CodeFrog OWASP Top 10 Coverage

CodeFrog provides comprehensive security testing capabilities mapped to the OWASP Top 10 vulnerabilities. This page compares CodeFrog's coverage against both the OWASP Top 10 2021 (current) and the newly released OWASP Top 10 2025 Release Candidate.

Note: CodeFrog's security testing includes Secrets Scanning (Gitleaks), Static Analysis (OpenGrep/Semgrep), OSV Scanner for vulnerable dependencies, and Web Security Scanner for HTTP-based security checks. Coverage is based on automated testing capabilities and does not include manual security reviews or penetration testing.

What's Changed: OWASP 2021 → 2025

2021 Ranking | 2025 Ranking | Category | Change
A01:2021 | A01:2025 | Broken Access Control | No change (includes SSRF from A10:2021)
A02:2021 | A04:2025 | Cryptographic Failures | Moved down 2 positions
A03:2021 | A05:2025 | Injection | Moved down 2 positions
A04:2021 | A06:2025 | Insecure Design | Moved down 2 positions
A05:2021 | A02:2025 | Security Misconfiguration | Moved up 3 positions
A06:2021 | A03:2025 | Vulnerable & Outdated Components → Software Supply Chain Failures | Expanded scope, moved up 3 positions
A07:2021 | A07:2025 | Identification & Authentication Failures → Authentication Failures | Name change, same position
A08:2021 | A08:2025 | Software & Data Integrity Failures | No change
A09:2021 | A09:2025 | Security Logging & Monitoring Failures → Logging & Alerting Failures | Name change, same position
A10:2021 | A10:2025 | Server-Side Request Forgery (SSRF) → Mishandling of Exceptional Conditions | NEW: SSRF moved to A01, new category added

CodeFrog Coverage: OWASP Top 10 2025

A01:2025 — Broken Access Control

Partial

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data.

CodeFrog Coverage:
  • Semgrep/OpenGrep: Detects missing or weak authorization checks in code patterns (language/rules dependent)
  • Web Scanner: Checks for permissive CORS configurations combined with credentials
  • SSRF Detection: Semgrep rules for unvalidated/tainted URL fetches (now part of A01 in 2025)
Not Covered: Runtime authorization testing, role-based access control validation, dynamic privilege escalation testing

A02:2025 — Security Misconfiguration

Strong

Security misconfiguration is the most commonly seen issue, often resulting from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages.

CodeFrog Coverage:
  • Web Security Scanner: Comprehensive checks for security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
  • CORS Analysis: Evaluates Access-Control-Allow-* headers and security interactions
  • HTTP Methods: Detects dangerous methods (TRACE, PUT, DELETE) enabled on production servers
  • Directory Listing: Identifies exposed directory listings
  • Sensitive Files: Probes for exposed configuration files (.env, .git, phpinfo.php, etc.)
Not Covered: Cloud storage configuration, database security settings, infrastructure-level misconfigurations
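
The header, CORS and HTTP-method checks listed under A01 and A02 above can be reproduced offline against a captured response. The following is an added example written for this page, not CodeFrog's scanner code; it approximates the checks described, and both sample responses (WEAK_RESPONSE, HARDENED_RESPONSE) and the origin https://other.example are constructed for illustration.

```python
"""Audit one HTTP response for the security-header, CORS and HTTP-method
misconfigurations described under A01/A02. Added example, not CodeFrog code."""
from typing import Callable, Dict, List, Optional

# Header name -> predicate that its value must satisfy to count as sane.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() not in ("", "unsafe-url"),
    "permissions-policy": lambda v: bool(v.strip()),
}
DANGEROUS_METHODS = {"TRACE", "PUT", "DELETE"}


def audit_response(headers: Dict[str, str], request_origin: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    for name, is_ok in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing header: {name}")
        elif not is_ok(h[name]):
            findings.append(f"weak header value: {name}: {h[name]}")

    # CORS: credentials are only a problem when paired with a permissive origin,
    # either a wildcard or the caller's own origin echoed back.
    acao = h.get("access-control-allow-origin", "").strip()
    with_credentials = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if with_credentials and acao == "*":
        findings.append("cors: wildcard origin combined with credentials")
    elif with_credentials and request_origin and acao == request_origin:
        findings.append(f"cors: request origin {acao} reflected with credentials")

    # Dangerous methods advertised in the Allow header (as returned to OPTIONS).
    advertised = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    enabled = sorted(advertised & DANGEROUS_METHODS)
    if enabled:
        findings.append("dangerous methods enabled: " + ", ".join(enabled))
    return findings


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
    "Access-Control-Allow-Origin": "https://other.example",
    "Access-Control-Allow-Credentials": "true",
    "Allow": "GET, POST, TRACE",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "Allow": "GET, HEAD, POST",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response, request_origin="https://other.example"))
```

The weak response produces eight findings (six header problems, the reflected origin with credentials, and TRACE), while the hardened one produces none. The predicates are deliberately minimal; a production scanner would also parse CSP directives and HSTS max-age values.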

A03:2025 — Software Supply Chain Failures

Strong

Expanded from "Vulnerable and Outdated Components" to include broader supply chain compromises. This category covers vulnerabilities in dependencies, build systems, and distribution infrastructure.

CodeFrog Coverage:
  • OSV Scanner: Scans package manifests and lockfiles (npm, PyPI, Pub, Composer, etc.) against osv.dev database
  • CVE Detection: Identifies known vulnerabilities with CVSS severity scores and suggested fixed versions
  • Transitive Dependencies: Detects vulnerabilities in indirect dependencies
  • Web Scanner: Checks for Subresource Integrity (SRI) on external assets
Not Covered: Build pipeline security, code signing verification, SBOM generation, SLSA framework compliance
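
To make the transitive-dependency point concrete, here is an added example (written for this page, not OSV Scanner's code) that walks a lockfile and matches installed versions against an advisory list. The package-lock.json content, the package names, and the advisory ids (EXAMPLE-ADV-0001, EXAMPLE-ADV-0002) are all constructed placeholders, not real packages or OSV entries, and the version comparison handles plain dotted versions only.

```python
"""Flag vulnerable direct and transitive npm dependencies from a lockfile.
Added example, not OSV Scanner code; all package and advisory data is constructed."""
import json
from typing import Dict, List, Tuple

# Constructed package-lock.json (lockfileVersion 3): one direct dependency that
# pulls in one transitive dependency.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^2.0.0"}},
        "node_modules/web-framework": {"version": "2.1.0", "dependencies": {"string-utils": "^1.0.0"}},
        "node_modules/string-utils": {"version": "1.4.2"},
    },
})

# Constructed advisories with placeholder ids (not real OSV or CVE records).
# "fixed" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "string-utils", "fixed": "1.5.0", "cvss": 7.5},
    {"id": "EXAMPLE-ADV-0002", "package": "web-framework", "fixed": "2.0.5", "cvss": 9.8},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Plain dotted versions only; a real scanner needs a full semver comparator."""
    return tuple(int(part) for part in version.split("."))


def installed_packages(lock_json: str) -> Dict[str, Tuple[str, bool]]:
    """Map package name -> (installed version, is_direct_dependency)."""
    lock = json.loads(lock_json)
    direct = set(lock["packages"].get("", {}).get("dependencies", {}))
    installed: Dict[str, Tuple[str, bool]] = {}
    for path, meta in lock["packages"].items():
        if not path:
            continue  # the "" entry describes the root project itself
        # Keep the last segment after node_modules/, which preserves scoped names (@org/pkg).
        name = path.rsplit("node_modules/", 1)[-1]
        installed[name] = (meta["version"], name in direct)
    return installed


def find_vulnerable(lock_json: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per advisory whose package is installed below the fixed version."""
    packages = installed_packages(lock_json)
    findings: List[dict] = []
    for adv in advisories:
        entry = packages.get(adv["package"])
        if entry is None:
            continue
        version, is_direct = entry
        if parse_version(version) < parse_version(adv["fixed"]):
            findings.append({
                "id": adv["id"], "package": adv["package"], "installed": version,
                "fixed": adv["fixed"], "cvss": adv["cvss"], "transitive": not is_direct,
            })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_LOCK, ADVISORIES):
        print(finding)
```

The direct dependency is already at a fixed version, so the only finding is the transitive string-utils 1.4.2, reported with the suggested fixed version and a transitive flag, which is the shape of result the bullets above describe.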

A04:2025 — Cryptographic Failures

Strong

Failures related to cryptography (or lack thereof) which often lead to exposure of sensitive data. This includes hardcoded secrets, weak encryption algorithms, and missing transport security.

CodeFrog Coverage:
  • Gitleaks: Comprehensive secrets scanning for hardcoded credentials, API keys, tokens (findings are redacted in UI)
  • Web Scanner: Checks for HTTPS/TLS/HSTS enforcement, secure cookie flags (Secure, HttpOnly, SameSite)
  • TLS Certificate Validation: Checks certificate expiration and validity
  • Semgrep: Detects weak crypto algorithm patterns in code (MD5, SHA1, DES, etc.)
Not Covered: Encryption key management practices, certificate pinning validation, runtime crypto implementation testing

A05:2025 — Injection

Partial

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. Includes SQL injection, NoSQL injection, OS command injection, LDAP injection, and Cross-Site Scripting (XSS).

CodeFrog Coverage:
  • Semgrep/OpenGrep: Language-aware detection of SQL injection patterns, OS command injection, LDAP/XPath injection
  • XSS Detection: Identifies reflected XSS patterns and template injection vulnerabilities
  • Framework-Specific Rules: Detects unsafe eval/exec usage and concatenated queries
Not Covered: Dynamic fuzzing, runtime injection testing, blind injection detection, second-order injection

A06:2025 — Insecure Design

Minimal

Introduced as a new category in OWASP 2021, this focuses on risks arising from design and architectural flaws. Addressing it requires threat modeling, secure design patterns, and reference architectures.

CodeFrog Coverage:
  • Limited automated detection capabilities
  • Some architectural anti-patterns may be detected by Semgrep rules
Not Covered: Threat modeling, design review, abuse case analysis, security architecture validation

Recommendation: Use manual threat modeling, document design assumptions, add security checklists to PR templates

A07:2025 — Authentication Failures

Partial

Previously "Identification and Authentication Failures." Confirmation of user identity, authentication, and session management is critical to protect against authentication-related attacks.

CodeFrog Coverage:
  • Semgrep: Detects password anti-patterns, weak password storage/validation code, missing MFA hooks
  • Web Scanner: Validates cookie security flags (Secure, HttpOnly, SameSite) and session cookie configurations
  • Code Patterns: Identifies hardcoded credentials and authentication bypass patterns
Not Covered: Runtime authentication testing, brute force protection validation, session fixation testing, MFA implementation testing
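
Two of the checks named under A04 and A07 above, the cookie-flag audit and the weak-versus-sound password storage pattern, carried out in an added example written for this page (not CodeFrog code). The Set-Cookie values are constructed; the hardened storage uses PBKDF2-HMAC-SHA256 from the standard library, which is one acceptable choice rather than the only one.

```python
"""Cookie flag audit (A04/A07) and password storage before/after (A07).
Added example, not CodeFrog code; sample cookie values are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def audit_set_cookie(header_value: str) -> List[str]:
    """Return findings for one Set-Cookie header value (empty if all flags are sane)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie may be sent over plaintext HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (cookie readable from script)")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is {samesite or 'unset'} (expected Lax or Strict)")
    return findings


def store_password_weak(password: str) -> str:
    # Unsalted, fast hash: the "weak password storage" pattern rules flag.
    # Identical passwords produce identical digests, and MD5 is cheap to brute-force.
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    # Per-user random salt plus a deliberately slow key-derivation function.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$", 3)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample headers.
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    print(audit_set_cookie(WEAK_COOKIE))
    print(audit_set_cookie(HARDENED_COOKIE))
    record = store_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))
```

The weak cookie yields three findings and the hardened one none. For storage, note that two users with the same password get different records under store_password but identical ones under store_password_weak, which is exactly the property an attacker with a leaked table exploits.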

A08:2025 — Software or Data Integrity Failures

Partial

Focuses on code and infrastructure that does not protect against integrity violations. Includes insecure CI/CD pipelines, auto-update without integrity verification, and insecure deserialization.

CodeFrog Coverage:
  • Web Scanner: Checks for Subresource Integrity (SRI) on external JavaScript/CSS resources
  • Semgrep: Detects insecure deserialization patterns and unsafe update flows
  • Code Analysis: Identifies unsigned code execution and integrity check bypasses
Not Covered: CI/CD pipeline security, code signing validation, update mechanism security, runtime integrity monitoring
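
The Subresource Integrity check that both A03 and A08 above attribute to the Web Scanner, reproduced over a page's HTML as an added example written for this page (not CodeFrog code). The HTML, the host names (www.example, cdn.example) and the integrity digests (sha384-EXAMPLEDIGEST placeholders, not real hashes) are constructed.

```python
"""Find cross-origin scripts and stylesheets that lack Subresource Integrity.
Added example, not CodeFrog code; the sample HTML is constructed."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse


class SRIAuditor(HTMLParser):
    """Collects (tag, url, problem) for external assets without a usable integrity attribute."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute values may be None
        if tag == "script":
            url = a.get("src", "")
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            url = a.get("href", "")
        else:
            return
        host = urlparse(url).netloc
        if not url or not host or host == self.page_host:
            return  # inline or same-origin: SRI does not apply
        if not a.get("integrity"):
            self.findings.append((tag, url, "missing integrity attribute"))
        # An integrity check on a cross-origin asset only works with CORS enabled;
        # an empty crossorigin attribute means "anonymous" per the HTML spec.
        elif "crossorigin" not in a or a["crossorigin"].lower() not in ("", "anonymous", "use-credentials"):
            self.findings.append((tag, url, "integrity without crossorigin attribute"))


def audit_sri(html: str, page_host: str) -> List[Tuple[str, str, str]]:
    auditor = SRIAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page: one local script, one CDN script without SRI, one CDN
# stylesheet done correctly, and one CDN script with a digest but no crossorigin.
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example/lib.js"></script>
  <link rel="stylesheet" href="https://cdn.example/style.css"
        integrity="sha384-EXAMPLEDIGEST" crossorigin="anonymous">
  <script src="https://cdn.example/widget.js" integrity="sha384-EXAMPLEDIGEST"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit_sri(SAMPLE_HTML, page_host="www.example"):
        print(finding)
```

Only the two CDN scripts are reported: lib.js has no digest at all, and widget.js has one that the browser cannot enforce without crossorigin. The local script and the correctly tagged stylesheet are silent.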

A09:2025 — Logging & Alerting Failures

Minimal

Previously "Security Logging and Monitoring Failures." Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response allows attackers to persist undetected.

CodeFrog Coverage:
  • Limited automated detection capabilities
  • Some logging anti-patterns may be detected by Semgrep rules
Not Covered: Runtime logging posture checks, log retention policies, alerting configuration, SIEM integration, audit trail validation

Recommendation: Implement comprehensive logging strategy, use centralized logging, configure alerting for security events

A10:2025 — Mishandling of Exceptional Conditions

New in 2025

A new category for 2025 focusing on improper error handling, logical errors, failing open, and other scenarios stemming from abnormal conditions that systems may encounter.

CodeFrog Coverage:
  • Web Scanner: Detects verbose error messages and framework error page exposure (Spring Boot, ASP.NET, Rails, Node/Express, PHP)
  • Semgrep: May detect some error handling anti-patterns and fail-open scenarios (rules dependent)
  • Code Analysis: Identifies uncaught exceptions and improper error propagation in some languages
Not Covered: Comprehensive exception handling validation, fail-safe vs fail-open analysis, race condition detection, edge case testing

Note: This is a new category in OWASP 2025. CodeFrog's coverage is evolving as testing methodologies develop.
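
The two failure modes named above, failing open on an error path and leaking verbose error detail to the client, side by side with their corrected forms, as an added example written for this page (not CodeFrog code). The policy_lookup function is a constructed stand-in for a remote authorization service; the resource names "unavailable-resource" and "broken-resource" exist only to trigger its two failure cases.

```python
"""Fail-open versus fail-closed authorization, and generic error responses.
Added example, not CodeFrog code; the policy backend is simulated."""
import logging
import uuid
from typing import Tuple

log = logging.getLogger("authz")


class PolicyServiceError(Exception):
    """Raised when the (simulated) policy backend cannot answer."""


def policy_lookup(user: str, resource: str) -> bool:
    # Constructed stand-in for a remote policy service with two failure modes:
    # an expected outage (PolicyServiceError) and an unexpected bug (RuntimeError).
    if resource == "unavailable-resource":
        raise PolicyServiceError("policy backend timeout")
    if resource == "broken-resource":
        raise RuntimeError("unexpected response shape from policy backend")
    return user == "alice" and resource == "report"


def is_authorized_fail_open(user: str, resource: str) -> bool:
    # Anti-pattern: the exception path grants access, so an outage of the
    # policy service silently turns into a bypass.
    try:
        return policy_lookup(user, resource)
    except PolicyServiceError:
        return True


def is_authorized_fail_closed(user: str, resource: str) -> bool:
    # Corrected form: any failure to obtain a decision is a denial, and the
    # reason is recorded so the outage is visible in logs.
    try:
        return policy_lookup(user, resource)
    except PolicyServiceError as exc:
        log.error("authorization check failed for %s on %s: %s", user, resource, exc)
        return False


def handle_request(user: str, resource: str) -> Tuple[int, str]:
    """Return (status, body). Unexpected errors get a generic body plus a correlation id;
    the stack trace goes to the server log only, never to the client."""
    try:
        if not is_authorized_fail_closed(user, resource):
            return 403, "forbidden"
        return 200, f"contents of {resource}"
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error, ref=%s", ref)
        return 500, f"internal error (ref {ref})"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("fail-open during outage:  ", is_authorized_fail_open("bob", "unavailable-resource"))
    print("fail-closed during outage:", is_authorized_fail_closed("bob", "unavailable-resource"))
    print(handle_request("alice", "report"))
    print(handle_request("bob", "broken-resource"))
```

During the simulated outage the fail-open variant returns True for a user who has no rights, while the fail-closed variant returns False and logs the cause. The RuntimeError case shows the generic-error path: the client sees a 500 with a reference id, and the exception text stays in the log.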

Summary & Recommendations

CodeFrog's Security Testing Strengths

CodeFrog provides strong automated coverage for:
  • A02:2025 Security Misconfiguration
  • A03:2025 Software Supply Chain Failures
  • A04:2025 Cryptographic Failures

CodeFrog provides partial, rules-dependent coverage for:
  • A01:2025 Broken Access Control
  • A05:2025 Injection
  • A07:2025 Authentication Failures
  • A08:2025 Software or Data Integrity Failures
  • A10:2025 Mishandling of Exceptional Conditions

CodeFrog has minimal automated coverage for:
  • A06:2025 Insecure Design
  • A09:2025 Logging & Alerting Failures

Honest Assessment: CodeFrog provides strong coverage for Security Misconfiguration, Cryptographic Failures, and Software Supply Chain vulnerabilities via built-in scanners. It offers partial, rules-dependent coverage for Injection, Access Control, Authentication, Integrity, and Exception Handling through Semgrep/OpenGrep. Insecure Design and Logging/Monitoring require manual review and are not fully automated.

Improving Your Security Posture

To maximize CodeFrog's effectiveness:

Additional Resources