C01✓Secrets & credentials — exposed keys, tokens, and credentials in code, config, and repo history.
C02✓Authentication & authorization — every endpoint tested for broken access control and privilege escalation.
C03✓Injection surfaces — SQL, XSS, command injection, and unsafe input handling across the app.
C04✓API security — rate limiting, data exposure, and abuse paths on every public and internal API.
C05✓Dependency risks — vulnerable, outdated, and abandoned packages, with upgrade paths.
C06✓Data handling — how user data is stored, transmitted, and logged. GDPR-relevant flags included.
C07✓Infrastructure & config — cloud misconfigurations, open buckets, permissive CORS, missing headers.
C08✓AI-specific patterns — prompt injection surfaces, unsafe LLM output handling, and model-API key exposure for AI-powered products.