github.com/caddyserver/caddy

@ 69d6ace32e23

Submitted 6/20/2026, 12:38:40 AM · Status: ok

Risk grade: F (100 / 100)
Findings: 100 (0 critical · 23 high · 41 medium · 0 low · 36 info · 0 on CISA KEV · 0 ATT&CK)
Showing 100 of 100 findings

Findings

  • Detected aws-access-token: Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected generic-api-key: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    gitleaks
  • Detected private-key: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
    gitleaks
  • Detected private-key: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
    gitleaks
  • Detected private-key: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
    gitleaks
  • `Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitr…
    semgrep · modules/caddyhttp/fileserver/browse.go:119
  • bcrypt hash detected
    semgrep · modules/caddyhttp/caddyauth/bcrypt.go:76
  • Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
    semgrep · cmd/commandfuncs.go:77
  • Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
    semgrep · cmd/packagesfuncs.go:267
  • Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
    semgrep · cmd/packagesfuncs.go:274
  • Detected non-static command inside Write. Audit the input to 'stdinPipe.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
    semgrep · cmd/commandfuncs.go:119
  • Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.
    semgrep · caddyconfig/httpcaddyfile/addresses.go:277
  • Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.
    semgrep · modules/caddyhttp/encode/testdata/caddy_asciinema_player.js:1
  • Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.
    semgrep · modules/caddyhttp/reverseproxy/caddyfile.go:173
  • Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.
    semgrep · caddytest/a.caddy.localhost.key:1
  • Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.
    semgrep · caddytest/caddy.localhost.key:1
  • Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script` `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input …
    semgrep · .github/workflows/release-proposal.yml:78
  • Using variable interpolation `${{...}}` with `github` context data in an `actions/github-script` `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input …
    semgrep · .github/workflows/release-proposal.yml:182
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep · .github/workflows/release-proposal.yml:41
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep · .github/workflows/release-proposal.yml:68
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep · .github/workflows/release-proposal.yml:131
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep · .github/workflows/release-proposal.yml:243
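
The `Clean` finding above is about a general pattern, so here is an added example (constructed for this report, not Caddy's own browse.go code) showing why `path.Clean` alone does not confine a request path, why a string-prefix check is also insufficient, and a `filepath.Rel`-based check that does confine it. The root `/srv/www` and the request paths are constructed inputs, and Unix path separators are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a request path resolves outside the root.
var ErrEscapesRoot = errors.New("request path escapes the served root")

// cleanOnly is the shape the rule flags: path.Clean normalises the string
// (collapses "a/./b", "a//b", "a/b/../c") but does not confine it. A relative
// input keeps its leading ".." segments, and filepath.Join follows them
// straight out of root.
func cleanOnly(root, requestPath string) string {
	return filepath.Join(root, path.Clean(requestPath))
}

// prefixCheck is a common but insufficient hardening: join, then require that
// the result starts with root as a string. It blocks "../../etc/passwd" but
// still accepts a sibling directory whose name merely begins with root,
// e.g. "/srv/www-old/secret" for root "/srv/www".
func prefixCheck(root, requestPath string) (string, error) {
	full := filepath.Join(root, path.Clean(requestPath))
	if !strings.HasPrefix(full, root) {
		return "", ErrEscapesRoot
	}
	return full, nil
}

// confined joins, then asks filepath.Rel whether the result is still under
// root. Rel compares whole path segments, so "/srv/www-old/secret" relative
// to "/srv/www" is "../www-old/secret" and is rejected. The check is lexical:
// a symlink inside root can still point outside it, so code that serves real
// files should also resolve the final path (filepath.EvalSymlinks) and repeat
// the Rel check on the resolved result.
func confined(root, requestPath string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, filepath.FromSlash(path.Clean(requestPath)))
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", ErrEscapesRoot
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return full, nil
}

func main() {
	root := "/srv/www" // constructed example root
	inputs := []string{"index.html", "docs/../index.html", "../../etc/passwd", "../www-old/secret", "/etc/passwd"}
	for _, p := range inputs {
		fmt.Printf("%-22s cleanOnly=%s", p, cleanOnly(root, p))
		if _, err := prefixCheck(root, p); err != nil {
			fmt.Print("  prefixCheck=rejected")
		} else {
			fmt.Print("  prefixCheck=accepted")
		}
		if full, err := confined(root, p); err != nil {
			fmt.Print("  confined=rejected\n")
		} else {
			fmt.Printf("  confined=%s\n", full)
		}
	}
}
```

Note that an absolute request path such as `/etc/passwd` is not an escape here: `filepath.Join` treats it as relative to root, so it resolves to `/srv/www/etc/passwd`. The two inputs that matter are the relative `..` climb, which `cleanOnly` passes through, and the sibling-directory case, which only the `Rel` check catches.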

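The `exec.Command` findings in cmd/commandfuncs.go and cmd/packagesfuncs.go and the `${{...}}` interpolation findings in release-proposal.yml are the same bug class: untrusted text spliced into a string that a shell will parse. In a workflow `run:` step the expression is substituted into the script text before the runner starts the shell, which is exactly what string concatenation into `sh -c` does in Go. The added example below (constructed for this report, not Caddy's own code) shows the flagged shape next to two fixes, passing the value through the environment (the equivalent of moving the expression into `env:` and reading it as `$TARGET`, or `process.env.TARGET` in `actions/github-script`) and avoiding the shell entirely with argv, plus an allowlist check for a module reference. The `github.com/example/plugin@v1.2.3` format, the `TARGET` variable name and the `x; echo INJECTED` payload are assumptions for the example, and `sh` and `echo` are assumed to be on PATH when `main` runs.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
)

// unsafeBuild is the shape the rule flags: untrusted text is concatenated into
// a command line that a shell will parse, so ; | & $( ) ` and newlines in the
// input become syntax rather than data.
func unsafeBuild(untrusted string) *exec.Cmd {
	return exec.Command("sh", "-c", "echo building "+untrusted)
}

// envBuild keeps the script static and passes the value through the
// environment. sh expands "$TARGET" as data inside one word and never
// re-parses it. This mirrors the workflow fix of binding the expression in
// `env:` instead of writing it into the script.
func envBuild(untrusted string) *exec.Cmd {
	cmd := exec.Command("sh", "-c", `echo building "$TARGET"`)
	cmd.Env = append(os.Environ(), "TARGET="+untrusted)
	return cmd
}

// argvBuild avoids the shell entirely: each argument is one argv entry, so
// "x; echo INJECTED" reaches the program as a single string.
func argvBuild(untrusted string) *exec.Cmd {
	return exec.Command("echo", "building", untrusted)
}

// modulePattern is an allowlist for a Go-module-style reference such as
// "github.com/example/plugin@v1.2.3" (assumed format for this example). It
// refuses shell metacharacters and a leading "-", so the value can neither
// end a command nor be parsed as a flag by the invoked tool.
var modulePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*(@[A-Za-z0-9._+-]+)?$`)

// validateModuleRef is the audit step the finding asks for: reject anything
// outside the allowlist before it reaches exec.Command.
func validateModuleRef(ref string) error {
	if !modulePattern.MatchString(ref) {
		return fmt.Errorf("module ref %q is not in the allowed character set", ref)
	}
	return nil
}

// shellAvailable reports whether sh is on PATH, so the demonstration can be
// skipped cleanly on systems without a POSIX shell.
func shellAvailable() bool {
	_, err := exec.LookPath("sh")
	return err == nil
}

func main() {
	payload := "x; echo INJECTED" // constructed attacker-controlled value
	if !shellAvailable() {
		fmt.Println("sh not found; skipping execution")
		return
	}
	cases := []struct {
		name string
		cmd  *exec.Cmd
	}{{"unsafe", unsafeBuild(payload)}, {"env", envBuild(payload)}, {"argv", argvBuild(payload)}}
	for _, c := range cases {
		out, err := c.cmd.CombinedOutput()
		fmt.Printf("%-6s argv=%q\n       output=%q err=%v\n", c.name, c.cmd.Args, out, err)
	}
	for _, ref := range []string{"github.com/example/plugin@v1.2.3", payload, "-flag"} {
		fmt.Printf("validateModuleRef(%q): %v\n", ref, validateModuleRef(ref))
	}
}
```

Running `main` prints two lines for the unsafe variant (`building x` and then `INJECTED`, because the shell ran a second command) and a single literal `building x; echo INJECTED` for the env and argv variants. The allowlist is the piece that applies even when the command is already argv-style: a value that starts with `-` can still be read as a flag by the tool being invoked, and a value containing a newline can still break a later consumer that treats output line by line.
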
This report is public.