Skip to main content

ovecc security

The security-only view of the findings: hardcoded secrets (provider patterns + entropy), dynamic eval, OS command execution, weak crypto, permissive CORS, and tainted source→sink flows from HTTP routes to dangerous sinks. Deterministic, offline, no LLM.

Usage: ovecc security [OPTIONS]

Example

$ ovecc security
Security findings: 13 (scanned the indexed repository)
secrets 1, insecure 2, weak-crypto 1, cors 1, tainted-flows 8

[Critical] Hardcoded secret: Stripe secret key
Evidence: src/services/billing.ts:5 (Stripe secret key)

[Critical] Potential tainted flow: POST /admin/eval -> eval (eval)
Evidence: src/routes/api.ts:55 (sink: eval)
Evidence: src/routes/api.ts:54 (source: POST /admin/eval)

[High] Dynamic code execution: eval
Evidence: src/routes/api.ts:55 (eval)

[High] OS command execution: execSync
Evidence: src/routes/api.ts:60 (execSync)

[High] Potential tainted flow: POST /billing/charge -> invoices (writes)
Evidence: src/services/billing.ts:18 (sink: writes)
Evidence: src/routes/api.ts:29 (source: POST /billing/charge)

[Medium] Permissive CORS configuration: Access-Control-Allow-Origin: *
Evidence: src/routes/api.ts:12 (Access-Control-Allow-Origin: *)

[Medium] Weak hash algorithm: MD5
Evidence: src/utils/auth.ts:4 (MD5)

The header line always states what was scanned and the per-category counts, so an empty result is meaningful.

Options

OptionEffect
--severity <level>Only findings at or above this severity
--fail-on <medium|high|any>Exit 1 when a finding crosses the threshold

Plus the global options.

Notes

  • Taint findings cite both ends: the sink line and the source route, plus the propagation path in the JSON description. They are reachability over-approximations and say so — see the security guide for how to read them.
  • Inline arrow route handlers are analyzed (they get a synthetic <VERB /path handler> symbol), so idiomatic Express code stays connected to the taint graph.
  • Findings in test code are down-ranked to Low, not hidden.
  • Well-known documentation placeholder keys are deliberately not flagged as secrets.

CI

ovecc security --fail-on high # exit 1 on any High/Critical code finding
ovecc violations --format sarif # includes the security findings for code scanning