ovecc security
The security-only view of the findings: hardcoded secrets (provider patterns + entropy), dynamic eval, OS command execution, weak crypto, permissive CORS, and tainted source→sink flows from HTTP routes to dangerous sinks. Deterministic, offline, no LLM.
Usage: ovecc security [OPTIONS]
Example
$ ovecc security
Security findings: 13 (scanned the indexed repository)
secrets 1, insecure 2, weak-crypto 1, cors 1, tainted-flows 8
[Critical] Hardcoded secret: Stripe secret key
Evidence: src/services/billing.ts:5 (Stripe secret key)
[Critical] Potential tainted flow: POST /admin/eval -> eval (eval)
Evidence: src/routes/api.ts:55 (sink: eval)
Evidence: src/routes/api.ts:54 (source: POST /admin/eval)
[High] Dynamic code execution: eval
Evidence: src/routes/api.ts:55 (eval)
[High] OS command execution: execSync
Evidence: src/routes/api.ts:60 (execSync)
[High] Potential tainted flow: POST /billing/charge -> invoices (writes)
Evidence: src/services/billing.ts:18 (sink: writes)
Evidence: src/routes/api.ts:29 (source: POST /billing/charge)
[Medium] Permissive CORS configuration: Access-Control-Allow-Origin: *
Evidence: src/routes/api.ts:12 (Access-Control-Allow-Origin: *)
[Medium] Weak hash algorithm: MD5
Evidence: src/utils/auth.ts:4 (MD5)
The header line always states what was scanned and the per-category counts, so an empty result is meaningful.
Options
| Option | Effect |
|---|---|
--severity <level> | Only findings at or above this severity |
--fail-on <medium|high|any> | Exit 1 when a finding crosses the threshold |
Plus the global options.
Notes
- Taint findings cite both ends: the sink line and the source route, plus the propagation path in the JSON description. They are reachability over-approximations and say so — see the security guide for how to read them.
- Inline arrow route handlers are analyzed (they get a synthetic
<VERB /path handler>symbol), so idiomatic Express code stays connected to the taint graph. - Findings in test code are down-ranked to Low, not hidden.
- Well-known documentation placeholder keys are deliberately not flagged as secrets.
CI
ovecc security --fail-on high # exit 1 on any High/Critical code finding
ovecc violations --format sarif # includes the security findings for code scanning
Related
- Security analysis guide — detector coverage table, taint rules
audit— vulnerable dependencies (separate command)