CryptographyRules
require-authenticated-encryption
TODO: Add description for this rule.
Description
TODO: Add description for this rule.
OWASP Mapping
- OWASP Top 10: A02:2021 - Cryptographic Failures
- CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-327 OWASP:A04 CVSS:7.5 | Broken Cryptographic Algorithm detected | HIGH [PCI-DSS,HIPAA,ISO27001,NIST-CSF]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A04_2021/Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-327 OWASP:A04 CVSS:7.5 |
| Issue Description | Specific vulnerability | Broken Cryptographic Algorithm detected |
| Severity & Compliance | Impact assessment | HIGH [PCI-DSS,HIPAA,ISO27001,NIST-CSF] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
TODO: Add rule details.
Examples
❌ Incorrect
// TODO: Add incorrect example✅ Correct
// TODO: Add correct exampleOptions
This rule has no options.
When Not To Use It
TODO: Add when not to use.
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Credentials from Config
Why: Config values not traced.
// ❌ NOT DETECTED - From config
const password = config.dbPassword;Mitigation: Use proper secrets management.
Environment Variables
Why: Env var content not analyzed.
// ❌ NOT DETECTED - Env var
const secret = process.env.API_KEY;Mitigation: Never hardcode or expose secrets.
Dynamic Credential Access
Why: Dynamic property access not traced.
// ❌ NOT DETECTED - Dynamic
const cred = credentials[type];Mitigation: Audit all credential access patterns.