saving in place

2025-10-04 09:31:02 -05:00
parent 76c1b5cee1
commit f358f49aa9
295 changed files with 72071 additions and 17209 deletions
--- a/.semgrep/rules/go-security-rules.yaml
+++ b/.semgrep/rules/go-security-rules.yaml
@@ -0,0 +1,114 @@
+---
+version: v1
+
+rules:
+  - id: go-unsafe-pointer-conversion
+    patterns:
+      - pattern-either:
+          - pattern: |
+              import "unsafe"
+              ...
+              unsafe.Pointer(...)
+          - pattern: |
+              import "unsafe"
+              ...
+              uintptr(...)
+    message: "Unsafe pointer conversion detected. This can cause memory corruption."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-hardcoded-credentials
+    patterns:
+      - pattern-either:
+          - pattern: |
+              "$S0CR3T_$ID"
+          - pattern: |
+              "$S3CR3T_$KEY"
+          - pattern: |
+              "$API_$TOKEN"
+    message: "Hardcoded credential detected. Move to environment variables or secrets manager."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-weak-crypto
+    patterns:
+      - pattern-either:
+          - pattern: |
+              import "crypto/md5"
+              ...
+              md5.New(...)
+          - pattern: |
+              import "crypto/sha1"
+              ...
+              sha1.New(...)
+    message: "Weak cryptographic algorithm detected. Use SHA-256 or higher."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-weak-rng
+    patterns:
+      - pattern-either:
+          - pattern: |
+              import "math/rand"
+              ...
+              rand.Int(...)
+          - pattern: |
+              import "math/rand"
+              ...
+              rand.Seed(...)
+    message: "Weak random number generator detected. Use crypto/rand for security-sensitive random values."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-incorrect-permission
+    patterns:
+      - pattern: |
+          os.Mkdir(..., 0777)
+    message: "Incorrect permission setting. Using 0777 is too permissive."
+    languages: [go]
+    severity: WARNING
+
+  - id: go-incorrect-permission-2
+    patterns:
+      - pattern: |
+          os.Chmod(..., 0777)
+    message: "Incorrect permission setting. Using 0777 is too permissive."
+    languages: [go]
+    severity: WARNING
+
+  - id: go-tls-insecure-skip-verify
+    patterns:
+      - pattern: |
+          &tls.Config{InsecureSkipVerify: true}
+    message: "Insecure TLS configuration detected. InsecureSkipVerify bypasses certificate validation."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-printf-direct-fmt-string
+    patterns:
+      - pattern: |
+          fmt.Printf($USER_INPUT, ...)
+    message: "Direct use of user input in format string. This can lead to format string vulnerabilities."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-sql-injection
+    patterns:
+      - pattern: |
+          db.Query($USER_INPUT, ...)
+    message: "Potential SQL injection vulnerability. Use parameterized queries instead."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-integer-overflow
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $VAR := int32($INPUT)
+          - pattern: |
+              $VAR := int16($INPUT)
+          - pattern: |
+              $VAR := int8($INPUT)
+    message: "Potential integer overflow/underflow. Consider checking input bounds."
+    languages: [go]
+    severity: WARNING