Active Debug Code

Property
Language: php
Severity: low
CWE: CWE-489: Active Debug Code
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Enabling the APP_DEBUG setting in Laravel exposes detailed error messages and sensitive configuration details. It should never be set to 'true' in production environments, as it reveals information useful to attackers.

Impact

If exploited, attackers could view stack traces, environment variables, and other confidential data, potentially leading to further attacks such as credential theft or server compromise. This can severely undermine the security and integrity of the application.

Active Debug Code

Property
Language: python
Severity: high
CWE: CWE-489: Active Debug Code
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

The Flask application is running with debug mode enabled ('debug=True'). This exposes sensitive error messages and internal application details that should not be visible in production environments.

Impact

If exploited, attackers can access detailed debug information, including stack traces and environment variables, which may reveal secrets or allow code execution. This can lead to data breaches, compromise of the server, or further attacks against your application and infrastructure.

Active Debug Code

Property
Language: python
Severity: low
CWE: CWE-489: Active Debug Code
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Hardcoded variable TESTING detected. Use environment variables or config files instead.

Active Debug Code

Property
Language: python
Severity: low
CWE: CWE-489: Active Debug Code
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The DEBUG setting is being hardcoded in the Flask application code instead of being managed through the FLASK_DEBUG environment variable. This can lead to accidentally running the app in debug mode in production or making it hard to control debug settings securely.

Impact

If DEBUG is enabled in production, sensitive error messages and internal information may be exposed to users or attackers, increasing the risk of information leaks and exploitation. Hardcoding also makes it harder to enforce secure configurations across environments.

Active Debug Code

Property
Language: python
Severity: low
CWE: CWE-489: Active Debug Code
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Hardcoded variable ENV detected. Set this using the FLASK_ENV environment variable instead.

Active Debug Code

Property
Language: python
Severity: low
CWE: CWE-489: Active Debug Code
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The application’s DEBUG setting is hardcoded in the source code instead of being configured through environment variables. This can make it easy to accidentally run the app in debug mode in production, exposing sensitive information.

Impact

If DEBUG mode is enabled in production, attackers could access detailed error messages or the interactive debugger, revealing sensitive data or internal application logic. This increases the risk of information leakage and potential exploitation.
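The Flask entries above all describe the same pattern: DEBUG, TESTING or ENV set as a literal in source rather than taken from FLASK_DEBUG / FLASK_ENV. As an added illustration (not the scanner's own rule code), this small AST-based detector flags the literal forms and stays silent when the value is read from the environment. The sample sources are constructed; it assumes Python 3.9+ for the ast.Subscript.slice shape.

```python
import ast

# Constructed sample that should trip every check below.
SAMPLE_SOURCE = '''
from flask import Flask
app = Flask(__name__)
app.config["DEBUG"] = True
app.config["TESTING"] = True
app.debug = True
app.env = "development"
if __name__ == "__main__":
    app.run(debug=True)
'''

# Constructed hardened counterpart: the value comes from the environment, not a literal.
SAFE_SOURCE = '''
import os
from flask import Flask
app = Flask(__name__)
app.config["DEBUG"] = os.environ.get("FLASK_DEBUG") == "1"
'''

WATCHED = {"DEBUG", "TESTING", "ENV"}   # settings the rules above care about


def find_hardcoded_debug(source: str):
    """Return sorted (line, description) pairs for literal debug/test/env settings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # app.run(debug=True)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr == "run":
            for kw in node.keywords:
                if kw.arg == "debug" and isinstance(kw.value, ast.Constant) \
                        and kw.value.value is True:
                    findings.append((node.lineno, "app.run(debug=True)"))
        # Only assignments of a literal count; expressions such as os.environ.get(...) do not.
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            for target in node.targets:
                if isinstance(target, ast.Subscript) and isinstance(target.slice, ast.Constant) \
                        and target.slice.value in WATCHED:          # app.config["DEBUG"] = True
                    findings.append((node.lineno, f"hardcoded config {target.slice.value}"))
                elif isinstance(target, ast.Attribute) and target.attr.upper() in WATCHED:
                    findings.append((node.lineno, f"hardcoded attribute {target.attr}"))
                elif isinstance(target, ast.Name) and target.id in WATCHED:   # DEBUG = True
                    findings.append((node.lineno, f"hardcoded variable {target.id}"))
    return sorted(findings)
```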

ADD instead of COPY

Property
Language: terraform
Severity: low

Description

Using the ADD instruction in Dockerfiles when only file copying is needed introduces unnecessary risk, because ADD also extracts tar archives automatically and fetches remote URLs. This behavior may unintentionally expose the build to archive-extraction vulnerabilities or unwanted file content.

Impact

An attacker could craft malicious tar files that, when extracted by ADD, overwrite critical files or place unexpected files in the image, potentially leading to code execution or privilege escalation within containers. This increases the attack surface and can compromise the security of containerized applications.

All container images must start with a GCR domain

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

Container images are being used from registries outside of trusted Google Container Registry (GCR) domains, increasing the risk of running unverified or malicious images. The code does not enforce that images originate from approved GCR sources.

Impact

Using images from untrusted sources can lead to the deployment of compromised or vulnerable containers, potentially allowing attackers to gain unauthorized access, execute arbitrary code, or compromise the security and integrity of the Kubernetes environment.

All container images must start with an ECR domain

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

Container images are being pulled from registries outside of Amazon Elastic Container Registry (ECR), allowing untrusted or potentially malicious sources. This bypasses controls that ensure images are vetted and originate from trusted repositories.

Impact

Using images from untrusted registries increases the risk of introducing malware, vulnerabilities, or unauthorized code into the environment. Attackers could exploit this to compromise workloads, exfiltrate data, or disrupt services.

All container images must start with the *.azurecr.io domain

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

Container images are being pulled from registries outside of the trusted *.azurecr.io Azure Container Registry domain, increasing the risk of using unverified or potentially malicious images.

Impact

If untrusted container registries are used, attackers could supply compromised or vulnerable images, leading to unauthorized access, data breaches, or control over the containerized environment. This weakens supply chain integrity and exposes the infrastructure to malware or exploitation.
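The three registry rules (GCR, ECR, *.azurecr.io) share one check: resolve the registry host of each image reference and compare it with the trusted domain. The example below is added here and is not the scanner's implementation; it pulls image = "..." attributes out of a constructed Terraform snippet, applies Docker's default-registry rule (a bare "nginx:1.25" comes from docker.io), and matches the host against assumed per-provider patterns. Note that a naive prefix test would accept a look-alike such as gcr.io.example.net, which the host match rejects.

```python
import re

# Assumed trusted-registry host patterns for the three rules; adjust to your organisation.
TRUSTED_REGISTRIES = {
    "gcr": re.compile(r"^(?:[a-z]+\.)?gcr\.io$"),                         # gcr.io, eu.gcr.io, ...
    "ecr": re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$"),   # <account>.dkr.ecr.<region>
    "acr": re.compile(r"^[a-z0-9]+\.azurecr\.io$"),                      # <name>.azurecr.io
}

# Constructed Terraform snippet: one trusted image, one Docker Hub image, one look-alike host.
SAMPLE_TF = '''
resource "kubernetes_deployment" "api" {
  spec {
    template {
      spec {
        container {
          image = "gcr.io/my-project/api:1.2.0"
        }
        container {
          image = "nginx:1.25"
        }
        container {
          image = "gcr.io.example.net/api:1.2.0"
        }
      }
    }
  }
}
'''
IMAGE_ATTR = re.compile(r'image\s*=\s*"([^"]+)"')


def images_in_hcl(text: str) -> list:
    """Collect every image = "..." attribute written as a string literal."""
    return IMAGE_ATTR.findall(text)


def registry_of(image: str) -> str:
    """Registry host of an image reference. Docker's rule: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise docker.io is implied."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.split(":", 1)[0]   # drop an explicit port, keep the host
    return "docker.io"


def check_images(images, provider: str) -> list:
    """Return the references whose registry host does not match the provider's pattern."""
    pattern = TRUSTED_REGISTRIES[provider]
    return [img for img in images if not pattern.match(registry_of(img))]
```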