c54c569f30
Completed clean root directory structure: - Root now contains only: .git, .env, docs/, orig/ - Moved all remaining files and directories to orig/: - Config files (.claude, .dockerignore, .drone.yml, etc.) - All .env variants (except active .env) - Git config (.gitconfig, .github, .gitignore, etc.) - Tool configs (.golangci.yml, .revive.toml, etc.) - Documentation (*.md files, @prompts) - Build files (Dockerfiles, Makefile, go.mod, go.sum) - Docker compose files - All source directories (scripts, tests, tools, etc.) - Runtime directories (logs, monitoring, reports) - Dependency files (node_modules, lib, cache) - Special files (--delete) - Removed empty runtime directories (bin/, data/) V2 structure is now clean: - docs/planning/ - V2 planning documents - orig/ - Complete V1 codebase preserved - .env - Active environment config (not in git) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
114 lines
3.1 KiB
YAML
114 lines
3.1 KiB
YAML
---
|
|
version: v1
|
|
|
|
rules:
|
|
- id: go-unsafe-pointer-conversion
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: |
|
|
import "unsafe"
|
|
...
|
|
unsafe.Pointer(...)
|
|
- pattern: |
|
|
import "unsafe"
|
|
...
|
|
uintptr(...)
|
|
message: "Unsafe pointer conversion detected. This can cause memory corruption."
|
|
languages: [go]
|
|
severity: ERROR
|
|
|
|
- id: go-hardcoded-credentials
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: |
|
|
"$S0CR3T_$ID"
|
|
- pattern: |
|
|
"$S3CR3T_$KEY"
|
|
- pattern: |
|
|
"$API_$TOKEN"
|
|
message: "Hardcoded credential detected. Move to environment variables or secrets manager."
|
|
languages: [go]
|
|
severity: ERROR
|
|
|
|
- id: go-weak-crypto
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: |
|
|
import "crypto/md5"
|
|
...
|
|
md5.New(...)
|
|
- pattern: |
|
|
import "crypto/sha1"
|
|
...
|
|
sha1.New(...)
|
|
message: "Weak cryptographic algorithm detected. Use SHA-256 or higher."
|
|
languages: [go]
|
|
severity: ERROR
|
|
|
|
- id: go-weak-rng
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: |
|
|
import "math/rand"
|
|
...
|
|
rand.Int(...)
|
|
- pattern: |
|
|
import "math/rand"
|
|
...
|
|
rand.Seed(...)
|
|
message: "Weak random number generator detected. Use crypto/rand for security-sensitive random values."
|
|
languages: [go]
|
|
severity: ERROR
|
|
|
|
- id: go-incorrect-permission
|
|
patterns:
|
|
- pattern: |
|
|
os.Mkdir(..., 0777)
|
|
message: "Incorrect permission setting. Using 0777 is too permissive."
|
|
languages: [go]
|
|
severity: WARNING
|
|
|
|
- id: go-incorrect-permission-2
|
|
patterns:
|
|
- pattern: |
|
|
os.Chmod(..., 0777)
|
|
message: "Incorrect permission setting. Using 0777 is too permissive."
|
|
languages: [go]
|
|
severity: WARNING
|
|
|
|
- id: go-tls-insecure-skip-verify
|
|
patterns:
|
|
- pattern: |
|
|
&tls.Config{InsecureSkipVerify: true}
|
|
message: "Insecure TLS configuration detected. InsecureSkipVerify bypasses certificate validation."
|
|
languages: [go]
|
|
severity: ERROR
|
|
|
|
- id: go-printf-direct-fmt-string
|
|
patterns:
|
|
- pattern: |
|
|
fmt.Printf($USER_INPUT, ...)
|
|
message: "Direct use of user input in format string. This can lead to format string vulnerabilities."
|
|
languages: [go]
|
|
severity: ERROR
|
|
|
|
- id: go-sql-injection
|
|
patterns:
|
|
- pattern: |
|
|
db.Query($USER_INPUT, ...)
|
|
message: "Potential SQL injection vulnerability. Use parameterized queries instead."
|
|
languages: [go]
|
|
severity: ERROR
|
|
|
|
- id: go-integer-overflow
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: |
|
|
$VAR := int32($INPUT)
|
|
- pattern: |
|
|
$VAR := int16($INPUT)
|
|
- pattern: |
|
|
$VAR := int8($INPUT)
|
|
message: "Potential integer overflow/underflow. Consider checking input bounds."
|
|
languages: [go]
|
|
severity: WARNING |