Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8dfab4ba14f1dd02ccb7d7e17a90a7a669c98957
breakpilot-compliance/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_crypto.yml
Benjamin Admin 8dfab4ba14 feat: Payment Compliance Pack — Semgrep + CodeQL + State Machine + Schema 
Ausfuehrbares Pruefpaket fuer Payment-Terminal-Systeme:

1. Semgrep-Regeln (25 Regeln in 5 Dateien):
   - Logging: Sensitive Daten, Tokens, Debug-Flags
   - Crypto: MD5/SHA1/DES/ECB, Hardcoded Secrets, Weak Random, TLS
   - API: Debug-Routes, Exception Leaks, IDOR, Input Validation
   - Config: Test-Endpoints, CORS, Cookies, Retry
   - Data: Telemetrie, Cache, Export, Queue, Testdaten

2. CodeQL Query-Specs (5 Briefings):
   - Sensitive Data → Logs
   - Sensitive Data → HTTP Response
   - Tenant Context Loss
   - Sensitive Data → Telemetry
   - Cache/Export Leak

3. State-Machine-Tests (10 Testfaelle):
   - 11 Zustaende, 15 Events, 8 Invarianten
   - Duplicate Response, Timeout+Late Success, Decline
   - Invalid Reversal, Cancel, Backend Timeout
   - Parallel Reversal, Unknown Response, Reconnect
   - Late Response after Cancel

4. Finding Schema (JSON Schema):
   - Einheitliches Format fuer alle Engines
   - control_id, engine, status, confidence, evidence, verdict_text

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 14:59:49 +02:00

44 lines
1.6 KiB
YAML
Raw Blame History

rules:
- id: payment-no-md5-sha1
message: Unsichere Hash-Algorithmen erkannt.
severity: ERROR
languages: [python, javascript, typescript, java, go]
pattern-regex: (?i)\b(md5|sha1)\b
- id: payment-no-des-3des
message: Veraltete symmetrische Verfahren erkannt.
severity: ERROR
languages: [python, javascript, typescript, java, go]
pattern-regex: (?i)\b(des|3des|tripledes)\b
- id: payment-no-ecb
message: ECB-Modus ist fuer sensible Daten ungeeignet.
severity: ERROR
languages: [python, javascript, typescript, java, go]
pattern-regex: (?i)\becb\b
- id: payment-hardcoded-secret
message: Moeglicherweise hartkodiertes Secret erkannt.
severity: ERROR
languages: [python, javascript, typescript, java, go]
patterns:
- pattern-either:
- pattern: $KEY = "..."
- pattern: const $KEY = "..."
- pattern: final String $KEY = "..."
- metavariable-pattern:
metavariable: $KEY
pattern-regex: (?i).*(secret|apikey|api_key|password|passwd|privatekey|private_key|terminalkey|zvtkey|opiKey).*
- id: payment-weak-random
message: Nicht-kryptographischer Zufall in Sicherheitskontext erkannt.
severity: ERROR
languages: [python, javascript, typescript, java]
pattern-regex: (?i)(Math\.random|random\.random|new Random\()
- id: payment-disable-tls-verify
message: TLS-Zertifikatspruefung scheint deaktiviert zu sein.
severity: ERROR
languages: [python, javascript, typescript, java, go]
pattern-regex: (?i)(verify\s*=\s*False|rejectUnauthorized\s*:\s*false|InsecureSkipVerify\s*:\s*true|trustAll)
Reference in New Issue View Git Blame Copy Permalink