VeeStack Documentation

Security Rules Reference

All rules detected by the VeeStack analysis engine

🔒 Security Rules

SEC-001 (CRITICAL)

Code Injection via eval()

Use of eval() with user input can lead to code injection.

Fix: Use JSON.parse() or safer alternatives.

SEC-002 (CRITICAL)

SQL Injection Risk

String concatenation in SQL queries allows injection.

Fix: Use parameterized queries or an ORM.

SEC-003 (HIGH)

Hardcoded Secret

API keys, passwords, or tokens found in code.

Fix: Use environment variables or secret managers.

SEC-004 (HIGH)

Insecure Dependency

Package with a known vulnerability detected.

Fix: Update to a patched version or find an alternative.

SEC-005 (MEDIUM)

Missing Input Validation

User input is used without validation.

Fix: Add validation with libraries like Zod or Joi.

SEC-006 (HIGH)

Prototype Pollution

Objects are merged using user-controlled keys.

Fix: Use Object.create(null) or validate keys.
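The merge pattern SEC-006 flags, beside the hardened form the fix describes, as an added example that is not VeeStack's own code; `unsafeMerge`, `safeMerge`, `pollutes` and the sample payload are constructed here.

```javascript
// Vulnerable: recursive merge that trusts every key of an untrusted object.
// A key of "__proto__" makes `target[key]` resolve to Object.prototype, so the
// recursion writes attacker-chosen properties onto every object in the runtime.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject keys that reach the prototype chain, only recurse into
// own properties, and create nested containers with a null prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload, the shape a request body parsed with JSON.parse would have
// (JSON.parse stores "__proto__" as an own property, so Object.keys reports it).
const UNTRUSTED = JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');

// Runs one merge against a fresh target and reports whether an unrelated
// object gained `isAdmin`; cleans Object.prototype up afterwards.
function pollutes(merge) {
  merge({}, UNTRUSTED);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

`pollutes(unsafeMerge)` returns true and `pollutes(safeMerge)` returns false; a detector for this rule looks for exactly the `target[key] = ...` write in a loop over keys of data that crosses a trust boundary.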

SEC-007 (HIGH)

XSS Vulnerability

Unescaped user input is rendered in HTML.

Fix: Use proper escaping or sanitization.

SEC-008 (MEDIUM)

Insecure Random Number

Math.random() is used for security purposes.

Fix: Use crypto.randomBytes() or Web Crypto API.

🏗️ Architecture Rules

ARCH-001 (MEDIUM)

Circular Dependency

Circular import detected between modules.

Fix: Refactor to break the cycle.

ARCH-002 (LOW)

Deep Nesting

Directory depth exceeds 5 levels.

Fix: Flatten structure or use feature folders.

ARCH-003 (MEDIUM)

Large File

File exceeds 500 lines.

Fix: Split into smaller modules.

ARCH-004 (LOW)

Missing TypeScript

JavaScript files found in a TypeScript project.

Fix: Migrate to TypeScript for type safety.

ARCH-005 (LOW)

Unused Dependency

Package listed in package.json but never imported.

Fix: Remove from package.json.

Suppressing Rules

To suppress a specific rule on a line:

// veestack-disable-line SEC-001
eval(userInput);