6,200+ Security Rules
VEXLIT ships with over 6,200 pre-built security rules covering 225+ unique CWEs across 34 languages. Every rule is tested against real-world vulnerable codebases to minimize false positives.
6,200+ total rules
225+ unique CWEs
34 languages
6 IaC formats
OWASP Top 10 Coverage
Every OWASP Top 10 (2021) category is fully covered with dedicated detection rules.
A01 Broken Access Control
Path traversal, IDOR, CORS misconfiguration, privilege escalation
A02 Cryptographic Failures
Weak hashing, hardcoded keys, insecure random, missing encryption
A03 Injection
SQL injection, XSS, command injection, LDAP injection, XPath injection
A04 Insecure Design
Race conditions, mass assignment, insecure deserialization
A05 Security Misconfiguration
Debug mode, default credentials, verbose errors, insecure headers
A06 Vulnerable Components
SCA: known CVEs in dependencies across 12 package ecosystems
A07 Auth Failures
Hardcoded passwords, weak JWT, session fixation, insecure cookies
A08 Data Integrity
Insecure deserialization, prototype pollution, unsafe eval
A09 Logging Failures
Sensitive data in logs, missing audit trails, insecure logging
A10 SSRF
Server-side request forgery, DNS rebinding, missing URL scheme validation
Language Coverage
Rules are organized into three tiers based on analysis depth.
Tier 1: Full Taint Analysis
Complete data flow tracking with interprocedural analysis, constant propagation, and dead branch elimination.
Tier 2: Enhanced Detection
AST-based analysis with scope tracking, type casting detection, and framework-specific rules.
Tier 3: IaC Security
Infrastructure-as-Code rules for misconfiguration detection with variable resolution and reference chain tracking.
Deep Framework Rules
11 framework-specific rule sets that detect vulnerabilities unique to each framework's patterns.
Spring Boot
SpEL injection, SQL built by string concatenation in JDBC calls, mass assignment via @ModelAttribute
Express.js
eval injection, SSRF via axios/fetch, prototype pollution
Django
Raw SQL, SSTI via Template(), IDOR in querysets
Flask
Jinja2 SSTI, pickle deserialization, unsafe redirects
Ruby on Rails
ActiveRecord injection, render inline XSS, mass assignment
ASP.NET
BinaryFormatter deserialization, XXE, LDAP injection
Next.js
Server Action SSRF, dangerouslySetInnerHTML XSS
FastAPI
SQL injection in raw queries, SSRF via httpx
Gin / Echo (Go)
SQL injection in raw DB queries, SSRF
Laravel
DB::raw injection, Blade XSS via {!! !!}
Symfony
Doctrine DQL injection, Twig SSTI
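The Flask rule set above lists pickle deserialization and the ASP.NET set lists BinaryFormatter; both are the same A08 pattern of handing attacker-controlled bytes to a deserializer that can instantiate arbitrary types. The Python below is an added example, not VEXLIT code or one of its rules: a constructed payload whose `__reduce__` method makes `pickle.loads` call an arbitrary function (`os.getcwd` stands in for `os.system` so nothing harmful runs), followed by the restricted-`Unpickler` pattern from the Python documentation, which refuses any global outside a short allowlist. `SESSION`, `Exploit` and the helper names are assumptions for the illustration.

```python
import builtins
import io
import os
import pickle

# Constructed session object (not from the page): the legitimate data a
# handler might pickle into a cookie or a cache entry.
SESSION = {"user": "alice", "roles": ["admin"], "ttl": 3600}


class Exploit:
    """Attacker-crafted object. Unpickling it calls the callable returned by
    __reduce__; os.getcwd is used instead of os.system so the demo has no
    side effects, but the mechanism is identical (module resolves to
    'posix' on Linux/macOS, 'nt' on Windows)."""

    def __reduce__(self):
        return (os.getcwd, ())


def serialize_session():
    return pickle.dumps(SESSION)


def build_payload():
    # What an attacker sends in place of a real session blob. The stream
    # references posix.getcwd by name; the Exploit class itself is not needed
    # on the receiving side.
    return pickle.dumps(Exploit())


def unsafe_load(data):
    # Vulnerable: pickle.loads imports and calls any global named in the stream.
    return pickle.loads(data)


def payload_executes():
    # True when the attacker's callable actually ran during unpickling.
    return unsafe_load(build_payload()) == os.getcwd()


SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only allow-listed builtins may be referenced by the stream."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects(data):
    """True if the hardened loader refuses the blob."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload()
    print("unsafe_load ran the attacker's callable:", payload_executes())
    print("safe_load rejects the payload:", rejects(payload))
    print("safe_load still loads real sessions:", safe_load(serialize_session()) == SESSION)
```

The allowlist blocks the class of payload shown here, but an allow-listed type with a dangerous `__setstate__` or `__reduce__` would still be reachable; the durable fix is a data-only format such as JSON for anything that crosses a trust boundary, with pickle reserved for bytes whose integrity is already verified (for example, an HMAC checked before loading).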
Severity Levels
Every finding is classified into one of four severity levels based on exploitability and impact.
Critical
Confirmed data flow from user input to a dangerous sink; treated as exploitable and requires an immediate fix.
High
Potentially exploitable vulnerability pattern. Dangerous pattern detected but data flow not fully confirmed.
Medium
Security-sensitive code pattern that may lead to vulnerabilities under certain conditions.
Low
Best practice violation or low-risk finding. Worth reviewing but unlikely to be directly exploitable.
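The Tier 1 description above (interprocedural data flow, constant propagation, dead branch elimination) and the Critical/High split in the severity table both come down to one question: can the analyzer prove that attacker-controlled data reaches a dangerous sink? The following is an added example, not VEXLIT's engine or rule code, written against Python's `ast` module: a toy taint tracker that summarizes local helper functions so taint flows through them, resolves module-level constants, drops branches whose condition is a known constant, and reports `critical` only for a confirmed source-to-sink flow and `high` when a sink receives data of unknown origin. The `SOURCES` and `SINKS` tables and the `SAMPLE` handler are constructed for the illustration.

```python
import ast

UNKNOWN = object()  # sentinel: "this expression is not a compile-time constant"

# Constructed sample input (not from the page): one confirmed source-to-sink flow,
# one sink fed by data of unknown origin, a dead branch and a constant argument.
SAMPLE = '''
import os
from flask import request

DEBUG = False
LIST_CMD = "ls -l"

def lookup(user):
    return "SELECT * FROM users WHERE name = '" + user + "'"

def handler(db):
    name = request.args.get("name")   # taint source
    db.execute(lookup(name))           # tainted data reaches a SQL sink via a helper
    cmd = build_cmd()                  # origin unknown to the analyzer
    os.system(cmd)                     # dangerous sink, flow not confirmed
    if DEBUG:
        os.system(request.args["x"])   # dead branch: DEBUG is a known constant
    os.system(LIST_CMD)                # constant argument: not a finding
'''

# Assumed source/sink tables for the toy; a real engine ships thousands of entries.
SOURCES = {"request.args", "request.args.get", "request.form", "request.form.get"}
SINKS = {"db.execute": "sql-injection", "os.system": "command-injection",
         "subprocess.call": "command-injection", "eval": "code-injection"}


class TaintAnalyzer:
    def __init__(self, source):
        self.tree = ast.parse(source)
        # Module-level `NAME = <literal>` bindings feed constant propagation.
        self.consts = {t.id: n.value.value for n in self.tree.body
                       if isinstance(n, ast.Assign) and isinstance(n.value, ast.Constant)
                       for t in n.targets if isinstance(t, ast.Name)}
        self.funcs = {n.name: n for n in self.tree.body if isinstance(n, ast.FunctionDef)}
        self._summary = {}  # function name -> does its return value carry taint from its params?
        self.findings = []

    @staticmethod
    def dotted(node):
        """Render an `a.b.c` attribute chain as a string for table lookups."""
        if isinstance(node, ast.Name):
            return node.id
        if isinstance(node, ast.Attribute):
            base = TaintAnalyzer.dotted(node.value)
            return f"{base}.{node.attr}" if base else None
        return None

    def const(self, node):
        """Constant propagation: a literal, or a name bound to a module-level literal."""
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name) and node.id in self.consts:
            return self.consts[node.id]
        return UNKNOWN

    def propagates(self, fname):
        """Interprocedural summary: analyze the callee once with every parameter tainted."""
        if fname not in self._summary:
            self._summary[fname] = False  # provisional value breaks recursion
            fn = self.funcs[fname]
            self._summary[fname] = self.run(fn.body, {a.arg for a in fn.args.args}, report=False)
        return self._summary[fname]

    def tainted(self, node, env):
        """Is this expression derived from a source, given the tainted names in env?"""
        if isinstance(node, ast.Name):
            return node.id in env
        if isinstance(node, ast.BinOp):
            return self.tainted(node.left, env) or self.tainted(node.right, env)
        if isinstance(node, ast.JoinedStr):
            return any(self.tainted(v, env) for v in node.values)
        if isinstance(node, ast.FormattedValue):
            return self.tainted(node.value, env)
        if isinstance(node, (ast.Attribute, ast.Subscript)):
            return self.dotted(node) in SOURCES or self.tainted(node.value, env)
        if isinstance(node, ast.Call):
            name = self.dotted(node.func)
            if name in SOURCES:
                return True
            args_tainted = any(self.tainted(a, env) for a in node.args)
            if name in self.funcs:                    # local helper: consult its summary
                return args_tainted and self.propagates(name)
            if isinstance(node.func, ast.Attribute):  # method call, e.g. name.strip()
                return args_tainted or self.tainted(node.func.value, env)
        return False  # literals and anything the toy does not model

    def check_sink(self, call, env):
        name = self.dotted(call.func)
        if name not in SINKS or not call.args:
            return
        arg = call.args[0]
        if self.tainted(arg, env):
            severity = "critical"            # confirmed source-to-sink flow
        elif self.const(arg) is not UNKNOWN:
            return                           # constant argument: no finding at all
        else:
            severity = "high"                # dangerous sink, origin of the data unproven
        self.findings.append((severity, SINKS[name], call.lineno))

    def run(self, stmts, env, report=True):
        """Walk statements tracking tainted names; return whether a tainted value is returned."""
        returns_taint = False
        for s in stmts:
            if isinstance(s, ast.If):
                cond = self.const(s.test)
                if cond is UNKNOWN:          # both branches live: union their effects
                    body_env, else_env = set(env), set(env)
                    returns_taint |= self.run(s.body, body_env, report)
                    returns_taint |= self.run(s.orelse, else_env, report)
                    env |= body_env | else_env
                else:                        # dead-branch elimination
                    returns_taint |= self.run(s.body if cond else s.orelse, env, report)
                continue
            if report:
                for call in (c for c in ast.walk(s) if isinstance(c, ast.Call)):
                    self.check_sink(call, env)
            if isinstance(s, ast.Return) and s.value is not None:
                returns_taint |= self.tainted(s.value, env)
            if isinstance(s, ast.Assign) and len(s.targets) == 1 and isinstance(s.targets[0], ast.Name):
                if self.tainted(s.value, env):
                    env.add(s.targets[0].id)
                else:
                    env.discard(s.targets[0].id)  # overwritten with clean data
        return returns_taint

    def analyze(self):
        for fn in self.funcs.values():
            self.run(fn.body, set())  # parameters are clean unless a caller proves otherwise
        return sorted(self.findings)


def scan(source):
    return TaintAnalyzer(source).analyze()


if __name__ == "__main__":
    for severity, rule, line in scan(SAMPLE):
        print(f"{severity:8s} {rule:18s} line {line}")
```

On the constructed sample this yields one `critical` finding (the SQL sink on line 13, reached through `lookup`) and one `high` finding (the `os.system` call on line 15, whose argument comes from an unmodelled call); the sink inside `if DEBUG:` is never reported while `DEBUG` is `False`, and the constant-argument call produces nothing. The same split is what separates Tier 1 from Tier 2 in practice: without the flow tracking, every `os.system` with a non-literal argument can only be a pattern match.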
Customizing Rules
Disable specific rules, override severity levels, or ignore certain paths via vexlit.config.js.
// vexlit.config.js
module.exports = {
  rules: {
    'VEXLIT-002': false,      // Disable a rule
    'VEXLIT-019': 'critical', // Override severity
  },
  ignore: [
    'test/',
    '**/*.test.ts',
  ],
};