Sensei Logo Sensei Hub


Discover cookbooks curated by Secure Code Warrior and the Sensei Community. How do I install cookbooks?

Have suggestions or feedback?

Suggest cookbooks/recipes Provide feedback
Secure Code Warrior
Android Security Set

Recipes created from security recommendations in the official Android documentation (

- WebView best practices
- Disable JavaScript
- Disable file access
- Disable content access
- Disable geolocation
- Never allow mixed content
- Manifest best practices
- Disable backups
- Explicitly disable backups
- Disable cleartext traffic
- Explicitly disable cleartext traffic
- Disable explicit exported components

Secure Code Warrior
Basic Protection Set

Cookbook which can be used as a starting point for security

This cookbook contains a set of low effort recipes that can be used to detect, fix and prevent common recurring critical and high severity vulnerabilities. Enabling this cookbook will set a security baseline. The expected outcome from this cookbook is not to fix issues that are currently present in the codebase. Because we expect that these flaws have been detected by existing security measures such as peer reviews, penetration tests, and SAST tools. The main purpose is that we prevent new instances of these issues from being introduced in the codebase. Because catching these typical flaws late during development or even in production would increase the cost and time of fixing the issues significantly. Overall, this cookbook gives you the opportunity to improve the state of security by preventing the reappearance from common flaws.


Protection against code injection
- org.yaml.snakeyaml.Yaml


Protection against sql injection
- java.sql.Statement
- java.sql.Connection


Protection against XML External Entities/Entity Expansion
- javax.xml.parsers.DocumentBuilderFactory
- javax.xml.parsers.SAXParserFactory
- javax.xml.transform.TransformerFactory
- javax.xml.validation.SchemaFactory
- javax.xml.xpath.XPathFactory

Secure Code Warrior
Java Gotchas

Examples of simple Java mistakes that can be easily detected and fixed with Sensei

- split "." does not split a string delimited by 'full stop' characters.
- throwable.printstacktrace(...) methods can give an attacker valuable details about program operation.

Secure Code Warrior
Spring Boot

A cookbook that simplifies Spring Boot development. It aims to automate common routines performed by developers, preventing them to repeat themselves or introduce known issues

It covers the following modules:
- Spring Beans
- Spring MVC
- Spring Data
- Spring Security

Secure Code Warrior

Examples of best practices that can be easily detected and fixed with Sensei

- Not releasing DynamoDbClient
- Not releasing AmazonDynamoDbClient
- Avoid hardcoding AWSSessionCredentials
- Automatic region detection by AWS
- Use the Region enum