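# Semgrep Configuration for BreakPilot
# https://semgrep.dev/
#
# Run locally with registry rules (pulls rules over the network):
#   semgrep scan --config auto
# Run with this config only:
#   semgrep scan --config .semgrep.yml
#
# Rule-authoring reminder: every clause listed under `patterns:` must match
# the same code (AND). Alternatives belong under `pattern-either:` (OR).
# Two `- pattern:` entries under `patterns:` with mutually exclusive shapes
# (e.g. pickle.loads vs pickle.load) can never both match, so the rule
# silently never fires.
---
rules:
  # =============================================
  # Python/FastAPI Security Rules
  # =============================================
  - id: hardcoded-secret-in-string
    patterns:
      # Semgrep matches single- and double-quoted literals with "...".
      - pattern: $VAR = "..."
      # Only flag targets whose name looks like a credential; an
      # unconstrained `$VAR = "..."` flags every string assignment.
      - metavariable-regex:
          metavariable: $VAR
          regex: '(?i)(password|passwd|secret|api_?key|token|private_key)'
      # An empty placeholder is not a leaked credential.
      - pattern-not: $VAR = ""
    message: "Potential hardcoded secret detected. Use environment variables or Vault."
    languages: [python]
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-798: Use of Hard-coded Credentials"

  - id: sql-injection-fastapi
    patterns:
      - pattern-either:
          - pattern: $CURSOR.execute(f"...{$USER_INPUT}...", ...)
          - pattern: $CURSOR.execute("..." + $USER_INPUT + "...", ...)
          - pattern: $CURSOR.execute("..." + $USER_INPUT, ...)
          - pattern: $CURSOR.execute("..." % $USER_INPUT, ...)
          # str.format builds the query just like % and f-strings do.
          - pattern: $CURSOR.execute("...".format(...), ...)
    message: "Potential SQL injection. Use parameterized queries."
    languages: [python]
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-89: SQL Injection"
      owasp: "A03:2021 - Injection"

  - id: command-injection
    patterns:
      - pattern-either:
          - pattern: os.system($CMD)
          - pattern: os.popen($CMD)
          # Trailing `...` keeps the match when other kwargs
          # (check=True, capture_output=True, ...) are present.
          - pattern: subprocess.call($CMD, ..., shell=True, ...)
          - pattern: subprocess.check_call($CMD, ..., shell=True, ...)
          - pattern: subprocess.check_output($CMD, ..., shell=True, ...)
          - pattern: subprocess.run($CMD, ..., shell=True, ...)
          - pattern: subprocess.Popen($CMD, ..., shell=True, ...)
    message: "Potential command injection. Avoid shell=True with user input."
    languages: [python]
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-78: OS Command Injection"
      owasp: "A03:2021 - Injection"

  - id: insecure-jwt-algorithm
    patterns:
      - pattern-either:
          # "none" anywhere in the accepted list lets unsigned tokens through.
          - pattern: |
              jwt.decode(..., algorithms=[..., "none", ...], ...)
          # PyJWT 1.x: verify=False disables signature checking for any algorithm.
          - pattern: |
              jwt.decode(..., verify=False, ...)
          # PyJWT 2.x: the same switch moved into options.
          - pattern: |
              jwt.decode(..., options={..., "verify_signature": False, ...}, ...)
    message: "Insecure JWT algorithm or verification disabled."
    languages: [python]
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-347: Improper Verification of Cryptographic Signature"

  - id: path-traversal
    patterns:
      - pattern-either:
          # Trailing `...` keeps the match when a mode argument is passed.
          - pattern: open($PREFIX + $USER_INPUT, ...)
          - pattern: open($PREFIX + $USER_INPUT + $SUFFIX, ...)
          - pattern: open(f"...{$USER_INPUT}...", ...)
          - pattern: Path(...) / $USER_INPUT
    message: "Potential path traversal. Validate and sanitize file paths."
    languages: [python]
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-22: Path Traversal"

  - id: insecure-pickle
    patterns:
      - pattern-either:
          - pattern: pickle.loads($DATA)
          - pattern: pickle.load($FILE)
          - pattern: pickle.Unpickler(...)
    message: "Pickle deserialization is insecure. Use JSON or other safe formats."
    languages: [python]
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"

  # =============================================
  # Go Security Rules
  # =============================================
  - id: go-sql-injection
    patterns:
      - pattern-either:
          # fmt.Sprintf with any number of arguments, plus concatenation;
          # the *Context variants take the query as the second argument.
          - pattern: $DB.$METHOD(fmt.Sprintf("...", ...), ...)
          - pattern: $DB.$METHOD("..." + $USER_INPUT, ...)
          - pattern: $DB.$METHOD($CTX, fmt.Sprintf("...", ...), ...)
          - pattern: $DB.$METHOD($CTX, "..." + $USER_INPUT, ...)
      - metavariable-regex:
          metavariable: $METHOD
          regex: '^(Query|QueryRow|Exec|Prepare)(Context)?$'
    message: "Potential SQL injection in Go. Use parameterized queries."
    languages: [go]
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-89: SQL Injection"
      owasp: "A03:2021 - Injection"

  - id: go-hardcoded-credentials
    patterns:
      - pattern-either:
          - pattern: $VAR := "..."
          - pattern: $VAR = "..."
          - pattern: var $VAR = "..."
          - pattern: const $VAR = "..."
      # Case-insensitive so Password, API_KEY and accessToken are caught,
      # not only the lower-case spellings.
      - metavariable-regex:
          metavariable: $VAR
          regex: '(?i)(password|passwd|secret|api_?key|token|private_key)'
    message: "Potential hardcoded credential. Use environment variables."
    languages: [go]
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-798: Use of Hard-coded Credentials"

  # =============================================
  # JavaScript/TypeScript Security Rules
  # =============================================
  - id: js-xss-innerhtml
    patterns:
      - pattern-either:
          - pattern: $EL.innerHTML = $USER_INPUT
          - pattern: $EL.outerHTML = $USER_INPUT
          - pattern: $EL.insertAdjacentHTML($POSITION, $USER_INPUT)
      # A constant markup string carries no attacker-controlled input.
      - pattern-not: $EL.innerHTML = "..."
      - pattern-not: $EL.outerHTML = "..."
      - pattern-not: $EL.insertAdjacentHTML($POSITION, "...")
    message: "Potential XSS via innerHTML. Use textContent or sanitize input."
    languages: [javascript, typescript]
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-79: Cross-site Scripting"
      owasp: "A03:2021 - Injection"

  - id: js-eval
    patterns:
      - pattern-either:
          - pattern: eval($CODE)
          # Function accepts any number of parameter strings before the body.
          - pattern: new Function(...)
      - pattern-not: eval("...")
    message: "Avoid eval() and new Function() with dynamic input."
    languages: [javascript, typescript]
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code"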