HomeAPIBlog

wheels security scan

Scans your CFWheels application for security vulnerabilities and provides remediation recommendations.

Usage

wheels security scan [path] [--fix] [--report=<format>] [--severity=<level>] [--output=<file>]

Parameters

  • path - (Optional) Path to scan. Default: current directory (.)

  • --fix - (Optional) Attempt to fix issues automatically

  • --report - (Optional) Report format: console, json, html. Default: console

  • --severity - (Optional) Minimum severity to report: low, medium, high, critical. Default: medium

  • --output - (Optional) Output file for report

Description

The security scan command performs comprehensive security analysis of your CFWheels application, checking for:

  • SQL injection vulnerabilities

  • Cross-site scripting (XSS) risks

  • Cross-site request forgery (CSRF) issues

  • Insecure direct object references

  • Security misconfigurations

  • Outdated dependencies with known vulnerabilities

  • Weak authentication patterns

  • Information disclosure risks

Examples

Standard security scan

wheels security scan

Scan with auto-fix

wheels security scan --fix

Generate HTML security report

wheels security scan --report=html --output=security-audit.html

Scan specific directory with high severity only

wheels security scan app/models --severity=high

JSON report for CI/CD integration

wheels security scan --report=json --output=scan-results.json

Severity Levels

The --severity parameter filters which issues are reported:

Low

  • Code style issues that could lead to vulnerabilities

  • Missing best practices

  • Informational findings

Medium (Default)

  • Potential security issues requiring review

  • Missing security headers

  • Weak configurations

High

  • Confirmed vulnerabilities with moderate impact

  • Authentication/authorization issues

  • Data validation problems

Critical

  • Severe vulnerabilities requiring immediate attention

  • SQL injection risks

  • Remote code execution possibilities

Output

Security Scan Results
====================

Scanning application...
✓ Configuration files
✓ Controllers (15 files)
✓ Models (8 files)
✓ Views (23 files)
✗ Dependencies (2 issues)

CRITICAL: 1 issue found
-----------------------
1. SQL Injection Risk
   File: /app/models/User.cfc
   Line: 45
   Code: findOne(where="id = #params.id#")
   Fix: Use parameterized queries
   
HIGH: 3 issues found
--------------------
1. XSS Vulnerability
   File: /app/views/users/show.cfm
   Line: 12
   Code: <h1>#user.name#</h1>
   Fix: Use htmlEditFormat() or encodeForHTML()

2. Missing CSRF Token
   File: /app/views/users/edit.cfm
   Line: 8
   Fix: Add authenticityToken() to form

3. Outdated Dependency
   Package: jackson-databind
   Version: 2.9.0 (CVE-2019-12345)
   Fix: Update to version 2.14.0 or higher

MEDIUM: 5 issues found
LOW: 12 issues found

Summary:
- Critical: 1
- High: 3
- Medium: 5
- Low: 12
- Total: 21 vulnerabilities

Recommended Actions:
1. Fix all CRITICAL issues immediately
2. Address HIGH issues before deployment
3. Plan remediation for MEDIUM issues
4. Review LOW issues for false positives

Auto-Fix Feature

The --fix flag automatically resolves safe issues:

wheels security scan --fix

Auto-fixing security issues...
✓ Added htmlEditFormat() to 3 output statements
✓ Added CSRF tokens to 2 forms
✓ Updated .htaccess security headers
✗ Cannot auto-fix: SQL injection (requires manual review)

Fixed 5 of 8 fixable issues
Manual intervention required for 3 issues

Report Formats

HTML Report

wheels security scan --report=security-report.html

Generates interactive HTML report with:

  • Executive summary

  • Detailed findings with code snippets

  • Remediation steps

  • Compliance mapping (OWASP, CWE)

JSON Report

wheels security scan --report=security-report.json

Machine-readable format for CI/CD integration

Integration

CI/CD Pipeline

# Example GitHub Actions
- name: Security Scan
  run: |
    wheels security scan --severity=medium --report=json --output=scan.json
    if [ $? -ne 0 ]; then
      echo "Security vulnerabilities found"
      exit 1
    fi

Pre-commit Hook

#!/bin/bash
wheels security scan --severity=high
if [ $? -ne 0 ]; then
  echo "Commit blocked: Security issues detected"
  exit 1
fi

Notes

  • Scans are performed locally; no code is sent externally

  • False positives can be suppressed with inline comments

  • Regular scanning is recommended as part of development workflow

  • Keep scan rules updated with wheels deps update

  • Some fixes require manual review to ensure functionality

Previouswheels securityNextPerformance Commands

Last updated

Was this helpful?