
Report Structure

A KafkaCode report consists of three main sections:

1. Scan Summary: high-level overview of the scan results
2. Issue Listings: detailed findings grouped by severity
3. Recommendations: actionable advice for each issue

Understanding the Scan Summary

🎯 PRIVACY SCAN REPORT
═══════════════════════════════════════════════════════════

📊 SCAN SUMMARY
📁 Directory: ./src
⏰ Timestamp: 2025-01-15 10:30:45
📄 Files Scanned: 25
🔍 Total Issues: 3
🏆 Privacy Grade: 🟡 B-

═══════════════════════════════════════════════════════════

Key Metrics Explained

Metric         | Meaning                          | What to Look For
---------------|----------------------------------|-----------------------------------
Directory      | Path that was scanned            | Verify correct location
Timestamp      | When scan was performed          | Track scan history
Files Scanned  | Number of source files analyzed  | Ensure expected coverage
Total Issues   | Count of all findings            | Lower is better
Privacy Grade  | Overall grade (A+ to F)          | Target A- or better for production

Privacy Grade Interpretation

🟢 A+ / A / A-

Excellent ✅ Production-ready
  • Minimal to no issues
  • Safe to deploy
  • Maintain current practices

🔵 B+ / B / B-

Good ⚠️ Minor improvements needed
  • Generally safe
  • Address issues when convenient
  • Review before major releases

🟡 C+ / C / C-

Moderate ⚠️ Action required
  • Notable privacy concerns
  • Fix before production
  • Not recommended for deployment

🔴 D / F

Critical ❌ Must fix immediately
  • Security vulnerabilities
  • Block all deployments
  • Emergency response needed

Reading Issue Listings

Issues are organized by severity level:

Critical Issues 🔴

🔴 CRITICAL (1)
────────────────────────────────────────────────────────────
  📄 src/config.js:12
     AWS Access Key detected
     aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"

     💡 Recommendation: Move to environment variables
What it means:
  • Severity: Critical (100 points)
  • File: src/config.js
  • Line: 12
  • Issue: Hardcoded AWS access key
  • Code: Actual problematic code shown
  • Action: Move to environment variables immediately
Why it’s critical:
  • Exposed credentials can be exploited
  • Direct access to cloud resources
  • Potential for data breaches
  • Compliance violations
How to fix:
// ❌ Before (Critical)
const aws_access_key_id = "AKIAIOSFODNN7EXAMPLE";

// ✅ After (Fixed)
const aws_access_key_id = process.env.AWS_ACCESS_KEY_ID;

High Severity Issues 🟠

🟠 HIGH (1)
────────────────────────────────────────────────────────────
  📄 src/auth.js:23
     API key found in code
     const apiKey = "sk_live_abc123..."

     💡 Recommendation: Use configuration management
What it means:
  • Severity: High (50 points)
  • Issue: Hardcoded API key (Stripe, GitHub, etc.)
  • Risk: Potential unauthorized access
  • Priority: Fix before next release
How to fix:
// ❌ Before (High)
const apiKey = "sk_live_abc123...";

// ✅ After (Fixed)
const apiKey = process.env.STRIPE_API_KEY;

Medium Severity Issues 🟡

🟡 MEDIUM (2)
────────────────────────────────────────────────────────────
  📄 src/utils/validator.js:45
     Email address found in code
     const adminEmail = "[email protected]"

     💡 Recommendation: Use configuration file

  📄 src/database/connection.js:8
     Potential database connection string
     const dbUrl = "mongodb://localhost:27017/mydb"

     💡 Recommendation: Use environment variables
What it means:
  • Severity: Medium (10 points each)
  • Issue: PII or configuration data in code
  • Risk: Privacy compliance concerns
  • Priority: Address when convenient
How to fix:
// ❌ Before (Medium)
const adminEmail = "[email protected]";
const dbUrl = "mongodb://localhost:27017/mydb";

// ✅ After (Fixed)
const adminEmail = config.get('ADMIN_EMAIL');
const dbUrl = process.env.DATABASE_URL;

Low Severity Issues 🔵

🔵 LOW (3)
────────────────────────────────────────────────────────────
  📄 src/config.js:5
     IP address detected
     const serverIP = "192.168.1.100"

     💡 Recommendation: Use DNS names when possible
What it means:
  • Severity: Low (1 point)
  • Issue: Minor configuration concerns
  • Risk: Minimal
  • Priority: Optional cleanup
How to fix:
// ⚠️ Before (Low)
const serverIP = "192.168.1.100";

// ✅ After (Better)
const serverHost = "api.company.com";

Common Issue Types

1. Hardcoded Secrets

Problem:
# ❌ Critical: Exposed AWS credentials
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# ❌ High: Hardcoded API key
STRIPE_KEY = "sk_live_51H..."

# ❌ Critical: Database password
DB_PASSWORD = "mypassword123"

2. PII in Code

Problem:
// ❌ Medium: Email addresses
const supportEmail = "[email protected]";
const adminEmail = "[email protected]";

// ❌ Medium: Phone numbers
const helpline = "+1-555-123-4567";

// ❌ Critical: SSN in test data
const testSSN = "123-45-6789";

3. Connection Strings

Problem:
# ❌ Critical: Full connection string with password
DATABASE_URL = "postgresql://user:password@localhost:5432/db"

# ❌ High: MongoDB with credentials
MONGO_URI = "mongodb://admin:pass123@localhost:27017/mydb"

# ❌ Medium: Redis URL
REDIS_URL = "redis://localhost:6379"

4. High Entropy Strings

🟡 MEDIUM
  📄 src/utils/crypto.js:15
     High entropy string detected (potential secret)
     const key = "x7K9mP2nQ8vL4wR6tY3zA1bC5dE0fG"

     💡 Recommendation: If this is a secret, move to secure storage
What it means:
  • String has high randomness (entropy > 4.5)
  • Likely a generated secret or token
  • May be a legitimate random value
How to evaluate:
  1. Is it a secret? → Move to env var or vault
  2. Is it a hash? → OK to keep if public
  3. Is it a test fixture? → Add comment explaining
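To make the "entropy > 4.5" rule concrete, here is an added example (not KafkaCode's own code) that computes Shannon entropy per character for quoted string literals and flags the ones above the threshold. The minimum-length gate and the sample lines are this example's own assumptions; the first sample is the crypto.js string from the listing above.

```python
import math
import re

# Threshold the report uses for "High entropy string detected".
ENTROPY_THRESHOLD = 4.5

# Shannon entropy never exceeds log2(len), so a literal shorter than this
# cannot cross the threshold; gating on length is this example's choice,
# not something the page specifies.
MIN_LEN = math.ceil(2 ** ENTROPY_THRESHOLD)  # 23

# Simple double- or single-quoted literals without escape sequences.
STRING_LITERAL = re.compile(r'"([^"\\]*)"|\'([^\'\\]*)\'')


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_high_entropy_literals(line: str):
    """Return (literal, entropy) for each quoted string on the line that is
    long enough and more random than the threshold."""
    hits = []
    for m in STRING_LITERAL.finditer(line):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if len(literal) < MIN_LEN:
            continue
        h = shannon_entropy(literal)
        if h > ENTROPY_THRESHOLD:
            hits.append((literal, round(h, 3)))
    return hits


# Constructed sample lines; the first is the page's own crypto.js example.
SAMPLE_LINES = [
    'const key = "x7K9mP2nQ8vL4wR6tY3zA1bC5dE0fG"',
    'const setting = "admin_email_address_setting"',
    'const short = "Ab3dE5"',
]

if __name__ == "__main__":
    for lineno, line in enumerate(SAMPLE_LINES, 1):
        for literal, h in find_high_entropy_literals(line):
            print(f"sample.js:{lineno}  entropy={h}  {literal}")
```

The 30-character key has 30 distinct characters, so its entropy is log2(30) ≈ 4.907 bits per character; a readable identifier of the same length stays well under 4.5 because it reuses a small alphabet.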

Action Priority Matrix

Grade    | Critical | High | Medium | Low  | Action
---------|----------|------|--------|------|----------------------
F        | 2+       | Any  | Any    | Any  | 🚨 Emergency fix
D        | 1-2      | 2+   | Any    | Any  | ⚠️ Immediate action
C-       | 1        | 1+   | Any    | Any  | ⚠️ Fix before deploy
C/C+     | 0        | 1-2  | 5+     | Any  | ⚠️ Address soon
B-/B/B+  | 0        | 0-1  | 1-5    | Any  | ℹ️ Plan fixes
A-/A/A+  | 0        | 0    | 0-1    | 1-10 | ✅ Optional cleanup
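The matrix above and the per-severity points from the issue listings (100/50/10/1) can be applied mechanically to a set of finding counts. The following is an added example, not KafkaCode's grading code: it walks the printed rows worst-first, treats a scan with no findings as A+ (the page's Clean Project example), and returns None for count combinations the printed matrix does not cover rather than guessing.

```python
# Points per finding as stated in the issue listings, and the grade
# matrix rows exactly as printed on this page.
POINTS = {"critical": 100, "high": 50, "medium": 10, "low": 1}

MATRIX = [  # (band, critical, high, medium, low, action), worst first
    ("F",       "2+",  "Any", "Any", "Any",  "Emergency fix"),
    ("D",       "1-2", "2+",  "Any", "Any",  "Immediate action"),
    ("C-",      "1",   "1+",  "Any", "Any",  "Fix before deploy"),
    ("C/C+",    "0",   "1-2", "5+",  "Any",  "Address soon"),
    ("B-/B/B+", "0",   "0-1", "1-5", "Any",  "Plan fixes"),
    ("A-/A/A+", "0",   "0",   "0-1", "1-10", "Optional cleanup"),
]


def risk_score(critical: int, high: int, medium: int, low: int) -> int:
    """Weighted score using the per-severity points the report lists."""
    return (critical * POINTS["critical"] + high * POINTS["high"]
            + medium * POINTS["medium"] + low * POINTS["low"])


def _in_range(value: int, spec: str) -> bool:
    """Match a count against one matrix cell: 'Any', '2+', '1-2' or '0'."""
    if spec == "Any":
        return True
    if spec.endswith("+"):
        return value >= int(spec[:-1])
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= value <= int(hi)
    return value == int(spec)


def grade(critical: int, high: int, medium: int, low: int):
    """Return (grade band, action) from the first matching matrix row.
    A scan with no findings is A+ (the page's Clean Project example);
    combinations the printed matrix does not cover return None."""
    counts = (critical, high, medium, low)
    if not any(counts):
        return "A+", "No privacy issues detected"
    for band, *cells, action in MATRIX:
        if all(_in_range(v, spec) for v, spec in zip(counts, cells)):
            return band, action
    return None
```

One critical finding with no high findings, for instance, matches neither the D row (High 2+) nor the C- row (High 1+), so the function reports None; treat such gaps as "escalate and review" rather than as a pass.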

False Positives

Sometimes KafkaCode may flag non-issues:

Example 1: Test Data

// ⚠️ Flagged as Medium (email)
const testEmail = "[email protected]";

// ✅ Add context to reduce false positive
const TEST_EMAIL = "[email protected]"; // Test data only, not real PII

Example 2: Public Information

# ⚠️ Flagged as Low (URL)
PUBLIC_API = "https://api.example.com/public"

# ✅ This is acceptable - public endpoint
# No action needed

Example 3: Placeholder Values

// ⚠️ Flagged as High (API key pattern)
String apiKey = "your-api-key-here";  // Placeholder

// ✅ Better: Use a clearly fake value
String apiKey = "REPLACE_WITH_YOUR_API_KEY";
How to handle:
  1. Review the context
  2. Determine if it’s a real issue
  3. If false positive, add a comment
  4. Consider refactoring for clarity

Report Examples

Clean Project (A+)

📊 SCAN SUMMARY
📄 Files Scanned: 50
🔍 Total Issues: 0
🏆 Privacy Grade: 🟢 A+

✅ No privacy issues detected!
Interpretation: Perfect! Safe for production.

Minor Issues (A-)

📊 SCAN SUMMARY
📄 Files Scanned: 50
🔍 Total Issues: 2
🏆 Privacy Grade: 🟢 A-

🔵 LOW (2)
  📄 src/config.js:8
     IP address: "192.168.1.1"
Interpretation: Very good. Optional cleanup of IP addresses.

Moderate Concerns (C)

📊 SCAN SUMMARY
📄 Files Scanned: 50
🔍 Total Issues: 15
🏆 Privacy Grade: 🟡 C

🔴 CRITICAL (1)
  📄 src/db.js:5
     Database password

🟠 HIGH (2)
  📄 API keys detected

🟡 MEDIUM (8)
  📄 Multiple PII leaks

🔵 LOW (4)
  📄 Various configuration issues
Interpretation: Not production-ready. Fix critical/high issues immediately.

Critical Problems (F)

📊 SCAN SUMMARY
📄 Files Scanned: 50
🔍 Total Issues: 25
🏆 Privacy Grade: 🔴 F

🔴 CRITICAL (5)
  📄 Multiple exposed secrets

🟠 HIGH (8)
  📄 Extensive API key exposure

🟡 MEDIUM (10)
  📄 Widespread PII issues

🔵 LOW (2)
Interpretation: Emergency. Complete security audit needed. Block all deployments.

Next Steps