chore(aegis): add scanners/semgrep-rules.yml

2026-06-26 14:14:42 +02:00
parent 7f40cf159c
commit e6699d5d51
1 changed files with 19 additions and 0 deletions
@@ -0,0 +1,19 @@
+# Aegis custom Semgrep rules (M1).
+# Extends the standard packs (p/owasp-top-ten, p/<lang>) referenced from the
+# semgrep job in .gitea/workflows/security.yml. Add project-specific rules here.
+# Keep noise low (tune p/default out where FP-heavy) — see R-02 risk register.
+rules:
+  - id: aegis-no-hardcoded-credentials
+    languages: [java, javascript, typescript, python]
+    message: "Possible hardcoded credential — move to an env var / secret."
+    severity: WARNING
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+    patterns:
+      - pattern-regex: '(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'\''][^"'\'']{8,}["'\'']'
+      - pattern-not-regex: '(?i)\$\{|process\.env|System\.getenv|@Value|@ConfigurationProperties'
+  - id: aegis-no-http-outbound
+    languages: [java, javascript, typescript]
+    message: "Outbound HTTP URL — prefer HTTPS."
+    severity: INFO
+    pattern-regex: 'http://(?!localhost|127\.0\.0\.1|192\.168\.|10\.|backend|frontend|postgres)'