2 # This file uses standard regular expression syntax; however, be mindful
3 # of also escaping YAML delimiters (such as `:`) by wrapping the value in double quotes "".
7 - \.git/(index|objects)
34 - (irb|plsq|mysql|bash|zsh)_history
35 - (zsh|bash)rc-secrets
38 - configuration\.user\.xpl
55 - aws_secret_access_key
59 regex: -----BEGIN\sRSA\sPRIVATE\sKEY----
60 desc: "This looks like it could be a private key"
63 regex: (password|passwd)(.*:|.*=.*)
64 desc: "Possible hardcoded password"
68 desc: "Curl can be used for retrieving objects from untrusted sources"
72 desc: "clone blocked as it uses a non-approved external source"
76 desc: "Insecure cryptographic algorithm"
80 desc: "Insecure cryptographic algorithm"
84 desc: "Insecure cryptographic algorithm"
88 desc: "Insecure hashing algorithm"
92 desc: "Insecure cryptographic algorithm"
96 desc: "This looks like it could be a private key"
100 desc: "Rivest Cipher 4 is an insecure stream cipher"
104 desc: "RACE Message Digest is an insecure hashing algorithm"
108 desc: "Possible leak of sensitive information"
112 desc: "Insecure hashing algorithm"
116 desc: "Insecure hashing algorithm"
120 desc: "Possible leak of private SSH key"
124 desc: "Insecure SSL Version"
128 desc: "Insecure cryptographic hashing algorithm"
132 desc: "Insecure TLS Version"
136 desc: "WGET is blocked to unknown / untrusted destinations"
139 regex: run_as_root.*=.*True
140 desc: "It's better to use sudo or a rootwrapper"
143 regex: \sexec\s*(\"|\().+(\"|\))
144 desc: "Exec can be dangerous when used with arbitrary, untrusted code."
148 desc: "Eval can be dangerous when used with arbitrary, untrusted code."
151 regex: app\.run\s*\(.*debug.*=.*True.*\)
153 "Running flask in debug mode can give away sensitive data"
156 regex: autoescape.*=.*False
157 desc: "Not escaping HTML input is vulnerable to XSS attacks."
160 regex: safestring\.mark_safe.*\(.*\)
161 desc: "Not escaping HTML input is vulnerable to XSS attacks."
164 regex: shell.*=.*True
165 desc: "Shell=True can lead to dangerous shell escapes"
170 "tmp directories are risky. They are world-writable and easily guessed"
175 "Avoid dangerous file parsing & serialization libs, use yaml.safe_load"
179 desc: "Avoid comms applications that transmit credentials in clear text"
183 desc: "Avoid comms applications that transmit credentials in clear text"
187 desc: "Avoid comms applications that transmit credentials in clear text"
190 desc: "Interface listening on all addresses - may break security zones"
208 - apex: exceptions/apex.yaml
209 - armband: exceptions/armband.yaml
210 - bamboo: exceptions/bamboo.yaml
211 - barometer: exceptions/barometer.yaml
212 - bottlenecks: exceptions/bottlenecks.yaml
213 - calipso: exceptions/calipso.yaml
214 - compass4nfv: exceptions/compass4nfv.yaml
215 - conductor: exceptions/conductor.yaml
216 - copper: exceptions/copper.yaml
217 - cperf: exceptions/cperf.yaml
218 - daisy: exceptions/daisy.yaml
219 - doctor: exceptions/doctor.yaml
220 - dovetail: exceptions/dovetail.yaml
221 - dpacc: exceptions/dpacc.yaml
222 - enfv: exceptions/enfv.yaml
223 - escalator: exceptions/escalator.yaml
224 - fds: exceptions/fds.yaml
225 - functest: exceptions/functest.yaml
226 - octopus: exceptions/octopus.yaml
227 - pharos: exceptions/pharos.yaml
228 - releng: exceptions/releng.yaml
229 - sandbox: exceptions/sandbox.yaml
230 - yardstick: exceptions/yardstick.yaml
231 - infra: exceptions/infra.yaml
232 - ipv6: exceptions/ipv6.yaml
233 - joid: exceptions/joid.yaml
234 - kvmfornfv: exceptions/kvmfornfv.yaml
235 - lsoapi: exceptions/lsoapi.yaml
236 - models: exceptions/models.yaml
237 - moon: exceptions/moon.yaml
238 - multisite: exceptions/multisite.yaml
239 - netready: exceptions/netready.yaml