mev-beta/.semgrep/rules/go-security-rules.yaml

---
version: v1

rules:
  - id: go-unsafe-pointer-conversion
    patterns:
      - pattern-either:
          - pattern: |
              import "unsafe"
              ...
              unsafe.Pointer(...)
          - pattern: |
              import "unsafe"
              ...
              uintptr(...)
    message: "Unsafe pointer conversion detected. This can cause memory corruption."
    languages: [go]
    severity: ERROR

  - id: go-hardcoded-credentials
    patterns:
      - pattern-either:
          - pattern: |
              "$S0CR3T_$ID"
          - pattern: |
              "$S3CR3T_$KEY"
          - pattern: |
              "$API_$TOKEN"
    message: "Hardcoded credential detected. Move to environment variables or secrets manager."
    languages: [go]
    severity: ERROR

  - id: go-weak-crypto
    patterns:
      - pattern-either:
          - pattern: |
              import "crypto/md5"
              ...
              md5.New(...)
          - pattern: |
              import "crypto/sha1"
              ...
              sha1.New(...)
    message: "Weak cryptographic algorithm detected. Use SHA-256 or higher."
    languages: [go]
    severity: ERROR

  - id: go-weak-rng
    patterns:
      - pattern-either:
          - pattern: |
              import "math/rand"
              ...
              rand.Int(...)
          - pattern: |
              import "math/rand"
              ...
              rand.Seed(...)
    message: "Weak random number generator detected. Use crypto/rand for security-sensitive random values."
    languages: [go]
    severity: ERROR

  - id: go-incorrect-permission
    patterns:
      - pattern: |
          os.Mkdir(..., 0777)
    message: "Incorrect permission setting. Using 0777 is too permissive."
    languages: [go]
    severity: WARNING

  - id: go-incorrect-permission-2
    patterns:
      - pattern: |
          os.Chmod(..., 0777)
    message: "Incorrect permission setting. Using 0777 is too permissive."
    languages: [go]
    severity: WARNING

  - id: go-tls-insecure-skip-verify
    patterns:
      - pattern: |
          &tls.Config{InsecureSkipVerify: true}
    message: "Insecure TLS configuration detected. InsecureSkipVerify bypasses certificate validation."
    languages: [go]
    severity: ERROR

  - id: go-printf-direct-fmt-string
    patterns:
      - pattern: |
          fmt.Printf($USER_INPUT, ...)
    message: "Direct use of user input in format string. This can lead to format string vulnerabilities."
    languages: [go]
    severity: ERROR

  - id: go-sql-injection
    patterns:
      - pattern: |
          db.Query($USER_INPUT, ...)
    message: "Potential SQL injection vulnerability. Use parameterized queries instead."
    languages: [go]
    severity: ERROR

  - id: go-integer-overflow
    patterns:
      - pattern-either:
          - pattern: |
              $VAR := int32($INPUT)
          - pattern: |
              $VAR := int16($INPUT)
          - pattern: |
              $VAR := int8($INPUT)
    message: "Potential integer overflow/underflow. Consider checking input bounds."
    languages: [go]
    severity: WARNING