unsafe_deserialization_php_clean.php`	Clean	Unsafe deserialization (PHP)	✓ Clean (expected)
`unsafe_dynamic_method_access_clean.js`	Clean	unsafe_dynamic_method_access	✓ Clean (expected)
`unsafe_html_expansion_clean.js`	Clean	unsafe_html_expansion	✓ Clean (expected)
`unsafe_require_clean.js`	Clean	require() with dynamic variable	✓ Clean (expected)
`unsafe_shell_construction_clean.py`	Clean	unsafe_shell_construction	✓ Clean (expected)
`unvalidated_dynamic_method_call_clean.js`	Clean	unvalidated_dynamic_method_call	✓ Clean (expected)
`unvalidated_input_clean.py`	Clean	Unvalidated input (OS injection)	✓ Clean (expected)
`url_forward_injection_clean.java`	Clean	url_forward_injection	✓ Clean (expected)
`use_ssl_socket_clean.java`	Clean	use_ssl_socket	✓ Clean (expected)
`useless_regexp_escape_clean.js`	Clean	useless_regexp_escape	✓ Clean (expected)
`validated_input.py`	Clean	Unvalidated input (OS injection)	✓ Clean (expected)
`verbose_exception_clean.py`	Clean	Verbose exception	✓ Clean (expected)
`verbose_exception_csharp_clean.cs`	Clean	Verbose exception (C#)	✓ Clean (expected)
`verbose_exception_java_clean.java`	Clean	Verbose exception (Java)	✓ Clean (expected)
`verbose_exception_php_clean.php`	Clean	Verbose exception (PHP)	✓ Clean (expected)
`vue_v_html_clean.js`	Clean	Vue.js v-html — XSS risk	✓ Clean (expected)
`vulnerable_dependency_clean.py`	Clean	Vulnerable Dependency	✓ Clean (expected)
`weak_cipher_java_clean.java`	Clean	Weak Cipher (Java)	✓ Clean (expected)
`weak_crypto_clean.py`	Clean	Weak cryptographic algorithm	✓ Clean (expected)
`weak_crypto_csharp_clean.cs`	Clean	Weak cryptography (C#)	✓ Clean (expected)
`weak_crypto_java_clean.java`	Clean	Weak cryptography (Java)	✓ Clean (expected)
`weak_crypto_php_clean.php`	Clean	Weak cryptography (PHP)	✓ Clean (expected)
`weak_password_hash_clean.py`	Clean	Weak Password Hash	✓ Clean (expected)
`weak_password_hash_php_clean 2.php`	Clean		✓ Clean (expected)
`weak_password_hash_php_clean.php`	Clean	Weak password hashing (PHP)	✓ Clean (expected)
`weak_password_policy_clean.py`	Clean	Weak Password Policy	✓ Clean (expected)
`weak_random_csharp_clean.cs`	Clean	Weak random (C#)	✓ Clean (expected)
`weak_random_java_clean.java`	Clean	Weak random (Java)	✓ Clean (expected)
`weak_random_java_util_clean.java`	Clean	Weak Random (Java)	✓ Clean (expected)
`weak_random_php_clean.php`	Clean	Weak random (PHP)	✓ Clean (expected)
`weak_random_python_clean.py`	Clean	Weak random number generator	✓ Clean (expected)
`websocket_no_tls_clean.js`	Clean	WebSocket Without TLS	✓ Clean (expected)
`websocket_no_tls_clean.py`	Clean	WebSocket Without TLS	✓ Clean (expected)
`websocket_no_validation_clean.js`	Clean	WebSocket No Validation	✓ Clean (expected)
`websocket_tls.js`	Clean	WebSocket Without TLS	✓ Clean (expected)
`websocket_tls_python.py`	Clean	WebSocket Without TLS	✓ Clean (expected)
`window_open_noopener_clean.js`	Clean	window.open without noopener	✓ Clean (expected)
`with_doctype.html`	Clean	Missing DOCTYPE declaration	✓ Clean (expected)
`with_skip_link.html`	Clean	Missing skip navigation link	✓ Clean (expected)
`workflow_not_in_codeowners_clean.yml`	Clean	Workflows missing from CODEOWNERS	✓ Clean (expected)
`world_writable_file_read_clean.java`	Clean	world_writable_file_read	✓ Clean (expected)
`xml_bomb_clean.js`	Clean	xml_bomb	✓ Clean (expected)
`xml_bomb_clean.py`	Clean	xml_bomb	✓ Clean (expected)
`xml_injection_csharp_clean.cs`	Clean	xml_injection_csharp	✓ Clean (expected)
`xpath_injection_clean.js`	Clean	xpath_injection	✓ Clean (expected)
`xpath_injection_csharp_clean.cs`	Clean	XPath Injection (C#)	✓ Clean (expected)
`xpath_injection_java_clean.java`	Clean	XPath Injection (Java)	✓ Clean (expected)
`xpath_injection_java_eval_clean.java`	Clean	XPath Injection (Java)	✓ Clean (expected)
`xpath_injection_php_clean.php`	Clean	XPath Injection (PHP)	✓ Clean (expected)
`xpath_injection_python_clean.py`	Clean	XPath Injection (Python)	✓ Clean (expected)
`xslt_injection_clean.java`	Clean	xslt_injection	✓ Clean (expected)
`xss_angular_bypass_clean.js`	Clean	XSS via Angular security bypass	✓ Clean (expected)
`xss_blade_unescaped_clean.php`	Clean	XSS via unescaped Blade output	✓ Clean (expected)
`xss_echo_php_clean.php`	Clean	XSS via echo (PHP)	✓ Clean (expected)
`xss_exception_exposure_clean.js`	Clean	xss_exception_exposure	✓ Clean (expected)
`xss_flask_reflected_clean.py`	Clean	Reflected XSS (Flask)	✓ Clean (expected)
`xss_innerhtml_clean.js`	Clean	XSS via innerHTML	✓ Clean (expected)
`xss_jquery_unsafe_plugin_clean.js`	Clean	xss_jquery_unsafe_plugin	✓ Clean (expected)
`xss_raw_html_clean.cs`	Clean	XSS via Html.Raw()	✓ Clean (expected)
`xss_raw_html_clean.py`	Clean	XSS via Html.Raw()	✓ Clean (expected)
`xss_react_dangerous_clean.js`	Clean	XSS via React dangerouslySetInnerHTML	✓ Clean (expected)
`xss_servlet_response_clean.java`	Clean	XSS Servlet Response	✓ Clean (expected)
`xss_svelte_html_clean.html`	Clean	XSS via Svelte {@html} tag	✓ Clean (expected)
`xss_through_dom_clean.js`	Clean	xss_through_dom	✓ Clean (expected)
`xss_unsafe_html_construction_clean.js`	Clean	xss_unsafe_html_construction	✓ Clean (expected)
`xss_vue_vhtml_clean.html`	Clean	XSS via Vue.js v-html directive	✓ Clean (expected)
`xxe_injection_clean.java`	Clean	XXE injection	✓ Clean (expected)
`xxe_injection_clean.js`	Clean	XXE injection	✓ Clean (expected)
`xxe_injection_csharp_clean.cs`	Clean	XXE injection (C#)	✓ Clean (expected)
`xxe_injection_php_clean.php`	Clean	XXE injection (PHP)	✓ Clean (expected)
`xxe_injection_python_clean.py`	Clean	XXE injection (Python)	✓ Clean (expected)
`xxe_xmldocument_clean.cs`	Clean	xxe_xmldocument	✓ Clean (expected)
`zip_bomb_clean.py`	Clean	Zip bomb vulnerability	✓ Clean (expected)
`zip_slip_clean.java`	Clean	zip_slip	✓ Clean (expected)
`zip_slip_csharp_clean.cs`	Clean	zip_slip_csharp	✓ Clean (expected)
`angularjs_insecure_url_whitelist.js`	Vulnerable	angularjs_insecure_url_whitelist	✓ Detected (expected)
`api_key_in_url.js`	Vulnerable	API Key in URL	✓ Detected (expected)
`api_key_in_url.py`	Vulnerable	API Key in URL	✓ Detected (expected)
`arithmetic_extreme_values.java`	Vulnerable	arithmetic_extreme_values	✓ Detected (expected)
`arithmetic_tainted.java`	Vulnerable	arithmetic_tainted	✓ Detected (expected)
`arithmetic_uncontrolled.java`	Vulnerable	arithmetic_uncontrolled	✓ Detected (expected)
`array_construction_tainted.java`	Vulnerable	array_construction_tainted	✓ Detected (expected)
`array_index_validation.java`	Vulnerable	array_index_validation	✓ Detected (expected)
`aspnet_debug_enabled.cs`	Vulnerable	aspnet_debug_enabled	✓ Detected (expected)
`aspnet_directory_listing.cs`	Vulnerable	aspnet_directory_listing	✓ Detected (expected)
`aspnet_max_request_length.cs`	Vulnerable	aspnet_max_request_length	✓ Detected (expected)
`assembly_path_injection.cs`	Vulnerable	assembly_path_injection	✓ Detected (expected)
`autoplay_media.html`	Vulnerable	Autoplaying media	✓ Detected (expected)
`bad_tag_filter.js`	Vulnerable	bad_tag_filter	✓ Detected (expected)
`bad_tag_filter.py`	Vulnerable	bad_tag_filter	✓ Detected (expected)
`base64_credentials.py`	Vulnerable	Base64 encoded credentials	✓ Detected (expected)
`base64_eval.js`	Vulnerable	Base64 obfuscated code execution	✓ Detected (expected)
`base64_eval.py`	Vulnerable	Base64 obfuscated code execution	✓ Detected (expected)
`base64_obfuscation.js`	Vulnerable	Suspicious base64 string decoded	✓ Detected (expected)
`broken_crypto_algorithm.js`	Vulnerable	broken_crypto_algorithm	✓ Detected (expected)
`build_artifact_leak.js`	Vulnerable	build_artifact_leak	✓ Detected (expected)
`button_no_aria.html`	Vulnerable	Button without aria-label	✓ Detected (expected)
`cache_poisoning.py`	Vulnerable	Cache Poisoning	✓ Detected (expected)
`case_sensitive_middleware_path.js`	Vulnerable	case_sensitive_middleware_path	✓ Detected (expected)
`catch_all_exception.py`	Vulnerable	Catch-all exception	✓ Detected (expected)
`catch_all_exception_csharp.cs`	Vulnerable	Generic catch (C#)	✓ Detected (expected)
`catch_all_exception_java.java`	Vulnerable	Generic catch (Java)	✓ Detected (expected)
`catch_all_exception_php.php`	Vulnerable	Generic catch (PHP)	✓ Detected (expected)
`ci_curl_pipe_bash.yml`	Vulnerable	Remote script piped to shell	✓ Detected (expected)
`ci_debug_trace_enabled.yml`	Vulnerable	CI/CD debug logging enabled	✓ Detected (expected)
`ci_docker_privileged.yml`	Vulnerable	Privileged Docker container in CI/CD	✓ Detected (expected)
`ci_insecure_download.yml`	Vulnerable	Insecure HTTP download in CI/CD	✓ Detected (expected)
`ci_netcat_reverse_shell.yml`	Vulnerable	Netcat reverse shell in CI/CD script	✓ Detected (expected)
`cleartext_cookie.js`	Vulnerable	cleartext_cookie	✓ Detected (expected)
`cleartext_logging.js`	Vulnerable	cleartext_logging	✓ Detected (expected)
`cleartext_storage_class.java`	Vulnerable	cleartext_storage_class	✓ Detected (expected)
`cleartext_storage_cookie.java`	Vulnerable	cleartext_storage_cookie	✓ Detected (expected)
`cleartext_storage_csharp.cs`	Vulnerable	cleartext_storage_csharp	✓ Detected (expected)
`cleartext_storage_properties.java`	Vulnerable	cleartext_storage_properties	✓ Detected (expected)
`cleartext_storage_sensitive.js`	Vulnerable	cleartext_storage_sensitive	✓ Detected (expected)
`cleartext_storage_sensitive.py`	Vulnerable	cleartext_storage_sensitive	✓ Detected (expected)
`client_side_auth.js`	Vulnerable	Client-side access control	✓ Detected (expected)
`client_side_ssrf.js`	Vulnerable	client_side_ssrf	✓ Detected (expected)
`command_injection_csharp.cs`	Vulnerable	Command injection (C#)	✓ Detected (expected)
`command_injection_java.java`	Vulnerable	Command injection (Java)	✓ Detected (expected)
`command_injection_java_broad.java`	Vulnerable	Command Injection (Java)	✓ Detected (expected)
`command_injection_php.php`	Vulnerable	Command injection (PHP)	✓ Detected (expected)
`comparison_wider_type.java`	Vulnerable	comparison_wider_type	✓ Detected (expected)
`conditional_bypass.js`	Vulnerable	conditional_bypass	✓ Detected (expected)
`conditional_bypass_csharp.cs`	Vulnerable	conditional_bypass_csharp	✓ Detected (expected)
`conditional_bypass_java.java`	Vulnerable	conditional_bypass_java	✓ Detected (expected)
`console_log.js`	Vulnerable	Residual console.log	✓ Detected (expected)
`console_log_residual.js`	Vulnerable	Residual console.log	✓ Detected (expected)
`console_write_csharp.cs`	Vulnerable	Console.Write in production (C#)	✓ Detected (expected)
`cookie_broad_domain.cs`	Vulnerable	cookie_broad_domain	✓ Detected (expected)
`cookie_broad_path.cs`	Vulnerable	cookie_broad_path	✓ Detected (expected)
`cookie_injection.py`	Vulnerable	cookie_injection	✓ Detected (expected)
`cors_credentials_wildcard.js`	Vulnerable	CORS wildcard with credentials	✓ Detected (expected)
`cors_permissive_csharp.cs`	Vulnerable	Permissive CORS (C#)	✓ Detected (expected)
`create_element.js`	Vulnerable	Manual createElement	✓ Detected (expected)
`crud_without_ownership.js`	Vulnerable	CRUD without ownership check	✓ Detected (expected)
`cs_deep_nesting 2.cs`	Vulnerable		✓ Detected (expected)
`cs_deep_nesting.cs`	Vulnerable	Excessive nesting depth (C#, 6+ levels)	✓ Detected (expected)
`cs_empty_catch_block 2.cs`	Vulnerable		✓ Detected (expected)
`cs_empty_catch_block.cs`	Vulnerable	Empty catch block (C#)	✓ Detected (expected)
`cs_high_coupling 2.cs`	Vulnerable		✓ Detected (expected)
`cs_high_coupling.cs`	Vulnerable	High coupling — too many C# interfaces (SonarQube S1200)	✓ Detected (expected)
`cs_magic_number 2.cs`	Vulnerable		✓ Detected (expected)
`cs_magic_number.cs`	Vulnerable	Magic number in comparison (C#)	✓ Detected (expected)
`cs_string_format_legacy 2.cs`	Vulnerable		✓ Detected (expected)
`cs_string_format_legacy.cs`	Vulnerable	string.Format() instead of interpolation (C#)	✓ Detected (expected)
`cs_too_many_params 2.cs`	Vulnerable		✓ Detected (expected)
`cs_too_many_params.cs`	Vulnerable	Too many C# method parameters (6+)	✓ Detected (expected)
`csrf_missing_flask 2.py`	Vulnerable		✓ Detected (expected)
`csrf_missing_flask.py`	Vulnerable	Missing CSRF protection (Flask)	✓ Detected (expected)
`csv_injection.py`	Vulnerable	CSV Formula Injection	✓ Detected (expected)
`dangerous_eval.py`	Vulnerable	Dangerous Eval/Exec	✓ Detected (expected)
`dangerous_function_java.java`	Vulnerable	dangerous_function_java	✓ Detected (expected)
`data_uri_html.js`	Vulnerable	Data URI with HTML content	✓ Detected (expected)
`data_uri_html_tag.html`	Vulnerable	Data URI HTML in tag	✓ Detected (expected)
`db_connection_string_credentials 2.py`	Vulnerable		✓ Detected (expected)
`db_connection_string_credentials.py`	Vulnerable	DB connection string with credentials (Python)	✓ Detected (expected)
`db_connection_string_credentials_js 2.js`	Vulnerable		✓ Detected (expected)
`db_connection_string_credentials_js.js`	Vulnerable	DB connection string with credentials (JavaScript)	✓ Detected (expected)
`db_error_exposed_csharp 2.cs`	Vulnerable		✓ Detected (expected)
`db_error_exposed_csharp.cs`	Vulnerable	DB error exposed in response (C#)	✓ Detected (expected)
`db_error_exposed_java 2.java`	Vulnerable		✓ Detected (expected)
`db_error_exposed_java.java`	Vulnerable	DB error exposed in response (Java)	✓ Detected (expected)
`db_error_exposed_php 2.php`	Vulnerable		✓ Detected (expected)
`db_error_exposed_php.php`	Vulnerable	DB error exposed in response (PHP)	✓ Detected (expected)
`db_error_exposed_python 2.py`	Vulnerable		✓ Detected (expected)
`db_error_exposed_python.py`	Vulnerable	DB error exposed in response (Python)	✓ Detected (expected)
`db_logic_controller_csharp.cs`	Vulnerable	DB logic in controller (C#)	✓ Detected (expected)
`db_logic_controller_java.java`	Vulnerable	DB logic in controller (Java)	✓ Detected (expected)
`db_logic_controller_php.php`	Vulnerable	DB logic in controller (PHP)	✓ Detected (expected)
`db_superuser_connection_csharp 2.cs`	Vulnerable		✓ Detected (expected)
`db_superuser_connection_csharp.cs`	Vulnerable	DB connection as superuser (C#)	✓ Detected (expected)
`db_superuser_connection_java 2.java`	Vulnerable		✓ Detected (expected)
`db_superuser_connection_java.java`	Vulnerable	DB connection as superuser (Java)	✓ Detected (expected)
`db_superuser_connection_python 2.py`	Vulnerable		✓ Detected (expected)
`db_superuser_connection_python.py`	Vulnerable	DB connection as superuser (Python)	✓ Detected (expected)
`db_tls_disabled_java 2.java`	Vulnerable		✓ Detected (expected)
`db_tls_disabled_java.java`	Vulnerable	DB connection without TLS (Java)	✓ Detected (expected)
`db_tls_disabled_js 2.js`	Vulnerable		✓ Detected (expected)
`db_tls_disabled_js.js`	Vulnerable	DB connection without TLS (JavaScript)	✓ Detected (expected)
`db_tls_disabled_python 2.py`	Vulnerable		✓ Detected (expected)
`db_tls_disabled_python.py`	Vulnerable	DB connection without TLS (Python)	✓ Detected (expected)
`debug_mode.py`	Vulnerable	Debug mode enabled	✓ Detected (expected)
`default_credentials.py`	Vulnerable	Default Credentials	✓ Detected (expected)
`dependabot_insecure_exec.yml`	Vulnerable	Dependabot insecure external code execution	✓ Detected (expected)
`dependency_confusion.js`	Vulnerable	Dependency Confusion	✓ Detected (expected)
`dependency_confusion.py`	Vulnerable	Dependency Confusion	✓ Detected (expected)
`deprecated_api.py`	Vulnerable	Deprecated API	✓ Detected (expected)
`deprecated_api_csharp.cs`	Vulnerable	Deprecated API (C#)	✓ Detected (expected)
`deprecated_api_java.java`	Vulnerable	Deprecated API (Java)	✓ Detected (expected)
`deprecated_api_javascript.js`	Vulnerable	Deprecated API (JavaScript)	✓ Detected (expected)
`deprecated_api_php.php`	Vulnerable	Deprecated API (PHP)	✓ Detected (expected)
`destructive_without_backup.py`	Vulnerable	Destructive Operation Without Backup	✓ Detected (expected)
`different_kinds_comparison_bypass.js`	Vulnerable	different_kinds_comparison_bypass	✓ Detected (expected)
`disable_certificate_validation.js`	Vulnerable	disable_certificate_validation	✓ Detected (expected)
`django_csrf_exempt.py`	Vulnerable	@csrf_exempt decorator (Django)	✓ Detected (expected)
`django_debug_enabled.py`	Vulnerable	DEBUG = True (Django)	✓ Detected (expected)
`django_mark_safe_xss.py`	Vulnerable	Django mark_safe() — XSS risk	✓ Detected (expected)
`django_secret_key_weak.py`	Vulnerable	Hardcoded SECRET_KEY (Django)	✓ Detected (expected)
`django_vulnerable.py`	Vulnerable	@csrf_exempt decorator (Django)	✓ Detected (expected)
`docker_latest_tag.yml`	Vulnerable	Docker image with :latest tag	✓ Detected (expected)
`dockerfile_copy_all`	Vulnerable	COPY . . in Dockerfile	✓ Detected (expected)
`dockerfile_root_user`	Vulnerable	Dockerfile runs as root	✓ Detected (expected)
`dockerfile_unpinned_base`	Vulnerable	Unpinned base image	✓ Detected (expected)
`dom_clobbering.html`	Vulnerable	DOM Clobbering	✓ Detected (expected)
`dom_in_loop.js`	Vulnerable	DOM manipulation in loop	✓ Detected (expected)
`dom_manipulation_loop.js`	Vulnerable	DOM manipulation in loop	✓ Detected (expected)
`dom_pseudo_eval.js`	Vulnerable	dom_pseudo_eval	✓ Detected (expected)
`dont_install_root_cert.cs`	Vulnerable	dont_install_root_cert	✓ Detected (expected)
`double_escaping.js`	Vulnerable	double_escaping	✓ Detected (expected)
`dynamic_import.py`	Vulnerable	Dynamic import	✓ Detected (expected)
`ecb_cipher_mode.py`	Vulnerable	Insecure ECB cipher mode	✓ Detected (expected)
`ecb_mode_csharp.cs`	Vulnerable	ecb_mode_csharp	✓ Detected (expected)
`elasticsearch_query_injection 2.py`	Vulnerable		✓ Detected (expected)
`elasticsearch_query_injection.py`	Vulnerable	Elasticsearch query injection (Python)	✓ Detected (expected)
`electron_insecure_content.js`	Vulnerable	electron_insecure_content	✓ Detected (expected)
`electron_node_integration.js`	Vulnerable	electron_node_integration	✓ Detected (expected)
`electron_web_security_disabled.js`	Vulnerable	electron_web_security_disabled	✓ Detected (expected)
`empty_password_config.js`	Vulnerable	empty_password_config	✓ Detected (expected)
`error_suppressor_php.php`	Vulnerable	Error suppressor (PHP @)	✓ Detected (expected)
`eval_injection_php.php`	Vulnerable	Code injection (PHP)	✓ Detected (expected)
`eval_template_literal.js`	Vulnerable	eval() with template literal	✓ Detected (expected)
`event_listeners_not_cleaned.js`	Vulnerable	Event listeners not cleaned	✓ Detected (expected)
`event_listeners_orphan.js`	Vulnerable	Event listeners not cleaned	✓ Detected (expected)
`exec_relative_path.java`	Vulnerable	exec_relative_path	✓ Detected (expected)
`exec_tainted_environment.java`	Vulnerable	exec_tainted_environment	✓ Detected (expected)
`exec_unescaped.java`	Vulnerable	exec_unescaped	✓ Detected (expected)
`exposed_test_endpoint.py`	Vulnerable	Exposed Test/Debug Endpoint	✓ Detected (expected)
`exposure_private_information.cs`	Vulnerable	exposure_private_information	✓ Detected (expected)
`exposure_transmitted_data.cs`	Vulnerable	exposure_transmitted_data	✓ Detected (expected)
`express_cors_wildcard.js`	Vulnerable	Permissive CORS configuration (Express)	✓ Detected (expected)
`express_no_csrf.js`	Vulnerable	Express without CSRF protection	✓ Detected (expected)
`express_no_helmet.js`	Vulnerable	Missing Helmet middleware (Express)	✓ Detected (expected)
`express_vulnerable.js`	Vulnerable	Missing Helmet middleware (Express)	✓ Detected (expected)
`extract_usage_php.php`	Vulnerable	Variable overwrite (PHP extract)	✓ Detected (expected)
`file_access_to_http.js`	Vulnerable	file_access_to_http	✓ Detected (expected)
`file_inclusion_php.php`	Vulnerable	File inclusion (PHP)	✓ Detected (expected)
`file_too_long.cs`	Vulnerable	File too long	✓ Detected (expected)
`file_too_long.java`	Vulnerable	File too long	✓ Detected (expected)
`file_too_long.php`	Vulnerable	File too long	✓ Detected (expected)
`file_too_long.py`	Vulnerable	File too long	✓ Detected (expected)
`file_upload_no_validation.py`	Vulnerable	File Upload Without Validation	✓ Detected (expected)
`filesystem_race_condition.js`	Vulnerable	filesystem_race_condition	✓ Detected (expected)
`fixme_comment.py`	Vulnerable	Unresolved TODO/FIXME	✓ Detected (expected)
`flask_debug_enabled.py`	Vulnerable	Debug mode enabled (Flask)	✓ Detected (expected)
`flask_secret_key_weak.py`	Vulnerable	Hardcoded secret_key (Flask)	✓ Detected (expected)
`flask_vulnerable.py`	Vulnerable	Debug mode enabled (Flask)	✓ Detected (expected)
`focus_outline_removed.js`	Vulnerable	Focus outline removed	✓ Detected (expected)
`format_string_vuln.java`	Vulnerable	Format String Vulnerability	✓ Detected (expected)
`format_string_vuln.py`	Vulnerable	Format String Vulnerability	✓ Detected (expected)
`fstring_in_logging.py`	Vulnerable	F-string in Logging	✓ Detected (expected)
`functionality_untrusted_domain.js`	Vulnerable	functionality_untrusted_domain	✓ Detected (expected)
`functionality_untrusted_source.js`	Vulnerable	functionality_untrusted_source	✓ Detected (expected)
`gha_actor_check_bypass.yml`	Vulnerable	Bypassable actor-based security gate	✓ Detected (expected)
`gha_artifact_poisoning.yml`	Vulnerable	Artifact poisoning via workflow_run	✓ Detected (expected)
`gha_cache_poisoning.yml`	Vulnerable	Cache poisoning risk in release workflow	✓ Detected (expected)
`gha_confused_deputy.yml`	Vulnerable	Confused deputy auto-merge bypass	✓ Detected (expected)
`gha_credentials_on_disk.yml`	Vulnerable	Git credentials persisted on disk	✓ Detected (expected)
`gha_dangerous_artefact.yml`	Vulnerable	Sensitive files uploaded as artifact	✓ Detected (expected)
`gha_deprecated_commands.yml`	Vulnerable	Deprecated workflow commands	✓ Detected (expected)
`gha_excessive_permissions.yml`	Vulnerable	Excessive workflow permissions	✓ Detected (expected)
`gha_expression_injection.yml`	Vulnerable	GitHub Actions expression injection	✓ Detected (expected)
`gha_github_app_no_revoke.yml`	Vulnerable	GitHub App token not revoked after job	✓ Detected (expected)
`gha_github_env_write.yml`	Vulnerable	Untrusted data written to GITHUB_ENV	✓ Detected (expected)
`gha_insecure_commands_env.yml`	Vulnerable	Insecure workflow commands enabled	✓ Detected (expected)
`gha_job_all_secrets.yml`	Vulnerable	All secrets serialized in workflow	✓ Detected (expected)
`gha_local_action.yml`	Vulnerable	Local action usage	✓ Detected (expected)
`gha_missing_permissions.yml`	Vulnerable	Missing permissions block	✓ Detected (expected)
`gha_secret_in_log.yml`	Vulnerable	Secret printed in workflow log	✓ Detected (expected)
`gha_secrets_bypass_redaction.yml`	Vulnerable	Secrets redaction bypass via JSON	✓ Detected (expected)
`gha_secrets_without_environment.yml`	Vulnerable	Secrets used without environment gate on risky trigger	✓ Detected (expected)
`gha_self_hosted_runner.yml`	Vulnerable	Self-hosted runner on public repository	✓ Detected (expected)
`gha_unguarded_comment_trigger.yml`	Vulnerable	Unguarded comment trigger	✓ Detected (expected)
`gha_unsound_condition.yml`	Vulnerable	Unsound if: condition with block scalar	✓ Detected (expected)
`gha_version_comment_missing.yml`	Vulnerable	Pinned action SHA without version comment	✓ Detected (expected)
`gha_workflow_dispatch_inputs.yml`	Vulnerable	workflow_dispatch with user inputs	✓ Detected (expected)
`gitlab_allow_failure_security.yml`	Vulnerable	Security job with allow_failure: true	✓ Detected (expected)
`gitlab_double_pipeline.yml`	Vulnerable	GitLab CI duplicate pipeline rules	✓ Detected (expected)
`gitlab_script_secrets_echo.yml`	Vulnerable	GitLab CI token printed to log	✓ Detected (expected)
`gitlab_unsafe_variables.yml`	Vulnerable	Unprotected GitLab CI variable	✓ Detected (expected)
`graphql_batching_attack.js`	Vulnerable	GraphQL Batching Attack	✓ Detected (expected)
`graphql_introspection.js`	Vulnerable	GraphQL Introspection Enabled	✓ Detected (expected)
`graphql_introspection_enabled.js`	Vulnerable	GraphQL Introspection Enabled	✓ Detected (expected)
`graphql_introspection_enabled.py`	Vulnerable	GraphQL Introspection Enabled	✓ Detected (expected)
`graphql_introspection_python.py`	Vulnerable	GraphQL Introspection Enabled	✓ Detected (expected)
`graphql_no_depth_limit.js`	Vulnerable	GraphQL Without Depth Limit	✓ Detected (expected)
`graphql_no_depth_limit.py`	Vulnerable	GraphQL Without Depth Limit	✓ Detected (expected)
`groovy_injection.java`	Vulnerable	groovy_injection	✓ Detected (expected)
`hack_comment.js`	Vulnerable	Unresolved TODO/FIXME	✓ Detected (expected)
`hardcoded_api_key.py`	Vulnerable	Hardcoded secret	✓ Detected (expected)
`hardcoded_aws_key.py`	Vulnerable	Hardcoded secret	✓ Detected (expected)
`hardcoded_connection_string.cs`	Vulnerable	hardcoded_connection_string	✓ Detected (expected)
`hardcoded_connection_string_java 2.java`	Vulnerable		✓ Detected (expected)
`hardcoded_connection_string_java.java`	Vulnerable	Hardcoded DB credentials (Java)	✓ Detected (expected)
`hardcoded_connection_string_php 2.php`	Vulnerable		✓ Detected (expected)
`hardcoded_connection_string_php.php`	Vulnerable	Hardcoded DB credentials (PHP)	✓ Detected (expected)
`hardcoded_data_as_code.js`	Vulnerable	hardcoded_data_as_code	✓ Detected (expected)
`hardcoded_encryption_key.cs`	Vulnerable	hardcoded_encryption_key	✓ Detected (expected)
`hardcoded_github_token.py`	Vulnerable	Hardcoded secret	✓ Detected (expected)
`hardcoded_internal_ip.py`	Vulnerable	Hardcoded Internal IP Address	✓ Detected (expected)
`hardcoded_iv_nonce.py`	Vulnerable	Hardcoded IV/Nonce	✓ Detected (expected)
`hardcoded_password.py`	Vulnerable	Hardcoded secret	✓ Detected (expected)
`hardcoded_pem_key.py`	Vulnerable	Hardcoded secret	✓ Detected (expected)
`hardcoded_secret.js`	Vulnerable	Hardcoded secret	✓ Detected (expected)
`hardcoded_secret.py`	Vulnerable	Hardcoded secret	✓ Detected (expected)
`hardcoded_secret_cicd.yml`	Vulnerable	Hardcoded secret in CI/CD configuration	✓ Detected (expected)
`hardcoded_slack_token.py`	Vulnerable	Hardcoded secret	✓ Detected (expected)
`hardcoded_stripe_key.js`	Vulnerable	Hardcoded secret	✓ Detected (expected)
`hardcoded_tmp_path.py`	Vulnerable	Hardcoded /tmp path	✓ Detected (expected)
`hardcoded_ui_string.js`	Vulnerable	Hardcoded UI string	✓ Detected (expected)
`header_injection.py`	Vulnerable	header_injection	✓ Detected (expected)
`heading_skip_level.html`	Vulnerable	Heading skip level	✓ Detected (expected)
`homebrew_auth.py`	Vulnerable	Homebrew authentication	✓ Detected (expected)
`host_header_poisoning.js`	Vulnerable	host_header_poisoning	✓ Detected (expected)
`html_aria_hidden_focusable.html`	Vulnerable	Focusable element hidden with aria-hidden	✓ Detected (expected)
`html_autocomplete_invalid.html`	Vulnerable	Non-standard autocomplete value	✓ Detected (expected)
`html_button_missing_type.html`	Vulnerable	HTML button without type attribute	✓ Detected (expected)
`html_deprecated_tag.html`	Vulnerable	Deprecated HTML tag	✓ Detected (expected)
`html_img_missing_dimensions.html`	Vulnerable	HTML image without dimensions (width/height)	✓ Detected (expected)
`html_inline_style.html`	Vulnerable	Inline CSS style (HTML)	✓ Detected (expected)
`html_input_button_empty.html`	Vulnerable	Button input without label (missing value)	✓ Detected (expected)
`html_invalid_aria_role.html`	Vulnerable	Empty ARIA role attribute	✓ Detected (expected)
`html_invalid_lang_value.html`	Vulnerable	Non-BCP-47 lang attribute value	✓ Detected (expected)
`html_missing_main_landmark.html`	Vulnerable	Missing <main> landmark	✓ Detected (expected)
`html_missing_meta_viewport.html`	Vulnerable	Missing viewport meta tag (HTML)	✓ Detected (expected)
`html_no_lang.html`	Vulnerable	HTML missing lang attribute	✓ Detected (expected)
`html_select_missing_label.html`	Vulnerable	Select without accessible label	✓ Detected (expected)
`html_target_blank_noreferrer.html`	Vulnerable	target="_blank" without rel="noopener noreferrer"	✓ Detected (expected)
`html_th_scope_missing.html`	Vulnerable	Table header without scope attribute	✓ Detected (expected)
`html_video_missing_captions.html`	Vulnerable	Video without caption track	✓ Detected (expected)
`html_viewport_zoom_disabled.html`	Vulnerable	User zoom disabled (viewport)	✓ Detected (expected)
`http_no_tls.py`	Vulnerable	HTTP without TLS	✓ Detected (expected)
`http_response_splitting.java`	Vulnerable	http_response_splitting	✓ Detected (expected)
`http_smuggling.py`	Vulnerable	HTTP request smuggling	✓ Detected (expected)
`http_to_file_access.js`	Vulnerable	http_to_file_access	✓ Detected (expected)
`http_without_tls.py`	Vulnerable	HTTP without TLS	✓ Detected (expected)
`idor_missing_ownership.cs`	Vulnerable	IDOR Missing Ownership	✓ Detected (expected)
`idor_missing_ownership.py`	Vulnerable	IDOR Missing Ownership	✓ Detected (expected)
`iframe_no_title.html`	Vulnerable	Iframe without title	✓ Detected (expected)
`img_decorative_no_role.html`	Vulnerable	Decorative image without role	✓ Detected (expected)
`img_no_alt.html`	Vulnerable	Image without alt text	✓ Detected (expected)
`improper_code_sanitization.js`	Vulnerable	improper_code_sanitization	✓ Detected (expected)
`inappropriate_encoding.cs`	Vulnerable	inappropriate_encoding	✓ Detected (expected)
`incomplete_hostname_regexp.js`	Vulnerable	incomplete_hostname_regexp	✓ Detected (expected)
`incomplete_hostname_regexp.py`	Vulnerable	incomplete_hostname_regexp	✓ Detected (expected)
`incomplete_html_attribute_sanitization.js`	Vulnerable	incomplete_html_attribute_sanitization	✓ Detected (expected)
`incomplete_multichar_sanitization.js`	Vulnerable	incomplete_multichar_sanitization	✓ Detected (expected)
`incomplete_sanitization.js`	Vulnerable	incomplete_sanitization	✓ Detected (expected)
`incomplete_url_sanitization.py`	Vulnerable	incomplete_url_sanitization	✓ Detected (expected)
`incomplete_url_scheme_check.js`	Vulnerable	incomplete_url_scheme_check	✓ Detected (expected)
`incomplete_url_substring_sanitization.js`	Vulnerable	incomplete_url_substring_sanitization	✓ Detected (expected)
`incorrect_suffix_check.js`	Vulnerable	incorrect_suffix_check	✓ Detected (expected)
`indirect_command_injection.js`	Vulnerable	indirect_command_injection	✓ Detected (expected)
`infinite_loop_user_input.java`	Vulnerable	infinite_loop_user_input	✓ Detected (expected)
`inline_event_handler.js`	Vulnerable	Inline event handler	✓ Detected (expected)
`inline_event_handler_html.html`	Vulnerable	Inline event handler in HTML	✓ Detected (expected)
`inline_style_js.js`	Vulnerable	Inline style in JS	✓ Detected (expected)
`input_no_label.html`	Vulnerable	Input without label	✓ Detected (expected)
`insecure_basic_auth.java`	Vulnerable	insecure_basic_auth	✓ Detected (expected)
`insecure_bean_validation.java`	Vulnerable	insecure_bean_validation	✓ Detected (expected)
`insecure_cipher.py`	Vulnerable	Insecure cipher algorithm	✓ Detected (expected)
`insecure_cloud_config.py`	Vulnerable	Insecure Cloud Configuration	✓ Detected (expected)
`insecure_cookie.cs`	Vulnerable	Insecure cookie (missing HttpOnly/Secure)	✓ Detected (expected)
`insecure_cookie.java`	Vulnerable	Insecure cookie (missing HttpOnly/Secure)	✓ Detected (expected)
`insecure_cookie.js`	Vulnerable	Insecure cookie (missing HttpOnly/Secure)	✓ Detected (expected)
`insecure_cookie.php`	Vulnerable	Insecure cookie (missing HttpOnly/Secure)	✓ Detected (expected)
`insecure_cookie.py`	Vulnerable	Insecure cookie (missing HttpOnly/Secure)	✓ Detected (expected)
`insecure_cookie_flag.java`	Vulnerable	Insecure Cookie Flag	✓ Detected (expected)
`insecure_cookie_js.js`	Vulnerable	insecure_cookie_js	✗ Missed
`insecure_cookie_no_secure.py`	Vulnerable	Cookie without Secure flag	✓ Detected (expected)
`insecure_db_deserialization_python 2.py`	Vulnerable		✓ Detected (expected)
`insecure_db_deserialization_python.py`	Vulnerable	Insecure DB deserialization (Python)	✓ Detected (expected)
`insecure_dependency_http.js`	Vulnerable	insecure_dependency_http	✓ Detected (expected)
`insecure_deserialize_call.py`	Vulnerable	Insecure deserialization call	✓ Detected (expected)
`insecure_download.js`	Vulnerable	insecure_download	✓ Detected (expected)
`insecure_javamail.java`	Vulnerable	insecure_javamail	✓ Detected (expected)
`insecure_ldap_auth.java`	Vulnerable	insecure_ldap_auth	✓ Detected (expected)
`insecure_local_storage.js`	Vulnerable	Insecure Local Storage	✓ Detected (expected)
`insecure_maven_dependency.java`	Vulnerable	insecure_maven_dependency	✓ Detected (expected)
`insecure_random.js`	Vulnerable	Insecure RNG	✓ Detected (expected)
`insecure_sql_connection.cs`	Vulnerable	insecure_sql_connection	✓ Detected (expected)
`insecure_ssl_version.py`	Vulnerable	Insecure SSL/TLS version	✓ Detected (expected)
`insecure_temp_file.js`	Vulnerable	insecure_temp_file	✓ Detected (expected)
`insecure_temp_file.py`	Vulnerable	insecure_temp_file	✓ Detected (expected)
`insufficient_key_size.js`	Vulnerable	Insufficient Cryptographic Key Size	✓ Detected (expected)
`insufficient_key_size.py`	Vulnerable	Insufficient Cryptographic Key Size	✓ Detected (expected)
`insufficient_key_size_csharp.cs`	Vulnerable	insufficient_key_size_csharp	✓ Detected (expected)
`insufficient_key_size_java.java`	Vulnerable	insufficient_key_size_java	✓ Detected (expected)
`insufficient_password_hash.js`	Vulnerable	insufficient_password_hash	✓ Detected (expected)
`java_deep_nesting 2.java`	Vulnerable		✓ Detected (expected)
`java_deep_nesting.java`	Vulnerable	Excessive nesting depth (Java, 6+ levels)	✓ Detected (expected)
`java_empty_catch_block 2.java`	Vulnerable		✓ Detected (expected)
`java_empty_catch_block.java`	Vulnerable	Empty catch block (Java)	✓ Detected (expected)
`java_public_field 2.java`	Vulnerable		✓ Detected (expected)
`java_public_field.java`	Vulnerable	Non-constant public field (Java)	✓ Detected (expected)
`java_string_concat_loop 2.java`	Vulnerable		✓ Detected (expected)
`java_string_concat_loop.java`	Vulnerable	String concatenation in loop (Java)	✓ Detected (expected)
`java_too_many_params 2.java`	Vulnerable		✓ Detected (expected)
`java_too_many_params.java`	Vulnerable	Too many Java method parameters (6+)	✓ Detected (expected)
`java_utility_class_constructor 2.java`	Vulnerable		✓ Detected (expected)
`java_utility_class_constructor.java`	Vulnerable	Java utility class without private constructor	✓ Detected (expected)
`javascript_uri.js`	Vulnerable	javascript: URI — XSS	✓ Detected (expected)
`javascript_uri_html.html`	Vulnerable	javascript: URI in HTML attribute	✓ Detected (expected)
`jexl_injection.java`	Vulnerable	jexl_injection	✓ Detected (expected)
`jinja2_autoescape_false.py`	Vulnerable	jinja2_autoescape_false	✓ Detected (expected)
`jndi_injection_java.java`	Vulnerable	JNDI Injection (Log4Shell)	✓ Detected (expected)
`js_cognitive_complexity 2.js`	Vulnerable		✓ Detected (expected)
`js_cognitive_complexity.js`	Vulnerable	High cognitive complexity (JavaScript)	✓ Detected (expected)
`js_debugger_statement 2.js`	Vulnerable		✓ Detected (expected)
`js_debugger_statement.js`	Vulnerable	Debugger statement in production (JavaScript)	✓ Detected (expected)
`js_deep_nesting 2.js`	Vulnerable		✓ Detected (expected)
`js_deep_nesting.js`	Vulnerable	Excessive nesting depth (JavaScript, 6+ levels)	✓ Detected (expected)
`js_empty_catch_block 2.js`	Vulnerable		✓ Detected (expected)
`js_empty_catch_block.js`	Vulnerable	Empty catch block (JavaScript)	✓ Detected (expected)
`js_no_var 2.js`	Vulnerable		✓ Detected (expected)
`js_no_var.js`	Vulnerable	Use of var keyword (JavaScript)	✓ Detected (expected)
`js_too_many_params 2.js`	Vulnerable		✓ Detected (expected)
`js_too_many_params.js`	Vulnerable	Too many JavaScript function parameters (6+)	✓ Detected (expected)
`jsx_anchor_href_invalid.jsx`	Vulnerable	JSX link with invalid href (href="#" or javascript:)	✓ Detected (expected)
`jsx_img_missing_alt.jsx`	Vulnerable	JSX image without alt prop (WCAG 1.1.1)	✓ Detected (expected)
`jsx_label_missing_control.jsx`	Vulnerable	JSX label without associated control (missing htmlFor)	✓ Detected (expected)
`jsx_no_access_key.jsx`	Vulnerable	accessKey used (JSX)	✓ Detected (expected)
`jsx_no_autofocus.jsx`	Vulnerable	autoFocus used (JSX)	✓ Detected (expected)
`jsx_tabindex_positive.jsx`	Vulnerable	Positive tabIndex (JSX, WCAG 2.4.3)	✓ Detected (expected)
`jwt_hardcoded_secret.py`	Vulnerable	JWT Hardcoded Secret	✓ Detected (expected)
`jwt_missing_verification.js`	Vulnerable	jwt_missing_verification	✓ Detected (expected)
`jwt_none_algorithm.js`	Vulnerable	JWT None Algorithm	✓ Detected (expected)
`jwt_none_algorithm.py`	Vulnerable	JWT None Algorithm	✓ Detected (expected)
`jwt_weak_secret.js`	Vulnerable	JWT weak secret	✓ Detected (expected)
`ldap_injection_csharp.cs`	Vulnerable	LDAP injection (C#)	✓ Detected (expected)
`ldap_injection_java.java`	Vulnerable	LDAP injection (Java)	✓ Detected (expected)
`ldap_injection_java_broad.java`	Vulnerable	LDAP Injection (Java)	✓ Detected (expected)
`ldap_injection_python.py`	Vulnerable	LDAP injection (Python)	✓ Detected (expected)
`link_no_text.html`	Vulnerable	Link without text	✓ Detected (expected)
`llm_output_to_sink.py`	Vulnerable	LLM Output to Sink	✓ Detected (expected)
`local_time_usage.py`	Vulnerable	Local Time Without Timezone	✓ Detected (expected)
`local_unvalidated_arithmetic.cs`	Vulnerable	local_unvalidated_arithmetic	✓ Detected (expected)
`lock_order_inconsistency.java`	Vulnerable	lock_order_inconsistency	✓ Detected (expected)
`log4shell_jndi.java`	Vulnerable	Log4Shell (JNDI)	✓ Detected (expected)
`log_forging_csharp.cs`	Vulnerable	log_forging_csharp	✓ Detected (expected)
`log_injection.js`	Vulnerable	Log Injection	✓ Detected (expected)
`log_injection.py`	Vulnerable	Log Injection	✓ Detected (expected)
`loop_bound_injection.js`	Vulnerable	loop_bound_injection	✓ Detected (expected)
`manual_createelement.js`	Vulnerable	Manual createElement	✓ Detected (expected)
`mass_assignment_csharp 2.cs`	Vulnerable		✓ Detected (expected)
`mass_assignment_csharp.cs`	Vulnerable	Mass assignment (C#)	✓ Detected (expected)
`mass_assignment_java 2.java`	Vulnerable		✓ Detected (expected)
`mass_assignment_java.java`	Vulnerable	Mass assignment (Java)	✓ Detected (expected)
`mass_assignment_js 2.js`	Vulnerable		✓ Detected (expected)
`mass_assignment_js.js`	Vulnerable	Mass assignment (JavaScript)	✓ Detected (expected)
`mass_assignment_laravel.php`	Vulnerable	Mass assignment (Laravel)	✓ Detected (expected)
`mass_assignment_python 2.py`	Vulnerable		✓ Detected (expected)
`mass_assignment_python.py`	Vulnerable	Mass assignment (Python)	✓ Detected (expected)
`missing_auth_decorator.py`	Vulnerable	Missing Authentication Decorator	✓ Detected (expected)
`missing_authorize_attribute.cs`	Vulnerable	missing_authorize_attribute	✓ Detected (expected)
`missing_change_management.py`	Vulnerable	Missing Change Management	✓ Detected (expected)
`missing_csp_header.py`	Vulnerable	Missing Content-Security-Policy	✓ Detected (expected)
`missing_data_retention.py`	Vulnerable	Missing Data Retention	✓ Detected (expected)
`missing_doctype.html`	Vulnerable	Missing DOCTYPE declaration	✓ Detected (expected)
`missing_global_error_handler.cs`	Vulnerable	missing_global_error_handler	✓ Detected (expected)
`missing_health_check.py`	Vulnerable	Missing Health Check Endpoint	✓ Detected (expected)
`missing_hsts.py`	Vulnerable	Missing HSTS Header	✓ Detected (expected)
`missing_hsts_django.py`	Vulnerable	Missing HSTS Header	✓ Detected (expected)
`missing_jwt_signature_check.java`	Vulnerable	missing_jwt_signature_check	✓ Detected (expected)
`missing_mfa_csharp.cs`	Vulnerable	Missing MFA (C#)	✓ Detected (expected)
`missing_mfa_java.java`	Vulnerable	Missing MFA (Java)	✓ Detected (expected)
`missing_mfa_javascript.js`	Vulnerable	Missing MFA (JavaScript)	✓ Detected (expected)
`missing_mfa_php.php`	Vulnerable	Missing MFA (PHP)	✓ Detected (expected)
`missing_mfa_python.py`	Vulnerable	Missing MFA (Python)	✓ Detected (expected)
`missing_monitoring.py`	Vulnerable	Missing Monitoring/Logging	✓ Detected (expected)
`missing_pkce_oauth.js`	Vulnerable	Missing PKCE (OAuth)	✓ Detected (expected)
`missing_rate_limit.js`	Vulnerable	Missing rate limiting	✓ Detected (expected)
`missing_regexp_anchor.js`	Vulnerable	missing_regexp_anchor	✓ Detected (expected)
`missing_security_docs.py`	Vulnerable	Undocumented Security Function	✓ Detected (expected)
`missing_session_timeout.py`	Vulnerable	Missing Session Timeout	✓ Detected (expected)
`missing_skip_link.html`	Vulnerable	Missing skip navigation link	✓ Detected (expected)
`missing_sri.html`	Vulnerable	Missing Subresource Integrity	✓ Detected (expected)
`missing_timeout.py`	Vulnerable	Missing request timeout	✓ Detected (expected)
`missing_x_frame_options.js`	Vulnerable	missing_x_frame_options	✓ Detected (expected)
`missing_x_frame_options_csharp.cs`	Vulnerable	missing_x_frame_options_csharp	✓ Detected (expected)
`missing_xml_validation.cs`	Vulnerable	missing_xml_validation	✓ Detected (expected)
`mongo_operator_injection.js`	Vulnerable	MongoDB NoSQL injection	✓ Detected (expected)
`mvel_injection.java`	Vulnerable	mvel_injection	✓ Detected (expected)
`n1_query.py`	Vulnerable	Potential N+1 Query	✓ Detected (expected)
`n_plus_1_query.py`	Vulnerable	Potential N+1 Query	✓ Detected (expected)
`n_plus_1_query_java.java`	Vulnerable	N+1 query (Java)	✓ Detected (expected)
`n_plus_1_query_js 2.js`	Vulnerable		✓ Detected (expected)
`n_plus_1_query_js.js`	Vulnerable	N+1 query (JavaScript)	✓ Detected (expected)
`n_plus_1_query_php 2.php`	Vulnerable		✓ Detected (expected)
`n_plus_1_query_php.php`	Vulnerable	N+1 query (PHP)	✓ Detected (expected)
`netty_response_splitting.java`	Vulnerable	netty_response_splitting	✓ Detected (expected)
`nosql_document_parse_java 2.java`	Vulnerable		✓ Detected (expected)
`nosql_document_parse_java.java`	Vulnerable	MongoDB Document.parse injection (Java)	✓ Detected (expected)
`nosql_injection.py`	Vulnerable	nosql_injection	✓ Detected (expected)
`nosql_injection_mongoose.js`	Vulnerable	NoSQL injection via Mongoose $where	✓ Detected (expected)
`nosql_operator_injection_python 2.py`	Vulnerable		✓ Detected (expected)
`nosql_operator_injection_python.py`	Vulnerable	MongoDB operator injection (Python)	✓ Detected (expected)
`npm_lifecycle_script.js`	Vulnerable	Suspicious npm lifecycle script	✓ Detected (expected)
`numeric_cast_tainted.java`	Vulnerable	numeric_cast_tainted	✓ Detected (expected)
`oauth_open_redirect.py`	Vulnerable	OAuth Open Redirect	✓ Detected (expected)
`ognl_injection.java`	Vulnerable	ognl_injection	✓ Detected (expected)
`open_redirect.js`	Vulnerable	Open redirect	✓ Detected (expected)
`open_redirect_csharp.cs`	Vulnerable	Open redirect (C#)	✓ Detected (expected)
`open_redirect_java.java`	Vulnerable	Open redirect (Java)	✓ Detected (expected)
`open_redirect_php.php`	Vulnerable	Open redirect (PHP)	✓ Detected (expected)
`os_system_injection.py`	Vulnerable	Shell execution via os.system/popen	✓ Detected (expected)
`overly_large_regex_range.js`	Vulnerable	overly_large_regex_range	✓ Detected (expected)
`overly_large_regex_range.py`	Vulnerable	overly_large_regex_range	✓ Detected (expected)
`page_no_title.html`	Vulnerable	Page without title	✓ Detected (expected)
`pam_auth_bypass.py`	Vulnerable	pam_auth_bypass	✓ Detected (expected)
`paramiko_no_host_key.py`	Vulnerable	Paramiko no host key verification	✓ Detected (expected)
`parser_without_try.py`	Vulnerable	Parser without error handling	✓ Detected (expected)
`partial_path_traversal.java`	Vulnerable	partial_path_traversal	✓ Detected (expected)
`partial_ssrf.py`	Vulnerable	partial_ssrf	✓ Detected (expected)
`password_in_config_file.js`	Vulnerable	password_in_config_file	✓ Detected (expected)
`password_reversible_storage_java 2.java`	Vulnerable		✓ Detected (expected)
`password_reversible_storage_java.java`	Vulnerable	Reversible password storage (Java)	✓ Detected (expected)
`password_reversible_storage_python 2.py`	Vulnerable		✓ Detected (expected)
`password_reversible_storage_python.py`	Vulnerable	Reversible password storage (Python)	✓ Detected (expected)
`path_traversal_csharp.cs`	Vulnerable	Path traversal (C#)	✓ Detected (expected)
`path_traversal_fis.java`	Vulnerable	Path Traversal (FileInputStream)	✓ Detected (expected)
`path_traversal_java.java`	Vulnerable	Path traversal (Java)	✓ Detected (expected)
`path_traversal_javascript.js`	Vulnerable	Path traversal (JavaScript)	✓ Detected (expected)
`path_traversal_os_join.py`	Vulnerable	Path traversal via os.path.join	✓ Detected (expected)
`path_traversal_python.py`	Vulnerable	Path traversal (Python)	✓ Detected (expected)
`permissive_file_permissions.py`	Vulnerable	Permissive file permissions	✓ Detected (expected)
`persistent_cookie.cs`	Vulnerable	persistent_cookie	✓ Detected (expected)
`php_deep_nesting 2.php`	Vulnerable		✓ Detected (expected)
`php_deep_nesting.php`	Vulnerable	Excessive nesting depth (PHP, 6+ levels)	✓ Detected (expected)
`php_empty_catch_block 2.php`	Vulnerable		✓ Detected (expected)
`php_empty_catch_block.php`	Vulnerable	Empty catch block (PHP)	✓ Detected (expected)
`php_exit_die 2.php`	Vulnerable		✓ Detected (expected)
`php_exit_die.php`	Vulnerable	Use of exit()/die() in PHP	✓ Detected (expected)
`php_public_property 2.php`	Vulnerable		✓ Detected (expected)
`php_public_property.php`	Vulnerable	Non-constant public property (PHP)	✓ Detected (expected)
`php_string_concat_loop 2.php`	Vulnerable		✓ Detected (expected)
`php_string_concat_loop.php`	Vulnerable	String concatenation in loop (PHP)	✓ Detected (expected)
`php_too_many_params 2.php`	Vulnerable		✓ Detected (expected)
`php_too_many_params.php`	Vulnerable	Too many PHP function parameters (6+)	✓ Detected (expected)
`pii_in_tests.py`	Vulnerable	PII in Test Code	✓ Detected (expected)
`pii_in_url.py`	Vulnerable	PII in URL	✓ Detected (expected)
`pii_logged.py`	Vulnerable	PII Logged	✓ Detected (expected)
`polynomial_redos_java.java`	Vulnerable	polynomial_redos_java	✓ Detected (expected)
`positive_tabindex.html`	Vulnerable	Positive tabindex	✓ Detected (expected)
`postmessage_no_origin_check.js`	Vulnerable	postMessage Without Origin Check	✓ Detected (expected)
`predictable_seed.java`	Vulnerable	predictable_seed	✓ Detected (expected)
`predictable_session.py`	Vulnerable	Predictable token/session	✓ Detected (expected)
`private_file_exposure.js`	Vulnerable	private_file_exposure	✓ Detected (expected)
`privilege_escalation.py`	Vulnerable	Privilege Escalation	✓ Detected (expected)
`prompt_injection_llm.js`	Vulnerable	Prompt Injection (LLM)	✗ Missed
`prompt_injection_llm.py`	Vulnerable	Prompt Injection (LLM)	✓ Detected (expected)
`prototype_pollution.js`	Vulnerable	Prototype pollution	✓ Detected (expected)
`pull_request_target_checkout.yml`	Vulnerable	pull_request_target with fork checkout	✓ Detected (expected)
`py_bare_except 2.py`	Vulnerable		✓ Detected (expected)
`py_bare_except.py`	Vulnerable	Bare except clause (no exception type)	✓ Detected (expected)
`py_commented_out_code 2.py`	Vulnerable		✓ Detected (expected)
`py_commented_out_code.py`	Vulnerable	Commented-out code (dead code)	✓ Detected (expected)
`py_global_statement 2.py`	Vulnerable		✓ Detected (expected)
`py_global_statement.py`	Vulnerable	Global statement inside function	✓ Detected (expected)
`py_magic_value_comparison 2.py`	Vulnerable		✓ Detected (expected)
`py_magic_value_comparison.py`	Vulnerable	Magic number comparison	✓ Detected (expected)
`py_missing_class_docstring 2.py`	Vulnerable		✓ Detected (expected)
`py_missing_class_docstring.py`	Vulnerable	py_missing_class_docstring	✓ Detected (expected)
`py_too_many_arguments 2.py`	Vulnerable		✓ Detected (expected)
`py_too_many_arguments.py`	Vulnerable	Too many function arguments (6+)	✓ Detected (expected)
`py_too_many_nested_blocks 2.py`	Vulnerable		✓ Detected (expected)
`py_too_many_nested_blocks.py`	Vulnerable	Excessive nesting depth (6+ levels)	✓ Detected (expected)
`race_condition.py`	Vulnerable	Race condition (TOCTOU)	✓ Detected (expected)
`race_condition_financial.py`	Vulnerable	Race Condition (Financial)	✓ Detected (expected)
`razor_html_raw.cs`	Vulnerable	XSS via Html.Raw()	✓ Detected (expected)
`redis_eval_injection_js 2.js`	Vulnerable		✓ Detected (expected)
`redis_eval_injection_js.js`	Vulnerable	Redis EVAL injection (JavaScript)	✓ Detected (expected)
`redis_eval_injection_python 2.py`	Vulnerable		✓ Detected (expected)
`redis_eval_injection_python.py`	Vulnerable	Redis EVAL injection (Python)	✓ Detected (expected)
`redos_nested_quantifier.py`	Vulnerable	ReDoS nested quantifier	✓ Detected (expected)
`redos_vulnerable.py`	Vulnerable	ReDoS Vulnerable Regex	✓ Detected (expected)
`regex_dos.js`	Vulnerable	ReDoS — unsafe regex	✓ Detected (expected)
`regex_injection.js`	Vulnerable	regex_injection	✓ Detected (expected)
`regex_injection_csharp.cs`	Vulnerable	regex_injection_csharp	✓ Detected (expected)
`regex_injection_java.java`	Vulnerable	regex_injection_java	✓ Detected (expected)
`regex_redos_js 2.js`	Vulnerable		✓ Detected (expected)
`regex_redos_js.js`	Vulnerable	ReDoS via user-controlled RegExp (JavaScript)	✓ Detected (expected)
`remote_property_injection.js`	Vulnerable	remote_property_injection	✓ Detected (expected)
`request_validation_disabled.cs`	Vulnerable	Request validation disabled	✓ Detected (expected)
`request_validation_disabled.py`	Vulnerable	Request validation disabled	✓ Detected (expected)
`resource_exhaustion.js`	Vulnerable	resource_exhaustion	✓ Detected (expected)
`resource_injection_csharp.cs`	Vulnerable	resource_injection_csharp	✓ Detected (expected)
`rsa_without_oaep.java`	Vulnerable	rsa_without_oaep	✓ Detected (expected)
`rsa_without_oaep_csharp.cs`	Vulnerable	rsa_without_oaep_csharp	✓ Detected (expected)
`runtime_checks_bypass.cs`	Vulnerable	runtime_checks_bypass	✓ Detected (expected)
`samesite_none_cookie.js`	Vulnerable	samesite_none_cookie	✓ Detected (expected)
`samesite_none_cookie.py`	Vulnerable	samesite_none_cookie	✓ Detected (expected)
`sample_cicd_vulnerable.yml`	Vulnerable	pull_request_target with fork checkout	✓ Detected (expected)
`sample_csharp.cs`	Vulnerable	SQL injection (C# concatenation)	✓ Detected (expected)
`sample_data_retention.py`	Vulnerable	Missing Data Retention	✓ Detected (expected)
`sample_deprecated_csharp.cs`	Vulnerable	Deprecated API (C#)	✓ Detected (expected)
`sample_deprecated_java.java`	Vulnerable	Deprecated API (Java)	✓ Detected (expected)
`sample_deprecated_js.js`	Vulnerable	Deprecated API (JavaScript)	✓ Detected (expected)
`sample_deprecated_php.php`	Vulnerable	Deprecated API (PHP)	✓ Detected (expected)
`sample_dockerfile`	Vulnerable	Dockerfile runs as root	✓ Detected (expected)
`sample_frontend_xss.jsx`	Vulnerable	XSS via React dangerouslySetInnerHTML	✓ Detected (expected)
`sample_gitlab_vulnerable.yml`	Vulnerable	Unprotected GitLab CI variable	✓ Detected (expected)
`sample_hardcoded_ui_html.html`	Vulnerable	Hardcoded UI string	✓ Detected (expected)
`sample_hardcoded_ui_string.js`	Vulnerable	Hardcoded UI string	✓ Detected (expected)
`sample_java.java`	Vulnerable	SQL injection (Java concatenation)	✓ Detected (expected)
`sample_mfa_csharp.cs`	Vulnerable	Missing MFA (C#)	✓ Detected (expected)
`sample_mfa_java.java`	Vulnerable	Missing MFA (Java)	✓ Detected (expected)
`sample_mfa_js.js`	Vulnerable	Missing MFA (JavaScript)	✓ Detected (expected)
`sample_mfa_php.php`	Vulnerable	Missing MFA (PHP)	✓ Detected (expected)
`sample_mfa_python.py`	Vulnerable	Missing MFA (Python)	✓ Detected (expected)
`sample_orm_js.js`	Vulnerable	SQL injection via Sequelize raw query	✓ Detected (expected)
`sample_orm_python.py`	Vulnerable	SQL injection via Django raw SQL	✓ Detected (expected)
`sample_php.php`	Vulnerable	SQL injection (PHP concatenation)	✓ Detected (expected)
`sample_pii_logged.py`	Vulnerable	PII Logged	✓ Detected (expected)
`sample_svelte_xss.svelte`	Vulnerable	XSS via Svelte {@html} tag	✓ Detected (expected)
`sample_vue_xss.vue`	Vulnerable	XSS via Vue.js v-html directive	✓ Detected (expected)
`second_order_command_injection.js`	Vulnerable	second_order_command_injection	✓ Detected (expected)
`secret_logged.py`	Vulnerable	Secret logged (f-string)	✓ Detected (expected)
`secret_logged_arg.py`	Vulnerable	Secret logged (argument)	✓ Detected (expected)
`secret_logged_csharp.cs`	Vulnerable	Secret logged (C#)	✓ Detected (expected)
`secret_logged_fstring.py`	Vulnerable	Secret logged (f-string)	✓ Detected (expected)
`secret_logged_java.java`	Vulnerable	Secret logged (Java)	✓ Detected (expected)
`secret_logged_php.php`	Vulnerable	Secret logged (PHP)	✓ Detected (expected)
`security_questions.py`	Vulnerable	Security Questions Usage	✓ Detected (expected)
`sensitive_get_query.js`	Vulnerable	sensitive_get_query	✓ Detected (expected)
`server_crash_unhandled.js`	Vulnerable	server_crash_unhandled	✓ Detected (expected)
`service_worker_hijack.js`	Vulnerable	Service Worker Hijack	✓ Detected (expected)
`session_fixation.js`	Vulnerable	session_fixation	✓ Detected (expected)
`session_not_abandoned.cs`	Vulnerable	session_not_abandoned	✓ Detected (expected)
`shell_injection_from_env.js`	Vulnerable	shell_injection_from_env	✓ Detected (expected)
`smtp_injection_php.php`	Vulnerable	SMTP Header Injection (PHP)	✓ Detected (expected)
`smtp_injection_python.py`	Vulnerable	SMTP Header Injection (Python)	✓ Detected (expected)
`socket_auth_race.java`	Vulnerable	socket_auth_race	✓ Detected (expected)
`spel_injection.java`	Vulnerable	SpEL injection	✓ Detected (expected)
`spring_actuator_exposed.java`	Vulnerable	Spring Actuator Exposed	✓ Detected (expected)
`spring_cors_permissive.java`	Vulnerable	Permissive CORS configuration	✓ Detected (expected)
`spring_csrf_disabled.java`	Vulnerable	Spring CSRF disabled	✓ Detected (expected)
`sql_injection_concat.py`	Vulnerable	SQL Injection (concat)	✓ Detected (expected)
`sql_injection_concat_csharp.cs`	Vulnerable	SQL injection (C# concatenation)	✓ Detected (expected)
`sql_injection_concat_java.java`	Vulnerable	SQL injection (Java concatenation)	✓ Detected (expected)
`sql_injection_concat_php.php`	Vulnerable	SQL injection (PHP concatenation)	✓ Detected (expected)
`sql_injection_dapper.cs`	Vulnerable	SQL injection via Dapper raw query	✓ Detected (expected)
`sql_injection_dapper.py`	Vulnerable	SQL injection via Dapper raw query	✓ Detected (expected)
`sql_injection_django_raw.py`	Vulnerable	SQL injection via Django raw SQL	✓ Detected (expected)
`sql_injection_doctrine.php`	Vulnerable	SQL injection via Doctrine DQL	✓ Detected (expected)
`sql_injection_format_java.java`	Vulnerable	SQL injection (Java String.format)	✓ Detected (expected)
`sql_injection_format_string_python 2.py`	Vulnerable		✓ Detected (expected)
`sql_injection_format_string_python.py`	Vulnerable	SQL injection via % format string (Python)	✓ Detected (expected)
`sql_injection_fstring.py`	Vulnerable	SQL Injection (f-string)	✓ Detected (expected)
`sql_injection_java_broad.java`	Vulnerable	SQL Injection (Java)	✓ Detected (expected)
`sql_injection_jpa_native.java`	Vulnerable	SQL injection via JPA/Hibernate native query	✓ Detected (expected)
`sql_injection_mybatis.java`	Vulnerable	SQL injection via MyBatis ${} interpolation	✓ Detected (expected)
`sql_injection_prisma.js`	Vulnerable	SQL injection via Prisma $queryRaw	✓ Detected (expected)
`sql_injection_raw_js 2.js`	Vulnerable		✓ Detected (expected)
`sql_injection_raw_js.js`	Vulnerable	SQL injection in raw query (JavaScript)	✓ Detected (expected)
`sql_injection_sequelize.js`	Vulnerable	SQL injection via Sequelize raw query	✓ Detected (expected)
`sql_injection_sqlalchemy_text.py`	Vulnerable	SQL injection via SQLAlchemy text()	✓ Detected (expected)
`sql_injection_string_format_csharp 2.cs`	Vulnerable		✓ Detected (expected)
`sql_injection_string_format_csharp.cs`	Vulnerable	SQL injection via string.Format (C#)	✓ Detected (expected)
`sql_injection_typeorm.js`	Vulnerable	SQL injection via TypeORM raw query	✓ Detected (expected)
`sql_injection_whereraw_php.php`	Vulnerable	SQL injection via Laravel whereRaw/havingRaw	✓ Detected (expected)
`sql_injection_wpdb.php`	Vulnerable	SQL injection via WordPress $wpdb	✓ Detected (expected)
`sql_order_by_injection_python 2.py`	Vulnerable		✓ Detected (expected)
`sql_order_by_injection_python.py`	Vulnerable	ORDER BY injection (Python)	✓ Detected (expected)
`ssl_bypass_csharp.cs`	Vulnerable	SSL/TLS bypass (C#)	✓ Detected (expected)
`ssl_bypass_java.java`	Vulnerable	SSL/TLS bypass (Java)	✓ Detected (expected)
`ssl_no_cert_validation.py`	Vulnerable	SSL cert validation disabled	✓ Detected (expected)
`ssrf_csharp.cs`	Vulnerable	Server-Side Request Forgery (C#)	✓ Detected (expected)
`ssrf_java.java`	Vulnerable	Server-Side Request Forgery (Java)	✓ Detected (expected)
`ssrf_javascript.js`	Vulnerable	Server-Side Request Forgery (JavaScript)	✓ Detected (expected)
`ssrf_pdf_generation.py`	Vulnerable	SSRF via PDF Generation	✓ Detected (expected)
`ssrf_php.php`	Vulnerable	Server-Side Request Forgery (PHP)	✓ Detected (expected)
`ssrf_python.py`	Vulnerable	Server-Side Request Forgery (Python)	✓ Detected (expected)
`ssti_javascript.js`	Vulnerable	Server-Side Template Injection (JavaScript)	✓ Detected (expected)
`ssti_python.py`	Vulnerable	Server-Side Template Injection (Python)	✓ Detected (expected)
`static_initialization_vector.java`	Vulnerable	static_initialization_vector	✓ Detected (expected)
`stored_procedure_dynamic_csharp 2.cs`	Vulnerable		✓ Detected (expected)
`stored_procedure_dynamic_csharp.cs`	Vulnerable	Dynamic stored procedure (C#)	✓ Detected (expected)
`stored_procedure_dynamic_java 2.java`	Vulnerable		✓ Detected (expected)
`stored_procedure_dynamic_java.java`	Vulnerable	Dynamic stored procedure (Java)	✓ Detected (expected)
`stored_procedure_dynamic_php 2.php`	Vulnerable		✓ Detected (expected)
`stored_procedure_dynamic_php.php`	Vulnerable	Dynamic stored procedure (PHP)	✓ Detected (expected)
`stored_xss.js`	Vulnerable	stored_xss	✓ Detected (expected)
`style_inline.js`	Vulnerable	Inline style in JS	✓ Detected (expected)
`svelte_at_html.js`	Vulnerable	Svelte {@html} — XSS risk	✓ Detected (expected)
`svg_inline.html`	Vulnerable	Inline SVG in HTML	✓ Detected (expected)
`svg_scriptable_content.html`	Vulnerable	SVG With Scriptable Content	✓ Detected (expected)
`system_out_java.java`	Vulnerable	System.out in production (Java)	✓ Detected (expected)
`taint_codeinj.cs`	Vulnerable	Taint Code Injection	✓ Detected (expected)
`taint_codeinj.java`	Vulnerable	Taint Code Injection	✗ Missed
`taint_codeinj.js`	Vulnerable	Taint Code Injection	✗ Missed
`taint_codeinj.php`	Vulnerable	Taint Code Injection	✓ Detected (expected)
`taint_codeinj.py`	Vulnerable	Taint Code Injection	✓ Detected (expected)
`taint_cookie_injection.cs`	Vulnerable	taint_cookie_injection	✓ Detected (expected)
`taint_cookie_injection.java`	Vulnerable	taint_cookie_injection	✓ Detected (expected)
`taint_cookie_injection.js`	Vulnerable	taint_cookie_injection	✗ Missed
`taint_cookie_injection.php`	Vulnerable	taint_cookie_injection	✓ Detected (expected)
`taint_cookie_injection.py`	Vulnerable	taint_cookie_injection	✓ Detected (expected)
`taint_deserialization.cs`	Vulnerable	Taint Deserialization	✓ Detected (expected)
`taint_deserialization.java`	Vulnerable	Taint Deserialization	✓ Detected (expected)
`taint_deserialization.js`	Vulnerable	Taint Deserialization	✗ Missed
`taint_deserialization.php`	Vulnerable	Taint Deserialization	✓ Detected (expected)
`taint_deserialization.py`	Vulnerable	Taint Deserialization	✓ Detected (expected)
`taint_graphql_injection.cs`	Vulnerable	taint_graphql_injection	✓ Detected (expected)
`taint_graphql_injection.java`	Vulnerable	taint_graphql_injection	✓ Detected (expected)
`taint_graphql_injection.js`	Vulnerable	taint_graphql_injection	✗ Missed
`taint_graphql_injection.php`	Vulnerable	taint_graphql_injection	✓ Detected (expected)
`taint_graphql_injection.py`	Vulnerable	taint_graphql_injection	✓ Detected (expected)
`taint_header_injection.cs`	Vulnerable	taint_header_injection	✓ Detected (expected)
`taint_header_injection.java`	Vulnerable	taint_header_injection	✓ Detected (expected)
`taint_header_injection.js`	Vulnerable	taint_header_injection	✗ Missed
`taint_header_injection.php`	Vulnerable	taint_header_injection	✓ Detected (expected)
`taint_header_injection.py`	Vulnerable	taint_header_injection	✓ Detected (expected)
`taint_ldap.cs`	Vulnerable	Taint LDAP Injection	✓ Detected (expected)
`taint_ldap.java`	Vulnerable	Taint LDAP Injection	✓ Detected (expected)
`taint_ldap.js`	Vulnerable	Taint LDAP Injection	✗ Missed
`taint_ldap.php`	Vulnerable	Taint LDAP Injection	✓ Detected (expected)
`taint_ldap.py`	Vulnerable	Taint LDAP Injection	✓ Detected (expected)
`taint_log_injection.cs`	Vulnerable	Taint Log Injection	✓ Detected (expected)
`taint_log_injection.java`	Vulnerable	Taint Log Injection	✓ Detected (expected)
`taint_log_injection.js`	Vulnerable	Taint Log Injection	✗ Missed
`taint_log_injection.php`	Vulnerable	Taint Log Injection	✓ Detected (expected)
`taint_log_injection.py`	Vulnerable	Taint Log Injection	✓ Detected (expected)
`taint_nosql.cs`	Vulnerable	taint_nosql	✓ Detected (expected)
`taint_nosql.java`	Vulnerable	taint_nosql	✓ Detected (expected)
`taint_nosql.js`	Vulnerable	taint_nosql	✗ Missed
`taint_nosql.php`	Vulnerable	taint_nosql	✓ Detected (expected)
`taint_nosql.py`	Vulnerable	taint_nosql	✓ Detected (expected)
`taint_open_redirect.cs`	Vulnerable	Taint Open Redirect	✓ Detected (expected)
`taint_open_redirect.java`	Vulnerable	Taint Open Redirect	✓ Detected (expected)
`taint_open_redirect.js`	Vulnerable	Taint Open Redirect	✗ Missed
`taint_open_redirect.php`	Vulnerable	Taint Open Redirect	✓ Detected (expected)
`taint_open_redirect.py`	Vulnerable	Taint Open Redirect	✓ Detected (expected)
`taint_path_traversal.cs`	Vulnerable	Taint Path Traversal	✓ Detected (expected)
`taint_path_traversal.java`	Vulnerable	Taint Path Traversal	✓ Detected (expected)
`taint_path_traversal.js`	Vulnerable	Taint Path Traversal	✗ Missed
`taint_path_traversal.php`	Vulnerable	Taint Path Traversal	✓ Detected (expected)
`taint_path_traversal.py`	Vulnerable	Taint Path Traversal	✓ Detected (expected)
`taint_rce.cs`	Vulnerable	Taint RCE	✓ Detected (expected)
`taint_rce.java`	Vulnerable	Taint RCE	✓ Detected (expected)
`taint_rce.js`	Vulnerable	Taint RCE	✗ Missed
`taint_rce.php`	Vulnerable	Taint RCE	✓ Detected (expected)
`taint_rce.py`	Vulnerable	Taint RCE	✓ Detected (expected)
`taint_smtp_injection.cs`	Vulnerable	taint_smtp_injection	✓ Detected (expected)
`taint_smtp_injection.java`	Vulnerable	taint_smtp_injection	✗ Missed
`taint_smtp_injection.js`	Vulnerable	taint_smtp_injection	✗ Missed
`taint_smtp_injection.php`	Vulnerable	taint_smtp_injection	✓ Detected (expected)
`taint_smtp_injection.py`	Vulnerable	taint_smtp_injection	✓ Detected (expected)
`taint_sqli.cs`	Vulnerable	Taint SQL Injection	✓ Detected (expected)
`taint_sqli.java`	Vulnerable	Taint SQL Injection	✓ Detected (expected)
`taint_sqli.js`	Vulnerable	Taint SQL Injection	✗ Missed
`taint_sqli.php`	Vulnerable	Taint SQL Injection	✓ Detected (expected)
`taint_sqli.py`	Vulnerable	Taint SQL Injection	✓ Detected (expected)
`taint_ssrf.cs`	Vulnerable	Taint SSRF	✓ Detected (expected)
`taint_ssrf.java`	Vulnerable	Taint SSRF	✓ Detected (expected)
`taint_ssrf.js`	Vulnerable	Taint SSRF	✗ Missed
`taint_ssrf.php`	Vulnerable	Taint SSRF	✓ Detected (expected)
`taint_ssrf.py`	Vulnerable	Taint SSRF	✓ Detected (expected)
`taint_ssti.cs`	Vulnerable	Taint SSTI	✓ Detected (expected)
`taint_ssti.java`	Vulnerable	Taint SSTI	✓ Detected (expected)
`taint_ssti.js`	Vulnerable	Taint SSTI	✗ Missed
`taint_ssti.php`	Vulnerable	Taint SSTI	✓ Detected (expected)
`taint_ssti.py`	Vulnerable	Taint SSTI	✓ Detected (expected)
`taint_xpathi.cs`	Vulnerable	Taint XPath Injection	✓ Detected (expected)
`taint_xpathi.java`	Vulnerable	Taint XPath Injection	✓ Detected (expected)
`taint_xpathi.js`	Vulnerable	Taint XPath Injection	✗ Missed
`taint_xpathi.php`	Vulnerable	Taint XPath Injection	✓ Detected (expected)
`taint_xpathi.py`	Vulnerable	Taint XPath Injection	✓ Detected (expected)
`taint_xss.cs`	Vulnerable	Taint XSS	✓ Detected (expected)
`taint_xss.java`	Vulnerable	Taint XSS	✓ Detected (expected)
`taint_xss.js`	Vulnerable	Taint XSS	✗ Missed
`taint_xss.php`	Vulnerable	Taint XSS	✓ Detected (expected)
`taint_xss.py`	Vulnerable	Taint XSS	✓ Detected (expected)
`taint_xxe.cs`	Vulnerable	Taint XXE	✓ Detected (expected)
`taint_xxe.java`	Vulnerable	Taint XXE	✓ Detected (expected)
`taint_xxe.js`	Vulnerable	Taint XXE	✗ Missed
`taint_xxe.php`	Vulnerable	Taint XXE	✓ Detected (expected)
`taint_xxe.py`	Vulnerable	Taint XXE	✓ Detected (expected)
`tainted_format_string.js`	Vulnerable	tainted_format_string	✓ Detected (expected)
`tainted_permissions_check.java`	Vulnerable	tainted_permissions_check	✓ Detected (expected)
`tarfile_unsafe_extract.py`	Vulnerable	Unsafe tar extraction	✓ Detected (expected)
`temp_dir_info_disclosure.java`	Vulnerable	temp_dir_info_disclosure	✓ Detected (expected)
`template_injection_java.java`	Vulnerable	template_injection_java	✓ Detected (expected)
`template_object_injection.js`	Vulnerable	template_object_injection	✓ Detected (expected)
`toctou_race_condition.java`	Vulnerable	toctou_race_condition	✓ Detected (expected)
`todo_comment.py`	Vulnerable	Unresolved TODO/FIXME	✓ Detected (expected)
`todo_unresolved.java`	Vulnerable	Unresolved TODO/FIXME	✓ Detected (expected)
`todo_unresolved.js`	Vulnerable	Unresolved TODO/FIXME	✓ Detected (expected)
`todo_unresolved.py`	Vulnerable	Unresolved TODO/FIXME	✓ Detected (expected)
`trust_boundary_java.java`	Vulnerable	Trust Boundary Violation	✓ Detected (expected)
`trust_boundary_python.py`	Vulnerable	Trust boundary violation	✓ Detected (expected)
`type_confusion_parameter.js`	Vulnerable	type_confusion_parameter	✓ Detected (expected)
`type_juggling_php.php`	Vulnerable	Type juggling (PHP)	✓ Detected (expected)
`unbounded_query.py`	Vulnerable	Unbounded Query	✓ Detected (expected)
`unbounded_query_java 2.java`	Vulnerable		✓ Detected (expected)
`unbounded_query_java.java`	Vulnerable	Unbounded query (Java)	✓ Detected (expected)
`unbounded_query_js 2.js`	Vulnerable		✓ Detected (expected)
`unbounded_query_js.js`	Vulnerable	Unbounded query (JavaScript)	✓ Detected (expected)
`unbounded_query_php 2.php`	Vulnerable		✓ Detected (expected)
`unbounded_query_php.php`	Vulnerable	Unbounded query (PHP)	✓ Detected (expected)
`uncontrolled_format_string.cs`	Vulnerable	uncontrolled_format_string	✓ Detected (expected)
`unencrypted_transfer.py`	Vulnerable	Unencrypted Data Transfer	✓ Detected (expected)
`unpinned_action_version.yml`	Vulnerable	Unpinned action version	✓ Detected (expected)
`unpinned_composer.json`	Vulnerable	Unpinned Dependency	✓ Detected (expected)
`unpinned_csproj.xml`	Vulnerable	Unpinned Dependency	✓ Detected (expected)
`unpinned_package.json`	Vulnerable	Unpinned Dependency	✓ Detected (expected)
`unpinned_pom.xml`	Vulnerable	Unpinned Dependency	✓ Detected (expected)
`unpinned_requirements.txt`	Vulnerable	Unpinned Dependency	✓ Detected (expected)
`unrestricted_file_upload_java 2.java`	Vulnerable		✓ Detected (expected)
`unrestricted_file_upload_java.java`	Vulnerable	Unrestricted file upload (Java/Spring)	✓ Detected (expected)
`unrestricted_file_upload_js 2.js`	Vulnerable		✓ Detected (expected)
`unrestricted_file_upload_js.js`	Vulnerable	Unrestricted file upload (Node.js/Multer)	✓ Detected (expected)
`unrestricted_file_upload_php 2.php`	Vulnerable		✓ Detected (expected)
`unrestricted_file_upload_php.php`	Vulnerable	Unrestricted file upload (PHP)	✓ Detected (expected)
`unreviewed_vendor_code.py`	Vulnerable	Unreviewed Vendor Code	✓ Detected (expected)
`unsafe_code_construction.js`	Vulnerable	unsafe_code_construction	✓ Detected (expected)
`unsafe_deserialization.py`	Vulnerable	Unsafe deserialization	✓ Detected (expected)
`unsafe_deserialization_csharp.cs`	Vulnerable	Unsafe deserialization (C#)	✓ Detected (expected)
`unsafe_deserialization_delegate.cs`	Vulnerable	unsafe_deserialization_delegate	✓ Detected (expected)
`unsafe_deserialization_java.java`	Vulnerable	Unsafe deserialization (Java)	✓ Detected (expected)
`unsafe_deserialization_php.php`	Vulnerable	Unsafe deserialization (PHP)	✓ Detected (expected)
`unsafe_dynamic_method_access.js`	Vulnerable	unsafe_dynamic_method_access	✓ Detected (expected)
`unsafe_html_expansion.js`	Vulnerable	unsafe_html_expansion	✓ Detected (expected)
`unsafe_require.js`	Vulnerable	require() with dynamic variable	✓ Detected (expected)
`unsafe_shell_construction.py`	Vulnerable	unsafe_shell_construction	✓ Detected (expected)
`unvalidated_dynamic_method_call.js`	Vulnerable	unvalidated_dynamic_method_call	✓ Detected (expected)
`unvalidated_input.py`	Vulnerable	Unvalidated input (OS injection)	✓ Detected (expected)
`url_forward_injection.java`	Vulnerable	url_forward_injection	✓ Detected (expected)
`use_ssl_socket.java`	Vulnerable	use_ssl_socket	✓ Detected (expected)
`useless_regexp_escape.js`	Vulnerable	useless_regexp_escape	✓ Detected (expected)
`verbose_exception.py`	Vulnerable	Verbose exception	✓ Detected (expected)
`verbose_exception_csharp.cs`	Vulnerable	Verbose exception (C#)	✓ Detected (expected)
`verbose_exception_java.java`	Vulnerable	Verbose exception (Java)	✓ Detected (expected)
`verbose_exception_php.php`	Vulnerable	Verbose exception (PHP)	✓ Detected (expected)
`vue_v_html.js`	Vulnerable	Vue.js v-html — XSS risk	✓ Detected (expected)
`vulnerable_package.json`	Vulnerable	Vulnerable Dependency	✓ Detected (expected)
`vulnerable_pyproject.toml`	Vulnerable	Vulnerable Dependency	✓ Detected (expected)
`vulnerable_requirements.txt`	Vulnerable	Vulnerable Dependency	✓ Detected (expected)
`weak_cipher_java.java`	Vulnerable	Weak Cipher (Java)	✓ Detected (expected)
`weak_crypto.py`	Vulnerable	Weak cryptographic algorithm	✓ Detected (expected)
`weak_crypto_csharp.cs`	Vulnerable	Weak cryptography (C#)	✓ Detected (expected)
`weak_crypto_java.java`	Vulnerable	Weak cryptography (Java)	✓ Detected (expected)
`weak_crypto_php.php`	Vulnerable	Weak cryptography (PHP)	✓ Detected (expected)
`weak_password_hash.py`	Vulnerable	Weak Password Hash	✓ Detected (expected)
`weak_password_hash_php 2.php`	Vulnerable		✓ Detected (expected)
`weak_password_hash_php.php`	Vulnerable	Weak password hashing (PHP)	✓ Detected (expected)
`weak_password_policy.py`	Vulnerable	Weak Password Policy	✓ Detected (expected)
`weak_random_csharp.cs`	Vulnerable	Weak random (C#)	✓ Detected (expected)
`weak_random_java.java`	Vulnerable	Weak random (Java)	✓ Detected (expected)
`weak_random_java_util.java`	Vulnerable	Weak Random (Java)	✓ Detected (expected)
`weak_random_php.php`	Vulnerable	Weak random (PHP)	✓ Detected (expected)
`weak_random_python.py`	Vulnerable	Weak random number generator	✓ Detected (expected)
`websocket_no_tls.js`	Vulnerable	WebSocket Without TLS	✓ Detected (expected)
`websocket_no_tls.py`	Vulnerable	WebSocket Without TLS	✓ Detected (expected)
`websocket_no_validation.js`	Vulnerable	WebSocket No Validation	✓ Detected (expected)
`window_open_noopener.js`	Vulnerable	window.open without noopener	✓ Detected (expected)
`workflow_not_in_codeowners.yml`	Vulnerable	Workflows missing from CODEOWNERS	✓ Detected (expected)
`world_writable_file_read.java`	Vulnerable	world_writable_file_read	✓ Detected (expected)
`xml_bomb.js`	Vulnerable	xml_bomb	✓ Detected (expected)
`xml_bomb.py`	Vulnerable	xml_bomb	✓ Detected (expected)
`xml_injection_csharp.cs`	Vulnerable	xml_injection_csharp	✓ Detected (expected)
`xpath_injection.js`	Vulnerable	xpath_injection	✓ Detected (expected)
`xpath_injection_csharp.cs`	Vulnerable	XPath Injection (C#)	✓ Detected (expected)
`xpath_injection_java.java`	Vulnerable	XPath Injection (Java)	✓ Detected (expected)
`xpath_injection_java_eval.java`	Vulnerable	XPath Injection (Java)	✓ Detected (expected)
`xpath_injection_php.php`	Vulnerable	XPath Injection (PHP)	✓ Detected (expected)
`xpath_injection_python.py`	Vulnerable	XPath Injection (Python)	✓ Detected (expected)
`xslt_injection.java`	Vulnerable	xslt_injection	✓ Detected (expected)
`xss_angular_bypass.js`	Vulnerable	XSS via Angular security bypass	✓ Detected (expected)
`xss_blade_unescaped.php`	Vulnerable	XSS via unescaped Blade output	✓ Detected (expected)
`xss_echo_php.php`	Vulnerable	XSS via echo (PHP)	✓ Detected (expected)
`xss_exception_exposure.js`	Vulnerable	xss_exception_exposure	✓ Detected (expected)
`xss_flask_reflected.py`	Vulnerable	Reflected XSS (Flask)	✓ Detected (expected)
`xss_innerhtml.js`	Vulnerable	XSS via innerHTML	✓ Detected (expected)
`xss_jquery_unsafe_plugin.js`	Vulnerable	xss_jquery_unsafe_plugin	✓ Detected (expected)
`xss_raw_html.cs`	Vulnerable	XSS via Html.Raw()	✓ Detected (expected)
`xss_raw_html.py`	Vulnerable	XSS via Html.Raw()	✓ Detected (expected)
`xss_react_dangerous.js`	Vulnerable	XSS via React dangerouslySetInnerHTML	✓ Detected (expected)
`xss_servlet_response.java`	Vulnerable	XSS Servlet Response	✓ Detected (expected)
`xss_through_dom.js`	Vulnerable	xss_through_dom	✓ Detected (expected)
`xss_unsafe_html_construction.js`	Vulnerable	xss_unsafe_html_construction	✓ Detected (expected)
`xxe_injection.java`	Vulnerable	XXE injection	✓ Detected (expected)
`xxe_injection.js`	Vulnerable	XXE injection	✓ Detected (expected)
`xxe_injection_csharp.cs`	Vulnerable	XXE injection (C#)	✓ Detected (expected)
`xxe_injection_php.php`	Vulnerable	XXE injection (PHP)	✓ Detected (expected)
`xxe_injection_python.py`	Vulnerable	XXE injection (Python)	✓ Detected (expected)
`xxe_xmldocument.cs`	Vulnerable	xxe_xmldocument	✓ Detected (expected)
`zip_bomb.py`	Vulnerable	Zip bomb vulnerability	✓ Detected (expected)
`zip_slip.java`	Vulnerable	zip_slip	✓ Detected (expected)
`zip_slip_csharp.cs`	Vulnerable	zip_slip_csharp	✓ Detected (expected)

📋

ISO 27001 Compliance Matrix 44/93

↑ Table of Contents ▶

This matrix shows which Annex A controls are testable by static code analysis. It does not certify full compliance with ISO 27001 — organizational, physical and procedural controls require separate assessment.

Annex A Coverage 44/93 controls covered (47%)

📋 Overall Coverage

📊 Coverage by Theme

🕸️ Maturity Profile

📊 Controls Status

🏢 Organizational Controls (A.5) 10/37 ▶

Control	Name	Status	Rules	Findings
A.5.1	Policies for information security	Covered	1	—
A.5.10	Acceptable use of information and other associated assets	Not applicable	0	—
A.5.11	Return of assets	Not applicable	0	—
A.5.12	Classification of information	Not applicable	0	—
A.5.13	Labelling of information	Not applicable	0	—
A.5.14	Information transfer	Covered	1	—
A.5.15	Access control	Covered	1	—
A.5.16	Identity management	Not applicable	0	—
A.5.17	Authentication information	Not applicable	0	—
A.5.18	Access rights	Covered	1	—
A.5.19	Information security in supplier relationships	Not applicable	0	—
A.5.2	Information security roles and responsibilities	Not applicable	0	—
A.5.20	Addressing information security within supplier agreements	Not applicable	0	—
A.5.21	Managing information security in the ICT supply chain	Covered	5	—
A.5.22	Monitoring, review and change management of supplier services	Not applicable	0	—
A.5.23	Information security for use of cloud services	Covered	1	—
A.5.24	Information security incident management planning and preparation	Not applicable	0	—
A.5.25	Assessment and decision on information security events	Not applicable	0	—
A.5.26	Response to information security incidents	Not applicable	0	—
A.5.27	Learning from information security incidents	Not applicable	0	—
A.5.28	Collection of evidence	Not applicable	0	—
A.5.29	Information security during disruption	Not applicable	0	—
A.5.3	Segregation of duties	Not applicable	0	—
A.5.30	ICT readiness for business continuity	Not applicable	0	—
A.5.31	Legal, statutory, regulatory and contractual requirements	Not applicable	0	—
A.5.32	Intellectual property rights	Covered	1	—
A.5.33	Protection of records	Covered	1	—
A.5.34	Privacy and protection of PII	Covered	2	—
A.5.35	Independent review of information security	Not applicable	0	—
A.5.36	Compliance with policies, rules and standards for information security	Not applicable	0	—
A.5.37	Documented operating procedures	Covered	1	—
A.5.4	Management responsibilities	Not applicable	0	—
A.5.5	Contact with authorities	Not applicable	0	—
A.5.6	Contact with special interest groups	Not applicable	0	—
A.5.7	Threat intelligence	Not applicable	0	—
A.5.8	Information security in project management	Not applicable	0	—
A.5.9	Inventory of information and other associated assets	Not applicable	0	—

👥 People Controls (A.6) 0/8 ▶

Control	Name	Status	Rules	Findings
A.6.1	Screening	Not applicable	0	—
A.6.2	Terms and conditions of employment	Not applicable	0	—
A.6.3	Information security awareness, education and training	Not applicable	0	—
A.6.4	Disciplinary process	Not applicable	0	—
A.6.5	Responsibilities after termination or change of employment	Not applicable	0	—
A.6.6	Confidentiality or non-disclosure agreements	Not applicable	0	—
A.6.7	Remote working	Not applicable	0	—
A.6.8	Information security event reporting	Not applicable	0	—

🏗️ Physical Controls (A.7) 0/14 ▶

Control	Name	Status	Rules	Findings
A.7.1	Physical security perimeters	Not applicable	0	—
A.7.10	Storage media	Not applicable	0	—
A.7.11	Supporting utilities	Not applicable	0	—
A.7.12	Cabling security	Not applicable	0	—
A.7.13	Equipment maintenance	Not applicable	0	—
A.7.14	Secure disposal or re-use of equipment	Not applicable	0	—
A.7.2	Physical entry	Not applicable	0	—
A.7.3	Securing offices, rooms and facilities	Not applicable	0	—
A.7.4	Physical security monitoring	Not applicable	0	—
A.7.5	Protecting against physical and environmental threats	Not applicable	0	—
A.7.6	Working in secure areas	Not applicable	0	—
A.7.7	Clear desk and clear screen	Not applicable	0	—
A.7.8	Equipment siting and protection	Not applicable	0	—
A.7.9	Security of assets off-premises	Not applicable	0	—

💻 Technological Controls (A.8) 34/34 ▶

Control	Name	Status	Rules	Findings
A.8.1	User endpoint devices	Covered	1	—
A.8.10	Information deletion	Covered	1	—
A.8.11	Data masking	Covered	1	—
A.8.12	Data leakage prevention	Covered	16	—
A.8.13	Information backup	Covered	1	—
A.8.14	Redundancy of information processing facilities	Covered	1	—
A.8.15	Logging	Covered	9	—
A.8.16	Monitoring activities	Covered	1	—
A.8.17	Clock synchronization	Covered	1	—
A.8.18	Use of privileged utility programs	Covered	1	—
A.8.19	Installation of software on operational systems	Covered	2	—
A.8.2	Privileged access rights	Covered	4	—
A.8.20	Networks security	Covered	9	—
A.8.21	Security of network services	Covered	1	—
A.8.22	Segregation of networks	Covered	1	—
A.8.23	Web filtering	Covered	1	—
A.8.24	Use of cryptography	Covered	14	—
A.8.25	Secure development life cycle	Covered	13	—
A.8.26	Application security requirements	Covered	61	—
A.8.27	Secure system architecture and engineering principles	Covered	5	—
A.8.28	Secure coding	Covered	119	—
A.8.29	Security testing in development and acceptance	Covered	2	—
A.8.3	Information access restriction	Covered	9	—
A.8.30	Outsourced development	Covered	1	—
A.8.31	Separation of development, test and production environments	Covered	4	—
A.8.32	Change management	Covered	2	—
A.8.33	Test information	Covered	1	—
A.8.34	Protection of information systems during audit testing	Covered	1	—
A.8.4	Access to source code	Covered	1	—
A.8.5	Secure authentication	Covered	4	—
A.8.6	Capacity management	Covered	1	—
A.8.7	Protection against malware	Covered	6	—
A.8.8	Management of technical vulnerabilities	Covered	9	—
A.8.9	Configuration management	Covered	15	—

🔰

OWASP ASVS v5.0.0 Compliance 44/348

↑ Table of Contents ▶

This matrix shows which ASVS requirements are testable by static code analysis (~24% SAST ceiling). It does not certify full ASVS compliance — runtime, infrastructure and procedural requirements need separate assessment.

ASVS Coverage 44/348 requirements covered (13%)

🔰 Overall Coverage

📊 Coverage by Chapter

🕸️ Coverage Profile

📊 Requirements Status

🛡️ V1 — Encoding, Sanitization and Sandboxing 16/30 ▶

Requirement	Name	Level	Status	Rules	Findings
1.2.1	Verify that output encoding for HTML contexts prevents XSS	L1	Covered	8	—
1.2.10	Verify that CSV injection is prevented	L2	Covered	1	—
1.2.2	Verify that output encoding for JavaScript contexts prevents XSS	L1	Not applicable	0	—
1.2.3	Verify that output encoding for URL contexts prevents injection	L1	Not applicable	0	—
1.2.4	Verify that SQL queries use parameterized queries or ORM	L1	Covered	18	—
1.2.5	Verify that OS command injection is prevented	L1	Covered	3	—
1.2.6	Verify that LDAP injection is prevented	L1	Covered	3	—
1.2.7	Verify that XML Path Language — Query language for XML documents; injection can allow unauthorized data access.">XPath or XML injection is prevented	L1	Covered	4	—
1.3.10	Verify that format string vulnerabilities are prevented	L2	Covered	1	—
1.3.11	Verify that SMTP header injection is prevented	L2	Covered	2	—
1.3.12	Verify that ReDoS is prevented in regex patterns	L2	Covered	1	—
1.3.2	Verify that dynamic code execution features are not used with untrusted data	L1	Covered	2	—
1.3.4	Verify that XML-based vector image format for the web.">SVG scriptable content is handled safely	L1	Covered	1	—
1.3.6	Verify that SSRF protections are implemented	L1	Covered	5	—
1.3.7	Verify that template injection is prevented	L1	Covered	3	—
1.3.8	Verify that API used for directory services; exploited in Log4Shell (CVE-2021-44228) for RCE.">JNDI injection is prevented	L1	Covered	1	—
1.5.1	Verify that XML parsers are configured to prevent XXE	L1	Covered	3	—
1.5.2	Verify that deserialization of untrusted data is avoided	L1	Covered	4	—

✅ V2 — Validation and Business Logic 0/13 ▶

Not applicable

🌐 V3 — Web Frontend Security 11/31 ▶

Requirement	Name	Level	Status	Rules	Findings
3.3.1	Verify that cookies have Secure attribute set	L1	Covered	1	—
3.4.1	Verify that HSTS header is set	L1	Covered	1	—
3.4.2	Verify that CORS policy is restrictive	L1	Covered	3	—
3.4.3	Verify that CSP header is configured	L1	Covered	1	—
3.4.4	Verify that X-Content-Type-Options is set to nosniff	L1	Covered	1	—
3.4.5	Verify that Referrer-Policy header is configured	L2	Covered	1	—
3.4.6	Verify that clickjacking protection is implemented	L1	Covered	1	—
3.5.1	Verify that CSRF protections are enabled	L1	Covered	2	—
3.5.5	Verify that postMessage origin is validated	L2	Covered	1	—
3.6.1	Verify that SRI is used for external scripts	L2	Covered	1	—
3.7.2	Verify that open redirect vulnerabilities are prevented	L1	Covered	3	—

🔌 V4 — API and Web Service Security 3/16 ▶

Requirement	Name	Level	Status	Rules	Findings
4.3.1	Verify that GraphQL has depth and cost limits	L2	Covered	1	—
4.3.2	Verify that GraphQL introspection is disabled in production	L2	Covered	1	—
4.4.1	Verify that WebSocket connections use SSL).">TLS	L1	Covered	1	—

📁 V5 — File Handling 2/13 ▶

Requirement	Name	Level	Status	Rules	Findings
5.2.2	Verify that file uploads are validated for type and size	L1	Covered	1	—
5.3.2	Verify that path traversal is prevented	L1	Covered	4	—

🔑 V6 — Authentication 4/48 ▶

Requirement	Name	Level	Status	Rules	Findings
6.2.1	Verify that passwords have a minimum length of 8 characters	L1	Covered	1	—
6.3.2	Verify that default credentials are not used	L1	Covered	1	—
6.3.3	Verify that MFA is available for sensitive operations	L2	Covered	5	—
6.4.2	Verify that security questions are not used for authentication	L1	Covered	1	—

🔒 V7 — Session Management 0/20 ▶

Not applicable

👤 V8 — Authorization 0/14 ▶

Not applicable

🎟️ V9 — Self-contained Tokens 2/7 ▶

Requirement	Name	Level	Status	Rules	Findings
9.1.2	Verify that JWT none algorithm is rejected	L1	Covered	1	—
9.1.3	Verify that JWT signing keys are not hardcoded	L1	Covered	1	—

🔗 V10 — OAuth and OIDC 0/35 ▶

Not applicable

🔐 V11 — Cryptography 4/25 ▶

Requirement	Name	Level	Status	Rules	Findings
11.2.3	Verify that key sizes meet minimum requirements	L1	Covered	1	—
11.3.1	Verify that strong cryptographic algorithms are used	L1	Covered	4	—
11.3.2	Verify that deprecated algorithms are not used	L1	Covered	2	—
11.4.1	Verify that strong hash functions are used	L1	Not applicable	0	—
11.5.1	Verify that cryptographically secure random generators are used	L1	Covered	4	—

📡 V12 — Secure Communication 1/12 ▶

Requirement	Name	Level	Status	Rules	Findings
12.2.1	Verify that all connections use SSL).">TLS	L1	Covered	2	—

⚙️ V13 — Configuration 0/21 ▶

Not applicable

💾 V14 — Data Protection 0/13 ▶

Not applicable

🏗️ V15 — Secure Coding and Architecture 0/21 ▶

Not applicable

📝 V16 — Security Logging and Error Handling 1/17 ▶

Requirement	Name	Level	Status	Rules	Findings
16.3.2	Verify that log injection is prevented	L2	Covered	1	—

📹 V17 — WebRTC 0/12 ▶

Not applicable

🛡️

NIST CSF 2.0 Compliance 0/17

↑ Table of Contents ▶

Coverage indicates which CSF subcategories are checked by SCA rules. Findings indicate detected issues that should be addressed for compliance.

CSF Subcategories Coverage 0/17 subcategories covered (0.0%)

📋 Overall Coverage

📊 Coverage by Function

🕸️ Function Profile

📊 Subcategories Status

🏛️ GV — Govern 0/1 ▶

ID	Subcategory	Status	Rules	Findings
GV.SC-05	Supply chain risk assessment is performed	Not applicable	4	—

🔍 ID — Identify 0/1 ▶

ID	Subcategory	Status	Rules	Findings
ID.RA-01	Vulnerabilities in assets are identified, validated, and recorded	Not applicable	1	—

🛡️ PR — Protect 0/14 ▶

ID	Subcategory	Status	Rules	Findings
PR.AA-01	Identities and credentials are managed	Not applicable	5	—
PR.AA-03	Users, services, and hardware are authenticated	Not applicable	6	—
PR.AA-04	Identity assertions are protected, conveyed, and verified	Not applicable	2	—
PR.AA-05	Access permissions, entitlements, and authorizations are managed	Not applicable	7	—
PR.DS-01	Data-at-rest is protected	Not applicable	13	—
PR.DS-02	Data-in-transit is protected	Not applicable	9	—
PR.DS-10	Confidentiality, integrity, and availability of data are protected	Not applicable	41	—
PR.IR-01	Networks and environments are protected	Not applicable	14	—
PR.IR-02	Technology assets are managed to ensure availability	Not applicable	6	—
PR.PS-01	Configuration management practices are established	Not applicable	4	—
PR.PS-02	Software is maintained, replaced, and removed	Not applicable	7	—
PR.PS-04	Log records are generated and made available	Not applicable	4	—
PR.PS-05	Installation and execution of unauthorized software is prevented	Not applicable	4	—
PR.PS-06	Secure software development practices are used	Not applicable	32	—

📡 DE — Detect 0/1 ▶

ID	Subcategory	Status	Rules	Findings
DE.CM-09	Computing hardware and software are monitored	Not applicable	3	—

✅

Verified Good Practices 182

↑ Table of Contents ▶

This section lists positive findings from the audit. Each item represents a verified security or architecture good practice in your code.

🛡️

✅ Security & OWASP 156 passed check(s)

▶

Prevents arbitrary code execution via malicious assembly loading.

Prevents sensitive data exposure via plaintext file storage.

Reduces attack surface and strengthens application security.

Prevents authentication bypass via user-controlled request parameter checks.

Prevents database reconnaissance and internal structure disclosure that enables targeted SQL injection attacks.

Prevents weakening of system-wide TLS trust by adding application-specific certificates to the root store.

Prevents data pattern leakage via ECB mode deterministic encryption.

Prevents excessive data exposure of private user information in API responses.

Prevents accidental exposure of sensitive data in API responses.

Prevents database credential exposure via hardcoded connection strings in source code.

Prevents encryption key exposure via source code and compiled assembly decompilation.

Ensures all SQL Server communications are encrypted and the server certificate is validated.

Ensures RSA keys meet minimum cryptographic strength requirements.

Prevents buffer overflow via unvalidated pointer arithmetic in unsafe code.

Ensures all sensitive controller actions require authentication before access is granted.

Prevents ReDoS attacks via user-controlled regular expression patterns.

Prevents unauthorized resource loading and code execution via user-controlled resource identifiers.

Prevents padding oracle attacks against RSA-encrypted data.

Ensures deserialized values undergo the same runtime validation as user-supplied input.

Prevents session fixation by invalidating the pre-login session after successful authentication.

Reduces attack surface and strengthens application security (CWE-89, OWASP A03).

Eliminates SQL injection via string.Format() by enforcing parameterized query usage.

Eliminates dynamic SQL injection vectors in stored procedure calls by enforcing parameterized execution.

Prevents format string injection that can cause exceptions and bypass security mechanisms.

Prevents arbitrary code execution via malicious serialized .NET objects.

Prevents XML injection attacks via user-controlled XML content.

Prevents XXE attacks via external entity resolution in XmlDocument.

Prevents path traversal attacks via malicious archive entry names.

Prevents denial-of-service via user-controlled array size allocation.

Prevents out-of-bounds array access via user-controlled index values.

Prevents sensitive data exposure via heap dumps and JVM memory inspection.

Prevents sensitive data exposure via cookie content visible to clients and intermediaries.

Prevents credential exposure via source code and compiled class file decompilation.

Prevents authentication bypass via user-controlled security conditions.

Prevents OS command injection by using ProcessBuilder with explicit argument arrays.

Prevents database reconnaissance that enables targeted SQL injection and data extraction attacks.

Encrypts all data in transit between the Java application and the database, preventing credential theft and data interception.

Prevents command injection via externally controlled environment variables.

Prevents shell command injection via metacharacter injection in concatenated command strings.

Prevents arbitrary code execution via Groovy script injection.

Prevents database credential exposure via source code and version control history.

Prevents HTTP Response Splitting attacks via CRLF injection in header values.

Prevents denial-of-service via user-controlled loop termination conditions.

Prevents credential interception by ensuring authentication credentials are transmitted only over encrypted HTTPS.

Prevents EL injection via Bean Validation constraint message expressions.

Ensures SMTP credentials are transmitted only over encrypted connections.

Prevents LDAP credential interception over unencrypted network connections.

Prevents man-in-the-middle attacks replacing Maven artifacts with malicious code.

Ensures asymmetric keys meet minimum cryptographic strength requirements.

Prevents arbitrary code execution via JEXL expression injection.

Ensures JWT signature is cryptographically verified before trusting the claims.

Prevents arbitrary code execution via MVEL expression injection.

Prevents HTTP Response Splitting via CRLF injection in Netty HTTP headers.

Prevents NoSQL injection that bypasses authentication and authorization filters via injected query operators.

Prevents remote code execution via OGNL expression injection (Struts2-style attacks).

Prevents path traversal bypass via directory name prefix matching without separator.

One-way hashing with a strong KDF makes stored passwords practically irrecoverable even after a database breach.

Prevents denial-of-service via catastrophically backtracking regular expressions.

Ensures SecureRandom is seeded with true entropy, making generated values cryptographically unpredictable.

Ensures each encryption operation uses a unique IV, preventing pattern analysis and GCM authentication key exposure.

Eliminates stored procedure injection by enforcing parameterized procedure calls.

Prevents privilege escalation via user-controlled permission check arguments.

Prevents server-side template injection leading to arbitrary code execution.

Prevents web shell uploads and arbitrary code execution via unrestricted file upload (CWE-434).

Prevents unauthorized access to internal application resources via RequestDispatcher forwarding.

Ensures all socket communication is encrypted with TLS, preventing network eavesdropping.

Prevents content injection via world-writable files being modified between write permission grant and read operation.

Prevents remote code execution via malicious XSLT extension functions.

Prevents XXE attacks enabling local file read, SSRF, and denial-of-service.

Prevents resource loading from attacker-controlled domains via overly broad URL whitelists.

Replaces broken/obsolete ciphers with a modern, secure encryption algorithm.

Prevents source code exposure via build artifact source maps in production deployments.

Protects sensitive data at rest against unauthorized filesystem access.

Prevents client-side request forgery via DOM-derived request URLs.

Prevents authorization bypass via user-controlled security conditions.

Ensures all database communications are encrypted and the server identity is verified, preventing man-in-the-middle attacks.

Prevents security check bypass via attacker-controlled comparison of different request data kinds.

Ensures TLS certificate chain is validated, preventing man-in-the-middle attacks.

Prevents code injection via string-based setTimeout/setInterval usage.

Prevents MITM injection of malicious scripts via mixed HTTP/HTTPS content in Electron.

Prevents XSS in renderer from escalating to OS-level code execution via Node.js API access.

Maintains browser security boundaries preventing arbitrary cross-origin requests in Electron apps.

Ensures all services require authentication, preventing unauthorized access.

Prevents code injection via compromised or replaced external script sources.

Prevents man-in-the-middle injection of malicious scripts via external resource loading.

Prevents obfuscated backdoor code from hiding malicious intent via data encoding.

Reduces attack surface and strengthens application security (CWE-798, OWASP A07).

Prevents account takeover via Host header poisoning in transactional emails.

Prevents arbitrary file write via unvalidated HTTP response data.

Prevents code injection bypass via insufficient sanitization before eval.

Prevents XSS via HTML attribute injection including javascript: URIs and event handler injection.

Prevents XSS bypass via case variations of dangerous HTML/JavaScript sequences.

Ensures all occurrences of dangerous characters are replaced, not just the first.

Prevents XSS via alternative executable URL schemes bypassing incomplete scheme checks.

Prevents OS command injection via shell metacharacter injection in command strings.

Prevents man-in-the-middle attacks replacing npm dependencies with malicious code.

Prevents man-in-the-middle attacks replacing downloaded executables with malicious code.

Eliminates TOCTOU race condition on temporary file creation.

Ensures password hashes are computationally expensive to reverse, resisting brute-force attacks.

Ensures JWT signature is always cryptographically verified before trusting the payload.

Prevents denial-of-service via attacker-controlled loop iteration counts.

Prevents credential exposure via version control and configuration file leaks.

Prevents exposure of source code, secrets, and internal application files via static serving.

Prevents arbitrary Lua code injection into Redis, protecting data integrity and access controls.

Prevents ReDoS attacks and regex-based validation bypass.

Prevents prototype pollution and resource exhaustion via user-supplied object properties.

Prevents denial-of-service through unbounded memory allocation or CPU iteration.

Prevents second-order command injection via database-stored values used in shell commands.

Prevents denial-of-service via malformed input causing unhandled exceptions.

Prevents session fixation attacks by issuing a new session ID after login.

Prevents command injection via attacker-controlled environment variables.

Eliminates SQL injection in raw database calls by delegating value escaping to the database driver.

Prevents stored XSS by ensuring database-retrieved content is not rendered as raw HTML.

Prevents type confusion attacks that bypass security checks via unexpected parameter types.

Prevents unrestricted file upload attacks that could lead to remote code execution or web shell access (CWE-434).

Prevents arbitrary code execution via dynamic Function construction from user input.

Prevents remote code execution via dynamic method invocation with user-controlled property names.

Prevents XSS via unsafe regex-based HTML tag expansion.

Prevents arbitrary global function invocation via user-controlled property access.

Prevents XML bomb and XXE denial-of-service attacks.

Prevents XPath injection enabling authentication bypass and unauthorized XML data extraction.

Prevents XSS via jQuery's .html() method with user-controlled content.

Prevents DOM-based XSS via attacker-controlled browser properties.

Prevents XSS from HTML constructed with user-controlled server data.

Eliminates stored procedure injection by enforcing parameterized calls in PHP.

Prevents PHP web shell uploads and arbitrary code execution via unrestricted file upload (CWE-434).

Ensures password hashes are computationally expensive to crack, making offline brute-force and dictionary attacks impractical (CWE-916).

Reduces attack surface and strengthens application security (CWE-94, OWASP A03).

Prevents credential exposure via source code and version control history.

Prevents attackers from using error messages to perform database reconnaissance and plan targeted attacks.

Encrypts all data in transit between the application and the database, preventing credential theft and data interception.

Reduces attack surface and strengthens application security (CWE-215, OWASP A05).

Prevents unauthorized data extraction and DoS via crafted Elasticsearch query DSL injections.

Prevents HTTP Response Splitting, cache poisoning and XSS via header injection.

Reduces attack surface and strengthens application security (CWE-287, OWASP A07).

Reduces attack surface and strengthens application security (CWE-444, OWASP A04).

Prevents remote code execution via malicious payloads injected into database storage.

Reduces attack surface and strengthens application security (CWE-502, OWASP A08).

Prevents XSS attacks by ensuring all template variables are HTML-escaped by default.

Prevents NoSQL injection allowing authentication bypass and unauthorized data access.

Prevents server-side JavaScript execution and operator injection that bypass MongoDB authentication and authorization.

Ensures account status (expiry, lock) is checked after password verification.

Prevents SSRF attacks against internal services and cloud metadata endpoints.

One-way hashing ensures that stored passwords cannot be recovered even if the database is breached.

Reduces attack surface and strengthens application security (CWE-22, OWASP A01).

Prevents arbitrary Lua code execution and unauthorized access to Redis data via script injection.

Reduces attack surface and strengthens application security (CWE-400, OWASP A06).

Reduces attack surface and strengthens application security (CWE-312, OWASP A09).

Eliminates SQL injection via Python string formatting by delegating value escaping to the database driver.

Prevents ORDER BY injection that enables blind SQL injection and data extraction via crafted sort values.

Reduces attack surface and strengthens application security (CWE-501, OWASP A04).

Prevents OS command injection via shell metacharacter injection.

Reduces attack surface and strengthens application security (CWE-20, OWASP A03).

Reduces attack surface and strengthens application security (CWE-327, OWASP A02).

Reduces attack surface and strengthens application security (CWE-79, OWASP A03).

Reduces attack surface and strengthens application security (CWE-611, OWASP A05).

🔔

✅ User Experience 6 passed check(s)

▶

Compliance with WCAG 1.3.1 and 4.1.2 — keyboard navigation remains coherent and predictable for all users.

Compliance with WCAG 1.3.1 and 4.1.2 — all form controls have an accessible name understandable by assistive technologies.

Compliance with WCAG 1.2.2 — Captions (Prerecorded) — all synchronized media has captions for deaf and hard-of-hearing users.

Compliance with WCAG 1.4.4 — Resize text — ensures users can scale content up to 200% without loss of functionality.

Compliance with WCAG 1.1.1 — Non-text Content — all images have a textual alternative accessible to assistive technologies.

Compliance with WCAG 1.3.1 and 4.1.2 — clicking the label focuses the associated input, and screen readers announce the label when the input is focused.

♻️

✅ Maintenance & DRY 3 passed check(s)

▶

Every error is visible and traceable — production debugging becomes possible and monitoring alerts can fire.

Reduces technical debt and improves code quality.

Fixture coverage: 95.7% — all rules validated by test cases.

🗄️

✅ PostgreSQL Schema 1 passed check(s)

▶

Enables database schema analysis and drift detection.

⚙️

✅ CI/CD Pipelines 16 passed check(s)

▶

Prevents arbitrary code execution from compromised or hijacked remote resources in the CI/CD pipeline (OWASP CI-CD-09).

Prevents container escape attacks and limits the blast radius of a compromised CI/CD job to the container rather than the host.

Detects potential reverse shells and data exfiltration channels embedded in CI/CD pipeline scripts.

Prevents execution of unverified external code during automated dependency updates, protecting the CI/CD pipeline from supply chain attacks.

Ensures published artifacts are built from source only, preventing supply chain attacks via cache poisoning (OWASP CI-CD-09).

Prevents auto-merge bypass attacks where an attacker impersonates a trusted bot to merge malicious code automatically.

Eliminates environment injection risk introduced by the deprecated workflow command API.

Strengthens CI/CD pipeline security and reliability.

Ensures GitHub App tokens follow the principle of least privilege by being automatically invalidated as soon as the workflow job finishes.

Prevents environment variable injection attacks that could affect all subsequent steps in the workflow.

Eliminates the attack surface introduced by insecure workflow commands without disabling modern alternatives.

Limits the blast radius of a compromised workflow step to only the secrets explicitly referenced, following the principle of least privilege.

Prevents secret leakage in CI/CD logs accessible to all repository contributors.

Ensures security vulnerabilities block the pipeline and cannot be silently ignored in production deployments.

Prevents credential leakage in CI/CD job logs that could be exploited for unauthorized repository or container registry access.

Eliminates credential exposure in version control history and CI/CD logs (OWASP CI-CD-04, CWE-798).

📖 Glossary ↑ Table of Contents

Acronyms and technical terms used in this report.

Acronym	Meaning	Description
API	Application Programming Interface	Communication interface between software systems.
ARIA	Accessible Rich Internet Applications	HTML attributes that improve accessibility for assistive technologies.
ASVS	Application Security Verification Standard	OWASP standard defining security requirements for web applications across 3 verification levels (L1/L2/L3).
CI/CD	Continuous Integration / Continuous Deployment	Automated pipeline that builds, tests and deploys code on every change.
CLI	Command Line Interface	Text-based interface used to interact with a program via a terminal.
CORS	Cross-Origin Resource Sharing	Security mechanism controlling HTTP requests between different domains.
CSP	Content Security Policy	HTTP header restricting allowed content sources on a web page.
CSRF	Cross-Site Request Forgery	Attack that forces an authenticated user to perform unwanted actions.
CSS	Cascading Style Sheets	Language for styling and formatting web pages.
CVE	Common Vulnerabilities and Exposures	Unique identifier for a known security vulnerability.
CVSS	Common Vulnerability Scoring System	Vulnerability severity rating system (score from 0 to 10).
CWE	Common Weakness Enumeration	Standardized catalog of software weakness types.
DOM	Document Object Model	Tree representation of an HTML document in memory.
DRY	Don't Repeat Yourself	Design principle that avoids code duplication.
Fixture	Test Fixture	Code sample (vulnerable or clean) used to validate that a detection rule fires correctly.
GDPR	General Data Protection Regulation	European regulation on personal data protection.
HSTS	HTTP Strict Transport Security	HTTP header that forces browsers to use HTTPS only, preventing downgrade attacks.
HTML	HyperText Markup Language	Markup language for structuring web pages.
HTTP/HTTPS	HyperText Transfer Protocol (Secure)	Web communication protocol. HTTPS adds encryption via TLS.
i18n	Internationalization	Adapting software to support multiple languages and regions.
IDOR	Insecure Direct Object Reference	Access control flaw where an attacker can access resources by manipulating identifiers.
ISO 27001	ISO/IEC 27001:2022	International standard for information security management systems (ISMS). Annex A defines 93 controls across 4 themes.
JNDI	Java Naming and Directory Interface	Java API used for directory services; exploited in Log4Shell (CVE-2021-44228) for RCE.
JS	JavaScript	Programming language primarily used for web development.
JSON	JavaScript Object Notation	Lightweight data interchange format.
JWT	JSON Web Token	Signed authentication token in JSON format, used for sessions.
LDAP	Lightweight Directory Access Protocol	Protocol for accessing and maintaining directory services (user accounts, etc.).
MD5	Message Digest 5	Obsolete and insecure hashing algorithm — should no longer be used.
MFA	Multi-Factor Authentication	Authentication requiring two or more verification factors (password + OTP, etc.).
NoSQL	Not only SQL	Non-relational databases (MongoDB, Redis, etc.) vulnerable to injection if queries are unsanitised.
ORM	Object-Relational Mapping	Abstraction layer between object code and relational databases.
OWASP	Open Web Application Security Project	Global reference for web application security best practices.
PII	Personally Identifiable Information	Any data that can identify an individual (name, email, SSN, etc.). Must be protected under GDPR.
RCE	Remote Code Execution	Critical vulnerability allowing an attacker to execute arbitrary code on the server.
RGPD	Règlement Général sur la Protection des Données	European data protection regulation (French name for GDPR).
SARIF	Static Analysis Results Interchange Format	Standardized JSON format (OASIS) for exchanging static analysis results between tools and CI/CD systems.
SAST	Static Application Security Testing	Source code security analysis without running the application.
SBOM	Software Bill of Materials	Comprehensive inventory of software components and dependencies in a project (CycloneDX format).
SCA	Static Code Audit	Abbreviation for StaticCodeAudit, the tool that generated this report.
SHA-1	Secure Hash Algorithm 1	Obsolete hashing algorithm — vulnerable to collision attacks.
SLA	Service Level Agreement	Commitment defining maximum resolution times per severity (e.g. CRITICAL: 24h, HIGH: 72h).
SMTP	Simple Mail Transfer Protocol	Standard protocol for sending emails; injection vulnerabilities can allow email spoofing.
SQL	Structured Query Language	Query language for relational databases.
SSH	Secure Shell	Cryptographic protocol for secure remote access to servers.
SSL	Secure Sockets Layer	Deprecated predecessor of TLS. Its use indicates an outdated and insecure configuration.
SSRF	Server-Side Request Forgery	Attack forcing a server to make requests to internal resources.
SSTI	Server-Side Template Injection	Injection of malicious code into a server-side template engine, potentially leading to RCE.
SVG	Scalable Vector Graphics	XML-based vector image format for the web.
Taint	Taint Analysis	Data-flow tracking technique that follows untrusted input (source) to sensitive operations (sink) to detect injection vulnerabilities.
TLS	Transport Layer Security	Network communication encryption protocol (successor to SSL).
TOCTOU	Time-of-Check to Time-of-Use	Race condition vulnerability between checking and using a resource.
URL	Uniform Resource Locator	Web address that identifies a resource on a network (e.g. https://example.com/path).
WCAG	Web Content Accessibility Guidelines	W3C web accessibility guidelines — international standard.
XML	eXtensible Markup Language	Structured data format widely used in configuration files, APIs, and document exchange.
XPath	XML Path Language	Query language for XML documents; injection can allow unauthorized data access.
XSS	Cross-Site Scripting	Injection of malicious scripts into a web page viewed by other users.
XXE	XML External Entity	XML injection attack that exploits external entity processing to read files or trigger SSRF.