Labsco
cycodehq logo

Cycode

โ˜… 98

from cycodehq

Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning with Cycode.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredAdvanced setup

Cycode CLI User Guide

The Cycode Command Line Interface (CLI) is an application you can install locally to scan your repositories for secrets, infrastructure as code misconfigurations, software composition analysis vulnerabilities, and static application security testing issues.

This guide walks you through both installation and usage.

Table of Contents

  1. Prerequisites
  2. Installation
    1. Install Cycode CLI
      1. Using the Auth Command
      2. Using the Configure Command
      3. Add to Environment Variables
        1. On Unix/Linux
        2. On Windows
    2. Install Pre-Commit Hook
  3. Cycode CLI Commands
  4. MCP Command
    1. Starting the MCP Server
    2. Available Options
    3. MCP Tools
    4. Usage Examples
    5. Advanced Configuration
  5. Platform Command
    1. Discovering Commands
    2. Examples
    3. Notes & Limitations
  6. Scan Command
    1. Running a Scan
      1. Options
        1. Severity Threshold
        2. Monitor
        3. Cycode Report
        4. Package Vulnerabilities
        5. License Compliance
        6. Lock Restore
        7. Stop on Error
      2. Repository Scan
        1. Branch Option
      3. Path Scan
        1. Terraform Plan Scan
      4. Commit History Scan
        1. Commit Range Option (Diff Scanning)
      5. Pre-Commit Scan
      6. Pre-Push Scan
    2. Scan Results
      1. Show/Hide Secrets
      2. Soft Fail
      3. Example Scan Results
        1. Secrets Result Example
        2. IaC Result Example
        3. SCA Result Example
        4. SAST Result Example
      4. Company Custom Remediation Guidelines
    3. Ignoring Scan Results
      1. Ignoring a Secret Value
      2. Ignoring a Secret SHA Value
      3. Ignoring a Path
      4. Ignoring a Secret, IaC, or SCA Rule
      5. Ignoring a Package
      6. Ignoring via a config file
  7. Report command
    1. Generating SBOM Report
  8. Import command
  9. Scan logs
  10. Syntax Help

Prerequisites

  • The Cycode CLI application requires Python version 3.9 or later. The MCP command is available only for Python 3.10 and above. If you're using an earlier Python version, this command will not be available.
  • Use the cycode auth command to authenticate to Cycode with the CLI
    • Alternatively, you can get a Cycode Client ID and Client Secret Key by following the steps detailed in the Service Account Token and Personal Access Token pages, which contain details on getting these values.

Installation

The following installation steps are applicable to both Windows and UNIX / Linux operating systems.

[!NOTE] The following steps assume the use of python3 and pip3 for Python-related commands; however, some systems may instead use the python and pip commands, depending on your Python environmentโ€™s configuration.

Starting the MCP Server

To start the MCP server, use the following command:

Copy & paste โ€” that's it
cycode mcp

By default, this starts the server using the stdio transport, which is suitable for local integrations and AI applications that can spawn subprocesses.

Available Options

OptionDescription
-t, --transportTransport type for the MCP server: stdio, sse, or streamable-http (default: stdio)
-H, --hostHost address to bind the server (used only for non stdio transport) (default: 127.0.0.1)
-p, --portPort number to bind the server (used only for non stdio transport) (default: 8000)
--helpShow help message and available options

MCP Tools

The MCP server provides the following tools that AI systems can use:

Tool NameDescription
cycode_secret_scanScan for hardcoded secrets
cycode_sca_scanScan for Software Composition Analysis (SCA) - vulnerabilities and license issues
cycode_iac_scanScan for Infrastructure as Code (IaC) misconfigurations
cycode_sast_scanScan for Static Application Security Testing (SAST) - code quality and security flaws
cycode_statusGet Cycode CLI version, authentication status, and configuration information

Each scan tool accepts two mutually exclusive input modes:

  • paths (preferred) โ€” one or more file or directory paths that exist on disk. Directories are scanned recursively. The Cycode engine handles file discovery and filtering, just as cycode scan -t <type> path ./src does from the CLI.
  • files (fallback) โ€” a dictionary mapping file paths to their full content as strings. Use this only when the files are not available on disk (e.g. in-memory edits not yet saved).

[!TIP] Use paths whenever possible. Passing large files (like package-lock.json) as inline content can exceed token limits and slow down the AI client. With paths, the Cycode engine reads files directly from disk.

All scan tools return a JSON object that includes a "summary" field with a human-readable violation count (e.g. "Cycode found 3 violations: 1 CRITICAL, 2 HIGH.") in addition to the full "detections" array.

Usage Examples

Basic Command Examples

Start the MCP server with default settings (stdio transport):

Copy & paste โ€” that's it
cycode mcp

Start the MCP server with explicit stdio transport:

Copy & paste โ€” that's it
cycode mcp -t stdio

Start the MCP server with Server-Sent Events (SSE) transport:

Copy & paste โ€” that's it
cycode mcp -t sse -p 8080

Start the MCP server with streamable HTTP transport on custom host and port:

Copy & paste โ€” that's it
cycode mcp -t streamable-http -H 0.0.0.0 -p 9000

Learn more about MCP Transport types in the MCP Protocol Specification โ€“ Transports.

Configuration Examples

Using MCP with Cursor/VS Code/Claude Desktop/etc (mcp.json)

[!NOTE] For EU Cycode environments, make sure to set the appropriate CYCODE_API_URL and CYCODE_APP_URL values in the environment variables (e.g., https://api.eu.cycode.com and https://app.eu.cycode.com).

Follow this guide to configure the MCP server in your VS Code/GitHub Copilot. Keep in mind that in settings.json, there is an mcp object containing a nested servers sub-object, rather than a standalone mcpServers object.

For stdio transport (direct execution):

Copy & paste โ€” that's it
{
  "mcpServers": {
    "cycode": {
      "command": "cycode",
      "args": ["mcp"],
      "env": {
        "CYCODE_CLIENT_ID": "your-cycode-id",
        "CYCODE_CLIENT_SECRET": "your-cycode-secret-key",
        "CYCODE_API_URL": "https://api.cycode.com",
        "CYCODE_APP_URL": "https://app.cycode.com"
      }
    }
  }
}

For stdio transport with pipx installation:

Copy & paste โ€” that's it
{
  "mcpServers": {
    "cycode": {
      "command": "pipx",
      "args": ["run", "cycode", "mcp"],
      "env": {
        "CYCODE_CLIENT_ID": "your-cycode-id",
        "CYCODE_CLIENT_SECRET": "your-cycode-secret-key",
        "CYCODE_API_URL": "https://api.cycode.com",
        "CYCODE_APP_URL": "https://app.cycode.com"
      }
    }
  }
}

For stdio transport with uvx installation:

Copy & paste โ€” that's it
{
  "mcpServers": {
    "cycode": {
      "command": "uvx",
      "args": ["cycode", "mcp"],
      "env": {
        "CYCODE_CLIENT_ID": "your-cycode-id",
        "CYCODE_CLIENT_SECRET": "your-cycode-secret-key",
        "CYCODE_API_URL": "https://api.cycode.com",
        "CYCODE_APP_URL": "https://app.cycode.com"
      }
    }
  }
}

For SSE transport (Server-Sent Events):

Copy & paste โ€” that's it
{
  "mcpServers": {
    "cycode": {
      "url": "http://127.0.0.1:8000/sse"
    }
  }
}

For SSE transport on custom port:

Copy & paste โ€” that's it
{
  "mcpServers": {
    "cycode": {
      "url": "http://127.0.0.1:8080/sse"
    }
  }
}

For streamable HTTP transport:

Copy & paste โ€” that's it
{
  "mcpServers": {
    "cycode": {
      "url": "http://127.0.0.1:8000/mcp"
    }
  }
}
Running MCP Server in Background

For SSE transport (start server first, then configure client):

Copy & paste โ€” that's it
# Start the MCP server in the background
cycode mcp -t sse -p 8000 &

# Configure in mcp.json
{
  "mcpServers": {
    "cycode": {
      "url": "http://127.0.0.1:8000/sse"
    }
  }
}

For streamable HTTP transport:

Copy & paste โ€” that's it
# Start the MCP server in the background
cycode mcp -t streamable-http -H 127.0.0.2 -p 9000 &

# Configure in mcp.json
{
  "mcpServers": {
    "cycode": {
      "url": "http://127.0.0.2:9000/mcp"
    }
  }
}

Advanced Configuration

Custom Certificates and Timeouts (Proxy Environments)

If your organization uses a corporate proxy or a custom CA bundle for HTTPS inspection, you need to tell Cycode CLI (and the underlying Python TLS stack) where to find the trusted certificate bundle. You can also increase the MCP tool call timeout if scans are being cut short.

Environment VariableDescription
REQUESTS_CA_BUNDLEPath to a custom CA bundle file (.pem or .crt). Used by the requests library for all HTTPS calls made by Cycode CLI.
SSL_CERT_FILEPath to a custom CA bundle file. Used by Python's low-level ssl module. Set this alongside REQUESTS_CA_BUNDLE for full coverage.
MCP_TOOL_TIMEOUTTimeout (in seconds) that MCP clients such as Claude and GitHub Copilot wait for a tool call to complete. Increase this if long-running scans are being cut off before they finish.

[!TIP] Set both REQUESTS_CA_BUNDLE and SSL_CERT_FILE to the same CA bundle path. REQUESTS_CA_BUNDLE covers the HTTP layer; SSL_CERT_FILE covers the lower-level TLS layer. Using only one may still cause certificate errors in some environments.

Example mcp.json configuration with custom certificates and a longer timeout:

Copy & paste โ€” that's it
{
  "mcpServers": {
    "cycode": {
      "command": "cycode",
      "args": ["mcp"],
      "env": {
        "REQUESTS_CA_BUNDLE": "/path/to/your/corporate-ca-bundle.pem",
        "SSL_CERT_FILE": "/path/to/your/corporate-ca-bundle.pem",
        "MCP_TOOL_TIMEOUT": "1800"
      }
    }
  }
}

[!NOTE] The MCP server requires proper Cycode CLI authentication to function. Make sure you have authenticated using cycode auth or configured your credentials before starting the MCP server.

Pre-authorizing Tools for Subagents (Claude Code)

When Claude Code delegates work to background subagents (e.g. to run scans in parallel), those subagents cannot display interactive permission prompts. If the Cycode tools have not been pre-approved, scans will fail silently in subagent contexts.

To pre-authorize the Cycode MCP tools so they work in all contexts including subagents, add them to the allowedTools list in your Claude Code settings (~/.claude/settings.json):

Copy & paste โ€” that's it
{
  "allowedTools": [
    "mcp__cycode__cycode_secret_scan",
    "mcp__cycode__cycode_sca_scan",
    "mcp__cycode__cycode_iac_scan",
    "mcp__cycode__cycode_sast_scan",
    "mcp__cycode__cycode_status"
  ]
}

Once added, Claude Code will not prompt for approval when these tools are called, and they will work correctly inside subagents.

Troubleshooting MCP

If you encounter issues with the MCP server, you can enable debug logging to get more detailed information about what's happening. There are two ways to enable debug logging:

  1. Using the -v or --verbose flag:
Copy & paste โ€” that's it
cycode -v mcp
  1. Using the CYCODE_CLI_VERBOSE environment variable:
Copy & paste โ€” that's it
CYCODE_CLI_VERBOSE=1 cycode mcp

The debug logs will show detailed information about:

  • Server startup and configuration
  • Connection attempts and status
  • Tool execution and results
  • Any errors or warnings that occur

This information can be helpful when:

  • Diagnosing connection issues
  • Understanding why certain tools aren't working
  • Identifying authentication problems
  • Debugging transport-specific issues

MCP Configuration

Platform Command [BETA]

[!WARNING] The platform command is in beta. Commands, arguments, and output formats are generated dynamically from the Cycode API spec and may change between releases without notice. Do not rely on them in production automation yet.

The cycode platform command exposes the Cycode platform's read APIs as CLI commands. It groups endpoints by resource (e.g. projects, violations, workflows) and turns each endpoint's parameters into typed CLI arguments and --option flags.

Copy & paste โ€” that's it
cycode platform projects list --page-size 50
cycode platform violations count
cycode platform workflows view <workflow-id>

The OpenAPI spec is fetched from the Cycode API on first use and cached at ~/.cycode/openapi-spec.json for 24 hours. Unrelated commands (cycode scan, cycode status, etc.) do not trigger a fetch.

[!NOTE] You must be authenticated (cycode auth or CYCODE_CLIENT_ID / CYCODE_CLIENT_SECRET environment variables) for cycode platform to discover and run commands. Other Cycode CLI commands work without authentication.

Discovering Commands

Because commands are generated from the spec, the source of truth for what's available is --help:

Copy & paste โ€” that's it
cycode platform --help                  # list all resource groups
cycode platform projects --help         # list actions on a resource
cycode platform projects list --help    # list options/arguments for an action

Platform Examples

Copy & paste โ€” that's it
# List projects with pagination
cycode platform projects list --page-size 25

# View a single project by ID
cycode platform projects view <project-id>

# Count violations across the tenant
cycode platform violations count

# Filter using query parameters (see `--help` for what each endpoint supports)
cycode platform violations list --severity CRITICAL

All output is JSON by default โ€” pipe it through jq for ad-hoc filtering:

Copy & paste โ€” that's it
cycode platform projects list --page-size 100 | jq '.items[].name'

Exclude Paths From Scans

You can use a .cycodeignore file to tell the Cycode CLI which files and directories to exclude from scans. It works just like a .gitignore file. This helps you focus scans on your relevant code and prevent certain paths from triggering violations locally.

How It Works

  1. Create a file named .cycodeignore in your workfolder.
  2. List the files and directories you want to exclude, using the same patterns as .gitignore.
  3. Place this file in the directory where you plan to run the cycode scan command.

[!WARNING]

  • Invalid files: If the .cycodeignore file contains a syntax error, the CLI scan will fail and return an error.
  • Ignoring paths vs. violations: This file is for excluding paths. It's different from the CLI's capability to ignore specific violations (for example, by using the --ignore-violation flag).

Supported Scanners

  • SAST
  • IaC (comming soon)
  • SCA (comming soon)

Scan Results

Each scan will complete with a message stating if any issues were found or not.

If no issues are found, the scan ends with the following success message:

Good job! No issues were found!!! ๐Ÿ‘๐Ÿ‘๐Ÿ‘

If an issue is found, a violation card appears upon completion instead. In this case you should review the file in question for the specific line highlighted by the result message. Implement any changes required to resolve the issue, then execute the scan again.

Show/Hide Secrets

In the examples below, a secret was found in the file secret_test, located in the subfolder cli. The second part of the message shows the specific line the secret appears in, which in this case is a value assigned to googleApiKey.

Note how the example obscures the actual secret value, replacing most of the secret with asterisks. Scans obscure secrets by default, but you may optionally disable this feature to view the full secret (assuming the machine you are viewing the scan result on is sufficiently secure from prying eyes).

To disable secret obfuscation, add the --show-secret argument to any type of scan.

In the following example, a Path Scan is executed against the cli subdirectory with the option enabled to display any secrets found in full:

cycode scan --show-secret path ./cli

The result would then not be obfuscated.

Soft Fail

In normal operation the CLI will return an exit code of 1 when issues are found in the scan results. Depending on your CI/CD setup this will usually result in an overall failure. If you don't want this to happen, you can use the soft fail feature.

By adding the --soft-fail option to any type of scan, the exit code will be forced to 0 regardless of whether any results are found.

Example Scan Results

Secrets Result Example

Copy & paste โ€” that's it
โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ Hardcoded generic-password is used โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚                                                                                                                                               Violation 12 of 12 โ”‚
โ”‚ โ•ญโ”€ ๐Ÿ” Details โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ•ญโ”€ ๐Ÿ’ป Code Snippet โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ”‚
โ”‚ โ”‚  Severity    ๐ŸŸ  MEDIUM                             โ”‚ โ”‚   34 };                                                                                               โ”‚ โ”‚
โ”‚ โ”‚  In file     /Users/cycodemacuser/NodeGoat/test/s  โ”‚ โ”‚   35                                                                                                  โ”‚ โ”‚
โ”‚ โ”‚              ecurity/profile-test.js               โ”‚ โ”‚   36 var sutUserName = "user1";                                                                       โ”‚ โ”‚
โ”‚ โ”‚  Secret SHA  b4ea3116d868b7c982ee6812cce61727856b  โ”‚ โ”‚ โฑ 37 var sutUserPassword = "Us*****23";                                                               โ”‚ โ”‚
โ”‚ โ”‚              802b3063cd5aebe7d796988552e0          โ”‚ โ”‚   38                                                                                                  โ”‚ โ”‚
โ”‚ โ”‚  Rule ID     68b6a876-4890-4e62-9531-0e687223579f  โ”‚ โ”‚   39 chrome.setDefaultService(service);                                                               โ”‚ โ”‚
โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚   40                                                                                                  โ”‚ โ”‚
โ”‚                                                        โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚
โ”‚ โ•ญโ”€ ๐Ÿ“ Summary โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ”‚
โ”‚ โ”‚ A generic secret or password is an authentication token used to access a computer or application and is assigned to a password variable.                     โ”‚ โ”‚
โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

IaC Result Example

Copy & paste โ€” that's it
โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ Enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760. โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚                                                                                                                                              Violation 45 of 110 โ”‚
โ”‚ โ•ญโ”€ ๐Ÿ” Details โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ•ญโ”€ ๐Ÿ’ป Code Snippet โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ”‚
โ”‚ โ”‚  Severity      ๐ŸŸ  MEDIUM                           โ”‚ โ”‚   20 BinaryMediaTypes:                                                                                โ”‚ โ”‚
โ”‚ โ”‚  In file       ...ads-copy/iac/cft/api-gateway/ap  โ”‚ โ”‚   21   - !Ref binaryMediaType1                                                                        โ”‚ โ”‚
โ”‚ โ”‚                i-gateway-rest-api/deploy.yml       โ”‚ โ”‚   22   - !Ref binaryMediaType2                                                                        โ”‚ โ”‚
โ”‚ โ”‚  IaC Provider  CloudFormation                      โ”‚ โ”‚ โฑ 23 MinimumCompressionSize: -1                                                                       โ”‚ โ”‚
โ”‚ โ”‚  Rule ID       33c4b90c-3270-4337-a075-d3109c141b  โ”‚ โ”‚   24 EndpointConfiguration:                                                                           โ”‚ โ”‚
โ”‚ โ”‚                53                                  โ”‚ โ”‚   25   Types:                                                                                         โ”‚ โ”‚
โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚   26     - EDGE                                                                                       โ”‚ โ”‚
โ”‚                                                        โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚
โ”‚ โ•ญโ”€ ๐Ÿ“ Summary โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ”‚
โ”‚ โ”‚ This policy validates the proper configuration of content encoding in AWS API Gateway. Specifically, the policy checks for the attribute                     โ”‚ โ”‚
โ”‚ โ”‚ 'minimum_compression_size' in API Gateway REST APIs. Correct configuration of this attribute is important for enabling content encoding of API responses for โ”‚ โ”‚
โ”‚ โ”‚ improved API performance and reduced payload sizes.                                                                                                          โ”‚ โ”‚
โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

SCA Result Example

Copy & paste โ€” that's it
โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ [CVE-2019-10795] Prototype Pollution in undefsafe โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚                                                                                                                                             Violation 172 of 195 โ”‚
โ”‚ โ•ญโ”€ ๐Ÿ” Details โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ•ญโ”€ ๐Ÿ’ป Code Snippet โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ”‚
โ”‚ โ”‚  Severity               ๐ŸŸ  MEDIUM                  โ”‚ โ”‚   26758   "integrity": "sha1-5z3T17DXxe2G+6xrCufYxqadUPo=",                                           โ”‚ โ”‚
โ”‚ โ”‚  In file                /Users/cycodemacuser/Node  โ”‚ โ”‚   26759   "dev": true                                                                                 โ”‚ โ”‚
โ”‚ โ”‚                         Goat/package-lock.json     โ”‚ โ”‚   26760 },                                                                                            โ”‚ โ”‚
โ”‚ โ”‚  CVEs                   CVE-2019-10795             โ”‚ โ”‚ โฑ 26761 "undefsafe": {                                                                                โ”‚ โ”‚
โ”‚ โ”‚  Package                undefsafe                  โ”‚ โ”‚   26762   "version": "2.0.2",                                                                         โ”‚ โ”‚
โ”‚ โ”‚  Version                2.0.2                      โ”‚ โ”‚   26763   "resolved": "https://registry.npmjs.org/undefsafe/-/undefsafe-2.0.2.tgz",                   โ”‚ โ”‚
โ”‚ โ”‚  First patched version  Not fixed                  โ”‚ โ”‚   26764   "integrity": "sha1-Il9rngM3Zj4Njnz9aG/Cg2zKznY=",                                           โ”‚ โ”‚
โ”‚ โ”‚  Dependency path        nodemon 1.19.1 ->          โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚
โ”‚ โ”‚                         undefsafe 2.0.2            โ”‚                                                                                                           โ”‚
โ”‚ โ”‚  Rule ID                9c6a8911-e071-4616-86db-4  โ”‚                                                                                                           โ”‚
โ”‚ โ”‚                         943f2e1df81                โ”‚                                                                                                           โ”‚
โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ                                                                                                           โ”‚
โ”‚ โ•ญโ”€ ๐Ÿ“ Summary โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ”‚
โ”‚ โ”‚ undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using โ”‚ โ”‚
โ”‚ โ”‚ a __proto__ payload.                                                                                                                                         โ”‚ โ”‚
โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

SAST Result Example

Copy & paste โ€” that's it
โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ [CWE-208: Observable Timing Discrepancy] Observable Timing Discrepancy โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚                                                                                                                                               Violation 24 of 49 โ”‚
โ”‚ โ•ญโ”€ ๐Ÿ” Details โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ•ญโ”€ ๐Ÿ’ป Code Snippet โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ”‚
โ”‚ โ”‚  Severity       ๐ŸŸ  MEDIUM                          โ”‚ โ”‚   173         " including numbers, lowercase and uppercase letters.";                                 โ”‚ โ”‚
โ”‚ โ”‚  In file        /Users/cycodemacuser/NodeGoat/app  โ”‚ โ”‚   174     return false;                                                                               โ”‚ โ”‚
โ”‚ โ”‚                 /routes/session.js                 โ”‚ โ”‚   175 }                                                                                               โ”‚ โ”‚
โ”‚ โ”‚  CWE            CWE-208                            โ”‚ โ”‚ โฑ 176 if (password !== verify) {                                                                      โ”‚ โ”‚
โ”‚ โ”‚  Subcategory    Security                           โ”‚ โ”‚   177     errors.verifyError = "Password must match";                                                 โ”‚ โ”‚
โ”‚ โ”‚  Language       js                                 โ”‚ โ”‚   178     return false;                                                                               โ”‚ โ”‚
โ”‚ โ”‚  Security Tool  Bearer (Powered by Cycode)         โ”‚ โ”‚   179 }                                                                                               โ”‚ โ”‚
โ”‚ โ”‚  Rule ID        19fbca07-a8e7-4fa6-92ac-a36d15509  โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚
โ”‚ โ”‚                 fa9                                โ”‚                                                                                                           โ”‚
โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ                                                                                                           โ”‚
โ”‚ โ•ญโ”€ ๐Ÿ“ Summary โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ โ”‚
โ”‚ โ”‚ Observable Timing Discrepancy occurs when the time it takes for certain operations to complete can be measured and observed by attackers. This vulnerability โ”‚ โ”‚
โ”‚ โ”‚ is particularly concerning when operations involve sensitive information, such as password checks or secret comparisons. If attackers can analyze how long   โ”‚ โ”‚
โ”‚ โ”‚ these operations take, they might be able to deduce confidential details, putting your data at risk.                                                         โ”‚ โ”‚
โ”‚ โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

Company Custom Remediation Guidelines

If your company has set custom remediation guidelines in the relevant policy via the Cycode portal, you'll see a field for โ€œCompany Guidelinesโ€ that contains the remediation guidelines you added. Note that if you haven't added any company guidelines, this field will not appear in the CLI tool.

Ignoring Scan Results

Ignore rules can be added to ignore specific secret values, specific SHA512 values, specific paths, and specific Cycode secret and IaC rule IDs. This will cause the scan to not alert these values. The ignoring rules are written and saved locally in the ./.cycode/config.yaml file.

[!WARNING] Adding values to be ignored should be done with careful consideration of the values, paths, and policies to ensure that the scans will pick up true positives.

The following are the options available for the cycode ignore command:

OptionDescription
--by-value TEXTIgnore a specific value while scanning for secrets. See Ignoring a Secret Value for more details.
--by-sha TEXTIgnore a specific SHA512 representation of a string while scanning for secrets. See Ignoring a Secret SHA Value for more details.
--by-path TEXTAvoid scanning a specific path. Need to specify scan type. See Ignoring a Path for more details.
--by-rule TEXTIgnore scanning a specific secret rule ID/IaC rule ID/SCA rule ID. See Ignoring a Secret or Iac Rule for more details.
--by-package TEXTIgnore scanning a specific package version while running an SCA scan. Expected pattern - name@version. See Ignoring a Package for more details.
--by-cve TEXTIgnore scanning a specific CVE while running an SCA scan. Expected pattern: CVE-YYYY-NNN.
-t, --scan-type [secret|iac|sca|sast]Specify the scan you wish to execute (secret/iac/sca/sast). The default value is secret.
-g, --globalAdd an ignore rule and update it in the global .cycode config file.

Ignoring a Secret Value

To ignore a specific secret value, you will need to use the --by-value flag. This will ignore the given secret value from all future scans. Use the following command to add a secret value to be ignored:

cycode ignore --by-value {{secret-value}}

In the example at the top of this section, the command to ignore a specific secret value is as follows:

cycode ignore --by-value h3110w0r1d!@#$350

In the example above, replace the h3110w0r1d!@#$350 value with your non-masked secret value. See the Cycode scan options for details on how to see secret values in the scan results.

Ignoring a Secret SHA Value

To ignore a specific secret SHA value, you will need to use the --by-sha flag. This will ignore the given secret SHA value from all future scans. Use the following command to add a secret SHA value to be ignored:

cycode ignore --by-sha {{secret-sha-value}}

In the example at the top of this section, the command to ignore a specific secret SHA value is as follows:

cycode ignore --by-sha a44081db3296c84b82d12a35c446a3cba19411dddfa0380134c75f7b3973bff0

In the example above, replace the a44081db3296c84b82d12a35c446a3cba19411dddfa0380134c75f7b3973bff0 value with your secret SHA value.

Ignoring a Path

To ignore a specific path for either secret, IaC, or SCA scans, you will need to use the --by-path flag in conjunction with the -t, --scan-type flag (you must specify the scan type). This will ignore the given path from all future scans for the given scan type. Use the following command to add a path to be ignored:

cycode ignore -t {{scan-type}} --by-path {{path}}

In the example at the top of this section, the command to ignore a specific path for a secret is as follows:

cycode ignore -t secret --by-path ~/home/my-repo/config

In the example above, replace the ~/home/my-repo/config value with your path value.

In the example at the top of this section, the command to ignore a specific path from IaC scans is as follows:

cycode ignore -t iac --by-path ~/home/my-repo/config

In the example above, replace the ~/home/my-repo/config value with your path value.

In the example at the top of this section, the command to ignore a specific path from SCA scans is as follows:

cycode ignore -t sca --by-path ~/home/my-repo/config

In the example above, replace the ~/home/my-repo/config value with your path value.

Ignoring a Secret, IaC, SCA, or SAST Rule

To ignore a specific secret, IaC, SCA, or SAST rule, you will need to use the --by-rule flag in conjunction with the -t, --scan-type flag (you must specify the scan type). This will ignore the given rule ID value from all future scans. Use the following command to add a rule ID value to be ignored:

cycode ignore -t {{scan-type}} --by-rule {{rule-ID}}

In the example at the top of this section, the command to ignore the specific secret rule ID is as follows:

cycode ignore -t secret --by-rule ce3a4de0-9dfc-448b-a004-c538cf8b4710

In the example above, replace the ce3a4de0-9dfc-448b-a004-c538cf8b4710 value with the rule ID you want to ignore.

In the example at the top of this section, the command to ignore the specific IaC rule ID is as follows:

cycode ignore -t iac --by-rule bdaa88e2-5e7c-46ff-ac2a-29721418c59c

In the example above, replace the bdaa88e2-5e7c-46ff-ac2a-29721418c59c value with the rule ID you want to ignore.

In the example at the top of this section, the command to ignore the specific SCA rule ID is as follows:

cycode ignore -t sca --by-rule dc21bc6b-9f4f-46fb-9f92-e4327ea03f6b

In the example above, replace the dc21bc6b-9f4f-46fb-9f92-e4327ea03f6b value with the rule ID you want to ignore.

Ignoring a Package

[!NOTE] This option is only available to the SCA scans.

To ignore a specific package in the SCA scans, you will need to use the --by-package flag in conjunction with the -t, --scan-type flag (you must specify the sca scan type). This will ignore the given package, using the {{package_name}}@{{package_version}} formatting, from all future scans. Use the following command to add a package and version to be ignored:

cycode ignore --scan-type sca --by-package {{package_name}}@{{package_version}}

OR

cycode ignore -t sca --by-package {{package_name}}@{{package_version}}

In the example below, the command to ignore a specific SCA package is as follows:

cycode ignore --scan-type sca --by-package pyyaml@5.3.1

In the example above, replace pyyaml with package name and 5.3.1 with the package version you want to ignore.

Ignoring via a config file

The applied ignoring rules are stored in the configuration file called config.yaml. This file could be easily shared between developers or even committed to remote Git. These files are always located in the .cycode folder. The folder starts with a dot (.), and you should enable the displaying of hidden files to see it.

Path of the config files

By default, all cycode ignore commands save the ignoring rule to the current directory from which CLI has been run.

Example: running ignoring CLI command from /Users/name/projects/backend will create config.yaml in /Users/name/projects/backend/.cycode

Copy & paste โ€” that's it
โžœ  backend  pwd
/Users/name/projects/backend
โžœ  backend  cycode ignore --by-value test-value
โžœ  backend  tree -a
.
โ””โ”€โ”€ .cycode
    โ””โ”€โ”€ config.yaml

2 directories, 1 file

The second option is to save ignoring rules to the global configuration files. The path of the global config is ~/.cycode/config.yaml, where ~ means user`s home directory, for example, /Users/name on macOS.

Saving to the global space could be performed with the -g flag of the cycode ignore command. For example: cycode ignore -g --by-value test-value.

Proper working directory

It is incredibly important to place the .cycode folder and run CLI from the same place. You should double-check it when working with different environments like CI/CD (GitHub Actions, Jenkins, etc.).

You can commit the .cycode folder to the root of your repository. In this scenario, you must run CLI scans from the repository root. If that doesn't fit your requirements, you could temporarily copy the .cycode folder to wherever you want and perform a CLI scan from this folder.

Structure ignoring rules in the config

It's important to understand how CLI stores ignored rules to be able to read these configuration files or even modify them without CLI.

The abstract YAML structure:

Copy & paste โ€” that's it
exclusions:
  {scanTypeName}:
    {ignoringType}:
    - someIgnoringValue1
    - someIgnoringValue2

Possible values of scanTypeName: iac, sca, sast, secret.

Possible values of ignoringType: paths, values, rules, packages, shas, cves.

[!WARNING] Values for "ignore by value" are not stored as plain text! CLI stores sha256 hashes of the values instead. You should put hashes of the string when modifying the configuration file by hand.

Example of real config.yaml:

Copy & paste โ€” that's it
exclusions:
  iac:
    rules:
    - bdaa88e2-5e7c-46ff-ac2a-29721418c59c
  sca:
    packages:
    - pyyaml@5.3.1
  secret:
    paths:
    - /Users/name/projects/build
    rules:
    - ce3a4de0-9dfc-448b-a004-c538cf8b4710
    shas:
    - a44081db3296c84b82d12a35c446a3cba19411dddfa0380134c75f7b3973bff0
    values:
    - a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3
    - 60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752

Report Command

Generating SBOM Report

A software bill of materials (SBOM) is an inventory of all constituent components and software dependencies involved in the development and delivery of an application. Using this command, you can create an SBOM report for your local project or for your repository URI.

The following options are available for use with this command:

OptionDescriptionRequiredDefault
-f, --format [spdx-2.2|spdx-2.3|cyclonedx-1.4]SBOM formatYes
-o, --output-format [JSON]Specify the output file formatNojson
--output-file PATHOutput fileNoautogenerated filename saved to the current directory
--include-vulnerabilitiesInclude vulnerabilitiesNoFalse
--include-dev-dependenciesInclude dev dependenciesNoFalse

The following commands are available for use with this command:

CommandDescription
pathGenerate SBOM report for provided path in the command
repository-urlGenerate SBOM report for provided repository URI in the command

Repository

To create an SBOM report for a repository URI:
cycode report sbom --format <sbom format> --include-vulnerabilities --include-dev-dependencies --output-file </path/to/file> repository_url <repository url>

For example:
cycode report sbom --format spdx-2.3 --include-vulnerabilities --include-dev-dependencies repository_url https://github.com/cycodehq/cycode-cli.git

Local Project

To create an SBOM report for a path:
cycode report sbom --format <sbom format> --include-vulnerabilities --include-dev-dependencies --output-file </path/to/file> path </path/to/project>

For example:
cycode report sbom --format spdx-2.3 --include-vulnerabilities --include-dev-dependencies path /path/to/local/project

The path subcommand supports the following additional options:

OptionDescription
--no-restoreSkip lockfile restoration and scan direct dependencies only. See Lock Restore Option for details.
--gradle-all-sub-projectsRun the Gradle restore command for all sub-projects (use from the root of a multi-project Gradle build).
--maven-settings-fileFor Maven only, allows using a custom settings.xml file when building the dependency tree.

Import Command

Importing SBOM

A software bill of materials (SBOM) is an inventory of all constituent components and software dependencies involved in the development and delivery of an application. Using this command, you can import an SBOM file from your file system into Cycode.

The following options are available for use with this command:

OptionDescriptionRequiredDefault
-n, --name TEXTDisplay name of the SBOMYes
-v, --vendor TEXTName of the entity that provided the SBOMYes
-l, --label TEXTAttach label to the SBOMNo
-o, --owner TEXTEmail address of the Cycode user that serves as point of contact for this SBOMNo
-b, --business-impact [High | Medium | Low]Business ImpactNoMedium

For example:
cycode import sbom --name example-sbom --vendor cycode -label tag1 -label tag2 --owner example@cycode.com /path/to/local/project

Scan Logs

All CLI scans are logged in Cycode. The logs can be found under Settings > CLI Logs.

Syntax Help

You may add the --help argument to any command at any time to see a help message that will display available options and their syntax.

To see general help, simply enter the command:

cycode --help

To see scan options, enter:

cycode scan --help

To see the options available for a specific type of scan, enter:

cycode scan {{option}} --help

For example, to see options available for a Path Scan, you would enter:

cycode scan path --help

To see the options available for the ignore scan function, use this command:

cycode ignore --help

To see the options available for a report, use this command:

cycode report --help

To see the options available for a specific type of report, enter:

cycode scan {{option}} --help