19855efacc
Some checks failed
Tests / Go Tests (push) Has been cancelled
Tests / Python Tests (push) Has been cancelled
Tests / Integration Tests (push) Has been cancelled
Tests / Go Lint (push) Has been cancelled
Tests / Python Lint (push) Has been cancelled
Tests / Security Scan (push) Has been cancelled
Tests / All Checks Passed (push) Has been cancelled
Security Scanning / Secret Scanning (push) Has been cancelled
Security Scanning / Dependency Vulnerability Scan (push) Has been cancelled
Security Scanning / Go Security Scan (push) Has been cancelled
Security Scanning / Python Security Scan (push) Has been cancelled
Security Scanning / Node.js Security Scan (push) Has been cancelled
Security Scanning / Docker Image Security (push) Has been cancelled
Security Scanning / Security Summary (push) Has been cancelled
CI/CD Pipeline / Go Tests (push) Has been cancelled
CI/CD Pipeline / Python Tests (push) Has been cancelled
CI/CD Pipeline / Website Tests (push) Has been cancelled
CI/CD Pipeline / Linting (push) Has been cancelled
CI/CD Pipeline / Security Scan (push) Has been cancelled
CI/CD Pipeline / Docker Build & Push (push) Has been cancelled
CI/CD Pipeline / Integration Tests (push) Has been cancelled
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
CI/CD Pipeline / CI Summary (push) Has been cancelled
ci/woodpecker/manual/build-ci-image Pipeline was successful
ci/woodpecker/manual/main Pipeline failed
All services: admin-v2, studio-v2, website, ai-compliance-sdk, consent-service, klausur-service, voice-service, and infrastructure. Large PDFs and compiled binaries excluded via .gitignore.
148 lines
4.5 KiB
YAML
148 lines
4.5 KiB
YAML
# Semgrep Configuration for BreakPilot
|
|
# https://semgrep.dev/
|
|
#
|
|
# Run locally: semgrep scan --config auto
|
|
# Run with this config: semgrep scan --config .semgrep.yml
|
|
|
|
rules:
|
|
# =============================================
|
|
# Python/FastAPI Security Rules
|
|
# =============================================
|
|
|
|
- id: hardcoded-secret-in-string
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: |
|
|
$VAR = "...$SECRET..."
|
|
- pattern: |
|
|
$VAR = '...$SECRET...'
|
|
message: "Potential hardcoded secret detected. Use environment variables or Vault."
|
|
languages: [python]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-798: Use of Hard-coded Credentials"
|
|
|
|
- id: sql-injection-fastapi
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: |
|
|
$CURSOR.execute(f"...{$USER_INPUT}...")
|
|
- pattern: |
|
|
$CURSOR.execute("..." + $USER_INPUT + "...")
|
|
- pattern: |
|
|
$CURSOR.execute("..." % $USER_INPUT)
|
|
message: "Potential SQL injection. Use parameterized queries."
|
|
languages: [python]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-89: SQL Injection"
|
|
owasp: "A03:2021 - Injection"
|
|
|
|
- id: command-injection
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: os.system($USER_INPUT)
|
|
- pattern: subprocess.call($USER_INPUT, shell=True)
|
|
- pattern: subprocess.run($USER_INPUT, shell=True)
|
|
- pattern: subprocess.Popen($USER_INPUT, shell=True)
|
|
message: "Potential command injection. Avoid shell=True with user input."
|
|
languages: [python]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-78: OS Command Injection"
|
|
owasp: "A03:2021 - Injection"
|
|
|
|
- id: insecure-jwt-algorithm
|
|
patterns:
|
|
- pattern: jwt.decode(..., algorithms=["none"], ...)
|
|
- pattern: jwt.decode(..., algorithms=["HS256"], verify=False, ...)
|
|
message: "Insecure JWT algorithm or verification disabled."
|
|
languages: [python]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-347: Improper Verification of Cryptographic Signature"
|
|
|
|
- id: path-traversal
|
|
patterns:
|
|
- pattern: open(... + $USER_INPUT + ...)
|
|
- pattern: open(f"...{$USER_INPUT}...")
|
|
- pattern: Path(...) / $USER_INPUT
|
|
message: "Potential path traversal. Validate and sanitize file paths."
|
|
languages: [python]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-22: Path Traversal"
|
|
|
|
- id: insecure-pickle
|
|
patterns:
|
|
- pattern: pickle.loads($DATA)
|
|
- pattern: pickle.load($FILE)
|
|
message: "Pickle deserialization is insecure. Use JSON or other safe formats."
|
|
languages: [python]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-502: Deserialization of Untrusted Data"
|
|
|
|
# =============================================
|
|
# Go Security Rules
|
|
# =============================================
|
|
|
|
- id: go-sql-injection
|
|
patterns:
|
|
- pattern: |
|
|
$DB.Query(fmt.Sprintf("...", $USER_INPUT))
|
|
- pattern: |
|
|
$DB.Exec(fmt.Sprintf("...", $USER_INPUT))
|
|
message: "Potential SQL injection in Go. Use parameterized queries."
|
|
languages: [go]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-89: SQL Injection"
|
|
|
|
- id: go-hardcoded-credentials
|
|
patterns:
|
|
- pattern: |
|
|
$VAR := "..."
|
|
- metavariable-regex:
|
|
metavariable: $VAR
|
|
regex: (password|secret|apiKey|api_key|token)
|
|
message: "Potential hardcoded credential. Use environment variables."
|
|
languages: [go]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-798: Use of Hard-coded Credentials"
|
|
|
|
# =============================================
|
|
# JavaScript/TypeScript Security Rules
|
|
# =============================================
|
|
|
|
- id: js-xss-innerhtml
|
|
patterns:
|
|
- pattern: $EL.innerHTML = $USER_INPUT
|
|
message: "Potential XSS via innerHTML. Use textContent or sanitize input."
|
|
languages: [javascript, typescript]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-79: Cross-site Scripting"
|
|
owasp: "A03:2021 - Injection"
|
|
|
|
- id: js-eval
|
|
patterns:
|
|
- pattern: eval($CODE)
|
|
- pattern: new Function($CODE)
|
|
message: "Avoid eval() and new Function() with dynamic input."
|
|
languages: [javascript, typescript]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code"
|