rules: - id: govoplan.python.subprocess-shell-true languages: [python] severity: WARNING message: Avoid shell=True for module/runtime commands; prefer argv lists and explicit argument validation. patterns: - pattern-either: - pattern: subprocess.run(..., shell=True, ...) - pattern: subprocess.call(..., shell=True, ...) - pattern: subprocess.check_call(..., shell=True, ...) - pattern: subprocess.check_output(..., shell=True, ...) - id: govoplan.python.os-system languages: [python] severity: WARNING message: Avoid os.system; use subprocess with argv lists and explicit environment handling. pattern: os.system(...) - id: govoplan.python.pickle-load languages: [python] severity: WARNING message: Pickle loading is unsafe for untrusted data; use structured formats or signed payloads. pattern-either: - pattern: pickle.load(...) - pattern: pickle.loads(...) - id: govoplan.python.cors-wildcard-credentials languages: [python] severity: ERROR message: Credentialed CORS must not use wildcard origins. pattern: CORSMiddleware(..., allow_origins=["*"], allow_credentials=True, ...) - id: govoplan.web.localstorage-sensitive-value languages: [javascript, typescript] severity: WARNING message: Do not persist tokens, API keys, credentials, or passwords in localStorage. patterns: - pattern: localStorage.setItem($KEY, $VALUE) - metavariable-regex: metavariable: $KEY regex: (?i).*(token|api.?key|secret|password|credential).* - id: govoplan.web.window-localstorage-sensitive-value languages: [javascript, typescript] severity: WARNING message: Do not persist tokens, API keys, credentials, or passwords in localStorage. patterns: - pattern: window.localStorage.setItem($KEY, $VALUE) - metavariable-regex: metavariable: $KEY regex: (?i).*(token|api.?key|secret|password|credential).*