bfdaf63ba9
A previous `git pull --rebase origin main` dropped 177 local commits,
losing 3400+ files across admin-v2, backend, studio-v2, website,
klausur-service, and many other services. The partial restore attempt
(660295e2) only recovered some files.
This commit restores all missing files from pre-rebase ref 98933f5e
while preserving post-rebase additions (night-scheduler, night-mode UI,
NightModeWidget dashboard integration).
Restored features include:
- AI Module Sidebar (FAB), OCR Labeling, OCR Compare
- GPU Dashboard, RAG Pipeline, Magic Help
- Klausur-Korrektur (8 files), Abitur-Archiv (5+ files)
- Companion, Zeugnisse-Crawler, Screen Flow
- Full backend, studio-v2, website, klausur-service
- All compliance SDKs, agent-core, voice-service
- CI/CD configs, documentation, scripts
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
148 lines
4.5 KiB
YAML
148 lines
4.5 KiB
YAML
# Semgrep Configuration for BreakPilot
|
|
# https://semgrep.dev/
|
|
#
|
|
# Run locally: semgrep scan --config auto
|
|
# Run with this config: semgrep scan --config .semgrep.yml
|
|
|
|
rules:
|
|
# =============================================
|
|
# Python/FastAPI Security Rules
|
|
# =============================================
|
|
|
|
- id: hardcoded-secret-in-string
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: |
|
|
$VAR = "...$SECRET..."
|
|
- pattern: |
|
|
$VAR = '...$SECRET...'
|
|
message: "Potential hardcoded secret detected. Use environment variables or Vault."
|
|
languages: [python]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-798: Use of Hard-coded Credentials"
|
|
|
|
- id: sql-injection-fastapi
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: |
|
|
$CURSOR.execute(f"...{$USER_INPUT}...")
|
|
- pattern: |
|
|
$CURSOR.execute("..." + $USER_INPUT + "...")
|
|
- pattern: |
|
|
$CURSOR.execute("..." % $USER_INPUT)
|
|
message: "Potential SQL injection. Use parameterized queries."
|
|
languages: [python]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-89: SQL Injection"
|
|
owasp: "A03:2021 - Injection"
|
|
|
|
- id: command-injection
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: os.system($USER_INPUT)
|
|
- pattern: subprocess.call($USER_INPUT, shell=True)
|
|
- pattern: subprocess.run($USER_INPUT, shell=True)
|
|
- pattern: subprocess.Popen($USER_INPUT, shell=True)
|
|
message: "Potential command injection. Avoid shell=True with user input."
|
|
languages: [python]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-78: OS Command Injection"
|
|
owasp: "A03:2021 - Injection"
|
|
|
|
- id: insecure-jwt-algorithm
|
|
patterns:
|
|
- pattern: jwt.decode(..., algorithms=["none"], ...)
|
|
- pattern: jwt.decode(..., algorithms=["HS256"], verify=False, ...)
|
|
message: "Insecure JWT algorithm or verification disabled."
|
|
languages: [python]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-347: Improper Verification of Cryptographic Signature"
|
|
|
|
- id: path-traversal
|
|
patterns:
|
|
- pattern: open(... + $USER_INPUT + ...)
|
|
- pattern: open(f"...{$USER_INPUT}...")
|
|
- pattern: Path(...) / $USER_INPUT
|
|
message: "Potential path traversal. Validate and sanitize file paths."
|
|
languages: [python]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-22: Path Traversal"
|
|
|
|
- id: insecure-pickle
|
|
patterns:
|
|
- pattern: pickle.loads($DATA)
|
|
- pattern: pickle.load($FILE)
|
|
message: "Pickle deserialization is insecure. Use JSON or other safe formats."
|
|
languages: [python]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-502: Deserialization of Untrusted Data"
|
|
|
|
# =============================================
|
|
# Go Security Rules
|
|
# =============================================
|
|
|
|
- id: go-sql-injection
|
|
patterns:
|
|
- pattern: |
|
|
$DB.Query(fmt.Sprintf("...", $USER_INPUT))
|
|
- pattern: |
|
|
$DB.Exec(fmt.Sprintf("...", $USER_INPUT))
|
|
message: "Potential SQL injection in Go. Use parameterized queries."
|
|
languages: [go]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-89: SQL Injection"
|
|
|
|
- id: go-hardcoded-credentials
|
|
patterns:
|
|
- pattern: |
|
|
$VAR := "..."
|
|
- metavariable-regex:
|
|
metavariable: $VAR
|
|
regex: (password|secret|apiKey|api_key|token)
|
|
message: "Potential hardcoded credential. Use environment variables."
|
|
languages: [go]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-798: Use of Hard-coded Credentials"
|
|
|
|
# =============================================
|
|
# JavaScript/TypeScript Security Rules
|
|
# =============================================
|
|
|
|
- id: js-xss-innerhtml
|
|
patterns:
|
|
- pattern: $EL.innerHTML = $USER_INPUT
|
|
message: "Potential XSS via innerHTML. Use textContent or sanitize input."
|
|
languages: [javascript, typescript]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-79: Cross-site Scripting"
|
|
owasp: "A03:2021 - Injection"
|
|
|
|
- id: js-eval
|
|
patterns:
|
|
- pattern: eval($CODE)
|
|
- pattern: new Function($CODE)
|
|
message: "Avoid eval() and new Function() with dynamic input."
|
|
languages: [javascript, typescript]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code"
|