CodeInspectus's own curated detections: 11 AI-code checks, 19 Opengrep security-baseline rules, and 3 Gitleaks secret rules. The generic engine corpora run alongside these and are not listed here. Each row gives a plain-English label, then the rule id and CWE for the technical reader.
AI-code checks · engine codeinspectus-ai · 11

| What it catches | Rule id | CWE |
|---|---|---|
| Hard-coded secret in client-reachable code | ci-ai-client-hardcoded-secret | CWE-798 / 312 |
| Secret compiled into the shipped bundle | ci-ai-secret-in-bundle | CWE-798 / 312 |
| Secret exposed via a client-visible env prefix | ci-ai-public-env-secret | CWE-798 / 312 |
| Supabase service_role key in client code | ci-ai-supabase-service-role-client | CWE-798 / 285 |
| LLM SDK set to allow browser use | ci-ai-llm-key-browser-exposed | CWE-798 / 312 |
| RLS policy USING (true), table fully open | ci-ai-rls-using-true | CWE-863 / 285 |
| Public table created without Row Level Security | ci-ai-rls-missing | CWE-862 / 285 |
| RLS policy tests role instead of user identity | ci-ai-rls-inverted-auth | CWE-863 |
| Supabase Edge Function with no auth check | ci-ai-edge-fn-no-auth | CWE-862 |
| Permissive RLS on storage objects | ci-ai-storage-rls-public | CWE-863 / 285 |
| Potential prompt-injection sink (heuristic) | ci-ai-prompt-injection-sink | CWE-1426 |
Opengrep security-baseline · engine opengrep · 19

| What it catches | Rule id | CWE |
|---|---|---|
| SQL injection via string-built query (JS/TS) | ci-baseline-sql-injection-string-build | CWE-89 |
| SQL injection via string-built query (Python) | ci-baseline-sql-injection-python | CWE-89 |
| Command injection via shell string (JS/TS) | ci-baseline-command-injection | CWE-77 |
| Command injection via shell=True (Python) | ci-baseline-command-injection-python | CWE-77 |
| Dynamic code evaluation of non-literal (JS/TS) | ci-baseline-dangerous-eval | CWE-94 |
| Dynamic eval/exec of non-literal (Python) | ci-baseline-eval-python | CWE-94 |
| NoSQL injection from request data | ci-baseline-nosql-injection | CWE-943 |
| Path traversal from request input | ci-baseline-path-traversal | CWE-22 |
| DOM XSS via innerHTML/outerHTML sink | ci-baseline-dom-xss-innerhtml | CWE-79 |
| SSRF: outbound request URL from input | ci-baseline-ssrf-request-from-input | CWE-918 |
| Weak hash algorithm (MD5/SHA1) | ci-baseline-weak-hash | CWE-327 |
| Weak or broken cipher (DES/RC4/3DES) | ci-baseline-weak-cipher | CWE-327 |
| Weak hash algorithm (Python) | ci-baseline-weak-hash-python | CWE-327 |
| Math.random() for a security value | ci-baseline-insecure-random-security | CWE-338 |
| JWT verification accepts alg "none" | ci-baseline-jwt-alg-none | CWE-347 |
| CORS wildcard origin with credentials | ci-baseline-cors-wildcard-credentials | CWE-942 |
| Session cookie without httpOnly/secure | ci-baseline-insecure-cookie | CWE-1004 |
| Insecure deserialization (node unserialize) | ci-baseline-insecure-deserialization-node | CWE-502 |
| Insecure deserialization (untrusted loader) | ci-baseline-insecure-deserialization-python | CWE-502 |
Gitleaks secrets · engine gitleaks · 3

| What it catches | Rule id | CWE |
|---|---|---|
| Stripe live-mode secret key | codeinspectus-stripe-live-secret | CWE-798 |
| Supabase service_role JWT | codeinspectus-supabase-service-role | CWE-798 |
| Anthropic API key | codeinspectus-anthropic-key | CWE-798 |