Other Detectors
In addition to its AI-specific detectors, Oculum detects traditional vulnerabilities. These detectors provide baseline security coverage alongside the AI-focused ones.
Secrets Detection
hardcoded_secret
Severity: Critical
Detects API keys, tokens, and credentials hardcoded in source code.
Detects:
- AWS access keys and secrets
- GitHub tokens (classic and fine-grained)
- OpenAI, Anthropic, and other AI API keys
- Database connection strings
- Private keys (RSA, SSH, etc.)
- JWT secrets
Example:
```javascript
// DETECTED: Hardcoded OpenAI key
import OpenAI from 'openai';
const openai = new OpenAI({
  apiKey: "sk-proj-abc123xyz789..." // Critical!
});
```
Remediation:
```javascript
// SAFE: Read the key from the environment (or a secrets manager) at startup
import OpenAI from 'openai';
const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY
});
```
A key that has ever been committed should be treated as compromised and rotated, even after it is removed from the code: it remains in the repository history.
high_entropy_string
Severity: Medium-High
Detects high-randomness string literals that may be secrets.
Uses Shannon entropy analysis to flag candidate credentials that match no known key format. Because hashes, UUIDs and base64-encoded data also score high, this detector has a higher false-positive rate than hardcoded_secret at local depth; verified depth validates candidates before reporting them.
Example:
```javascript
// DETECTED: High entropy string
const token = "aB3$kL9#mN2@pQ5&xY8";
```
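The two detectors above can be illustrated together. The following scanner is an added example and is not Oculum's code: it runs a small set of known-pattern rules (hardcoded_secret style) over each source line and, only when none matches, falls back to a Shannon-entropy check on quoted string literals (high_entropy_string style). The rule set, the 4.0 bits/char threshold and the sample source lines are assumptions for illustration; the AWS value is the placeholder key from AWS's own documentation.

```javascript
// Added example (not Oculum's code). Rules, thresholds and samples are assumptions.

// Known-pattern rules keyed on published key prefixes (simplified regexes).
const PATTERNS = [
  { id: 'aws_access_key_id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'github_pat_classic', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { id: 'openai_api_key', re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/ },
  { id: 'private_key_block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Quoted string literals of at least 16 characters are entropy candidates.
const STRING_LITERAL = /["'`]([A-Za-z0-9+\/=_\-$#@&!%^*.]{16,})["'`]/g;

// Assumed threshold in bits per character. A 19-char token of distinct characters
// scores ~4.25, English words ~3-3.5, hex digests at most 4.0, and base64 blobs
// well above 4.0 (the usual source of false positives).
const ENTROPY_THRESHOLD = 4.0;

// Shannon entropy H = -sum(p_i * log2(p_i)) over the characters of s.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Never copy the full secret into a finding or a log line.
function redact(s) {
  return s.slice(0, 4) + '****' + s.slice(-2);
}

function scanLine(line, lineNo) {
  const findings = [];
  for (const { id, re } of PATTERNS) {
    const m = re.exec(line);
    if (m) findings.push({ line: lineNo, detector: 'hardcoded_secret', rule: id, match: redact(m[0]) });
  }
  // Entropy fallback only when no known pattern matched, so each line reports one cause.
  if (findings.length === 0) {
    for (const m of line.matchAll(STRING_LITERAL)) {
      const h = shannonEntropy(m[1]);
      if (h >= ENTROPY_THRESHOLD) {
        findings.push({
          line: lineNo,
          detector: 'high_entropy_string',
          entropy: Number(h.toFixed(2)),
          match: redact(m[1]),
        });
      }
    }
  }
  return findings;
}

function scanSource(lines) {
  return lines.flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed sample source (not real credentials).
const SAMPLE_SOURCE = [
  'const openai = new OpenAI({ apiKey: "sk-proj-abc123xyz789DEFghi456JKL" });',
  'const token = "aB3$kL9#mN2@pQ5&xY8";',
  'const greeting = "Hello, welcome to the admin console";',
  'const region = "us-east-1";',
  'const accessKeyId = "AKIAIOSFODNN7EXAMPLE";',
];

for (const f of scanSource(SAMPLE_SOURCE)) console.log(f);
```

Lines 1 and 5 are reported by pattern (so their entropy is never computed), line 2 only by entropy, and lines 3 and 4 not at all. Lowering the threshold toward 3.5 starts catching ordinary identifiers, which is why the page's coverage table rates entropy-based detection as high-FP at local depth.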
sensitive_url
Severity: Medium
Detects URLs that may expose internal services or contain credentials.
Detects:
- Internal IPs and hostnames
- URLs with credentials
- Webhook endpoints
- Admin/debug endpoints
Example:
```javascript
// DETECTED: Internal URL exposed
const apiUrl = "http://internal-api.corp.local:8080";
// DETECTED: Credentials in URL
const dbUrl = "postgres://admin:password@db.example.com/prod";
```
Credentials embedded in a URL also leak through access logs, proxy records and shell history, so rotate them after moving them out of the code.
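A sensitive_url style check can be built on the WHATWG URL parser instead of on regexes, which avoids mis-parsing `@` in query strings. The code below is an added example and not Oculum's; the internal-suffix list, the admin/debug path list, the webhook hosts and the sample URLs are assumptions.

```javascript
// Added example (not Oculum's code). Lists and samples are assumptions.
const INTERNAL_SUFFIXES = ['.local', '.internal', '.corp', '.lan', '.localhost'];
const ADMIN_OR_DEBUG_PATH = /^\/(?:admin|debug|_debug|actuator|internal)(?:\/|$)/i;
const WEBHOOK_HOSTS = ['hooks.slack.com', 'hooks.zapier.com'];

// RFC 1918 ranges plus loopback and link-local; IPv6 is left out for brevity.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Single-label hostnames ("intranet") are treated as internal as well.
function isInternalHost(host) {
  if (!host) return false;
  return host === 'localhost' || isPrivateIPv4(host) ||
    INTERNAL_SUFFIXES.some((s) => host.endsWith(s)) || !host.includes('.');
}

// Returns the issue tags for one URL; a value the parser rejects yields [].
function checkUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return [];
  }
  const issues = [];
  if (url.username || url.password) issues.push('credentials_in_url');
  const host = url.hostname.toLowerCase();
  if (isInternalHost(host)) issues.push('internal_host');
  if (ADMIN_OR_DEBUG_PATH.test(url.pathname)) issues.push('admin_or_debug_endpoint');
  if (WEBHOOK_HOSTS.includes(host) || /\/webhooks?\//i.test(url.pathname)) issues.push('webhook_endpoint');
  return issues;
}

// Strip userinfo so the value can be written into a finding or a log line.
function redactCredentials(raw) {
  const url = new URL(raw);
  url.password = '';
  url.username = '';
  return url.href;
}

function checkAll(urls) {
  return urls.map((u) => ({ url: redactCredentials(u), issues: checkUrl(u) }));
}

// Constructed sample values.
const SAMPLE_URLS = [
  'http://internal-api.corp.local:8080',
  'postgres://admin:password@db.example.com/prod',
  'https://api.example.com/v1/users',
  'http://10.0.0.5/admin/users',
  'https://hooks.slack.com/services/T000/B000/XXXX',
];

for (const r of checkAll(SAMPLE_URLS)) console.log(r);
```

Only the third sample is clean. The fourth carries two tags at once, which is the kind of context a deeper scan depth uses to raise severity.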
Configuration Audit
debug_enabled
Severity: Medium-High
Detects debug settings enabled in production configurations.
Example:
```json
// DETECTED: Debug mode in production config
{
  "NODE_ENV": "production",
  "DEBUG": "true" // Should be false
}
```
insecure_config
Severity: Medium
Detects insecure configuration settings.
Detects:
- Permissive CORS settings
- Disabled security headers
- Insecure cookie settings
- Missing HTTPS enforcement
Example:
```javascript
// DETECTED: Overly permissive CORS
app.use(cors({
  origin: '*', // Should be specific origins
  credentials: true
}));
```
Browsers refuse to send credentials to a wildcard origin, so this combination is often "fixed" by reflecting the request's Origin header (`origin: true` in the cors package), which is worse: any site can then make credentialed requests. Use an explicit allow-list of origins.
exposed_port
Severity: Low-Medium
Detects potentially sensitive ports exposed in configurations.
Example:
```yaml
# DETECTED: Debug port exposed
services:
  app:
    ports:
      - "5005:5005" # Java debug port, published on all interfaces
```
Without a bind address, Compose publishes the port on 0.0.0.0. If the debugger must be reachable from the host, bind it to loopback (`"127.0.0.1:5005:5005"`).
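The three configuration detectors above operate on parsed configuration rather than on raw text. The following auditor is an added example and not Oculum's code: it checks a production environment for debug switches, a CORS options object for any-origin and credentialed any-origin settings, and Compose port mappings for debugger ports published on a non-loopback interface. The debug-port table, the list of debug variable names and the sample configs are assumptions.

```javascript
// Added example (not Oculum's code). Port table, variable names and samples are assumptions.
const DEBUG_PORTS = {
  5005: 'JDWP (Java remote debug, conventional default)',
  9229: 'Node.js inspector',
  5678: 'debugpy',
  2345: 'Delve',
};
const LOOPBACK = new Set(['127.0.0.1', '::1', 'localhost']);

const isTruthy = (v) => ['true', '1', 'yes', 'on'].includes(String(v).trim().toLowerCase());

// debug_enabled: debug switches turned on while the environment is production.
function auditEnv(env) {
  const findings = [];
  if (env.NODE_ENV !== 'production') return findings;
  for (const key of ['DEBUG', 'APP_DEBUG', 'FLASK_DEBUG', 'DJANGO_DEBUG']) {
    if (key in env && isTruthy(env[key])) findings.push({ rule: 'debug_enabled', key });
  }
  return findings;
}

// insecure_config: CORS that allows any origin, and especially any origin with credentials.
// `origin: true` is how the cors package expresses "reflect the request Origin".
function auditCors(cors) {
  const findings = [];
  const anyOrigin = cors.origin === '*' || cors.origin === true;
  if (anyOrigin) findings.push({ rule: 'insecure_config', detail: 'CORS allows any origin' });
  if (anyOrigin && cors.credentials === true) {
    findings.push({ rule: 'insecure_config', detail: 'credentialed CORS with any origin' });
  }
  return findings;
}

// Parse a Compose ports entry: "80", "8080:80", "127.0.0.1:5005:5005", optional "/tcp".
// IPv6 bind addresses are not handled here.
function parsePortMapping(spec) {
  const parts = String(spec).replace(/\/(tcp|udp)$/, '').split(':');
  if (parts.length === 3) return { bind: parts[0], host: Number(parts[1]), container: Number(parts[2]) };
  if (parts.length === 2) return { bind: '0.0.0.0', host: Number(parts[0]), container: Number(parts[1]) };
  return { bind: '0.0.0.0', host: null, container: Number(parts[0]) };
}

// exposed_port: a known debugger port published on a non-loopback interface.
function auditPorts(compose) {
  const findings = [];
  for (const [name, svc] of Object.entries(compose.services || {})) {
    for (const spec of svc.ports || []) {
      const { bind, host, container } = parsePortMapping(spec);
      const label = DEBUG_PORTS[container] || DEBUG_PORTS[host];
      if (label && !LOOPBACK.has(bind)) {
        findings.push({ rule: 'exposed_port', service: name, mapping: spec, detail: label });
      }
    }
  }
  return findings;
}

// Constructed sample configuration.
const SAMPLE_ENV = { NODE_ENV: 'production', DEBUG: 'true', LOG_LEVEL: 'info' };
const SAMPLE_CORS = { origin: '*', credentials: true };
const SAMPLE_COMPOSE = {
  services: {
    app: { ports: ['8080:8080', '5005:5005'] },
    worker: { ports: ['127.0.0.1:9229:9229'] },
  },
};

function auditAll(env, cors, compose) {
  return [...auditEnv(env), ...auditCors(cors), ...auditPorts(compose)];
}

for (const f of auditAll(SAMPLE_ENV, SAMPLE_CORS, SAMPLE_COMPOSE)) console.log(f);
```

The worker service's inspector port is bound to loopback and is therefore not reported, while the app service's JDWP port is.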
Weak Cryptography
weak_crypto
Severity: Medium-High
Detects usage of weak or deprecated cryptographic functions.
Detects:
- MD5 for security purposes
- SHA1 for signatures
- DES/3DES encryption
- ECB mode
- Weak random number generation
Example:
```javascript
// DETECTED: MD5 for password hashing
import { createHash } from 'crypto';
const hash = createHash('md5').update(password).digest('hex');
```
Remediation:
```javascript
// SAFE: Use a password hashing function with a work factor (bcrypt or argon2)
import { hash } from 'bcrypt';
const hashedPassword = await hash(password, 12);
```
Note that bcrypt silently truncates input after 72 bytes; argon2id has no such limit and is the option OWASP lists first.
insufficient_key_length
Severity: Medium
Detects cryptographic keys that are too short.
Example:
```javascript
// DETECTED: RSA key too short
import { generateKeyPairSync } from 'crypto';
const { privateKey } = generateKeyPairSync('rsa', {
  modulusLength: 1024 // Should be 2048+
});
```
Traditional Web Vulnerabilities
Oculum includes basic detection for common web vulnerabilities, though these are not its primary focus. At local depth these are syntactic sink patterns; taint analysis that follows user input to the sink is only performed at deep depth (see the coverage table below).
sql_injection
Severity: High-Critical
Detects SQL injection patterns.
```javascript
// DETECTED: SQL injection (user input interpolated into query text)
const query = `SELECT * FROM users WHERE id = ${userId}`;
```
xss
Severity: High
Detects cross-site scripting vulnerabilities.
```javascript
// DETECTED: XSS via innerHTML
element.innerHTML = userInput;
```
command_injection
Severity: Critical
Detects shell command injection.
```javascript
// DETECTED: Command injection (user input interpolated into a shell command)
import { exec } from 'child_process';
exec(`ls ${userPath}`);
```
Detection Coverage
| Category | Depth: local | Depth: verified | Depth: deep |
|---|---|---|---|
| Known secret patterns | Full | Full + validation | Full + context |
| Entropy-based secrets | High FP rate | Validated | Context-aware |
| Config issues | Pattern-based | Validated | Full analysis |
| Weak crypto | Function calls | + context | Data flow |
| OWASP vulnerabilities | Basic patterns | Validated | Taint analysis |
Focus Areas
Oculum's traditional detection is designed to complement its AI-specific capabilities:
High Coverage:
- Secret detection (essential for AI apps with API keys)
- Configuration audit (AI service configs)
- Authentication patterns
Standard Coverage:
- OWASP Top 10
- Cryptographic issues
- Injection vulnerabilities
For comprehensive traditional vulnerability scanning, consider pairing Oculum with dedicated tools like Semgrep, SonarQube, or Snyk.
Related
- AI Security Detectors — AI-specific detection
- Scan Depths — Detection accuracy by depth
- Suppressing Findings — Handle false positives