| Scan Time | 2025-10-29 17:53:25 |
|---|---|
| Path Audited | /home/son/sites/magento |
| Rules Checked | Total: 81, Passed: 36, Failed: 28, Unknown: 17 |
| Findings Overview | Critical: 2, High: 15, Medium: 9, Low: 2, Total: 28 |
| Score (Rules Passed %) | 36 / 81 (44.4%) |
| ID | Severity | Status | Title | Details |
|---|---|---|---|---|
| MB-R001 | high | FAIL | No chmod 777 (no world-writable files/dirs) --- (World-writable files or directories detected. Remove 777 and tighten permissions.) | fs_no_world_writable — World-writable found: /home/son/sites/magento/pub/opt/magento/var/resource_config.json(777), /home/son/sites/magento/pub/index.php(777), /home/son/sites/magento/pub/errors/local.xml.sample(777), /home/son/sites/magento/pub/errors/default/404.phtml(777), /home/son/sites/magento/pub/errors/default/images/i_msg-note.gif(777), /home/son/sites/magento/pub/errors/default/images/i_msg-success.gif(777), /home/son/sites/magento/pub/errors/default/images/favicon.ico(777), /home/son/sites/magento/pub/errors/default/images/i_msg-error.gif(777), /home/son/sites/magento/pub/errors/default/images/logo.gif(777), /home/son/sites/magento/pub/errors/default/503.phtml(777), /home/son/sites/magento/pub/errors/default/css/styles.css(777), /home/son/sites/magento/pub/errors/default/nocache.phtml(777), /home/son/sites/magento/pub/errors/default/report.phtml(777), /home/son/sites/magento/pub/errors/default/page.phtml(777), /home/son/sites/magento/pub/errors/404.php(777), /home/son/sites/magento/pub/errors/noCache.php(777), /home/son/sites/magento/pub/errors/processorFactory.php(777), /home/son/sites/magento/pub/errors/design.xml(777), /home/son/sites/magento/pub/errors/report.php(777), /home/son/sites/magento/pub/errors/processor.php(777), /home/son/sites/magento/pub/errors/503.php(777), /home/son/sites/magento/pub/errors/.htaccess(777), /home/son/sites/magento/pub/media/downloadable/downloadable/downloadable/files/links/l/u/luma_background_-_model_against_fence_4_sec_.mp4(777), /home/son/sites/magento/pub/media/downloadable/downloadable/downloadable/files/link_samples/l/u/luma_background_-_model_against_fence_4_sec_.mp4(777), /home/son/sites/magento/pub/media/downloadable/downloadable/downloadable/files/samples/l/u/luma_background_-_model_against_fence_4_sec_.mp4(777), /home/son/sites/magento/pub/media/downloadable/downloadable/files/links/l/u/luma_background_-_model_against_fence_4_sec_.mp4(777), /home/son/sites/magento/pub/media/downloadable/downloadable/files/link_samples/l/u/luma_background_-_model_against_fence_4_sec_.mp4(777), /home/son/sites/magento/pub/media/downloadable/downloadable/files/samples/l/u/luma_background_-_model_against_fence_4_sec_.mp4(777), /home/son/sites/magento/pub/media/downloadable/.htaccess(777), /home/son/sites/magento/pub/media/sitemap/.htaccess(777), /home/son/sites/magento/pub/media/custom_options/.htaccess(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj03-black_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj11-red_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj09-yellow_back.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj07-red_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj08-gray_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj07-yellow_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj08-green_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj02-green_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj04-black_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj12-black_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj12-orange_back.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj02-orange_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj03-black_back.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj11-green_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj06-blue_alt1.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj11-black_alt1.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj10-black_main.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj03-black_alt1.jpg(777), /home/son/sites/magento/pub/media/catalog/catalog/product/m/j/mj10-orange_main.jpg(777) — |
| MB-R002 | high | FAIL | env.php permissions <= 0640 --- (app/etc/env.php permissions are too permissive. Set to 0640 (owner read/write, group read).) | file_mode_max — app/etc/env.php mode 755 exceeds 640 — |
| MB-R003 | high | PASS | Webroot hygiene (no .git/.env/backups in pub/) --- (Webroot is clean: no sensitive or backup artifacts exposed under pub/.) | webroot_hygiene — Webroot clean: /home/son/sites/magento/pub — 1 |
| MB-R004 | high | PASS | Code directories not group/other-writable --- (Code directories (app, vendor, lib) are not group/other-writable.) | code_dirs_readonly — Code directories not group/other writable — 1 |
| MB-R005 | medium | PASS | Directory listing disabled --- (Directory listing is disabled for public paths.) | http_no_directory_listing — No directory listing in common paths — 1 |
| MB-R006 | high | FAIL | Non-default admin path (not /admin) --- (Admin path is still '/admin'. Change env.php backend.frontName to a non-guessable value and update web server rules.) | php_array_neq — Value at 'backend.frontName' != 'admin' (actual: 'admin') — |
| MB-R007 | critical | FAIL | Admin 2FA module enabled --- (Two-Factor Authentication is disabled or missing. Enable Magento_TwoFactorAuth and enforce 2FA for all admin users.) | php_array_eq — Value at 'modules.Magento_TwoFactorAuth' == 1 (actual: 0) — |
| MB-R008 | high | FAIL | Strong password policy enforced --- (Admin password/security policy is not configured. Define complexity, history, lockout, and rotation settings under admin/security.) | php_array_exists — Path 'system.default.admin/security' not found in app/etc/config.php — |
| MB-R009 | medium | FAIL | Admin session timeout <= 900s --- (Admin session lifetime exceeds 900 seconds. Reduce session.lifetime to ≤ 900 for better security.) | php_array_numeric_compare — Path 'session.lifetime' not found in app/etc/env.php — |
| MB-R010 | medium | FAIL | Admin URL exposure restricted --- (Admin URL is exposed (default path and no network ACLs). Change backend.frontName and/or restrict access via web server allow/deny.) | php_array_neq — Value at 'backend.frontName' != 'admin' (actual: 'admin') — |
| MB-R011 | medium | FAIL | Login rate-limiting / CAPTCHA enabled --- (CAPTCHA / rate-limiting is not configured. Enable admin CAPTCHA (or reCAPTCHA) to slow brute-force attempts.) | php_array_exists — Path 'system.default.admin/captcha' not found in app/etc/config.php — |
| MB-R012 | high | PASS | No raw SQL without abstraction --- (No unsafe raw SQL statements detected; database queries use abstraction layers.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R013 | medium | PASS | Template output is escaped --- (Template output uses proper escaping functions.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R014 | medium | PASS | Avoid PHP superglobals directly --- (No direct access to PHP superglobals detected.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R015 | high | PASS | Forms include CSRF tokens (form_key) --- (Forms include CSRF protection via form_key.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R016 | medium | PASS | SSRF protections present --- (Outbound HTTP requests include SSRF protections (allowlists and timeouts).) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R017 | high | FAIL | No unsafe deserialization --- (Unsafe unserialize() calls detected. Replace with JSON or Magento Serializer classes.) | code_grep — Forbidden pattern found in: /home/son/sites/magento/app/code/Magebean/SecurityReports/Setup/Patch/Data/InstallSecurityRules.php — |
| MB-R018 | high | FAIL | Command execution functions are not used --- (exec(), shell_exec(), or system() calls found. Avoid OS command execution.) | code_grep — Forbidden pattern found in: /home/son/sites/magento/app/code/Magebean/SecurityReports/Engine/Checks/GitHistoryCheck.php, /home/son/sites/magento/app/code/Magebean/SecurityReports/Setup/Patch/Data/InstallSecurityRules.php — |
| MB-R019 | high | FAIL | No eval/assert/dynamic execution --- (Use of eval/assert/create_function detected. Remove or refactor these functions.) | code_grep — Forbidden pattern found in: /home/son/sites/magento/app/code/Magebean/SecurityReports/Setup/Patch/Data/InstallSecurityRules.php, /home/son/sites/magento/app/code/Magebean/SecurityReports/Setup/Patch/Data/InstallSecurityRules.php — |
| MB-R020 | medium | PASS | Path traversal protections (sanitization present) --- (Path sanitization functions (realpath/basename) are present.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R021 | medium | PASS | Secure file upload handling --- (No unsafe file upload flows detected (user file is validated or uploads not used).) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R022 | low | PASS | Escaping for JS context --- (No unescaped dynamic PHP output detected in JavaScript context.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R023 | high | PASS | Use CSPRNG; avoid weak PRNG --- (No weak PRNG detected near security-sensitive code (or no such code present).) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R024 | high | PASS | Sensitive data not logged --- (No sensitive data (passwords, tokens, card details) logged in code.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R025 | medium | PASS | Use Magento APIs for crypto & session --- (Magento's built-in APIs are used for encryption and session management.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R026 | high | FAIL | Force HTTPS in admin and storefront --- (HTTPS is not enforced in admin or storefront. Enable secure URLs in env.php.) | php_array_eq — Path 'system.default.web.secure.use_in_adminhtml' not found in app/etc/env.php — php_array_eq — Path 'system.default.web.secure.use_in_frontend' not found in app/etc/env.php — http_force_https_redirect — No HTTP→HTTPS redirect — |
| MB-R027 | medium | FAIL | HSTS header is set --- (HSTS header is missing. Add Strict-Transport-Security to enforce HTTPS on clients.) | http_has_hsts — HSTS header missing — |
| MB-R028 | high | PASS | TLS protocols >= 1.2 --- (TLS is configured to use version 1.2 or higher.) | http_tls_min_version — TLS < 1.2 disabled (nmap) — 1 |
| MB-R029 | medium | PASS | No mixed content (http://) in templates/assets --- (No insecure http:// references detected in templates or assets.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R030 | high | FAIL | Secure cookies: Secure + HttpOnly enabled --- (Cookies lack Secure or HttpOnly flags. Enable them to protect against theft and XSS.) | php_array_eq — Path 'session.cookie.secure' not found in app/etc/env.php — php_array_eq — Path 'session.cookie.httponly' not found in app/etc/env.php — http_cookie_flags — Cookie flags missing on sensitive cookies — |
| MB-R031 | high | FAIL | Magento runs in PRODUCTION mode --- (Magento is not in PRODUCTION mode. Set MAGE_MODE to 'production' in env.php and redeploy.) | php_array_eq — Value at 'MAGE_MODE' == 'production' (actual: 'developer') — |
| MB-R032 | medium | PASS | Xdebug disabled in production --- (Xdebug is not enabled in the production PHP configuration.) | text_grep — code_grep OK (patterns satisfied) — 1 http_no_xdebug_headers — No debug headers — 1 |
| MB-R033 | medium | PASS | display_errors is Off --- (PHP display_errors is Off. No error traces visible.) | text_grep — code_grep OK (patterns satisfied) — 1 http_no_stacktrace — No error traces observed — 1 |
| MB-R034 | low | PASS | Compiled DI generated (metadata & code) --- (Generated DI metadata and code are present.) | fs_exists — Exists: generated/metadata — 1 fs_exists — Exists: generated/code — 1 |
| MB-R035 | low | PASS | Static content deployed --- (Static view files are deployed (pub/static and var/view_preprocessed exist).) | fs_exists — Exists: pub/static — 1 fs_exists — Exists: var/view_preprocessed — 1 http_static_assets_deployed — Static assets deployed/versioned — 1 |
| MB-R036 | medium | PASS | No dev debug configs on production (template hints off) --- (Developer template hints are disabled in production.) | php_array_eq — Path 'system.default.dev/debug/template_hints' not found in app/etc/env.php — php_array_absent — Path 'system.default.dev.debug.template_hints' not present in app/etc/env.php — 1 |
| MB-R037 | high | FAIL | Full Page Cache (FPC) enabled --- (Full Page Cache is disabled or not using Varnish. Enable FPC for performance.) | php_array_eq — Path 'system.default.system/full_page_cache/caching_application' not found in app/etc/env.php — http_cache_signals — No cache/FPC signals — |
| MB-R038 | medium | FAIL | Cache backend is Redis/Varnish (not file) --- (Cache backend is still using file-based storage. Switch to Redis or Varnish.) | php_array_eq — Path 'cache.frontend.default.backend' not found in app/etc/env.php — php_array_eq — Path 'cache.backend' not found in app/etc/env.php — |
| MB-R039 | medium | PASS | Indexers are READY (no backlog) --- (All indexers are in READY state with no backlog.) | text_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R040 | high | FAIL | Session storage hardened (Redis with auth) --- (Session storage is not hardened. Use Redis with a password for secure sessions.) | php_array_eq — Value at 'session.save' == 'redis' (actual: 'files') — php_array_exists — Path 'session.redis.password' not found in app/etc/env.php — |
| MB-R041 | low | FAIL | No dev cache backends (avoid file backend) --- (File cache backend detected. Replace with Redis or Varnish for production.) | php_array_neq — Path 'cache.frontend.default.backend' not found in app/etc/env.php — php_array_neq — Path 'cache.backend' not found in app/etc/env.php — |
| MB-R042 | high | PASS | Logs and reports not exposed under pub/ --- (Log and report directories are not exposed under pub/.) | webroot_hygiene — Webroot clean: /home/son/sites/magento/pub — 1 |
| MB-R043 | medium | PASS | Log rotation configured --- (Log rotation is configured (rotate and compress directives present).) | text_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R044 | medium | PASS | Debug template hints disabled in production --- (Debug template hints are disabled in production.) | php_array_eq — Path 'system.default.dev/translate_inline/active' not found in app/etc/env.php — php_array_absent — Path 'system.default.dev.translate_inline.active' not present in app/etc/env.php — 1 |
| MB-R045 | high | PASS | PII not logged in application logs --- (No PII such as passwords, tokens, or card data is logged.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R046 | medium | FAIL | Crontab entries present (Magento cron) --- (No Magento cron entry found in repo or docs. Ensure 'bin/magento cron:run' runs every minute via crontab or scheduler.) | crontab_grep — No matching crontab entries — code_grep — Required pattern not found: /(?:^|\s)(?:php\s+[^\n]*?)?bin\/magento\s+cron:run\b/ — |
| MB-R047 | high | FAIL | Cron heartbeat is recent (<= 900s) --- (Cron has not run in the last 15 minutes. Investigate cron service and schedule.) | fs_mtime_max_age — var/cron/cron.timestamp not found — |
| MB-R048 | medium | PASS | Cron backlog below threshold --- (Cron queue size is within acceptable limits.) | text_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R049 | critical | UNKNOWN | No vulnerable packages (CVE via OSV) --- ([UNKNOWN] CVE file not found (requires --cve-data package)) | composer_audit_offline — [UNKNOWN] CVE file not found (requires --cve-data package) — |
| MB-R050 | critical | UNKNOWN | Adobe core module advisories resolved --- ([UNKNOWN] vendor directory not found) | composer_core_advisories_offline — [UNKNOWN] vendor directory not found — |
| MB-R051 | medium | UNKNOWN | Suggest fixed versions for vulnerable packages --- ([UNKNOWN] CVE bundle not found/openable; tried: (no candidates)) | composer_fix_version — [UNKNOWN] CVE bundle not found/openable; tried: (no candidates) — |
| MB-R052 | medium | PASS | High-risk modules flagged --- (No high-risk modules from the list are installed, or they are acknowledged and controlled.) | composer_risk_surface_tag — Risk-surface tagging: 20000 files scanned; 149 subjects tagged — 1 |
| MB-R053 | low | PASS | Temporary mitigations documented --- (Mitigations/workarounds are documented in SECURITY.md.) | fs_exists — Exists: SECURITY.md — 1 text_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R054 | critical | UNKNOWN | Known-exploited packages prioritized (CISA KEV) --- ([UNKNOWN] CVE bundle not found (zip or VULNS dir)) | composer_match_list — [UNKNOWN] CVE bundle not found (zip or VULNS dir) — |
| MB-R055 | high | UNKNOWN | Transitive dependencies checked for CVEs --- ([UNKNOWN] CVE file not found (requires --cve-data package)) | composer_audit_offline — [UNKNOWN] CVE file not found (requires --cve-data package) — |
| MB-R056 | medium | UNKNOWN | No constraints blocking security updates --- ([UNKNOWN] CVE bundle not found/openable; tried: (no candidates)) | composer_constraints_conflict — [UNKNOWN] CVE bundle not found/openable; tried: (no candidates) — |
| MB-R057 | high | UNKNOWN | No yanked/withdrawn packages --- ([UNKNOWN] Yanked metadata not found; tried: DATA/packagist-yanked.json \| rules/packagist-yanked.json) | composer_yanked_offline — [UNKNOWN] Yanked metadata not found; tried: DATA/packagist-yanked.json \| rules/packagist-yanked.json — |
| MB-R058 | medium | UNKNOWN | No outdated Marketplace extensions --- ([UNKNOWN] Release metadata not found; bundle root unresolved; tried: (no candidates)) | composer_outdated_offline — [UNKNOWN] Release metadata not found; bundle root unresolved; tried: (no candidates) — |
| MB-R059 | low | UNKNOWN | Advisories handled in timely manner --- ([UNKNOWN] Bundle not found/openable; tried: (no candidates)) | composer_advisory_latency — [UNKNOWN] Bundle not found/openable; tried: (no candidates) — |
| MB-R060 | medium | UNKNOWN | No extensions without vendor support --- ([UNKNOWN] Vendor-support metadata not found; bundle root unresolved; tried: (no candidates)) | composer_vendor_support_offline — [UNKNOWN] Vendor-support metadata not found; bundle root unresolved; tried: (no candidates) — |
| MB-R061 | high | UNKNOWN | No packages marked 'abandoned' on Packagist --- ([UNKNOWN] Abandoned metadata not found; bundle root unresolved; tried: (no candidates)) | composer_abandoned_offline — [UNKNOWN] Abandoned metadata not found; bundle root unresolved; tried: (no candidates) — |
| MB-R062 | medium | UNKNOWN | No packages without release in > 24 months --- ([UNKNOWN] Release-history metadata not found) | composer_release_recency_offline — [UNKNOWN] Release-history metadata not found — |
| MB-R063 | medium | UNKNOWN | No packages from archived repositories --- ([UNKNOWN] Repo-status metadata not found) | composer_repo_archived_offline — [UNKNOWN] Repo-status metadata not found — |
| MB-R064 | medium | UNKNOWN | No risky forks replacing upstream libs --- ([UNKNOWN] Repo-status metadata not found) | composer_risky_fork_offline — [UNKNOWN] Repo-status metadata not found — |
| MB-R065 | medium | PASS | No wildcard constraints in composer.json --- (No wildcard or 'dev-master' constraints found in composer.json.) | composer_json_constraints — Collected 37 constraints from composer.json at /home/son/sites/magento/composer.json — 1 |
| MB-R066 | medium | PASS | No dev branches in composer.json --- (No dev branch constraints (dev-*) are used.) | composer_json_constraints — Collected 37 constraints from composer.json at /home/son/sites/magento/composer.json — 1 |
| MB-R067 | low | FAIL | prefer-stable=true in composer.json --- (prefer-stable is not enabled. Set config.prefer-stable=true to favor stable releases.) | composer_json_kv — Missing 'key' argument (dot-path) — |
| MB-R068 | critical | UNKNOWN | Composer audit clean (no known vulns) --- ([UNKNOWN] CVE file not found (requires --cve-data package)) | composer_audit_offline — [UNKNOWN] CVE file not found (requires --cve-data package) — |
| MB-R069 | medium | UNKNOWN | Direct dependencies up-to-date --- ([UNKNOWN] Release metadata not found; bundle root unresolved; tried: /home/son/sites/magento/rules/release-history.json) | composer_outdated_offline — [UNKNOWN] Release metadata not found; bundle root unresolved; tried: /home/son/sites/magento/rules/release-history.json — |
| MB-R070 | high | PASS | composer.lock integrity with composer.json --- (composer.lock is in sync with composer.json.) | composer_lock_integrity — composer.lock integrity OK (632 packages) — 1 |
| MB-R071 | medium | UNKNOWN | No abandoned libraries allowed --- ([UNKNOWN] Abandoned metadata not found; bundle root unresolved; tried: (no candidates)) | composer_abandoned_offline — [UNKNOWN] Abandoned metadata not found; bundle root unresolved; tried: (no candidates) — |
| MB-R072 | critical | FAIL | No secrets in VCS (working tree or git history) --- (Secrets detected in files or Git history. Remove, rotate keys, and purge history with a secure rewrite.) | webroot_hygiene — Forbidden artifacts in webroot: /home/son/sites/magento/vendor/colinmollenhour/credis/testenv/.env — git_history_scan — git_history_scan fallback OK (no matches) — 1 |
| MB-R073 | high | FAIL | HTTPS-only endpoints configured --- (Insecure http:// endpoint references found. Switch to HTTPS.) | text_grep — Invalid regex in must_not_match: /http:/// — code_grep — Invalid regex in must_not_match: /http://[^\s"'>]+/ — |
| MB-R074 | medium | FAIL | Debug/verbose off for third-party integrations --- (Third-party debug/verbose logging is enabled. Disable debug_logging in env.php.) | php_array_eq — Path 'system.default.dev/debug/debug_logging' not found in app/etc/env.php — |
| MB-R075 | high | FAIL | Webhook signature validation present --- (Webhook signature validation not detected. Verify MAC using shared secret headers.) | code_grep — Required pattern not found: /hash_hmac\(|\\Stripe\\Webhook::constructEvent/ — |
| MB-R076 | medium | FAIL | Outbound connections restricted by allow-list --- (No allowlist or timeouts for outbound requests. Add domain allowlists and cURL timeouts.) | code_grep — Required pattern not found: /CURLOPT_(RESOLVE|CONNECTTIMEOUT|TIMEOUT)/ — |
| MB-R077 | high | PASS | PII minimization for third-party flows --- (No direct handling of sensitive PII (e.g., full card, CVV, SSN, passport).) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R078 | medium | FAIL | Strong TLS ciphers on upstream gateways --- (Weak or unspecified TLS ciphers. Configure strong cipher suites on the web server.) | nginx_directive — nginx.conf not found — apache_htaccess_directive — .htaccess matched /SSLCipherSuite\s+/ — |
| MB-R079 | high | PASS | API keys stored in env.php (not in DB/plain code) --- (API credentials are stored in env.php, not embedded in code or the DB.) | php_array_key_search — php_array_key_search '(api_)?key|secret|token' matches=1 (min 1) in app/etc/env.php — 1 |
| MB-R080 | medium | PASS | Third-party logging sanitized (mask/redact) --- (Third-party logs apply masking/redaction for sensitive fields.) | code_grep — code_grep OK (patterns satisfied) — 1 |
| MB-R081 | low | PASS | SaaS integrations scoped by ACL (least privilege/IP allowlist) --- (Integration docs mention least-privilege scopes and optional IP allowlisting.) | text_grep — code_grep OK (patterns satisfied) — 1 |
`--cve-data=<bundle.zip>` to enable this section.

This report was generated using Magebean CLI, based on the Magebean Security Baseline v1. Findings are provided for informational and audit purposes only.