
Scan Modes

HZSec runs six parallel detection engines in a single scan. Each targets a distinct class of vulnerability. You can run all six together or target one mode at a time.

01. Secrets & Credentials

Finds API keys, tokens, connection strings, and passwords that have been committed to code — intentionally or by accident.

What it checks
  • 40+ named patterns covering AWS, GCP, Azure, GitHub, Stripe, Twilio, SendGrid, and dozens of other services.
  • Entropy analysis catches high-entropy strings that don't match a named pattern but are statistically likely to be secrets.
  • Checks both current files and, if run in a git repo, commit history back to the initial commit.

Example findings
  • AWS access key in .env.example
  • GitHub PAT hardcoded in CI config
  • Database password in source file
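The combination of named patterns and entropy scoring described above, as an added example that is not HZSec's own code: two constructed patterns, a Shannon-entropy pass over key-like tokens, and an assumed threshold of 4.0 bits per character. The sample file contents are constructed; the AWS key is the placeholder value AWS's own documentation uses.

```python
"""Named-pattern plus entropy secret detection.

Added example, not HZSec's own code. The pattern list, the entropy
threshold and the sample input are constructed for illustration.
"""
import math
import re

# Named patterns (constructed subset; a production rule set carries many more).
NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Candidate tokens for entropy analysis: long runs of key-like characters.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

# Bits per character above which an unnamed token is reported (assumed threshold).
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the characters in s, in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list:
    """Return findings per line: named-pattern hits first, then high-entropy
    tokens that no named pattern already covered."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already reported by a named pattern
        for rule, pattern in NAMED_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
                covered.append(m.span())
        for m in CANDIDATE.finditer(line):
            start, end = m.span()
            if any(start < b and a < end for a, b in covered):
                continue  # overlaps a named match; do not double-report
            entropy = shannon_entropy(m.group(0))
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high_entropy",
                                 "match": m.group(0), "entropy": round(entropy, 2)})
    return findings


# Constructed sample file contents. Line 1 uses the AWS documentation example
# key, line 2 a GitHub-PAT-shaped dummy, line 3 a random-looking token, and
# line 4 a low-entropy placeholder that should not be reported.
SAMPLE = '''\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
SIGNING_SECRET = "x7Gq9pL2mZr4Tv8wKn3Js6Yb1Hd5Qf0Ce"
PLACEHOLDER = "changeme-changeme-changeme"
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

The AWS example key scores only about 3.7 bits per character, below the threshold, so the entropy pass alone would miss it and the named pattern is what reports it; the random signing secret on line 3 matches no pattern but scores above 5 bits per character and is reported by entropy. That is the reason the two passes run together.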
02. Insecure Configuration

Detects configuration values that are known to weaken security — regardless of what language or framework you're using.

What it checks
  • Debug mode enabled in production config (Django DEBUG=True, Flask debug=True, Rails config.log_level = :debug).
  • HTTP endpoints where HTTPS should be used.
  • Weak TLS versions (TLS 1.0, TLS 1.1) or insecure cipher suites.
  • Missing security headers in web server configs (nginx, Apache, Caddy).

Example findings
  • DEBUG=True in .env
  • http:// callback URL
  • SSLv3 in nginx.conf
03. Vulnerable Code Patterns

Identifies code constructs that are commonly exploited in the OWASP Top 10 and CWE catalog.

What it checks
  • SQL injection via string concatenation or f-string formatting in query builders.
  • Cross-site scripting (XSS) via unsanitized user input in template rendering.
  • Path traversal in file read/write operations.
  • Unsafe deserialization using pickle, YAML.load(), or eval().
  • Command injection via subprocess with shell=True and user input.

Example findings
  • f"SELECT * FROM users WHERE id={user_id}"
  • pickle.loads(untrusted_data)
  • subprocess.run(cmd, shell=True)
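Two of the constructs listed above beside their hardened forms, as an added example that is not HZSec's or any project's code: the f-string query the scanner flags next to a parameterized one, and a containment check for file paths taken from a request. The table rows, the upload directory and the sample inputs are constructed.

```python
"""Vulnerable pattern beside its hardened form.

Added example, not HZSec's own code. Table contents, directory names and
inputs are constructed; the flagged constructs are the ones the page lists,
the fixes are standard practice (bound parameters, path containment).
"""
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern the scanner flags: request input interpolated into SQL.
    Anything the caller passes becomes part of the statement."""
    return conn.execute(f"SELECT * FROM users WHERE id={user_id}").fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value travels as a bound parameter, so it is only
    ever compared against the column and never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchall()


def resolve_under(base_dir: str, requested: str) -> str:
    """Hardened file access: resolve the requested path and refuse anything
    that escapes base_dir. os.path.join discards base_dir when `requested`
    is absolute, which is why the check runs on the resolved result."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base_dir}: {requested!r}")
    return target


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "1 OR 1=1"))  # every row comes back
    print("safe:      ", lookup_safe(db, "1 OR 1=1"))        # no row matches
    print("safe:      ", lookup_safe(db, "2"))
    print(resolve_under("/srv/app/uploads", "reports/q1.txt"))
    try:
        resolve_under("/srv/app/uploads", "../../etc/passwd")
    except ValueError as exc:
        print("rejected:", exc)
```

With the bound parameter, SQLite compares the text value against the integer column; a value that is not a well-formed number simply matches nothing, which is the behaviour the detector's fix recommendation relies on.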
04. Dependency CVEs

Checks every dependency in your lockfiles against current CVE databases — without sending your package list anywhere.

What it checks
  • Reads: package.json / package-lock.json, requirements.txt / Pipfile.lock, go.sum, Cargo.lock, Gemfile.lock, pom.xml.
  • Cross-references the CISA Known Exploited Vulnerabilities (KEV) catalog and NVD.
  • CVE data is pulled to your machine daily. Scans run against the local copy — no package names leave your device.
  • Findings include CVSS score, affected version range, patched version, and a link to the CVE advisory.

Example findings
  • lodash < 4.17.21 (Prototype Pollution)
  • log4j 2.x < 2.15.0 (Log4Shell)
  • requests < 2.32.0 (SSRF)
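The offline range match behind a dependency finding, as an added example that is not HZSec's code: a minimal requirements.txt parser and a constructed local advisory table standing in for the daily-synced CVE copy. The requests range is the page's own example finding; examplepkg, otherpkg and the advisory ids are placeholders. Version comparison here is numeric-only, which is enough for exact pins but does not understand pre-release tags.

```python
"""Offline lockfile-to-advisory matching.

Added example, not HZSec's own code. LOCAL_ADVISORIES is a constructed table
in place of a synced CVE database; only the requests range comes from the
page, the other packages and all advisory ids are placeholders.
"""
import re

# Constructed local advisory table: a pin is affected if introduced <= v < fixed.
LOCAL_ADVISORIES = [
    {"package": "requests", "introduced": "0", "fixed": "2.32.0",
     "title": "SSRF", "id": "ADVISORY-ID-PLACEHOLDER-1"},
    {"package": "examplepkg", "introduced": "1.0.0", "fixed": "1.4.2",
     "title": "placeholder issue", "id": "ADVISORY-ID-PLACEHOLDER-2"},
]

# name, optional [extras], then an exact == pin
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)")
REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def version_key(v: str) -> tuple:
    """Numeric components with trailing zeros dropped, so '1.4' == '1.4.0'
    and '2.31' < '2.32.0'. Pre-release suffixes are ignored (limitation)."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def normalize(name: str) -> str:
    return name.lower().replace("_", "-")


def parse_requirements(text: str):
    """Return ({name: version} for exact pins, [names] that are not pinned)."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as -r / -e
        m = PIN.match(line)
        if m:
            pinned[normalize(m.group(1))] = m.group(2)
            continue
        n = REQ_NAME.match(line)
        if n:
            unpinned.append(normalize(n.group(1)))  # range spec: no exact version to match
    return pinned, unpinned


def is_affected(version: str, adv: dict) -> bool:
    v = version_key(version)
    return version_key(adv["introduced"]) <= v < version_key(adv["fixed"])


def match_advisories(pinned: dict) -> list:
    """Cross-reference exact pins against the local table; nothing leaves the machine."""
    findings = []
    for adv in LOCAL_ADVISORIES:
        installed = pinned.get(adv["package"])
        if installed is not None and is_affected(installed, adv):
            findings.append({"package": adv["package"], "installed": installed,
                             "patched": adv["fixed"], "title": adv["title"],
                             "advisory": adv["id"]})
    return findings


# Constructed requirements.txt
REQUIREMENTS = """\
# constructed sample
requests==2.31.0
examplepkg[extra]==1.5.0
otherpkg==0.9.1
flask>=2.0          # not pinned: no exact version to check
"""

if __name__ == "__main__":
    pins, loose = parse_requirements(REQUIREMENTS)
    for f in match_advisories(pins):
        print(f"{f['package']} {f['installed']} < {f['patched']} ({f['title']}) {f['advisory']}")
    print("unpinned, not checked:", loose)
```

Unpinned requirements are reported separately rather than silently skipped: a range spec cannot be matched to an advisory until the resolved version is known, which is why the scanner prefers lockfiles over loose requirement files.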
05. Web Exposure

Surfaces security gaps in how your web application presents itself to browsers and upstream proxies.

What it checks
  • Open or overly permissive CORS configurations (`Access-Control-Allow-Origin: *`).
  • Missing or misconfigured Content Security Policy (CSP).
  • Absent security headers: `X-Frame-Options`, `X-Content-Type-Options`, `Strict-Transport-Security`.
  • Exposed admin routes or sensitive paths accessible without authentication middleware.

Example findings
  • cors({ origin: "*" }) in Express
  • No CSP header in Next.js config
  • Admin route missing auth check
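The header checks listed above run over two constructed response header sets, as an added example that is not HZSec's code. The one-year HSTS max-age floor is an assumed value, and the check treats a CSP `frame-ancestors` directive as covering the job of `X-Frame-Options`, so a response with one but not the other is not flagged.

```python
"""Response-header review for the web-exposure class of findings.

Added example, not HZSec's own code. Both header sets are constructed and
HSTS_MIN_AGE is an assumed floor.
"""
HSTS_MIN_AGE = 31536000  # one year, in seconds; assumed floor


def _get(headers: dict, name: str):
    """Case-insensitive header lookup; header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _hsts_max_age(value: str):
    """Extract max-age from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def review_headers(headers: dict) -> list:
    """Return one finding string per gap; an empty list means nothing to report."""
    findings = []

    if _get(headers, "Access-Control-Allow-Origin") == "*":
        findings.append("permissive CORS: Access-Control-Allow-Origin is *")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("weak Content-Security-Policy: allows unsafe-inline or unsafe-eval")

    # frame-ancestors in CSP supersedes X-Frame-Options; flag only when neither is present
    if _get(headers, "X-Frame-Options") is None and not (csp and "frame-ancestors" in csp):
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = _hsts_max_age(hsts)
        if age is None or age < HSTS_MIN_AGE:
            findings.append(f"Strict-Transport-Security max-age below {HSTS_MIN_AGE}")

    return findings


# Constructed header sets: a weak response and a hardened one.
WEAK = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "*",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, review_headers(hdrs) or "no findings")
```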
06. System Hardening

Reviews your project's infrastructure and deployment configuration for hardening gaps based on CIS benchmarks.

What it checks
  • Overly permissive file permissions (world-writable scripts, 0777 on sensitive config).
  • Docker: running as root, no USER directive, privileged mode, sensitive mounts.
  • CI/CD: secrets printed to logs, environment variables exposed in build artifacts.
  • SSH config: PasswordAuthentication enabled, PermitRootLogin yes.

Example findings
  • chmod 777 deploy.sh
  • Docker USER not set
  • env vars echoed in GitHub Actions

Targeting a specific mode

Pass a single mode name with --mode. Available modes: full (default), quick, secret, config, web, hardening, custom.

# Secrets only
hzsec scan --mode secret ./src

# Config files only
hzsec scan --mode config ./src

# All detectors (default)
hzsec scan --mode full ./src

Quick mode

Quick mode runs the code, config, and web detectors — skipping hardening and dependency checks. It completes faster and is well-suited for pre-commit use.

hzsec scan --mode quick ./src

To use it as a pre-commit hook, save the following as .git/hooks/pre-commit and make the file executable (chmod +x .git/hooks/pre-commit). A non-zero exit status from the hook aborts the commit:

#!/bin/sh
hzsec scan --mode quick --fail-on critical .

.gitignore

HZSec respects .gitignore by default. Build artifacts, node_modules, virtual environments, and compiled output are automatically excluded from every scan.