Clayton

Detect instances in which users password are programmatically set.

Passwords set programmatically

Detect secrets such as tokens, API keys, certificates or similar that have been hardcoded in Apex, Aura or Lightning Web Components.

Detect Flows without any access restriction (either by a profile nor by a permission set).

Detect instances in which is possible to send emails without any control, straight invokable from end users.

Detect components that are vulnerable to Clickjacking.

Detect LWC templates that use direct DOM manipulation and bypass the secure Shadow DOM provided by the Lightning Web Components

Detect when sensitive information like tokens, secrets are stored insecurely.

Inspect the data model definition, and ensure sensitive information isn’t logged or exposed unsafely to avoid data leaks.

Detects the use of "ViewAllData" and "ViewAllRecords" in profiles.

Detect subresource integrity vulnerabilities.

Make sure that resources used by Visualforce or Lightning components are retrieved securely in accordance to your Content Security Policy.

Ensure HTTP callouts use secured endpoints (HTTPS) to protect your application and users from attack.

Enforce using named credentials instead of manually hard-wiring credentials when performing HTTP requests.

Detect uses of cryptography with hard-wired keys, so that the security of encrypted data is not compromised.