2 # This file uses standard regular expression syntax; however, be mindful of also
3 # escaping YAML delimiters (such as `:`) with double quotes "" (which process backslash escapes, so double every `\` in the regex).
7 - \.git/(index|objects)
34 - (irb|plsq|mysql|bash|zsh)_history
35 - (zsh|bash)rc-secrets
38 - configuration\.user\.xpl
55 - aws_secret_access_key
59 regex: -----BEGIN\sRSA\sPRIVATE\sKEY----
60 desc: "This looks like it could be a private key"
63 regex: (password|passwd)(.*:|.*=.*)
64 desc: "Possible hardcoded password"
68 desc: "Curl can be used for retrieving objects from untrusted sources"
72 desc: "clone blocked because it uses a non-approved external source"
76 desc: "Insecure cryptographic algorithm"
80 desc: "Insecure cryptographic algorithm"
84 desc: "Insecure cryptographic algorithm"
88 desc: "Insecure hashing algorithm"
92 desc: "Insecure cryptographic algorithm"
96 desc: "This looks like it could be a private key"
100 desc: "Rivest Cipher 4 is an insecure stream cipher"
105 "RACE Integrity Primitives Evaluation Message Digest
106 is an insecure hashing algorithm"
110 desc: "Possible leak of sensitive information"
114 desc: "Insecure hashing algorithm"
118 desc: "Insecure hashing algorithm"
122 desc: "Possible leak of private SSH key"
126 desc: "Insecure SSL Version"
130 desc: "Insecure cryptographic hashing algorithm"
134 desc: "Insecure TLS Version"
138 desc: "WGET is blocked for unknown / untrusted destinations"
141 regex: run_as_root.*=.*True
142 desc: "It's better to use sudo or a rootwrapper"
145 regex: \sexec\s*(\"|\().+(\"|\))
146 desc: "Exec can be dangerous when used with arbitrary, untrusted code."
150 desc: "Eval can be dangerous when used with arbitrary, untrusted code."
153 regex: app\.run\s*\(.*debug.*=.*True.*\)
155 "Running Flask in debug mode can give away sensitive data about a
156 system's configuration"
159 regex: autoescape.*=.*False
161 "Without escaping HTML input an application becomes
162 vulnerable to Cross Site Scripting (XSS) attacks."
165 regex: safestring\.mark_safe.*\(.*\)
167 "Without escaping HTML input an application becomes
168 vulnerable to Cross Site Scripting (XSS) attacks."
171 regex: shell.*=.*True
173 "Shell=True can lead to dangerous shell escapes,
174 especially when the argument can be crafted from untrusted external input"
179 "Use of tmp directories can be dangerous. They are world-writable and
180 accessible, and their paths can easily be guessed by attackers"
185 "Avoid dangerous file-parsing and object-serialization libraries;
186 use `yaml.safe_load` instead"
190 desc: "Avoid comms applications that transmit credentials in clear text"
194 desc: "Avoid comms applications that transmit credentials in clear text"
198 desc: "Avoid comms applications that transmit credentials in clear text"
212 - apex: exceptions/apex.yaml
213 - armband: exceptions/armband.yaml
214 - bamboo: exceptions/bamboo.yaml
215 - barometer: exceptions/barometer.yaml
216 - bottlenecks: exceptions/bottlenecks.yaml
217 - calipso: exceptions/calipso.yaml
218 - compass4nfv: exceptions/compass4nfv.yaml
219 - conductor: exceptions/conductor.yaml
220 - copper: exceptions/copper.yaml
221 - cperf: exceptions/cperf.yaml
222 - daisy: exceptions/daisy.yaml
223 - doctor: exceptions/doctor.yaml
224 - dovetail: exceptions/dovetail.yaml
225 - dpacc: exceptions/dpacc.yaml
226 - enfv: exceptions/enfv.yaml
227 - escalator: exceptions/escalator.yaml
228 - fds: exceptions/fds.yaml
229 - functest: exceptions/functest.yaml
230 - octopus: exceptions/octopus.yaml
231 - pharos: exceptions/pharos.yaml
232 - releng: exceptions/releng.yaml
233 - sandbox: exceptions/sandbox.yaml
234 - yardstick: exceptions/yardstick.yaml