agent-kit/.semgrep.yaml at main · graysurf/agent-kit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
rules:
  - id: agent-kit.comment.todo
    languages: [generic]
    message: TODO marker (unfinished work or missing edge cases).
    severity: INFO
    pattern-regex: "\\bTODO\\b"
    paths:
      include:
        - "*.py"
        - "*.sh"
        - "*.zsh"

  - id: agent-kit.comment.fixme
    languages: [generic]
    message: FIXME marker (known-bad behavior).
    severity: WARNING
    pattern-regex: "\\bFIXME\\b"
    paths:
      include:
        - "*.py"
        - "*.sh"
        - "*.zsh"

  - id: agent-kit.comment.bug
    languages: [generic]
    message: BUG marker (explicit bug note).
    severity: WARNING
    pattern-regex: "\\bBUG\\b"
    paths:
      include:
        - "*.py"
        - "*.sh"
        - "*.zsh"

  - id: agent-kit.comment.hack
    languages: [generic]
    message: HACK marker (workaround or suspicious code).
    severity: WARNING
    pattern-regex: "\\bHACK\\b"
    paths:
      include:
        - "*.py"
        - "*.sh"
        - "*.zsh"

  - id: agent-kit.comment.xxx
    languages: [generic]
    message: XXX marker (placeholder or code smell).
    severity: INFO
    pattern-regex: "\\bXXX\\b"
    paths:
      include:
        - "*.py"
        - "*.sh"
        - "*.zsh"

  - id: agent-kit.shell.typeset-empty-string-double-quotes
    languages: [generic]
    message: Prefer ='' over ="" in typeset/local lines.
    severity: INFO
    pattern-regex: '^[ \t]*(?:typeset|local)\b.*=""'
    paths:
      include:
        - "*.sh"
        - "*.zsh"

  - id: agent-kit.shell.eval
    languages: [generic]
    message: "Avoid eval in shell scripts; prefer arrays or explicit parsing."
    severity: WARNING
    pattern-regex: "^[ \\t]*eval\\b"
    paths:
      include:
        - "*.sh"
        - "*.zsh"

  - id: agent-kit.shell.curl-pipe-shell
    languages: [generic]
    message: Avoid piping curl/wget output to a shell (supply-chain risk).
    severity: ERROR
    pattern-regex: "^[ \\t]*(?:curl|wget)\\b[^|]*\\|[ \\t]*(?:sh|bash|zsh)\\b"
    paths:
      include:
        - "*.sh"
        - "*.zsh"

  - id: agent-kit.python.subprocess-shell-true
    languages: [python]
    message: Avoid shell=True in subprocess calls; prefer an argv list without a shell.
    severity: ERROR
    pattern-either:
      - pattern: subprocess.$F(..., shell=True, ...)
      - pattern: subprocess.$F(..., shell=True)
      - pattern: subprocess.$F(shell=True, ...)
      - pattern: subprocess.$F(shell=True)
    paths:
      include:
        - "*.py"

  - id: agent-kit.python.os-system
    languages: [python]
    message: Avoid os.system; prefer subprocess with an argv list.
    severity: WARNING
    pattern: os.system(...)
    paths:
      include:
        - "*.py"

  - id: agent-kit.python.eval-exec
    languages: [python]
    message: Avoid eval/exec; prefer safer parsing or explicit code paths.
    severity: WARNING
    pattern-either:
      - pattern: eval(...)
      - pattern: exec(...)
    paths:
      include:
        - "*.py"