Files
govoplan/tools/checks/security-audit/semgrep-govoplan.yml

52 lines
2.0 KiB
YAML

rules:
- id: govoplan.python.subprocess-shell-true
languages: [python]
severity: WARNING
message: Avoid shell=True for module/runtime commands; prefer argv lists and explicit argument validation.
patterns:
- pattern-either:
- pattern: subprocess.run(..., shell=True, ...)
- pattern: subprocess.call(..., shell=True, ...)
- pattern: subprocess.check_call(..., shell=True, ...)
- pattern: subprocess.check_output(..., shell=True, ...)
- id: govoplan.python.os-system
languages: [python]
severity: WARNING
message: Avoid os.system; use subprocess with argv lists and explicit environment handling.
pattern: os.system(...)
- id: govoplan.python.pickle-load
languages: [python]
severity: WARNING
message: Pickle loading is unsafe for untrusted data; use structured formats or signed payloads.
pattern-either:
- pattern: pickle.load(...)
- pattern: pickle.loads(...)
- id: govoplan.python.cors-wildcard-credentials
languages: [python]
severity: ERROR
message: Credentialed CORS must not use wildcard origins.
pattern: CORSMiddleware(..., allow_origins=["*"], allow_credentials=True, ...)
- id: govoplan.web.localstorage-sensitive-value
languages: [javascript, typescript]
severity: WARNING
message: Do not persist tokens, API keys, credentials, or passwords in localStorage.
patterns:
- pattern: localStorage.setItem($KEY, $VALUE)
- metavariable-regex:
metavariable: $KEY
regex: (?i).*(token|api.?key|secret|password|credential).*
- id: govoplan.web.window-localstorage-sensitive-value
languages: [javascript, typescript]
severity: WARNING
message: Do not persist tokens, API keys, credentials, or passwords in localStorage.
patterns:
- pattern: window.localStorage.setItem($KEY, $VALUE)
- metavariable-regex:
metavariable: $KEY
regex: (?i).*(token|api.?key|secret|password|credential).*