insecure-defaults
Detects fail-open security vulnerabilities where applications run insecurely with missing or weak default configuration.
- Identifies hardcoded secrets, weak authentication defaults, permissive access controls, and weak cryptography that allow apps to start and operate without proper configuration
- Distinguishes between fail-open vulnerabilities (app runs insecurely with defaults) and fail-secure patterns (app crashes if config is missing)
- Focuses on production-reachable code; automatically excludes test fixtures, example files, documentation, and development-only configurations
- Includes verification workflow to trace code paths, confirm runtime behavior, and assess production impact before reporting findings
Insecure Defaults Detection
Finds fail-open vulnerabilities where apps run insecurely with missing configuration. Distinguishes exploitable defaults from fail-secure patterns that crash safely.
- Fail-open (CRITICAL): `SECRET = env.get('KEY') or 'default'` → app runs with a weak secret
- Fail-secure (SAFE): `SECRET = env['KEY']` → app crashes if the variable is missing
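The distinction above can be checked mechanically. The following is an added example, not code from the skill itself: a small AST-based scanner for Python sources that classifies each environment-variable read as fail-open (a literal fallback via `.get('KEY', 'x')`, `os.getenv('KEY', 'x')` or `... or 'x'`), fail-secure (`os.environ['KEY']`, which raises `KeyError` at import time), or needs-review (`.get('KEY')` with no default, which returns `None` and must be traced to see how the caller handles it). It also applies the scoping rules from the "When NOT to Use" section below, skipping files under `test/`, `spec/` and `__tests__/` and files with `.example`, `.template` or `.sample` suffixes. The `env`/`environ` name matching, the verdict labels and the sample files are this example's own assumptions; it requires Python 3.9+ for the `ast.Subscript.slice` layout.

```python
import ast
from dataclasses import dataclass
from pathlib import PurePosixPath

# Scoping rules from the "When NOT to Use" section: skip test fixtures and example/template files.
EXCLUDED_DIRS = {"test", "spec", "__tests__"}
EXCLUDED_SUFFIXES = (".example", ".template", ".sample")


@dataclass
class Finding:
    path: str
    line: int
    var: str
    verdict: str  # FAIL_OPEN | FAIL_SECURE | NEEDS_REVIEW (labels chosen for this example)
    detail: str


def is_production_path(path: str) -> bool:
    """False for files the skill excludes by directory or suffix."""
    p = PurePosixPath(path)
    if any(part in EXCLUDED_DIRS for part in p.parts[:-1]):
        return False
    return not p.name.endswith(EXCLUDED_SUFFIXES)


def _is_environ(node: ast.AST) -> bool:
    """Matches `os.environ`, a bare `environ`, or `env` (the shorthand used on this page)."""
    if isinstance(node, ast.Attribute):
        return node.attr == "environ"
    return isinstance(node, ast.Name) and node.id in ("environ", "env")


def _env_get_key(call: ast.Call):
    """If `call` is environ.get('KEY', ...) or os.getenv('KEY', ...), return 'KEY'."""
    f = call.func
    is_get = isinstance(f, ast.Attribute) and f.attr == "get" and _is_environ(f.value)
    is_getenv = (isinstance(f, ast.Attribute) and f.attr == "getenv") or (
        isinstance(f, ast.Name) and f.id == "getenv")
    if not (is_get or is_getenv) or not call.args:
        return None
    key = call.args[0]
    return key.value if isinstance(key, ast.Constant) and isinstance(key.value, str) else None


def _env_read_key(node: ast.AST):
    """Env var name if `node` reads one via subscript or .get/getenv, else None."""
    if isinstance(node, ast.Subscript) and _is_environ(node.value) and isinstance(node.slice, ast.Constant):
        return node.slice.value  # Python 3.9+: slice is the expression itself
    return _env_get_key(node) if isinstance(node, ast.Call) else None


def _is_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is not None


class _Scanner(ast.NodeVisitor):
    def __init__(self, path: str):
        self.path, self.findings = path, []

    def _report(self, node, var, verdict, detail):
        self.findings.append(Finding(self.path, node.lineno, var, verdict, detail))

    def visit_BoolOp(self, node):
        # `env.get('KEY') or 'default'`: the `or` silently substitutes a literal when unset/empty.
        if isinstance(node.op, ast.Or):
            key = _env_read_key(node.values[0])
            fallback = next((v for v in node.values[1:] if _is_literal(v)), None)
            if key and fallback is not None:
                self._report(node, key, "FAIL_OPEN", f"falls back to literal {fallback.value!r} when unset")
                return  # the inner read is part of this finding; do not report it twice
        self.generic_visit(node)

    def visit_Call(self, node):
        key = _env_get_key(node)
        if key is None:
            return self.generic_visit(node)
        default = node.args[1] if len(node.args) > 1 else next(
            (k.value for k in node.keywords if k.arg == "default"), None)
        if default is None or (isinstance(default, ast.Constant) and default.value is None):
            self._report(node, key, "NEEDS_REVIEW", "returns None when unset; trace how the caller handles it")
        elif _is_literal(default):
            self._report(node, key, "FAIL_OPEN", f"hardcoded default {default.value!r} used when unset")
        else:
            self._report(node, key, "NEEDS_REVIEW", "non-literal default; check what it evaluates to")

    def visit_Subscript(self, node):
        key = _env_read_key(node)
        if key is not None:
            self._report(node, key, "FAIL_SECURE", "KeyError at import time if unset")
            return
        self.generic_visit(node)


def scan_source(path: str, source: str) -> list:
    """Findings for one file; empty if the path is out of scope."""
    if not is_production_path(path):
        return []
    scanner = _Scanner(path)
    scanner.visit(ast.parse(source, filename=path))
    return scanner.findings


def run_scan(files: dict) -> list:
    return [f for path, src in files.items() for f in scan_source(path, src)]


# Constructed sample inputs for this example (not from any real project).
SAMPLE_FILES = {
    "app/settings.py": (
        "import os\n"
        "SECRET_KEY = os.environ.get('SECRET_KEY') or 'changeme'\n"
        "DB_PASSWORD = os.getenv('DB_PASSWORD', 'postgres')\n"
        "JWT_SECRET = os.environ['JWT_SECRET']\n"
        "ADMIN_TOKEN = os.environ.get('ADMIN_TOKEN')\n"
        "DEBUG = os.environ.get('DEBUG', 'false') == 'true'\n"
    ),
    "test/conftest.py": "import os\nSECRET_KEY = os.environ.get('SECRET_KEY', 'test-only')\n",
    "config/settings.py.example": "import os\nSECRET_KEY = os.environ.get('SECRET_KEY', 'x')\n",
}

if __name__ == "__main__":
    for f in run_scan(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.verdict:12} {f.var}: {f.detail}")
```

Running it reports only `app/settings.py`: `SECRET_KEY` and `DB_PASSWORD` as fail-open, `JWT_SECRET` as fail-secure, `ADMIN_TOKEN` as needs-review, and `DEBUG` as fail-open. That last one shows why the skill's verification step matters: `'false'` is the secure default, so a reviewer tracing the code path would downgrade it, whereas `'changeme'` and `'postgres'` let the app start with guessable secrets. The fixtures under `test/` and the `.example` file are never parsed.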
When to Use
- Security audits of production applications (auth, crypto, API security)
- Configuration review of deployment files, IaC templates, Docker configs
- Code review of environment variable handling and secrets management
- Pre-deployment checks for hardcoded credentials or weak defaults
When NOT to Use
Do not use this skill for:
- Test fixtures explicitly scoped to test environments (files in `test/`, `spec/`, `__tests__/`)
- Example/template files (`.example`, `.template`, `.sample` suffixes)
From trailofbits/skills