npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/unified/cwe-798/zm-cs-cwe798-hardcoded-creds.yaml ADDED Viewed

@@ -0,0 +1,107 @@
+# Source: common | Cluster: N/A
+# CWE-798: C# 硬编码凭据检测规则
+# 逐码 ZhuMa V4.3 — C# 规则库
+#
+# 检测 .NET 源代码中硬编码的密码、API 密钥、连接字符串和令牌。
+rules:
+# ZM-CS-CWE798-001: 硬编码密码/密钥字符串
+- id: zm-cs-cwe798-hardcoded-creds-001
+  severity: ERROR
+  message: |
+    检测到类变量/常量中硬编码了凭据（密码、API密钥、Token、连接字符串）。
+    硬编码凭据会随源代码提交到版本控制系统，一旦仓库公开或内部泄露，
+    攻击者可获取数据库、云服务等敏感系统的访问权限。
+    修复方案：
+    - 使用环境变量: Environment.GetEnvironmentVariable("DB_PASSWORD")
+    - 使用 .NET Secret Manager（开发环境）: dotnet user-secrets
+    - 使用 Azure Key Vault / AWS Secrets Manager
+    - 使用 appsettings.json + Azure App Configuration
+    - 通过 CI/CD 部署时注入凭据，禁止写入源码
+    - 对已泄漏的硬编码凭据立即轮换
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: |
+        $PASSWORD = $VAL;
+    - pattern: |
+        $APIKEY = $VAL;
+    - pattern: |
+        $SECRET = $VAL;
+    - pattern: |
+        $TOKEN = $VAL;
+    - pattern: |
+        $ACCESSKEY = $VAL;
+    - pattern: |
+        $PRIVATEKEY = $VAL;
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    category: security
+    precision: low
+    references:
+      - "https://cwe.mitre.org/data/definitions/798.html"
+      - "https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets"
+# ZM-CS-CWE798-002: 硬编码连接字符串
+- id: zm-cs-cwe798-hardcoded-creds-002
+  severity: ERROR
+  message: |
+    检测到源代码中硬编码了数据库连接字符串，包含服务器地址、用户名和密码。
+    连接字符串泄露可导致攻击者直接访问数据库，造成数据泄露或破坏。
+    修复方案：
+    - 从 appsettings.json 读取并配合 User Secrets/Azure Key Vault
+    - 使用 Windows 集成身份验证 (Integrated Security=True) 避免密码
+    - 使用托管标识 (Managed Identity) 连接 Azure SQL 等服务
+    - 加密配置节: aspnet_regiis -pef "connectionStrings"
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: |
+        $CONNECTIONSTRING = $VAL;
+    - pattern: |
+        $CONNSTR = $VAL;
+    - pattern: |
+        $SQLCONN = $VAL;
+    - pattern: |
+        $DSN = $VAL;
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    category: security
+    precision: low
+    references:
+      - "https://cwe.mitre.org/data/definitions/798.html"
+# ZM-CS-CWE798-003: 硬编码 JWT Token / 加密密钥
+- id: zm-cs-cwe798-hardcoded-creds-003
+  severity: ERROR
+  message: |
+    检测到源代码中硬编码了 JWT 签名密钥或加密密钥。
+    密钥泄露将允许攻击者伪造 JWT Token、解密敏感数据。
+    这是应用程序安全中最严重的配置错误之一。
+    修复方案：
+    - 使用 Azure Key Vault / AWS KMS 存储和定期轮换密钥
+    - 从环境变量或安全配置提供程序读取
+    - 实现密钥自动轮换机制
+    - 对已泄露的密钥立即轮换并吊销旧 Token
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: |
+        $SIGNKEY = $VAL;
+    - pattern: |
+        $ENCRYPTKEY = $VAL;
+    - pattern: |
+        $JWTKEY = $VAL;
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    category: security
+    precision: low
+    references:
+      - "https://cwe.mitre.org/data/definitions/798.html"

package/rules/unified/cwe-798/zm-go-cwe798-hardcoded-creds.yaml ADDED Viewed

@@ -0,0 +1,154 @@
+# Source: common | Cluster: N/A
+# CWE-798: Go 硬编码凭据检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: 常量/变量中硬编码密码、API密钥、Token、数据库连接串
+rules:
+# ZM-GO-HC-001: const 声明硬编码凭据
+- id: zm-go-hc-001
+  severity: ERROR
+  message: |
+    检测到 const 常量声明中硬编码了凭据（密码、API密钥、Token等）。
+    硬编码凭据会随代码提交到版本控制系统，一旦仓库公开或内部泄露，
+    攻击者可获取数据库、云服务等敏感系统的访问权限。
+    修复方案:
+    1. 使用环境变量: os.Getenv("DB_PASSWORD")
+    2. 使用密钥管理服务（Vault / AWS Secrets Manager / K8s Secrets）
+    3. 使用配置文件（.env）+ .gitignore 排除
+    4. 部署时由 CI/CD 注入凭据，禁止写入源码
+    5. 对已泄漏的硬编码凭据立即轮换
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        const $PASSWORD = "..."
+    - pattern: |
+        const $APIKEY = "..."
+    - pattern: |
+        const $SECRET = "..."
+    - pattern: |
+        const $TOKEN = "..."
+    - pattern: |
+        const $ACCESSKEY = "..."
+    - pattern: |
+        const $PRIVATEKEY = "..."
+    - pattern: |
+        const $DSN = "..."
+    - pattern: |
+        const $CONNSTR = "..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://cwe.mitre.org/data/definitions/798.html"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
+# ZM-GO-HC-002: var 声明硬编码凭据
+- id: zm-go-hc-002
+  severity: ERROR
+  message: |
+    检测到 var 变量声明中硬编码了凭据。
+    与 const 类似，var 声明的硬编码凭据同样会随代码提交暴露。
+    即使变量名使用了缩写（如 pwd、passwd、ak/sk），本质风险相同。
+    修复方案:
+    1. 使用环境变量或密钥管理服务
+    2. var password = os.Getenv("DB_PASSWORD")
+    3. 禁止在源码中留下任何形式的明文凭据
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        var $PASSWORD = "..."
+    - pattern: |
+        var $APIKEY = "..."
+    - pattern: |
+        var $SECRET = "..."
+    - pattern: |
+        var $TOKEN = "..."
+    - pattern: |
+        var $ACCESSKEY = "..."
+    - pattern: |
+        var $PRIVATEKEY = "..."
+    - pattern: |
+        var $DSN = "..."
+    - pattern: |
+        var $CONNSTR = "..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+# ZM-GO-HC-003: 短赋值硬编码凭据
+- id: zm-go-hc-003
+  severity: ERROR
+  message: |
+    检测到短变量声明（:=）中硬编码了凭据字符串。
+    常见场景: apiKey := "sk-xxx..." / password := "admin123" 等。
+    这些凭据会随Git历史永久留存。
+    修复方案:
+    1. 使用 os.Getenv() 从环境变量读取
+    2. 使用 viper/koanf 从配置文件读取并排除 .gitignore
+    3. 使用密钥管理服务（KMS）动态获取
+  languages:
+    - go
+  pattern-either:
+    - pattern: $PASSWORD := "..."
+    - pattern: $APIKEY := "..."
+    - pattern: $SECRET := "..."
+    - pattern: $TOKEN := "..."
+    - pattern: $ACCESSKEY := "..."
+    - pattern: $PRIVATEKEY := "..."
+    - pattern: $DSN := "..."
+    - pattern: $CONNSTR := "..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+# ZM-GO-HC-004: 赋值语句硬编码凭据
+- id: zm-go-hc-004
+  severity: WARNING
+  message: |
+    检测到赋值语句中将字面量字符串赋给类凭据变量名。
+    包括 db.ConnString / client.Secret / config.Token 等间接凭据暴露。
+    修复方案:
+    1. 从外部配置中心/环境变量读取
+    2. 使用结构体标签 + viper 绑定配置项
+    3. 代码审查确认为测试 mock 数据则标记为误报
+  languages:
+    - go
+  pattern-either:
+    - pattern: $OBJ.Password = "..."
+    - pattern: $OBJ.ApiKey = "..."
+    - pattern: $OBJ.Secret = "..."
+    - pattern: $OBJ.Token = "..."
+    - pattern: $OBJ.AccessKey = "..."
+    - pattern: $OBJ.PrivateKey = "..."
+    - pattern: $OBJ.DSN = "..."
+    - pattern: $OBJ.ConnString = "..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: WARNING
+    precision: medium
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"

package/rules/unified/cwe-798/zm-py-cwe798-framework-creds.yaml ADDED Viewed

@@ -0,0 +1,160 @@
+# Source: common | Cluster: N/A
+# CWE-798: Django / Flask 密钥和凭据硬编码检测
+# 逐码 ZhuMa V4.3 — Python 框架特化规则库
+# 检测: SECRET_KEY硬编码、ALLOWED_HOSTS通配符、数据库URL含凭证
+rules:
+# ZM-PY-DJANGO-HC-001: Django SECRET_KEY硬编码
+- id: zm-py-django-hardcoded-creds-001
+  severity: ERROR
+  message: |
+    检测到 Django settings.py 中硬编码了 SECRET_KEY。
+    SECRET_KEY 用于加密签名(CSRF Token、Session、密码重置Token等)，
+    泄露后攻击者可伪造所有签名数据，实现会话劫持和认证绕过。
+    修复方案:
+    1. 使用环境变量: SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')
+    2. 使用 django-environ 包: env('DJANGO_SECRET_KEY')
+    3. 开发环境使用随机生成: python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"
+    4. 确保.gitignore包含settings中的密钥文件
+  languages:
+    - python
+  patterns:
+    - pattern: SECRET_KEY = "$VALUE"
+    - metavariable-regex:
+        metavariable: $VALUE
+        regex: ^(?!os\.environ|env\()..+$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    framework: django
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://docs.djangoproject.com/en/stable/ref/settings/#secret-key"
+# ZM-PY-DJANGO-HC-002: ALLOWED_HOSTS通配符
+- id: zm-py-django-hardcoded-creds-002
+  severity: WARNING
+  message: |
+    检测到 Django ALLOWED_HOSTS 设置为 ['*'] 通配符。
+    这允许任何Host Header访问Django应用，攻击者可通过构造恶意Host Header
+    触发缓存投毒、密码重置邮件劫持等攻击。
+    修复方案:
+    1. 明确指定允许的域名: ALLOWED_HOSTS = ['example.com', 'www.example.com']
+    2. 使用环境变量配置: ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', '').split(',')
+    3. 生产环境绝对禁止使用 ['*']
+  languages:
+    - python
+  patterns:
+    - pattern: ALLOWED_HOSTS = ["*"]
+    - pattern: ALLOWED_HOSTS = ['*']
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: WARNING
+    precision: very-high
+    category: misconfiguration
+    framework: django
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A05:2021 - Security Misconfiguration"
+    references:
+      - "https://docs.djangoproject.com/en/stable/ref/settings/#allowed-hosts"
+# ZM-PY-DJANGO-HC-003: Flask SECRET_KEY硬编码
+- id: zm-py-flask-hardcoded-creds-001
+  severity: ERROR
+  message: |
+    检测到 Flask app.config['SECRET_KEY'] 硬编码了密钥。
+    Flask SECRET_KEY 用于签名Session Cookie，泄露后攻击者可伪造任意Session。
+    修复方案:
+    1. app.config['SECRET_KEY'] = os.environ.get('FLASK_SECRET_KEY') or os.urandom(24)
+    2. 使用 python-dotenv 从.env文件加载
+    3. 生产环境通过密钥管理服务注入
+  languages:
+    - python
+  pattern-either:
+    - pattern: 'app.config["SECRET_KEY"] = "$VALUE"'
+    - pattern: "app.config['SECRET_KEY'] = '$VALUE'"
+    - pattern: "app.secret_key = '$VALUE'"
+    - pattern: 'app.secret_key = "$VALUE"'
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    framework: flask
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://flask.palletsprojects.com/en/stable/config/#SECRET_KEY"
+# ZM-PY-CLOUD-HC-001: AWS/GCP/Azure 云凭据硬编码
+- id: zm-py-cloud-hardcoded-creds-001
+  severity: CRITICAL
+  message: |
+    检测到硬编码了 AWS Access Key、GCP Service Account Key 或 Azure 连接字符串。
+    云凭据泄露后攻击者可直接访问云资源(计算/存储/数据库)，造成严重安全事件。
+    修复方案:
+    1. 使用 IAM Role / Workload Identity 替代静态密钥
+    2. 使用环境变量: os.environ.get('AWS_ACCESS_KEY_ID')
+    3. 使用 SDK 默认凭证链(AWS CLI配置、实例元数据等)
+    4. 定期轮换密钥，启用 CloudTrail/审计日志监控
+  languages:
+    - python
+  patterns:
+    - pattern: $VAR = "$VALUE"
+    - metavariable-regex:
+        metavariable: $VAR
+        regex: ^(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|GCP_SERVICE_ACCOUNT_KEY|GOOGLE_APPLICATION_CREDENTIALS|AZURE_CONNECTION_STRING|AZURE_STORAGE_KEY|AZURE_CLIENT_SECRET)$
+    - metavariable-regex:
+        metavariable: $VALUE
+        regex: ^(?!(os\.environ|env\()).+$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: CRITICAL
+    precision: high
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html"
+# ZM-PY-CLOUD-HC-002: AKIA* Access Key 模式匹配
+- id: zm-py-cloud-hardcoded-creds-002
+  severity: CRITICAL
+  message: |
+    检测到字符串中包含 AWS Access Key ID 模式(AKIA开头)。
+    AWS IAM 访问密钥泄露后攻击者可完全控制对应权限的AWS资源。
+    修复方案:
+    1. 立即在AWS IAM控制台吊销泄露的Access Key
+    2. 使用IAM Role(EC2/Lambda)替代静态密钥
+    3. 使用aws-vault或类似工具管理本地密钥
+    4. 添加.gitignore规则屏蔽含密钥的配置文件
+  languages:
+    - python
+  patterns:
+    - pattern: $STR
+    - metavariable-regex:
+        metavariable: $STR
+        regex: ^"AKIA[A-Z0-9]{16}"$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: CRITICAL
+    precision: very-high
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"

package/rules/unified/cwe-798/zm-py-cwe798-hardcoded-creds.yaml ADDED Viewed

@@ -0,0 +1,87 @@
+# Source: common | Cluster: N/A
+# CWE-798: Python 硬编码凭证检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: 硬编码 API_KEY / password / token / secret / database URL 含凭证
+rules:
+# ZM-PY-HC-01: 硬编码 API_KEY / SECRET_KEY / TOKEN / PASSWORD
+- id: zm-py-hardcoded-creds-001
+  severity: ERROR
+  message: |
+    检测到变量赋值中硬编码了 API_KEY / SECRET_KEY / TOKEN / PASSWORD 等凭证字符串。
+    凭证泄露到代码仓库后攻击者可获取数据库/云服务/第三方 API 访问权限。
+    修复: 使用环境变量 os.environ.get("KEY") 或密钥管理服务（Vault/AWS Secrets Manager）存储凭证。
+  languages:
+    - python
+  patterns:
+    - pattern: $VAR = "..."
+    - metavariable-regex:
+        metavariable: $VAR
+        regex: ^(API_KEY|API_SECRET|SECRET_KEY|SECRET|TOKEN|PASSWORD|PASSWD|DB_PASSWORD|REDIS_PASSWORD|AWS_SECRET|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|ACCESS_KEY|ACCESS_KEY_ID|PRIVATE_KEY|AUTH_TOKEN|CLIENT_SECRET|APP_SECRET)$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+# ZM-PY-HC-02: 硬编码 Database URL 含凭证
+- id: zm-py-hardcoded-creds-002
+  severity: ERROR
+  message: |
+    检测到硬编码的数据库连接字符串包含用户名密码（如 mysql://user:pass@host/db）。
+    DB 凭证泄露到代码仓库可导致数据库遭未授权访问或数据泄露。
+    修复: 使用环境变量或配置中心存储 DB 连接字符串；代码中仅引用变量名。
+  languages:
+    - python
+  pattern-either:
+    - pattern: |
+        $DATABASE_URL = "mysql://...:...@..."
+    - pattern: |
+        $DATABASE_URL = "postgresql://...:...@..."
+    - pattern: |
+        $DATABASE_URL = "mongodb://...:...@..."
+    - pattern: |
+        $DATABASE_URL = "redis://...:...@..."
+    - pattern: |
+        $DB_URL = "mysql://...:...@..."
+    - pattern: |
+        $DB_URL = "postgresql://...:...@..."
+    - pattern: |
+        $SQLALCHEMY_DATABASE_URI = "mysql://...:...@..."
+    - pattern: |
+        $SQLALCHEMY_DATABASE_URI = "postgresql://...:...@..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: medium
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+# ZM-PY-HC-03: 硬编码 JWT_SECRET / 加密密钥
+- id: zm-py-hardcoded-creds-003
+  severity: ERROR
+  message: |
+    检测到硬编码的 JWT_SECRET / ENCRYPTION_KEY 等加密密钥。
+    密钥泄露后攻击者可伪造 JWT Token 或解密敏感数据。
+    修复: 通过环境变量或密钥管理服务注入密钥；定期轮换密钥。
+  languages:
+    - python
+  patterns:
+    - pattern: $VAR = "..."
+    - metavariable-regex:
+        metavariable: $VAR
+        regex: ^(JWT_SECRET|JWT_SECRET_KEY|ENCRYPTION_KEY|FERNET_KEY|AES_KEY|SECRET_KEY_BASE|SECRET_KEY|DJANGO_SECRET_KEY|FLASK_SECRET_KEY)$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"

package/rules/unified/cwe-798/zm-rust-cwe798-hardcoded-creds.yaml ADDED Viewed

@@ -0,0 +1,128 @@
+# Source: common | Cluster: N/A
+# CWE-798: Rust 硬编码凭证检测
+# 逐码 ZhuMa V4.3 — Rust 通用规则库
+# 检测: API_KEY/password/token/secret 字面量赋值
+rules:
+# ZM-RUST-HC-001: 硬编码 API_KEY / SECRET / TOKEN / PASSWORD
+- id: zm-rust-cwe798-hardcoded-creds-001
+  severity: ERROR
+  message: |
+    检测到硬编码的 API_KEY / SECRET / TOKEN / PASSWORD 等凭证字符串。
+    代码仓库中的凭证泄露后攻击者可获取 API、数据库或云服务访问权限。
+    修复方案:
+    1. 使用环境变量:
+       let api_key = std::env::var("API_KEY")
+           .expect("API_KEY environment variable not set");
+    2. 使用 dotenvy crate 加载 .env 文件（确保 .env 在 .gitignore 中）
+    3. 使用密钥管理服务（AWS Secrets Manager, HashiCorp Vault）
+    4. 配置文件中仅存储非敏感信息，凭证通过环境变量注入
+    5. 参考 RustSec 安全实践
+  languages:
+    - rust
+  patterns:
+    - pattern: let $VAR = "...";
+    - metavariable-regex:
+        metavariable: $VAR
+        regex: ^(API_KEY|API_SECRET|SECRET_KEY|SECRET|TOKEN|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|DATABASE_URL|DB_PASSWORD|REDIS_PASSWORD|JWT_SECRET|ENCRYPTION_KEY|AUTH_TOKEN|CLIENT_SECRET|APP_SECRET|PRIVATE_KEY|PASSWORD|PASSWD)$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: medium
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+# ZM-RUST-HC-002: const/static 硬编码凭证
+- id: zm-rust-cwe798-hardcoded-creds-002
+  severity: ERROR
+  message: |
+    检测到 const 或 static 常量中硬编码了凭证字符串。编译时常量中的
+    凭证会被嵌入二进制文件，可通过 strings 命令或反编译提取。
+    修复方案:
+    1. 不要在 const/static 中存储凭证
+    2. 使用运行时环境变量或配置文件注入
+    3. 使用 lazy_static 或 once_cell 从环境变量初始化
+  languages:
+    - rust
+  patterns:
+    - pattern: 'const $VAR: &str = "...";'
+    - metavariable-regex:
+        metavariable: $VAR
+        regex: ^(API_KEY|SECRET|TOKEN|PASSWORD|KEY)$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: LOW
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+# ZM-RUST-HC-003: 数据库 URL 含硬编码凭证
+- id: zm-rust-cwe798-hardcoded-creds-003
+  severity: ERROR
+  message: |
+    检测到数据库连接字符串中包含硬编码的用户名和密码
+    （如 postgres://user:pass@host/db, mysql://user:pass@host/db）。
+    修复方案:
+    1. 使用环境变量:
+       let database_url = std::env::var("DATABASE_URL")?;
+    2. 使用 dotenvy:
+       dotenvy::dotenv().ok();
+       let database_url = std::env::var("DATABASE_URL")?;
+    3. 确保 .env 文件不在版本控制中
+  languages:
+    - rust
+  pattern-either:
+    - pattern: |
+        let $VAR = "postgres://$USER:$PASS@$HOST/$DB"
+    - pattern: |
+        let $VAR = "mysql://$USER:$PASS@$HOST/$DB"
+    - pattern: |
+        let $VAR = "mongodb://$USER:$PASS@$HOST/$DB"
+    - pattern: |
+        let $VAR = "redis://$USER:$PASS@$HOST"
+    - pattern: |
+        let $VAR = "postgresql://$USER:$PASS@$HOST/$DB"
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: medium
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+# ZM-RUST-HC-004: 硬编码 JWT Secret / 签名密钥
+- id: zm-rust-cwe798-hardcoded-creds-004
+  severity: ERROR
+  message: |
+    检测到 JWT Secret 或签名密钥硬编码。攻击者获取密钥后
+    可伪造 JWT Token 绕过认证或提升权限。
+    修复方案:
+    1. 通过环境变量注入 JWT 密钥
+    2. 使用密钥管理服务
+    3. 定期轮换密钥
+    4. 使用非对称密钥（RS256/ES256）时应妥善保管私钥
+  languages:
+    - rust
+  patterns:
+    - pattern: let $VAR = "...";
+    - metavariable-regex:
+        metavariable: $VAR
+        regex: ^(JWT_SECRET|JWT_KEY|SIGNING_KEY|HMAC_KEY|ED25519_PRIVATE_KEY)$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"