ESLint Interlace
Plugin: lambda-security

Rules

All ESLint security rules provided by eslint-plugin-lambda-security

14 Security Rules

Comprehensive coverage of AWS Lambda and Middy security patterns for serverless applications.

All Rules

Legend: Type-unaware, Type-aware, Recommended, Fixable, Suggestions, Warns
Rule 🧠 💼 🔧 💡 ⚠️ Docs
no-env-logging

Detect logging of process.env which may expose secrets

🟢
no-error-swallowing

Detect empty catch blocks and missing error logging

🟢
no-exposed-debug-endpoints

Detect debug endpoints without authentication in Lambda handlers

🟢
no-exposed-error-details

Detect Lambda handlers exposing internal error details in responses

🟢
no-hardcoded-credentials-sdk

Detects hardcoded AWS credentials in SDK client configurations

🟢
no-missing-authorization-check

Security rule for lambda-security. This rule is part of eslint-plugin-lambda-security and provides LLM-optimized error messages.

🟢
no-overly-permissive-iam-policy

Security rule for lambda-security. This rule is part of eslint-plugin-lambda-security and provides LLM-optimized error messages.

🟢
no-permissive-cors-middy

Detects permissive CORS configurations in Middy middleware

🟢
no-permissive-cors-response

Detects permissive CORS headers in Lambda API Gateway responses

🟢
no-secrets-in-env

Detects secrets defined directly in environment variable configurations

🟢
no-unbounded-batch-processing

Detect processing batch records without size validation

🟢
no-unvalidated-event-body

Detect Lambda handlers using event body without validation

🟢
no-user-controlled-requests

Detect HTTP requests with user-controlled URLs (SSRF)

🟢
require-timeout-handling

Require timeout handling in Lambda handlers with external calls

🟢

Rule Categories

CORS & Headers

Rules preventing permissive CORS responses and enforcing security headers.

Input Validation

Rules requiring validation of event body and user-controlled input.

Credential Security

Rules detecting hardcoded SDK credentials and secrets in environment variables.

Error Handling

Rules preventing error swallowing and exposed error details.

Resource Limits

Rules requiring timeout handling and preventing unbounded batch processing.