Initialize GovOPlaN meta repository
This commit is contained in:
51
tools/checks/security-audit/semgrep-govoplan.yml
Normal file
51
tools/checks/security-audit/semgrep-govoplan.yml
Normal file
@@ -0,0 +1,51 @@
|
||||
rules:
|
||||
- id: govoplan.python.subprocess-shell-true
|
||||
languages: [python]
|
||||
severity: WARNING
|
||||
message: Avoid shell=True for module/runtime commands; prefer argv lists and explicit argument validation.
|
||||
patterns:
|
||||
- pattern-either:
|
||||
- pattern: subprocess.run(..., shell=True, ...)
|
||||
- pattern: subprocess.call(..., shell=True, ...)
|
||||
- pattern: subprocess.check_call(..., shell=True, ...)
|
||||
- pattern: subprocess.check_output(..., shell=True, ...)
|
||||
|
||||
- id: govoplan.python.os-system
|
||||
languages: [python]
|
||||
severity: WARNING
|
||||
message: Avoid os.system; use subprocess with argv lists and explicit environment handling.
|
||||
pattern: os.system(...)
|
||||
|
||||
- id: govoplan.python.pickle-load
|
||||
languages: [python]
|
||||
severity: WARNING
|
||||
message: Pickle loading is unsafe for untrusted data; use structured formats or signed payloads.
|
||||
pattern-either:
|
||||
- pattern: pickle.load(...)
|
||||
- pattern: pickle.loads(...)
|
||||
|
||||
- id: govoplan.python.cors-wildcard-credentials
|
||||
languages: [python]
|
||||
severity: ERROR
|
||||
message: Credentialed CORS must not use wildcard origins.
|
||||
pattern: CORSMiddleware(..., allow_origins=["*"], allow_credentials=True, ...)
|
||||
|
||||
- id: govoplan.web.localstorage-sensitive-value
|
||||
languages: [javascript, typescript]
|
||||
severity: WARNING
|
||||
message: Do not persist tokens, API keys, credentials, or passwords in localStorage.
|
||||
patterns:
|
||||
- pattern: localStorage.setItem($KEY, $VALUE)
|
||||
- metavariable-regex:
|
||||
metavariable: $KEY
|
||||
regex: (?i).*(token|api.?key|secret|password|credential).*
|
||||
|
||||
- id: govoplan.web.window-localstorage-sensitive-value
|
||||
languages: [javascript, typescript]
|
||||
severity: WARNING
|
||||
message: Do not persist tokens, API keys, credentials, or passwords in localStorage.
|
||||
patterns:
|
||||
- pattern: window.localStorage.setItem($KEY, $VALUE)
|
||||
- metavariable-regex:
|
||||
metavariable: $KEY
|
||||
regex: (?i).*(token|api.?key|secret|password|credential).*
|
||||
Reference in New Issue
Block a user