What we scan for
Every check HatTest runs, straight from our detection catalog — 155 finding classes across 17 categories, each mapped to the industry-standard OWASP taxonomy. We report what we find with evidence and a fix; we never claim a site is “secure.”
-
High
A04:2025Anthropic API key exposed
An Anthropic API key (sk-ant-…) was found in client-visible code.
-
High
A04:2025AWS access key + secret pair exposed
An AWS access key id (AKIA…/ASIA…) was found alongside its 40-character secret access key in client-visible code — a complete, immediately-usable credential.
-
High
A04:2025Azure Storage account key exposed
An Azure Storage AccountKey= shared key was found in client-visible code.
-
High
A04:2025Database connection string with embedded credentials exposed
A database URL containing an inline user:password (Postgres/MySQL/MongoDB/Redis/AMQP) was found in client-visible code.
-
High
A04:2025DigitalOcean token exposed
A DigitalOcean personal access token (dop_v1_/doo_v1_/dor_v1_) was found in client-visible code.
-
High
A04:2025Docker Hub access token exposed
A Docker Hub access token (dckr_pat_…) was found in client-visible code.
-
High
A04:2025Doppler service token exposed
A Doppler token (dp.pt.… / dp.st.… …) was found in client-visible code.
-
High
A04:2025Secret exposed in client code (high-entropy value on a secret-named variable)
A high-entropy value assigned to a secret-named variable (e.g. SESSION_SECRET, JWT_SIGNING_KEY, api_secret, db_password, client_secret) was found in client-visible code — a credential regardless of provider prefix.
-
High
A04:2025GitHub fine-grained PAT exposed
A GitHub fine-grained personal access token (github_pat_…) was found in client-visible code.
-
High
A04:2025GitHub token exposed
A GitHub token (ghp_/gho_/ghu_/ghs_/ghr_) was found in client-visible code.
-
High
A04:2025GitLab personal access token exposed
A GitLab personal access token (glpat-…) was found in client-visible code.
-
High
A04:2025Google OAuth client secret exposed
A Google OAuth client secret (GOCSPX-…) was found in client-visible code.
-
High
A04:2025Groq API key exposed
A Groq API key (gsk_…) was found in client-visible code.
-
High
A04:2025Hugging Face access token exposed
A Hugging Face access token (hf_…) was found in client-visible code.
-
High
A04:2025Linear API key exposed
A Linear API key (lin_api_…) was found in client-visible code.
-
High
A04:2025Mailchimp API key exposed
A Mailchimp API key (<hex>-usN, corroborated by a nearby 'mailchimp' token) was found in client-visible code.
-
High
A04:2025Mapbox secret token exposed
A Mapbox secret token (sk.…) was found in client-visible code.
-
High
A04:2025Netlify personal access token exposed
A Netlify personal access token (nfp_…) was found in client-visible code.
-
High
A04:2025New Relic API key exposed
A New Relic API key (NRAK-…) was found in client-visible code.
-
High
A04:2025OpenAI API key exposed
An OpenAI API key (sk-…, incl. sk-proj-/sk-svcacct-) was found in client-visible code.
-
High
A04:2025Perplexity API key exposed
A Perplexity API key (pplx-…) was found in client-visible code.
-
High
A04:2025PlanetScale database token exposed
A PlanetScale password or service token (pscale_pw_… / pscale_tkn_…) was found in client-visible code.
-
High
A04:2025Private key exposed (PEM key block)
A PEM-encoded private key block (RSA/EC/DSA/OpenSSH/encrypted PKCS#8/PGP) was found in client-visible code.
-
High
A04:2025PyPI upload token exposed
A PyPI upload token (pypi-AgEIcHlwaS…) was found in client-visible code.
-
High
A04:2025SendGrid API key exposed
A SendGrid API key (SG.…) was found in client-visible code.
-
High
A04:2025Shopify access token exposed
A Shopify access token (shpat_/shpca_/shppa_/shpss_) was found in client-visible code.
-
High
A04:2025Slack token exposed
A Slack token (xoxb-/xoxp-/xoxa-/xoxr-/xoxs-/xoxe-/xapp-) was found in client-visible code.
-
High
A04:2025Square access token exposed
A Square access token (sq0atp-/sq0csp-) was found in client-visible code.
-
High
A04:2025Stripe live secret key exposed
A Stripe sk_live_ secret key was found in client-visible code.
-
High
A04:2025Supabase secret key exposed (sb_secret_)
A Supabase sb_secret_ secret key was found in client-visible code.
-
High
A04:2025Supabase service_role key exposed
A Supabase service_role JWT was found in client-visible code — this key bypasses Row-Level Security.
-
Medium
A04:2025AWS access key id exposed
An AWS access key id (AKIA…/ASIA…) was found in client-visible code, with no secret access key alongside it.
-
Medium
A04:2025Figma personal access token exposed
A Figma personal access token (figd_…) was found in client-visible code.
-
Medium
A04:2025Mailgun API key exposed
A Mailgun API key (key-…, corroborated by a nearby 'mailgun' token) was found in client-visible code.
-
Medium
A04:2025npm token exposed
An npm access token (npm_…) was found in client-visible code.
-
Medium
A04:2025Postman API key exposed
A Postman API key (PMAK-…) was found in client-visible code.
-
Medium
A04:2025Slack incoming webhook URL exposed
A Slack incoming-webhook URL (hooks.slack.com/services/…) was found in client-visible code.
-
Medium
A04:2025Stripe restricted key exposed
A Stripe rk_live_ restricted key was found in client-visible code.
-
Medium
A04:2025Stripe test secret key exposed
A Stripe sk_test_ test-mode secret key was found in client-visible code.
-
Medium
A04:2025Stripe webhook signing secret exposed
A Stripe whsec_ webhook signing secret was found in client-visible code.
-
Medium
A04:2025Telegram bot token exposed
A Telegram bot token (<id>:AA…) was found in client-visible code.
-
Medium
A04:2025Twilio API key exposed
A Twilio API key (SK…, corroborated by a nearby 'twilio' token) was found in client-visible code.
-
Info
A04:2025Google/Firebase API key found
A Google/Firebase browser API key (AIza…) was found in client-visible code. These are usually public by design and meant to be referrer/app-restricted.
-
High
A01:2025Unauthenticated GraphQL access to sensitive data
A schema-built query executed anonymously returned records containing sensitive-looking fields — the GraphQL analog of broken access control.
-
High
A01:2025Authenticated user can read another user's object by ID (BOLA / IDOR)
A logged-in test user could not list a table's rows, yet could fetch another user's specific object directly by its id — object-level authorization is missing (the classic BOLA / IDOR shape, on a table that often exposes no owner column).
-
High
A01:2025Authenticated user can read another user's sensitive rows
A logged-in test user that owns no rows in a table could still read another user's rows, and those rows carry sensitive data — access control is not scoped per user.
-
High
A01:2025BaaS collection exposes sensitive data to anonymous reads
A PocketBase/Appwrite collection returned records with sensitive-looking fields to an anonymous list request.
-
High
A01:2025CouchDB allows anonymous database enumeration (admin party)
An anonymous GET /_all_dbs succeeded — the CouchDB server has no admin configured ('admin party'), so every database is world-accessible.
-
High
A01:2025CouchDB database exposes sensitive data to anonymous reads
An anonymous read of a CouchDB database returned documents with sensitive-looking fields.
-
High
A01:2025Elasticsearch/OpenSearch cluster allows anonymous index enumeration
An anonymous GET /_cat/indices succeeded — the cluster is unauthenticated, so all indices are world-accessible.
-
High
A01:2025Elasticsearch index exposes sensitive data to anonymous queries
An anonymous _search of an index returned documents with sensitive-looking fields.
-
High
A01:2025GraphQL backend exposes sensitive data to anonymous queries
An anonymous (or public-API-key) GraphQL query returned records containing sensitive-looking fields.
-
High
A01:2025Anonymous read exposes sensitive data
An anonymous SELECT returned rows containing sensitive columns or sensitive values (PII, credentials, financial data).
-
High
A01:2025Anonymous writes accepted (RLS does not block unauthenticated writes)
An anonymous INSERT was accepted by the table's row-level-security policies.
-
High
A01:2025Firestore collection is world-readable (open security rules)
An anonymous read of a Firestore collection returned document data — the collection's `allow read` rule lets unauthenticated clients through.
-
High
A01:2025Firebase Realtime Database is world-readable (open security rules)
An anonymous read of the Realtime Database root succeeded — the database's .read rule allows unauthenticated access.
-
High
A01:2025Firebase Storage bucket lists objects to anonymous users (open security rules)
An anonymous list of the default Firebase Storage bucket returned object metadata — the Storage rules allow unauthenticated read/list.
-
High
A01:2025Cloud bucket is world-listable and holds private-looking files
An S3/GCS/Azure bucket allows anonymous listing, and the sampled object names match private-data patterns (backups, invoices, KYC, .env, …).
-
High
A01:2025Supabase Storage bucket is world-listable and holds private-looking files
A Supabase Storage bucket returns objects to an anonymous list request, and the sampled names match private-data patterns.
-
Medium
A01:2025Likely unauthenticated access to sensitive data
An anonymous GET of an API route returned sensitive-looking (PII-shaped) fields — the endpoint appears to serve private data without authentication.
-
Medium
A01:2025Owner-less table readable across users (no per-user scoping — confirm intended)
A table with no per-user ownership column returned a row readable by more than one user, so it has no per-user access scoping — and the rows carry sensitive data. Indistinguishable by structure alone from an intended public/shared table.
-
Medium
A01:2025Authenticated user can read another user's rows (no sensitive columns — confirm intended)
A logged-in test user that owns no rows in a table could read another user's rows, but no sensitive columns were detected — possibly a public feed by design.
-
Medium
A01:2025Authenticated user can read other users' rows in a shared-looking table (confirm intended)
A logged-in test user owns rows in a table AND can read rows owned by others — structurally identical to a legitimate shared/co-membership/public-profile table, so it cannot be confirmed a leak by data alone.
-
Medium
A01:2025Authenticated user can write another user's row (writes not owner-scoped — confirm intended)
A value-neutral update by a logged-in test user succeeded against another user's row — the write (UPDATE) policy is not scoped per owner.
-
Medium
A01:2025Anonymous writes accepted on an intake table (confirm intended)
An anonymous INSERT was accepted on a table that looks like an intake/submission form (contact, waitlist, feedback, signup).
-
Medium
A01:2025Cloud bucket allows anonymous listing (contents not obviously public)
An S3/GCS/Azure bucket allows anonymous listing; the objects are not recognizable public assets, so exposure is possible but unconfirmed.
-
Medium
A01:2025Supabase Storage bucket list is anonymously readable
An anonymous GET /storage/v1/bucket returns the project's bucket names — the storage bucket metadata is world-readable.
-
Medium
A01:2025Supabase Storage bucket allows anonymous listing (contents not obviously public)
A Supabase Storage bucket is anonymously listable; the objects are not recognizable public assets, so exposure is possible but unconfirmed.
-
Low
A01:2025GraphQL introspection is enabled
The backend's GraphQL endpoint answers an introspection query, exposing the full schema (types, fields, operations).
-
Info
A01:2025BaaS collection is anonymously readable (no sensitive columns)
A PocketBase/Appwrite collection returned records to an anonymous request, but no sensitive field patterns were seen — likely public-by-design.
-
Info
A01:2025CouchDB database is anonymously readable (no sensitive columns)
An anonymous read of a CouchDB database returned documents, but no sensitive field patterns — likely public-by-design.
-
Info
A01:2025Elasticsearch index is anonymously queryable (no sensitive fields)
An anonymous _search of an index returned documents, but no sensitive field patterns — likely a public search index.
-
Info
A01:2025Table is anon-readable but holds no sensitive columns
An anonymous SELECT returned rows, but no sensitive column or value patterns were detected — likely intentionally public.
-
Info
A01:2025Supabase RPC (stored-procedure) surface referenced by the app
The app's code calls Supabase RPC functions. A function defined SECURITY DEFINER runs with the definer's privileges and bypasses row-level security — an anon-callable one would be an RLS-bypass vector. This is presence-only: we detect the calls in the bundle but do NOT invoke the functions, so anon-callability and SECURITY DEFINER are unconfirmed.
-
Info
A01:2025Cloud bucket allows anonymous listing (public assets)
An S3/GCS/Azure bucket allows anonymous listing and its objects look like public CDN assets (images, css, js).
-
Info
A01:2025Cloudflare R2 public bucket in use
A public r2.dev URL is referenced — an R2 bucket exposed through Cloudflare's public-by-design dev endpoint.
-
Info
A01:2025Supabase Storage bucket allows anonymous listing (public assets)
A Supabase Storage bucket is anonymously listable and its objects look like public assets.
-
High
A02:2025Spring Boot actuator /env exposes configuration
The Spring Boot actuator /env endpoint is public and dumps the app's property sources.
-
High
A02:2025Spring Boot actuator heap dump downloadable
The Spring Boot actuator /heapdump endpoint is public, serving a full JVM heap dump.
-
High
A02:2025AWS credentials file publicly served
An ~/.aws/credentials INI file exposing aws_access_key_id / aws_secret_access_key is downloadable.
-
High
A02:2025Backup archive publicly served
A ZIP archive (backup.zip / www.zip / public_html.zip) — confirmed by its archive magic bytes — is downloadable.
-
High
A02:2025Plaintext credentials file publicly served
A plaintext credentials file (~/.netrc or ~/.pgpass) is downloadable and returns real credential lines, not HTML.
-
High
A02:2025Docker registry credentials publicly served
A Docker CLI config (~/.docker/config.json) with an `auths` block is served publicly.
-
High
A02:2025Environment file (.env) publicly served
A .env-style environment file (any variant — .env, .env.production, .env.bak, …) is downloadable and returns real KEY=value lines, not an HTML page.
-
High
A02:2025Kubernetes kubeconfig publicly served
A kubeconfig (~/.kube/config) with cluster credentials is served publicly.
-
High
A02:2025Private key file publicly served
A PEM private key (e.g. .ssh/id_rsa, id_rsa) is downloadable.
-
High
A02:2025Rails database.yml with credentials publicly served
A Rails config/database.yml (or /database.yml) is served publicly and contains a literal database password.
-
High
A02:2025Cloud service-account key file publicly served
A GCP/Firebase service-account or OAuth credential file (serviceAccount.json, firebase-adminsdk.json, credentials.json) with a private_key is downloadable.
-
High
A02:2025Deploy (SFTP) credentials publicly served
A VS Code SFTP deploy config (.vscode/sftp.json) exposing a host plus a password or private-key path is downloadable.
-
High
A02:2025SQL database dump publicly served
A SQL dump (backup.sql / dump.sql / database.sql) with CREATE TABLE / INSERT statements is downloadable.
-
High
A02:2025Terraform state publicly served
A Terraform state file (terraform.tfstate) is downloadable.
-
High
A02:2025WordPress config backup leaks DB credentials
A wp-config.php backup (wp-config.php.bak/~/.save/.old) is served as raw source, exposing DB_PASSWORD and auth salts.
-
Medium
A02:2025Spring Boot actuator endpoints exposed
The Spring Boot actuator index is public, listing management endpoints (env, beans, mappings, …).
-
Medium
A02:2025docker-compose file publicly served
A docker-compose.yml/.yaml is served publicly, exposing service environment variables and topology.
-
Medium
A02:2025.NET appsettings.json with secrets exposed
A .NET appsettings.json carrying ConnectionStrings or other secrets is served publicly.
-
Medium
A02:2025Git repository metadata exposed (.git)
Git internals (.git/config, .git/HEAD, or .git/logs/HEAD) are served publicly.
-
Medium
A02:2025Laravel log file publicly served
The Laravel application log (storage/logs/laravel.log) is served publicly.
-
Medium
A02:2025.npmrc auth token publicly served
An .npmrc (or similar registry config) containing a _authToken / _auth / _password is downloadable.
-
Medium
A02:2025phpinfo() output publicly served
A phpinfo() page is publicly reachable (e.g. /phpinfo.php).
-
Medium
A02:2025Config file with sensitive keys exposed
A JSON config file (e.g. config.json) served publicly contains sensitive-looking keys (api_key, secret, password, token).
-
Medium
A02:2025Apache server-status publicly served
The Apache mod_status page (/server-status) is publicly reachable.
-
Medium
A02:2025WordPress debug.log publicly served
The WordPress /wp-content/debug.log is served publicly, exposing PHP errors and stack traces.
-
Low
A02:2025.DS_Store index exposed
A macOS .DS_Store file is served publicly; it discloses the names of other files in the directory.
-
Low
A02:2025WordPress usernames enumerable via REST API
The WordPress /wp-json/wp/v2/users endpoint returns the site's usernames.
-
Low
A02:2025WordPress XML-RPC enabled
The WordPress /xmlrpc.php endpoint is enabled and responding.
-
High
A04:2025TLS certificate has expired
The certificate the site serves for HTTPS is past its expiry date.
-
High
A04:2025TLS certificate is not yet valid
The served certificate's start (not-before) date is in the future, so it isn't valid yet.
-
Medium
A04:2025TLS certificate is expiring soon
The served certificate is valid now but expires within the next 30 days.
-
Medium
A04:2025TLS certificate does not match the hostname
The served certificate's subject/SAN names do not cover the hostname being visited.
-
Medium
A04:2025TLS certificate is self-signed / not from a trusted CA
The certificate is self-issued (issuer equals subject), so it does not chain to a publicly trusted certificate authority.
-
Medium
A04:2025TLS certificate uses a weak (short) RSA key
The served certificate's RSA public key is smaller than the 2048-bit minimum.
-
Medium
A04:2025TLS certificate uses a weak signature algorithm
The served leaf certificate is signed with a collision-broken hash (SHA-1, MD5, or MD2).
-
Info
A02:2025No DMARC record — spoofed mail is not rejected
The domain publishes no DMARC (_dmarc, v=DMARC1) policy, so mailbox providers have no instruction to quarantine or reject failing mail.
-
Info
A02:2025DMARC does not protect this subdomain
This subdomain has no DMARC record of its own, and the organizational domain's policy does not enforce on subdomains (sp=none, or no sp= tag with p=none) — so mail spoofing this subdomain is not rejected.
-
Info
A02:2025DMARC policy not enforced (p=none)
The DMARC record uses p=none (monitor-only) or omits the required p= tag, so failing mail is still delivered.
-
Info
A02:2025No SPF record — sender spoofing is unrestricted
The domain publishes no SPF (v=spf1) TXT record, so receivers have no authorized-sender policy to check.
-
Info
A02:2025Multiple SPF records — policy is undefined
The domain publishes more than one v=spf1 record; per RFC 7208 this is a permerror and SPF may be ignored entirely.
-
Info
A02:2025SPF is neutral (?all) — no enforcement
The SPF record ends in "?all" (neutral): it expresses no pass/fail policy.
-
Info
A02:2025SPF authorizes any sender (+all)
The SPF record ends in "+all", which explicitly authorizes every host on the internet to send as this domain.
-
Medium
A02:2025CORS allows the `null` origin with credentials
The server returns Access-Control-Allow-Origin: null together with Access-Control-Allow-Credentials: true.
-
Medium
A02:2025CORS reflects arbitrary origins with credentials
The server echoes any request Origin back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true.
-
Medium
A02:2025CORS allows any origin with credentials
Access-Control-Allow-Origin: * is sent together with Access-Control-Allow-Credentials: true.
-
Info
A02:2025CORS allows the `null` origin (no credentials)
The server returns Access-Control-Allow-Origin: null, but without credentials.
-
Info
A02:2025CORS reflects arbitrary origins (no credentials)
The server echoes any request Origin back in Access-Control-Allow-Origin, but without credentials.
-
Info
A02:2025CORS allows any origin (no credentials)
Access-Control-Allow-Origin: * without credentials — common and low-risk for public data.
-
Medium
A03:2025WordPress core is significantly outdated
The detected WordPress core version is on a branch several releases behind the current line, so it is missing the accumulated security fixes WordPress backports to maintained branches.
-
Medium
A03:2025WordPress plugin with a known vulnerability
A WordPress plugin was detected at a version below the patch for a known CVE (the version is inferred from the plugin's asset URL).
-
Medium
A03:2025Outdated JavaScript library with known vulnerabilities
A client-side JavaScript library is loaded at a version below the fix for one or more known CVEs (the version is observed in a script URL or the library's own version banner).
-
Low
A03:2025WordPress plugin present — version could not be confirmed
A WordPress plugin with a known CVE history was detected, but its version could not be read from the page assets — so vulnerability can't be confirmed or ruled out.
-
Low
A08:2025Third-party subresource loaded without Subresource Integrity
A cross-origin (third-party) subresource — a <script>, stylesheet, or module/preload — is loaded without a Subresource Integrity (SRI) hash, so the browser can't verify the file wasn't tampered with before running or applying it.
-
Low
A08:2025Subresource Integrity present but not enforced (missing crossorigin)
A cross-origin subresource carries an `integrity` hash but no `crossorigin` attribute. On a cross-origin resource the browser fetches in no-cors mode and gets an opaque response it cannot read, so the SRI hash is silently NOT enforced — the pin does not take effect.
-
Low
A02:2025GraphQL introspection is enabled
The API's GraphQL endpoint answers an introspection query, exposing the full schema (queries, mutations, types).
-
Low
A02:2025API specification is publicly exposed
An OpenAPI/Swagger specification is served publicly, documenting every route and parameter of the API.
-
Low
A02:2025Source map exposes original application source
A JavaScript bundle references a publicly-served .map file whose sourcesContent reconstructs the original, un-minified source (comments, internal logic, endpoints).
-
Info
A02:2025Server banner discloses version
The Server response header includes a version number.
-
Info
A02:2025Framework disclosed via X-Powered-By
The X-Powered-By response header advertises the server framework (and sometimes its version).
-
Medium
A01:2025Cognito identity pool grants AWS credentials to anonymous clients
An AWS Cognito identity pool allows unauthenticated access, so an anonymous request obtains temporary AWS credentials with no sign-in.
-
Low
A07:2025Firebase authorized domains include a wildcard
The Firebase project's authorizedDomains list contains a wildcard entry, widening the OAuth redirect surface.
-
Info
A07:2025Clerk open registration is enabled
The Clerk environment config (readable from the public Frontend API with the publishable key) shows sign-up mode is "public" — anyone can self-register.
-
Info
A07:2025Firebase open registration is enabled
The Firebase project config (readable with the public web API key) shows email/password sign-up is open to anyone.
-
Medium
A04:2025Broken cipher suites accepted
The server negotiated a genuinely broken cipher (RC4, EXPORT, or NULL) from a weak-only ClientHello.
-
Medium
A04:2025Weak cipher negotiated when strong suites were offered
Even when offered strong suites, the server chose a weak (non-AEAD) cipher.
-
Low
A04:2025Legacy 3DES cipher accepted
The server accepts the legacy 3DES (Triple-DES) cipher suite.
-
Low
A04:2025No forward secrecy (static-RSA key exchange)
The server negotiated a static-RSA key-exchange cipher even though modern ECDHE suites were offered, so sessions have no forward secrecy.
-
Medium
A02:2025Session cookie missing HttpOnly
A session-looking cookie is readable by JavaScript because it lacks the HttpOnly attribute.
-
Medium
A04:2025Session cookie missing Secure
A session-looking cookie is set without the Secure attribute on an HTTPS site.
-
Low
A02:2025Session cookie missing SameSite
A session-looking cookie has no SameSite attribute.
-
Medium
A02:2025Client-visible MCP / AI-agent configuration
AI-agent / Model Context Protocol wiring is reachable from the client (an mcpServers block, MCP SDK, or an MCP server reference).
-
Info
A02:2025AI / LLM surface present
A client-visible AI/LLM integration was detected — an LLM provider host called from the browser and/or an agent framework in the bundle.
-
Low
A02:2025Content-Security-Policy present but weak
A CSP exists but its script policy allows unsafe-inline, unsafe-eval, or a wildcard source.
-
Info
A02:2025Standard hardening headers absent
One or more defense-in-depth response headers (HSTS, CSP, X-Content-Type-Options, frame protection, Referrer-Policy) are missing.
-
High
A02:2025Possible subdomain takeover (dangling DNS record)
A DNS record (via CNAME) points at a hosting service resource (S3 bucket, GitHub Pages site, Heroku app, …) that is unclaimed — the service returned its distinctive 'unregistered' response.
-
Medium
A10:2025Server error / debug page exposed
The site served a framework debug or stack-trace page instead of a generic error — leaking its framework and version, server file paths, and often source snippets, SQL, or configuration.
-
Low
A04:2025Deprecated TLS 1.0 / 1.1 still accepted
The server still completes handshakes over TLS 1.0 and/or 1.1, which are formally deprecated.
-
Low
A04:2025HSTS max-age is very short or zero
Strict-Transport-Security is set but with a max-age under a day (or 0).
This list is generated from the same catalog that powers every report, so it always reflects what the scanner actually checks. New detections are added over time. How scanning works · Ask about a specific check.