2 # Patterns in this file use standard regular-expression syntax, but any pattern that
3 # contains a YAML delimiter (such as `:` or ` #`) must be quoted or the parser will split it.
# Prefer single quotes for that: inside double quotes "" YAML processes backslash escapes, so
# a regex escape like `\.` has to be written `\\.` or strict parsers reject the file.
7 - \.git/(index|objects)
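# psql (the PostgreSQL client) was misspelled "plsq", so ~/.psql_history was never matched
34 - (irb|psql|mysql|bash|zsh)_history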
35 - (zsh|bash)rc-secrets
38 - configuration\.user\.xpl
56 - aws_secret_access_key
63 - jenkins\.plugins\.publish_over_ssh\.BapSshPublisherPlugin\.xml
# NOTE(review): the identical pattern appears earlier in this file (line 38) — confirm and drop one copy
67 - configuration\.user\.xpl
79 regex: -----BEGIN\sRSA\sPRIVATE\sKEY----
80 desc: "This looks like it could be a private key"
83 regex: (password|passwd)(.*:|.*=.*)
84 desc: "Possible hardcoded password"
88 desc: "curl can retrieve content from untrusted sources; verify the origin and integrity of anything it downloads"
92 desc: "clone blocked because it uses a non-approved external source"
96 desc: "Insecure cryptographic algorithm"
100 desc: "Insecure cryptographic algorithm"
104 desc: "Insecure cryptographic algorithm"
108 desc: "Insecure hashing algorithm"
112 desc: "Insecure cryptographic algorithm"
116 desc: "This looks like it could be a private key"
120 desc: "RC4 (Rivest Cipher 4) is an insecure stream cipher with known keystream biases; do not use it"
124 desc: "RIPEMD (RACE Integrity Primitives Evaluation Message Digest) is a legacy hash with known weaknesses; prefer SHA-2 or SHA-3"
128 desc: "Possible leak of sensitive information"
132 desc: "Insecure hashing algorithm"
136 desc: "Insecure hashing algorithm"
140 desc: "Possible leak of private SSH key"
144 desc: "Insecure SSL Version"
148 desc: "Insecure cryptographic hashing algorithm"
152 desc: "Insecure TLS Version"
156 desc: "wget is blocked for unknown / untrusted destinations"
159 regex: run_as_root.*=.*True
160 desc: "It's better to use sudo or a rootwrapper so that only the specific commands that need root run as root"
163 regex: \sexec\s*(\"|\().+(\"|\))
164 desc: "exec runs its string argument as code; it is dangerous if any part of that string comes from untrusted input"
168 desc: "eval runs its string argument as code; it is dangerous if any part of that string comes from untrusted input"
171 regex: app\.run\s*\(.*debug.*=.*True.*\)
173 "Running Flask with debug=True exposes stack traces and the interactive Werkzeug debugger, which allows code execution if it is reachable"
176 regex: autoescape.*=.*False
177 desc: "Disabling autoescape renders untrusted values as raw HTML, enabling cross-site scripting (XSS)."
180 regex: safestring\.mark_safe.*\(.*\)
181 desc: "mark_safe() bypasses HTML escaping; applying it to strings that contain untrusted input enables cross-site scripting (XSS)."
184 regex: shell.*=.*True
185 desc: "shell=True runs the command through a shell, so unescaped input can inject arbitrary commands"
190 "tmp directories are risky: they are world writable and file names are easily guessed (symlink / race attacks); use the tempfile module instead"
195 "Avoid unsafe deserialization (e.g. yaml.load without a safe Loader, pickle) which can execute code from untrusted input; use yaml.safe_load"
199 desc: "Avoid communication tools that transmit credentials in clear text; use an encrypted equivalent (SSH/TLS)"
203 desc: "Avoid communication tools that transmit credentials in clear text; use an encrypted equivalent (SSH/TLS)"
207 desc: "Avoid communication tools that transmit credentials in clear text; use an encrypted equivalent (SSH/TLS)"
210 desc: "Interface listening on all addresses (e.g. 0.0.0.0) exposes the service on every network and may break security zones; bind to a specific address"
228 - apex: exceptions/apex.yaml
229 - armband: exceptions/armband.yaml
230 - bamboo: exceptions/bamboo.yaml
231 - barometer: exceptions/barometer.yaml
232 - bottlenecks: exceptions/bottlenecks.yaml
233 - calipso: exceptions/calipso.yaml
234 - compass4nfv: exceptions/compass4nfv.yaml
235 - conductor: exceptions/conductor.yaml
236 - copper: exceptions/copper.yaml
237 - cperf: exceptions/cperf.yaml
238 - daisy: exceptions/daisy.yaml
239 - doctor: exceptions/doctor.yaml
240 - dovetail: exceptions/dovetail.yaml
241 - dpacc: exceptions/dpacc.yaml
242 - enfv: exceptions/enfv.yaml
243 - escalator: exceptions/escalator.yaml
244 - fds: exceptions/fds.yaml
245 - functest: exceptions/functest.yaml
246 - octopus: exceptions/octopus.yaml
247 - pharos: exceptions/pharos.yaml
248 - releng: exceptions/releng.yaml
249 - sandbox: exceptions/sandbox.yaml
250 - yardstick: exceptions/yardstick.yaml
251 - infra: exceptions/infra.yaml
252 - ipv6: exceptions/ipv6.yaml
253 - joid: exceptions/joid.yaml
254 - kvmfornfv: exceptions/kvmfornfv.yaml
255 - lsoapi: exceptions/lsoapi.yaml
256 - models: exceptions/models.yaml
257 - moon: exceptions/moon.yaml
258 - multisite: exceptions/multisite.yaml
259 - netready: exceptions/netready.yaml