Create rules/semgrep-ruleset-v1.yaml

rules/semgrep-ruleset-v1.yaml

@@ -0,0 +1,106 @@
+# rules/semgrep-ruleset-v1.yaml
+# Semgrep Ruleset v1 – Flask + FastAPI + Secrets + OWASP Mapping
+
+rules:
+# -------------------------------
+# A03:2021 – Injection (Command Injection)
+# -------------------------------
+- id: python.command-injection
+  languages: [python]
+  mode: taint
+  severity: ERROR
+  message: Untrusted input flows into command execution.
+
+  metadata:
+    owasp:
+      - A03:2021-Injection
+    cwe:
+      - CWE-78
+    category: command-injection
+    autofix: false
+
+  pattern-sources:
+    - pattern: flask.request.args[$X]
+    - pattern: flask.request.json[$X]
+    - pattern: fastapi.params.Query($X)
+    - pattern: fastapi.params.Body($X)
+    - pattern: sys.argv[$X]
+
+  pattern-sinks:
+    - pattern: subprocess.run($CMD, shell=True)
+    - pattern: subprocess.Popen($CMD, shell=True)
+    - pattern: os.system($CMD)
+
+  pattern-sanitizers:
+    - pattern: shlex.quote($X)
+
+# -------------------------------
+# A08:2021 – Software and Data Integrity Failures
+# -------------------------------
+- id: python.unsafe-deserialization
+  languages: [python]
+  mode: taint
+  severity: ERROR
+  message: Untrusted input reaches unsafe deserialization.
+
+  metadata:
+    owasp:
+      - A08:2021-Software_and_Data_Integrity_Failures
+    cwe:
+      - CWE-502
+    category: deserialization
+
+  pattern-sources:
+    - pattern: flask.request.data
+    - pattern: fastapi.params.Body($X)
+    - pattern: open($F).read()
+
+  pattern-sinks:
+    - pattern: pickle.loads($X)
+    - pattern: yaml.load($X)
+
+  pattern-sanitizers:
+    - pattern: yaml.safe_load($X)
+
+# -------------------------------
+# A05:2021 – Security Misconfiguration
+# -------------------------------
+- id: python.requests-without-timeout
+  languages: [python]
+  severity: WARNING
+  message: HTTP request without timeout can cause denial of service.
+
+  metadata:
+    owasp:
+      - A05:2021-Security_Misconfiguration
+    cwe:
+      - CWE-400
+    category: availability
+
+  pattern: requests.$METHOD(...)
+  metavariable-regex:
+    metavariable: $METHOD
+    regex: (get|post|put|delete|patch)
+  pattern-not: requests.$METHOD(..., timeout=...)
+
+# -------------------------------
+# A02:2021 – Cryptographic Failures
+# -------------------------------
+- id: python.hardcoded-secrets
+  languages: [python]
+  severity: ERROR
+  message: Potential hardcoded secret detected.
+
+  metadata:
+    owasp:
+      - A02:2021-Cryptographic_Failures
+    cwe:
+      - CWE-798
+    category: secrets
+
+  patterns:
+    - pattern: $X = "sk_live_..."
+    - pattern: $X = "hf_..."
+    - pattern: $X = "AKIA..."
+    - pattern: $X = "AIza..."
+``