Interlace ESLint

no-hardcoded-session-tokens

Security rule for mobile applications

Error Message Format

The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:

🔒 CWE-798 OWASP:A04 CVSS:9.8 | Hardcoded Credentials detected | CRITICAL [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001,NIST-CSF]
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A04_2021/

Message Components

Component               Purpose                  Example
Risk Standards          Security benchmarks      CWE-798 OWASP:A04 CVSS:9.8
Issue Description       Specific vulnerability   Hardcoded Credentials detected
Severity & Compliance   Impact assessment        CRITICAL [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001,NIST-CSF]
Fix Instruction         Actionable remediation   Follow the remediation steps below
Technical Truth         Official reference       OWASP Top 10

Rule Details

This is a security rule for mobile applications: it reports session tokens that are hardcoded in source (CWE-798, hardcoded credentials).

OWASP Mobile Top 10: Mobile
CWE: CWE-798
Severity: error

Examples

❌ Incorrect

// Insecure pattern

✅ Correct

// Secure pattern

When Not To Use It

This rule should be enabled for all mobile and web applications to ensure security best practices.

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Cookie from Variable

Why: Cookie strings built in variables are not traced.

// ❌ NOT DETECTED - Cookie from variable
const cookie = buildCookie(name, value);
res.setHeader('Set-Cookie', cookie);

Mitigation: Use secure cookie libraries.

Framework Abstractions

Why: Framework cookie APIs are not analyzed.

// ❌ NOT DETECTED - Framework
app.use(session({ cookie: opts }));

Mitigation: Review framework configurations.

Dynamic Attributes

Why: Dynamic attributes are not evaluated.

// ❌ NOT DETECTED - Dynamic
const attrs = getAttributes();
res.cookie('name', 'value', attrs);

Mitigation: Ensure secure defaults.
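As an added illustration for the Examples and Known False Negatives sections (not the plugin's implementation, which runs on the ESLint AST), the simplified line-based check below shows which shapes a literal-based detector catches and which it misses. The sample source, token values and helper names (buildCookie, getAttributes) are constructed for this example.

```javascript
// Added example, not the plugin's code: a line-based stand-in for a
// hardcoded-session-token check. It flags long token-like string literals on
// lines that name something credential-like, and misses values that arrive
// through variables or calls, as the false-negative notes above describe.

// Constructed sample source, one statement per line (line numbers start at 1).
const SAMPLE_SOURCE = [
  'const sessionToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c0nstructedSignatureForDocsOnly";',
  'const refreshToken = process.env.REFRESH_TOKEN;',
  "res.setHeader('Set-Cookie', 'sessionid=3f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c; HttpOnly');",
  'const cookie = buildCookie(name, value);',
  "res.setHeader('Set-Cookie', cookie);",
  "res.cookie('name', 'value', attrs);",
].join('\n');

// A line is only examined when it names something credential-like.
const CREDENTIAL_NAME = /session|auth|token|cookie/i;
// A literal counts as a token when it is a long run of base64url/hex-style characters.
const SECRET_LIKE = /^[A-Za-z0-9._=-]{20,}$/;

// Return the contents of every quoted string on a line (escapes are skipped).
function extractStringLiterals(line) {
  const re = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
  const out = [];
  let m;
  while ((m = re.exec(line)) !== null) out.push(m[2]);
  return out;
}

// For a "name=value; attrs" cookie string, judge only the value part.
function looksLikeSecret(literal) {
  const cookie = literal.match(/^[A-Za-z0-9_-]+=([^;]*)/);
  return SECRET_LIKE.test(cookie ? cookie[1] : literal);
}

// Report { line, literal } for every line that hardcodes a token-like literal.
// Lines 4 to 6 of the sample carry no such literal and are therefore not reported,
// even though lines 4 and 5 may well set a real session cookie at runtime.
function findHardcodedSessionTokens(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    if (!CREDENTIAL_NAME.test(line)) return;
    const hit = extractStringLiterals(line).find(looksLikeSecret);
    if (hit !== undefined) findings.push({ line: idx + 1, literal: hit });
  });
  return findings;
}

for (const f of findHardcodedSessionTokens(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: hardcoded session token (${f.literal.slice(0, 8)}...)`);
}
```

Only sample lines 1 and 3 are reported; line 2 (token read from the environment) is the secure pattern, and lines 4 and 5 reproduce the "cookie from variable" false negative.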

Further Reading

  • See other mobile security rules in this plugin

Category: Mobile Security
Type: Problem
Recommended: Yes