← all rules
code/js-bcrypt-low-rounds
bcrypt cost factor below 10
What it detects
bcrypt.hash(..., N) with N below 10 makes offline password cracking cheap. Use at least 10 (current OWASP recommendation is 12+). AI-generated examples often default to 4 or 8 for 'speed'.
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.