rails_template_18f 0.1.0

Files changed (99)
  1. checksums.yaml +7 -0
  2. data/.rspec +3 -0
  3. data/.standard.yml +2 -0
  4. data/CHANGELOG.md +6 -0
  5. data/CODE_OF_CONDUCT.md +84 -0
  6. data/Gemfile +10 -0
  7. data/Gemfile.lock +132 -0
  8. data/LICENSE.md +21 -0
  9. data/README.md +140 -0
  10. data/Rakefile +10 -0
  11. data/bin/console +16 -0
  12. data/bin/setup +8 -0
  13. data/lib/generators/rails_template18f/circleci/circleci_generator.rb +116 -0
  14. data/lib/generators/rails_template18f/circleci/templates/Dockerfile.tt +13 -0
  15. data/lib/generators/rails_template18f/circleci/templates/bin/ci-server-start +8 -0
  16. data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt +413 -0
  17. data/lib/generators/rails_template18f/circleci/templates/docker-compose.ci.yml +26 -0
  18. data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb +137 -0
  19. data/lib/generators/rails_template18f/github_actions/templates/github/actions/run-server/action.yml +28 -0
  20. data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-languages/action.yml.tt +20 -0
  21. data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-project/action.yml.tt +33 -0
  22. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml +44 -0
  23. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/dependency-scans.yml +39 -0
  24. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt +53 -0
  25. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt +53 -0
  26. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-daily-scan.yml.tt +44 -0
  27. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-scan.yml.tt +47 -0
  28. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/pa11y.yml.tt +65 -0
  29. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/rspec.yml.tt +34 -0
  30. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml +79 -0
  31. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml +79 -0
  32. data/lib/rails_template18f/terraform_options.rb +68 -0
  33. data/lib/rails_template18f/version.rb +5 -0
  34. data/lib/rails_template_18f.rb +13 -0
  35. data/rails-template-18f.gemspec +40 -0
  36. data/railsrc +10 -0
  37. data/railsrc-hotwire +8 -0
  38. data/template.rb +506 -0
  39. data/templates/README.md.tt +213 -0
  40. data/templates/app/assets/images/uswds.js +5 -0
  41. data/templates/app/assets/stylesheets/uswds-settings.scss +7 -0
  42. data/templates/app/views/application/_banner_lock_icon.html.erb +19 -0
  43. data/templates/app/views/application/_demo_site_banner.html.erb +3 -0
  44. data/templates/app/views/application/_header.html.erb +26 -0
  45. data/templates/app/views/application/_usa_banner.html.erb +51 -0
  46. data/templates/bin/owasp-scan +49 -0
  47. data/templates/bin/pa11y-scan +10 -0
  48. data/templates/bin/with-server +35 -0
  49. data/templates/browserslistrc +5 -0
  50. data/templates/config/deployment/production.yml +3 -0
  51. data/templates/config/deployment/staging.yml +3 -0
  52. data/templates/config/environments/ci.rb +10 -0
  53. data/templates/config/environments/staging.rb +6 -0
  54. data/templates/config/locales/en.yml.tt +25 -0
  55. data/templates/config/locales/es.yml +19 -0
  56. data/templates/config/locales/fr.yml +22 -0
  57. data/templates/config/locales/zh.yml +16 -0
  58. data/templates/config/newrelic.yml +65 -0
  59. data/templates/doc/adr/0001-record-architecture-decisions.md.tt +21 -0
  60. data/templates/doc/adr/0002-initial-architecture-decisions.md.tt +24 -0
  61. data/templates/doc/adr/0003-security-scans.md.tt +44 -0
  62. data/templates/doc/adr/0004-rails-csp-compliant-script-tag-helpers.md.tt +53 -0
  63. data/templates/doc/compliance/README.md +37 -0
  64. data/templates/doc/compliance/apps/application.boundary.md.tt +80 -0
  65. data/templates/doc/compliance/apps/data.logical.md +21 -0
  66. data/templates/doc/compliance/rendered/apps/.keep +0 -0
  67. data/templates/editorconfig +5 -0
  68. data/templates/env +10 -0
  69. data/templates/githooks/pre-commit.tt +35 -0
  70. data/templates/lib/tasks/cf.rake +9 -0
  71. data/templates/lib/tasks/scanning.rake +63 -0
  72. data/templates/manifest.yml.tt +19 -0
  73. data/templates/pa11yci +9 -0
  74. data/templates/terraform/README.md.tt +148 -0
  75. data/templates/terraform/bootstrap/import.sh +12 -0
  76. data/templates/terraform/bootstrap/main.tf.tt +25 -0
  77. data/templates/terraform/bootstrap/providers.tf +16 -0
  78. data/templates/terraform/bootstrap/run.sh.tt +12 -0
  79. data/templates/terraform/bootstrap/teardown_creds.sh.tt +5 -0
  80. data/templates/terraform/bootstrap/variables.tf +2 -0
  81. data/templates/terraform/create_space_deployer.sh +33 -0
  82. data/templates/terraform/destroy_space_deployer.sh +19 -0
  83. data/templates/terraform/production/main.tf.tt +50 -0
  84. data/templates/terraform/production/providers.tf.tt +17 -0
  85. data/templates/terraform/production/variables.tf +2 -0
  86. data/templates/terraform/shared/database/main.tf.tt +23 -0
  87. data/templates/terraform/shared/database/providers.tf +16 -0
  88. data/templates/terraform/shared/database/variables.tf +42 -0
  89. data/templates/terraform/shared/domain/main.tf.tt +46 -0
  90. data/templates/terraform/shared/domain/providers.tf +16 -0
  91. data/templates/terraform/shared/domain/variables.tf +47 -0
  92. data/templates/terraform/shared/s3/main.tf +27 -0
  93. data/templates/terraform/shared/s3/providers.tf +16 -0
  94. data/templates/terraform/shared/s3/variables.tf +43 -0
  95. data/templates/terraform/staging/main.tf.tt +30 -0
  96. data/templates/terraform/staging/providers.tf.tt +17 -0
  97. data/templates/terraform/staging/variables.tf +2 -0
  98. data/templates/zap.conf +121 -0
  99. metadata +213 -0
@@ -0,0 +1,19 @@
1
+ #!/usr/bin/env bash
2
+
3
+ set -e
4
+
5
+ if [[ $# -ne 2 ]]; then
6
+ echo "$0 <<SPACE_NAME>> <<ACCOUNT_NAME>>"
7
+ exit 1;
8
+ fi
9
+
10
+ space=$1
11
+ service=$2
12
+
13
+ cf target -s $space
14
+
15
+ # destroy service key
16
+ cf delete-service-key $service space-deployer-key -f
17
+
18
+ # destroy service
19
+ cf delete-service $service -f
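Review bot: the `cf target -s $space`, `cf delete-service-key $service space-deployer-key -f` and `cf delete-service $service -f` lines expand `$space` and `$service` unquoted, so a value containing whitespace or glob characters is word-split before it reaches `cf`; quote them (`cf target -s "$space"`) and consider `set -euo pipefail` so an empty variable also aborts instead of targeting nothing. The usage message calls the second argument `<<ACCOUNT_NAME>>` while the script stores it in `service` and hands it to `cf delete-service`; use one name so the reader knows it is the deployer service instance, not a user account, that is destroyed. Deleting `space-deployer-key` revokes the credentials CI is using, so a comment should say that any copy of that key in the CI secret store must be removed at the same time.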
@@ -0,0 +1,50 @@
1
+ locals {
2
+ cf_org_name = "<%= @cloud_gov_organization %>"
3
+ cf_space_name = "<%= @cloud_gov_production_space %>"
4
+ env = "production"
5
+ recursive_delete = false
6
+ }
7
+
8
+ module "database" {
9
+ source = "../shared/database"
10
+
11
+ cf_user = var.cf_user
12
+ cf_password = var.cf_password
13
+ cf_org_name = local.cf_org_name
14
+ cf_space_name = local.cf_space_name
15
+ env = local.env
16
+ recursive_delete = local.recursive_delete
17
+ rds_plan_name = "TKTK-production-rds-plan"
18
+ }
19
+
20
+ <% if !skip_active_storage? %>
21
+ module "s3" {
22
+ source = "../shared/s3"
23
+
24
+ cf_user = var.cf_user
25
+ cf_password = var.cf_password
26
+ cf_org_name = local.cf_org_name
27
+ cf_space_name = local.cf_space_name
28
+ s3_service_name = "<%= app_name %>-s3-${local.env}"
29
+ }
30
+ <% end %>
31
+
32
+ ###########################################################################
33
+ # The following lines need to be commented out for the initial `terraform apply`
34
+ # It can be re-enabled after:
35
+ # 1) the app has first been deployed
36
+ # 2) the route has been manually created by an OrgManager:
37
+ # `cf create-domain <%= @cloud_gov_organization %> TKTK-production-domain-name`
38
+ ###########################################################################
39
+ # module "domain" {
40
+ # source = "../shared/domain"
41
+ #
42
+ # cf_user = var.cf_user
43
+ # cf_password = var.cf_password
44
+ # cf_org_name = local.cf_org_name
45
+ # cf_space_name = local.cf_space_name
46
+ # env = local.env
47
+ # recursive_delete = local.recursive_delete
48
+ # cdn_plan_name = "domain"
49
+ # domain_name = "TKTK-production-domain-name"
50
+ # }
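Review bot: `rds_plan_name = "TKTK-production-rds-plan"` and the `TKTK-production-domain-name` strings are placeholders the generator leaves in place, and the shared database module indexes `data.cloudfoundry_service.rds.service_plans[var.rds_plan_name]` with them, so the first `terraform apply` fails with an opaque invalid-index error until they are replaced; either state the TKTK convention at the top of this file or add a `validation` block on the variable that rejects values beginning with `TKTK`. Enabling `module "domain"` by uncommenting it after the first deploy means the applied configuration differs from the committed one; `count = var.enable_domain ? 1 : 0` on the module would keep a single reviewable file and make the two-step bootstrap an explicit variable rather than an edit.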
@@ -0,0 +1,17 @@
1
+ terraform {
2
+ required_version = "~> 1.0"
3
+ required_providers {
4
+ cloudfoundry = {
5
+ source = "cloudfoundry-community/cloudfoundry"
6
+ version = "0.15.0"
7
+ }
8
+ }
9
+
10
+ backend "s3" {
11
+ bucket = "TKTK-s3-bucket"
12
+ key = "terraform.tfstate.prod"
13
+ encrypt = "true"
14
+ region = "us-gov-west-1"
15
+ profile = "<%= app_name %>-terraform-backend"
16
+ }
17
+ }
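Review bot: the `backend "s3"` block sets no `dynamodb_table`, so there is no state locking and two overlapping applies (a re-run workflow against a manual apply, say) can corrupt `terraform.tfstate.prod`; add a lock table next to `TKTK-s3-bucket`. `encrypt = "true"` only works because Terraform coerces the string; the attribute is a bool and should read `encrypt = true`. Pinning `cloudfoundry` to exactly `0.15.0` is the right call for reproducibility, but say so in the README so the next person bumps it deliberately rather than loosening it.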
@@ -0,0 +1,2 @@
1
+ variable "cf_password" {}
2
+ variable "cf_user" {}
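Review bot: `variable "cf_password" {}` in this root module has neither `type` nor `sensitive = true`, so the deployer password is unredacted anywhere it is referenced at the root level (an error message, a future `output` or `local`), whereas every shared module declares the same variable `sensitive = true`; declare it `type = string` with `sensitive = true` here as well, and give `cf_user` a `type = string` so a missing `TF_VAR_cf_user` fails with a clear message.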
@@ -0,0 +1,23 @@
1
+ ###
2
+ # Target space/org
3
+ ###
4
+
5
+ data "cloudfoundry_space" "space" {
6
+ org_name = var.cf_org_name
7
+ name = var.cf_space_name
8
+ }
9
+
10
+ ###
11
+ # RDS instance
12
+ ###
13
+
14
+ data "cloudfoundry_service" "rds" {
15
+ name = "aws-rds"
16
+ }
17
+
18
+ resource "cloudfoundry_service_instance" "rds" {
19
+ name = "<%= app_name %>-rds-${var.env}"
20
+ space = data.cloudfoundry_space.space.id
21
+ service_plan = data.cloudfoundry_service.rds.service_plans[var.rds_plan_name]
22
+ recursive_delete = var.recursive_delete
23
+ }
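Review bot: `service_plan = data.cloudfoundry_service.rds.service_plans[var.rds_plan_name]` surfaces a wrong or placeholder plan name as a generic invalid-index error; a `precondition` on the resource (Terraform 1.2+) or a `validation` on `rds_plan_name` whose message lists `keys(data.cloudfoundry_service.rds.service_plans)` would make the failure self-explanatory. Unlike the s3 module this one exposes no `output`; the app manifest binds the instance by name, so an `output "instance_name"` would let the root modules and the README reference the same value instead of re-deriving `<%= app_name %>-rds-${var.env}`.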
@@ -0,0 +1,16 @@
1
+ terraform {
2
+ required_version = "~> 1.0"
3
+ required_providers {
4
+ cloudfoundry = {
5
+ source = "cloudfoundry-community/cloudfoundry"
6
+ version = "0.15.0"
7
+ }
8
+ }
9
+ }
10
+
11
+ provider "cloudfoundry" {
12
+ api_url = var.cf_api_url
13
+ user = var.cf_user
14
+ password = var.cf_password
15
+ app_logs_max = 30
16
+ }
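Review bot: this shared module declares its own `provider "cloudfoundry"` block and takes `cf_user`/`cf_password` as variables solely to fill it in; Terraform documents provider configuration inside child modules as a legacy pattern (such modules cannot use `count`, `for_each` or `depends_on` and cannot be removed from state cleanly), and it is the reason the root modules thread credentials into every module call. Configure the provider once in the root `providers.tf.tt`, let the modules inherit it, and keep only `required_providers` here. The same applies to the byte-identical providers.tf files in the domain and s3 modules below.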
@@ -0,0 +1,42 @@
1
+ variable "cf_api_url" {
2
+ type = string
3
+ description = "cloud.gov api url"
4
+ default = "https://api.fr.cloud.gov"
5
+ }
6
+
7
+ variable "cf_user" {
8
+ type = string
9
+ description = "cloud.gov deployer account user"
10
+ }
11
+
12
+ variable "cf_password" {
13
+ type = string
14
+ description = "secret; cloud.gov deployer account password"
15
+ sensitive = true
16
+ }
17
+
18
+ variable "cf_org_name" {
19
+ type = string
20
+ description = "cloud.gov organization name"
21
+ }
22
+
23
+ variable "cf_space_name" {
24
+ type = string
25
+ description = "cloud.gov space name (staging or prod)"
26
+ }
27
+
28
+ variable "env" {
29
+ type = string
30
+ description = "deployment environment (staging, production)"
31
+ }
32
+
33
+ variable "recursive_delete" {
34
+ type = bool
35
+ description = "when true, deletes service bindings attached to the resource (not recommended for production)"
36
+ default = false
37
+ }
38
+
39
+ variable "rds_plan_name" {
40
+ type = string
41
+ description = "name of the service plan name to create"
42
+ }
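Review bot: the `rds_plan_name` description reads "name of the service plan name to create", which repeats "name"; the variable also has no `validation`, and the two callers pass `micro-psql` and a TKTK placeholder respectively, so a `validation` block rejecting `TKTK*` values is a cheap guard. The `recursive_delete` description covers bindings but not the data: deleting the service instance deletes the database either way, so note that production keeps `false` and that `lifecycle { prevent_destroy = true }` on the resource is the control if data loss must be impossible.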
@@ -0,0 +1,46 @@
1
+ ###
2
+ # Target space/org
3
+ ###
4
+
5
+ data "cloudfoundry_space" "space" {
6
+ org_name = var.cf_org_name
7
+ name = var.cf_space_name
8
+ }
9
+
10
+ ###
11
+ # Route mapping and CDN instance
12
+ ###
13
+
14
+ data "cloudfoundry_app" "app" {
15
+ name_or_id = "<%= app_name %>-${var.env}"
16
+ space = data.cloudfoundry_space.space.id
17
+ }
18
+
19
+ ###########################################################################
20
+ # Route must be manually created by an OrgManager before terraform is run:
21
+ #
22
+ # cf create-domain <%= @cloud_gov_organization %> TKTK-production-domain-name
23
+ ###########################################################################
24
+ data "cloudfoundry_domain" "origin_url" {
25
+ name = var.domain_name
26
+ }
27
+
28
+ resource "cloudfoundry_route" "origin_route" {
29
+ domain = data.cloudfoundry_domain.origin_url.id
30
+ space = data.cloudfoundry_space.space.id
31
+ target {
32
+ app = data.cloudfoundry_app.app.id
33
+ }
34
+ }
35
+
36
+ data "cloudfoundry_service" "external_domain" {
37
+ name = "external-domain"
38
+ }
39
+
40
+ resource "cloudfoundry_service_instance" "external_domain_instance" {
41
+ name = "<%= app_name %>-domain-${var.env}"
42
+ space = data.cloudfoundry_space.space.id
43
+ service_plan = data.cloudfoundry_service.external_domain.service_plans[var.cdn_plan_name]
44
+ recursive_delete = var.recursive_delete
45
+ json_params = "{\"domains\": \"${var.domain_name}\"}"
46
+ }
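Review bot: `json_params = "{\"domains\": \"${var.domain_name}\"}"` builds JSON by string interpolation, so a domain value containing a quote or backslash yields invalid JSON that the broker rejects with an unhelpful message; use `json_params = jsonencode({ domains = var.domain_name })`. The header comment hardcodes `TKTK-production-domain-name` in the `cf create-domain` example while the resource uses `var.domain_name`; interpolate the variable into the comment or drop the literal so the two cannot drift. `data "cloudfoundry_app" "app"` resolves `<%= app_name %>-${var.env}`, which silently couples this module to the app name in `manifest.yml.tt`; a comment naming that dependency would save the next person a failed apply.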
@@ -0,0 +1,16 @@
1
+ terraform {
2
+ required_version = "~> 1.0"
3
+ required_providers {
4
+ cloudfoundry = {
5
+ source = "cloudfoundry-community/cloudfoundry"
6
+ version = "0.15.0"
7
+ }
8
+ }
9
+ }
10
+
11
+ provider "cloudfoundry" {
12
+ api_url = var.cf_api_url
13
+ user = var.cf_user
14
+ password = var.cf_password
15
+ app_logs_max = 30
16
+ }
@@ -0,0 +1,47 @@
1
+ variable "cf_api_url" {
2
+ type = string
3
+ description = "cloud.gov api url"
4
+ default = "https://api.fr.cloud.gov"
5
+ }
6
+
7
+ variable "cf_user" {
8
+ type = string
9
+ description = "cloud.gov deployer account user"
10
+ }
11
+
12
+ variable "cf_password" {
13
+ type = string
14
+ description = "secret; cloud.gov deployer account password"
15
+ sensitive = true
16
+ }
17
+
18
+ variable "cf_org_name" {
19
+ type = string
20
+ description = "cloud.gov organization name"
21
+ }
22
+
23
+ variable "cf_space_name" {
24
+ type = string
25
+ description = "cloud.gov space name (staging or prod)"
26
+ }
27
+
28
+ variable "env" {
29
+ type = string
30
+ description = "deployment environment (staging, production)"
31
+ }
32
+
33
+ variable "recursive_delete" {
34
+ type = bool
35
+ description = "when true, deletes service bindings attached to the resource (not recommended for production)"
36
+ default = false
37
+ }
38
+
39
+ variable "cdn_plan_name" {
40
+ type = string
41
+ description = "name of the service plan name to create"
42
+ }
43
+
44
+ variable "domain_name" {
45
+ type = string
46
+ description = "DNS name users will be accessing site"
47
+ }
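Review bot: the `domain_name` description "DNS name users will be accessing site" is missing words (read "DNS name users will use to access the site"), and `cdn_plan_name` repeats the "name of the service plan name to create" wording from the database module. Because `domain_name` is interpolated into `json_params` and into a route, a `validation` block such as `can(regex("^[a-z0-9.-]+$", var.domain_name))` would reject stray whitespace or a `https://` prefix before the broker does.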
@@ -0,0 +1,27 @@
1
+ ###
2
+ # Target space/org
3
+ ###
4
+
5
+ data "cloudfoundry_space" "space" {
6
+ org_name = var.cf_org_name
7
+ name = var.cf_space_name
8
+ }
9
+
10
+ ###
11
+ # S3 instance
12
+ ###
13
+
14
+ data "cloudfoundry_service" "s3" {
15
+ name = "s3"
16
+ }
17
+
18
+ resource "cloudfoundry_service_instance" "bucket" {
19
+ name = var.s3_service_name
20
+ space = data.cloudfoundry_space.space.id
21
+ service_plan = data.cloudfoundry_service.s3.service_plans[var.s3_plan_name]
22
+ recursive_delete = var.recursive_delete
23
+ }
24
+
25
+ output "bucket_id" {
26
+ value = cloudfoundry_service_instance.bucket.id
27
+ }
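Review bot: `output "bucket_id"` exposes the service instance id but neither root module consumes or re-exports it, so it is currently dead; either drop it or add matching root outputs so the value is visible after apply. The `data "cloudfoundry_service" "s3"` lookup by name alone is fine on cloud.gov, where the broker is org-wide, but a comment saying so would explain why `space` is not set on the data source.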
@@ -0,0 +1,16 @@
1
+ terraform {
2
+ required_version = "~> 1.0"
3
+ required_providers {
4
+ cloudfoundry = {
5
+ source = "cloudfoundry-community/cloudfoundry"
6
+ version = "0.15.0"
7
+ }
8
+ }
9
+ }
10
+
11
+ provider "cloudfoundry" {
12
+ api_url = var.cf_api_url
13
+ user = var.cf_user
14
+ password = var.cf_password
15
+ app_logs_max = 30
16
+ }
@@ -0,0 +1,43 @@
1
+ variable "cf_api_url" {
2
+ type = string
3
+ description = "cloud.gov api url"
4
+ default = "https://api.fr.cloud.gov"
5
+ }
6
+
7
+ variable "cf_user" {
8
+ type = string
9
+ description = "cloud.gov deployer account user"
10
+ }
11
+
12
+ variable "cf_password" {
13
+ type = string
14
+ description = "secret; cloud.gov deployer account password"
15
+ sensitive = true
16
+ }
17
+
18
+ variable "cf_org_name" {
19
+ type = string
20
+ description = "cloud.gov organization name"
21
+ }
22
+
23
+ variable "cf_space_name" {
24
+ type = string
25
+ description = "cloud.gov space name (staging or prod)"
26
+ }
27
+
28
+ variable "recursive_delete" {
29
+ type = bool
30
+ description = "when true, deletes service bindings attached to the resource (not recommended for production)"
31
+ default = false
32
+ }
33
+
34
+ variable "s3_service_name" {
35
+ type = string
36
+ description = "name for the cloud.gov managed service"
37
+ }
38
+
39
+ variable "s3_plan_name" {
40
+ type = string
41
+ description = "name of the service plan to create"
42
+ default = "basic"
43
+ }
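Review bot: `s3_plan_name` defaults to `basic`, the private-bucket plan, but nothing stops a caller from passing a public plan, and the plan name is the only thing deciding whether uploaded objects are world-readable; add a `validation` block that allows exactly the plans this template intends (at minimum `basic`) so a typo or a copy-paste from a sandbox config cannot quietly provision a public bucket. The description "name of the service plan to create" is the wording the database and domain modules should also use.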
@@ -0,0 +1,30 @@
1
+ locals {
2
+ cf_org_name = "<%= @cloud_gov_organization %>"
3
+ cf_space_name = "<%= @cloud_gov_staging_space %>"
4
+ env = "staging"
5
+ recursive_delete = true
6
+ }
7
+
8
+ module "database" {
9
+ source = "../shared/database"
10
+
11
+ cf_user = var.cf_user
12
+ cf_password = var.cf_password
13
+ cf_org_name = local.cf_org_name
14
+ cf_space_name = local.cf_space_name
15
+ env = local.env
16
+ recursive_delete = local.recursive_delete
17
+ rds_plan_name = "micro-psql"
18
+ }
19
+
20
+ <% if !skip_active_storage? %>
21
+ module "s3" {
22
+ source = "../shared/s3"
23
+
24
+ cf_user = var.cf_user
25
+ cf_password = var.cf_password
26
+ cf_org_name = local.cf_org_name
27
+ cf_space_name = local.cf_space_name
28
+ s3_service_name = "<%= app_name %>-s3-${local.env}"
29
+ }
30
+ <% end %>
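Review bot: `recursive_delete = true` is set in `locals` and passed to `module "database"`, but `module "s3"` does not receive it, so the bucket keeps the module default of `false` and a `terraform destroy` of staging fails on the bound S3 instance while succeeding on the database; pass `recursive_delete = local.recursive_delete` to the s3 module too, or document why the two differ. Pairing `micro-psql` with `recursive_delete = true` is appropriate for staging; a one-line comment that this is the disposable tier would stop someone copying the block into production.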
@@ -0,0 +1,17 @@
1
+ terraform {
2
+ required_version = "~> 1.0"
3
+ required_providers {
4
+ cloudfoundry = {
5
+ source = "cloudfoundry-community/cloudfoundry"
6
+ version = "0.15.0"
7
+ }
8
+ }
9
+
10
+ backend "s3" {
11
+ bucket = "TKTK-s3-bucket"
12
+ key = "terraform.tfstate.stage"
13
+ encrypt = "true"
14
+ region = "us-gov-west-1"
15
+ profile = "<%= app_name %>-terraform-backend"
16
+ }
17
+ }
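Review bot: staging and production share `TKTK-s3-bucket` and the same AWS `profile`, differing only in `key` (`terraform.tfstate.stage` versus `terraform.tfstate.prod`), so whatever credentials the staging workflow holds can also read and overwrite production state; give each environment its own bucket, or scope the backend IAM policy by key prefix and use distinct profiles. As in the production backend, `encrypt = "true"` should be the bool `true` and a `dynamodb_table` is needed for locking.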
@@ -0,0 +1,2 @@
1
+ variable "cf_password" {}
2
+ variable "cf_user" {}
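Review bot: same issue as `production/variables.tf`: `cf_password` is declared with neither `type` nor `sensitive = true`, making the root module the one place the deployer password is not marked sensitive; add `type = string` to both declarations and `sensitive = true` to `cf_password`.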
@@ -0,0 +1,121 @@
1
+ # zap-full-scan rule configuration file
2
+ # Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
3
+ # Active scan rules set to IGNORE will not be run which will speed up the scan
4
+ # Only the rule identifiers are used - the names are just for info
5
+ # You can add your own messages to each rule by appending them after a tab on each line.
6
+ 0 WARN (Directory Browsing - Active/release)
7
+ 10003 WARN (Vulnerable JS Library - Passive/release)
8
+ 10010 FAIL (Cookie No HttpOnly Flag - Passive/release)
9
+ 10011 FAIL (Cookie Without Secure Flag - Passive/release)
10
+ 10015 WARN (Incomplete or No Cache-control Header Set - Passive/release)
11
+ 10016 FAIL (Web Browser XSS Protection Not Enabled)
12
+ 10017 WARN (Cross-Domain JavaScript Source File Inclusion - Passive/release)
13
+ 10019 WARN (Content-Type Header Missing - Passive/release)
14
+ 10020 FAIL (X-Frame-Options Header - Passive/release)
15
+ 10021 WARN (X-Content-Type-Options Header Missing - Passive/release)
16
+ 10023 WARN (Information Disclosure - Debug Error Messages - Passive/release)
17
+ 10024 FAIL (Information Disclosure - Sensitive Information in URL - Passive/release)
18
+ 10025 FAIL (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
19
+ 10026 WARN (HTTP Parameter Override - Passive/beta)
20
+ 10027 WARN (Information Disclosure - Suspicious Comments - Passive/release)
21
+ 10028 FAIL (Open Redirect - Passive/beta)
22
+ 10029 WARN (Cookie Poisoning - Passive/beta)
23
+ 10030 WARN (User Controllable Charset - Passive/beta)
24
+ 10031 WARN (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
25
+ 10032 WARN (Viewstate - Passive/release)
26
+ 10033 WARN (Directory Browsing - Passive/beta)
27
+ 10034 WARN (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
28
+ 10035 FAIL (Strict-Transport-Security Header - Passive/beta)
29
+ 10036 WARN (HTTP Server Response Header - Passive/beta)
30
+ 10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
31
+ 10038 FAIL (Content Security Policy (CSP) Header Not Set - Passive/beta)
32
+ 10039 WARN (X-Backend-Server Header Information Leak - Passive/beta)
33
+ 10040 FAIL (Secure Pages Include Mixed Content - Passive/release)
34
+ 10041 WARN (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
35
+ 10042 WARN (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
36
+ 10043 FAIL (User Controllable JavaScript Event (XSS) - Passive/beta)
37
+ 10044 WARN (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
38
+ 10045 WARN (Source Code Disclosure - /WEB-INF folder - Active/release)
39
+ 10047 WARN (HTTPS Content Available via HTTP - Active/beta)
40
+ 10048 FAIL (Remote Code Execution - Shell Shock - Active/beta)
41
+ 10050 WARN (Retrieved from Cache - Passive/beta)
42
+ 10051 WARN (Relative Path Confusion - Active/beta)
43
+ 10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
44
+ 10053 WARN (Apache Range Header DoS (CVE-2011-3192) - Active/beta)
45
+ 10054 WARN (Cookie without SameSite Attribute - Passive/release)
46
+ 10055 WARN (CSP - Passive/release)
47
+ 10056 WARN (X-Debug-Token Information Leak - Passive/release)
48
+ 10057 WARN (Username Hash Found - Passive/release)
49
+ 10058 FAIL (GET for POST - Active/beta)
50
+ 10061 WARN (X-AspNet-Version Response Header - Passive/release)
51
+ 10062 FAIL (PII Disclosure - Passive/beta)
52
+ 10095 IGNORE (Backup File Disclosure - Active/beta)
53
+ 10096 WARN (Timestamp Disclosure - Passive/release)
54
+ 10097 WARN (Hash Disclosure - Passive/beta)
55
+ 10098 WARN (Cross-Domain Misconfiguration - Passive/release)
56
+ 10104 WARN (User Agent Fuzzer - Active/beta)
57
+ 10105 WARN (Weak Authentication Method - Passive/release)
58
+ 10106 IGNORE (HTTP Only Site - Active/beta)
59
+ 10107 WARN (Httpoxy - Proxy Header Misuse - Active/beta)
60
+ 10108 WARN (Reverse Tabnabbing - Passive/beta)
61
+ 10109 WARN (Modern Web Application - Passive/beta)
62
+ 10202 FAIL (Absence of Anti-CSRF Tokens - Passive/release)
63
+ 2 WARN (Private IP Disclosure - Passive/release)
64
+ 20012 FAIL (Anti-CSRF Tokens Check - Active/beta)
65
+ 20014 WARN (HTTP Parameter Pollution - Active/beta)
66
+ 20015 WARN (Heartbleed OpenSSL Vulnerability - Active/beta)
67
+ 20016 WARN (Cross-Domain Misconfiguration - Active/beta)
68
+ 20017 FAIL (Source Code Disclosure - CVE-2012-1823 - Active/beta)
69
+ 20018 FAIL (Remote Code Execution - CVE-2012-1823 - Active/beta)
70
+ 20019 WARN (External Redirect - Active/release)
71
+ 3 WARN (Session ID in URL Rewrite - Passive/release)
72
+ 30001 WARN (Buffer Overflow - Active/release)
73
+ 30002 WARN (Format String Error - Active/release)
74
+ 30003 WARN (Integer Overflow Error - Active/beta)
75
+ 40003 WARN (CRLF Injection - Active/release)
76
+ 40008 WARN (Parameter Tampering - Active/release)
77
+ 40009 WARN (Server Side Include - Active/release)
78
+ 40012 FAIL (Cross Site Scripting (Reflected) - Active/release)
79
+ 40013 FAIL (Session Fixation - Active/beta)
80
+ 40014 FAIL (Cross Site Scripting (Persistent) - Active/release)
81
+ 40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release)
82
+ 40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release)
83
+ 40018 FAIL (SQL Injection - Active/release)
84
+ 40019 FAIL (SQL Injection - MySQL - Active/beta)
85
+ 40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta)
86
+ 40021 FAIL (SQL Injection - Oracle - Active/beta)
87
+ 40022 FAIL (SQL Injection - PostgreSQL - Active/beta)
88
+ 40023 FAIL (Possible Username Enumeration - Active/beta)
89
+ 40024 FAIL (SQL Injection - SQLite - Active/beta)
90
+ 40025 FAIL (Proxy Disclosure - Active/beta)
91
+ 40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta)
92
+ 40027 FAIL (SQL Injection - MsSQL - Active/beta)
93
+ 40028 WARN (ELMAH Information Leak - Active/release)
94
+ 40029 WARN (Trace.axd Information Leak - Active/beta)
95
+ 40032 FAIL (.htaccess Information Leak - Active/release)
96
+ 40034 FAIL (.env Information Leak - Active/beta)
97
+ 40035 FAIL (Hidden File Finder - Active/beta)
98
+ 41 FAIL (Source Code Disclosure - Git - Active/beta)
99
+ 42 WARN (Source Code Disclosure - SVN - Active/beta)
100
+ 43 WARN (Source Code Disclosure - File Inclusion - Active/beta)
101
+ 50000 WARN (Script Active Scan Rules - Active/release)
102
+ 50001 WARN (Script Passive Scan Rules - Passive/release)
103
+ 6 WARN (Path Traversal - Active/release)
104
+ 7 WARN (Remote File Inclusion - Active/release)
105
+ 90001 WARN (Insecure JSF ViewState - Passive/release)
106
+ 90011 WARN (Charset Mismatch - Passive/release)
107
+ 90017 WARN (XSLT Injection - Active/beta)
108
+ 90019 WARN (Server Side Code Injection - Active/release)
109
+ 90020 FAIL (Remote OS Command Injection - Active/release)
110
+ 90021 WARN (XPath Injection - Active/beta)
111
+ 90022 WARN (Application Error Disclosure - Passive/release)
112
+ 90023 WARN (XML External Entity Attack - Active/beta)
113
+ 90024 WARN (Generic Padding Oracle - Active/beta)
114
+ 90025 WARN (Expression Language Injection - Active/beta)
115
+ 90026 WARN (SOAP Action Spoofing - Active/alpha)
116
+ 90027 IGNORE (Cookie Slack Detector - Active/beta)
117
+ 90028 WARN (Insecure HTTP Method - Active/beta)
118
+ 90029 WARN (SOAP XML Injection - Active/alpha)
119
+ 90030 WARN (WSDL File Detection - Passive/alpha)
120
+ 90033 WARN (Loosely Scoped Cookie - Passive/release)
121
+ 90034 WARN (Cloud Metadata Potentially Exposed - Active/beta)
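Review bot: `10016 FAIL (Web Browser XSS Protection Not Enabled)` fails the scan on a missing `X-XSS-Protection` header, but that header is deprecated and ignored by current browsers, and recent ZAP passive-scan releases have retired rule 10016, so this line is either a spurious build-breaker on an image that still ships the rule or a silent no-op on one that does not; downgrade it to WARN or IGNORE with a comment. The three `IGNORE` entries (10095 Backup File Disclosure, 10106 HTTP Only Site, 90027 Cookie Slack Detector) carry no rationale even though the header explains how to append one after a tab; record why each is skipped, especially 10095, since 40034 (.env Information Leak) and 40035 (Hidden File Finder) are FAIL and cover adjacent ground. `10021 X-Content-Type-Options Header Missing` is WARN while the other Rails default headers (10020, 10035, 10038) are FAIL; Rails sets this header out of the box, so FAIL costs nothing and catches a regression.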