App Service authentication is activated

Property
Language: terraform
Severity: medium
Service: appservice
Provider: Azure
Vulnerability Type: omission

Description

The App Service is deployed without authentication enabled, allowing unauthenticated users to access the application. The missing ‘auth_settings’ block in the Terraform configuration leaves the app open to anonymous requests.

Impact

Without authentication, anyone can send requests to the application, potentially exposing sensitive data or functionality to unauthorized users. This increases the risk of data breaches, account compromise, and abuse of application resources.

‘apt-get dist-upgrade’ used

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

Using ‘apt-get dist-upgrade’ in a Dockerfile can upgrade core system components and major OS versions, leading to inconsistent and unpredictable container builds. This practice undermines image stability and reproducibility by introducing uncontrolled changes.

Impact

If exploited, this vulnerability can result in containers running untested or incompatible software versions, increasing the risk of breakage or the introduction of vulnerabilities. It may also lead to unexpected behavior, security regressions, or system instability within deployed containers.

‘apt-get’ missing ‘--no-install-recommends’

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

When ‘apt-get install’ is used without the ‘--no-install-recommends’ flag, unnecessary recommended packages are installed, increasing the size and complexity of the resulting image. This can introduce unneeded software and dependencies into production environments.

Impact

Larger images with surplus packages expand the attack surface, making it easier for attackers to exploit vulnerabilities in unused or unnecessary software. This can lead to increased security risks, longer build times, and compliance issues related to minimal and hardened deployments.

‘apt-get’ missing ‘-y’ to avoid manual input

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

The code runs ‘apt-get install’ commands without the ‘-y’ flag, which can cause package installations to pause for manual confirmation. This makes automated builds or deployments unreliable and susceptible to hanging during execution.

Impact

If exploited or simply left unaddressed, this issue can halt automated deployment pipelines, leading to failed builds, incomplete updates, or prolonged downtime. Attackers could potentially exploit stalled processes to disrupt services or interfere with the application’s deployment workflow.

At least one email address is set for threat alerts

Property
Language: terraform
Severity: medium
Service: database
Provider: Azure
Vulnerability Type: omission

Description

The security alert policy for Azure SQL Server is configured without any email addresses, meaning threat detection alerts will not be sent to administrators or security teams. This results in a lack of immediate notification when suspicious activity is detected.

Impact

Without email notifications for threat alerts, critical security incidents may go unnoticed, delaying response and mitigation. This increases the risk that attackers can exploit vulnerabilities or exfiltrate data without timely intervention, potentially leading to data breaches or compliance violations.

Athena workgroups should enforce configuration to prevent client disabling encryption

Property
Language: terraform
Severity: high
Service: athena
Provider: AWS
Vulnerability Type: misconfiguration

Description

The Athena workgroup is not enforcing encryption settings, allowing clients to override and potentially disable encryption for query results. This weakens data protection by making encryption optional rather than mandatory.

Impact

If exploited, clients can bypass required encryption, leading to sensitive query results being stored unencrypted. This increases the risk of data exposure, non-compliance with security policies or regulations, and potential data breaches.

Auditing should be enabled on Azure SQL Databases

Property
Language: terraform
Severity: medium
Service: database
Provider: Azure
Vulnerability Type: omission

Description

Azure SQL Databases are configured without auditing enabled, which means actions and access to the database are not being logged. This lack of auditing makes it difficult to track activity or spot unauthorized or suspicious behavior.

Impact

Without auditing, unauthorized access or malicious actions may go undetected, making it harder to investigate incidents, comply with regulatory requirements, or identify security breaches. This can lead to data exposure, compliance violations, and increased risk of undetected attacks.

Authentication Bypass by Spoofing

Property
Language: generic
Severity: low
CWE: CWE-290: Authentication Bypass by Spoofing
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

Using $http_host or $host in Nginx configs without validation allows attackers to send malicious Host headers, which your server may trust as legitimate. This can lead to relying on user-supplied values for important logic or redirects.

Impact

If exploited, attackers could impersonate trusted domains, bypass authentication, or manipulate how your app processes requests, potentially leading to phishing or unauthorized access. This weakens the security of domain-based protections and trust checks.

Authorization Bypass Through User-Controlled Key

Property
Language: ruby
Severity: high
CWE: CWE-639: Authorization Bypass Through User-Controlled Key
OWASP: A05:2017 - Broken Access Control
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User-controlled input (like params or cookies) is being passed directly to model find methods without scoping to the current user. This allows attackers to access records they shouldn’t be able to see by simply changing the record ID.

Impact

If exploited, an attacker could read or manipulate sensitive records belonging to other users by guessing or iterating through IDs. This could expose personal, financial, or confidential information, leading to data breaches and loss of user trust.