clawsec 0.0.1

package/rules/builtin/README.md

@@ -0,0 +1,139 @@
+# Clawsec Built-in Rule Templates
+
+This directory contains pre-built security rule templates for common use cases. You can use these as starting points for your own security configurations.
+
+## Rule Templates
+
+### Cloud Providers
+| File | Description |
+|------|-------------|
+| `aws-security.yaml` | AWS operations protection (EC2, S3, IAM, RDS, etc.) |
+| `gcp-security.yaml` | Google Cloud operations protection |
+| `azure-security.yaml` | Azure operations protection |
+
+### Infrastructure
+| File | Description |
+|------|-------------|
+| `kubernetes.yaml` | Kubernetes cluster operations protection |
+| `docker.yaml` | Docker container and image operations |
+| `terraform.yaml` | Terraform/OpenTofu state and destroy operations |
+| `serverless.yaml` | Serverless function deployment protection |
+
+### Development
+| File | Description |
+|------|-------------|
+| `git-operations.yaml` | Git force push, reset, and history rewriting |
+| `cicd-security.yaml` | CI/CD pipeline secrets protection |
+| `package-managers.yaml` | NPM, PyPI, Cargo, and other package managers |
+| `mobile-development.yaml` | iOS/Android app signing and deployment |
+
+### Data & Databases
+| File | Description |
+|------|-------------|
+| `database-sql.yaml` | SQL database destructive operations |
+| `database-nosql.yaml` | NoSQL (MongoDB, Redis, etc.) operations |
+| `cloud-storage.yaml` | Cloud storage (S3, GCS, Azure Blob) protection |
+
+### Secrets & Credentials
+| File | Description |
+|------|-------------|
+| `api-keys.yaml` | Common API key patterns (OpenAI, GitHub, etc.) |
+| `authentication.yaml` | Auth tokens, JWTs, passwords |
+| `secrets-management.yaml` | Vault, AWS Secrets Manager, etc. |
+| `container-registry.yaml` | Docker Hub, ECR, GCR credentials |
+
+### Security & Compliance
+| File | Description |
+|------|-------------|
+| `pii-protection.yaml` | Personal identifiable information |
+| `healthcare-hipaa.yaml` | HIPAA-compliant healthcare rules |
+| `financial-pci.yaml` | PCI-DSS compliant financial rules |
+| `crypto-wallets.yaml` | Cryptocurrency wallet and exchange protection |
+
+### Network & Web
+| File | Description |
+|------|-------------|
+| `network-security.yaml` | Network-based attacks and exfiltration |
+| `web-security.yaml` | Web application security |
+| `ssh-security.yaml` | SSH credentials and tunneling |
+
+### Services
+| File | Description |
+|------|-------------|
+| `payment-processing.yaml` | Stripe, PayPal, payment gateway protection |
+| `messaging-services.yaml` | Slack, Discord, Telegram tokens |
+| `monitoring.yaml` | Datadog, New Relic, Sentry credentials |
+| `ai-services.yaml` | OpenAI, Anthropic, Hugging Face API keys |
+
+### Environment Presets
+| File | Description |
+|------|-------------|
+| `minimal.yaml` | Lightweight rules for trusted environments |
+| `development-env.yaml` | Balanced rules for development |
+| `production-strict.yaml` | Maximum security for production |
+| `filesystem.yaml` | Dangerous filesystem operations |
+
+## Usage
+
+### Reference in clawsec.yaml
+
+```yaml
+# clawsec.yaml
+version: "1.0"
+
+# Extend from a built-in template
+extends:
+  - builtin/aws-security
+  - builtin/pii-protection
+
+# Override specific settings
+rules:
+  purchase:
+    spendLimits:
+      perTransaction: 200
+```
+
+### Copy and Customize
+
+```bash
+# Copy a template to your project
+cp rules/builtin/production-strict.yaml clawsec.yaml
+
+# Edit to customize for your needs
+```
+
+## Creating Custom Rules
+
+Use these templates as references when creating your own rules. The structure includes:
+
+- `name`: Unique identifier for the rule set
+- `description`: Human-readable description
+- `version`: Template version
+- `rules`: Security rules configuration
+  - `destructive`: Dangerous operations (shell, cloud, code)
+  - `secrets`: Credential and secret patterns
+  - `website`: URL allowlist/blocklist
+  - `purchase`: Payment protection
+  - `exfiltration`: Data exfiltration patterns
+  - `sanitization`: Prompt injection protection
+
+## Contributing
+
+To add a new rule template:
+
+1. Create a YAML file in this directory
+2. Follow the naming convention: `category-subcategory.yaml`
+3. Include `name`, `description`, and `version` fields
+4. Add comprehensive patterns for the use case
+5. Update this README with the new template
+
+## Security Levels
+
+Templates use these severity and action combinations:
+
+| Environment | Severity | Action | Description |
+|-------------|----------|--------|-------------|
+| Production | critical | block | Maximum protection |
+| Staging | high | confirm | Requires approval |
+| Development | medium | warn | Logs warnings |
+| Testing | low | log | Silent audit |

package/rules/builtin/ai-services.yaml

@@ -0,0 +1,70 @@
+# AI Services Security Rules
+# Protects AI/ML service credentials
+
+name: ai-services
+description: Security rules for AI and ML services
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # OpenAI
+      - "sk-[a-zA-Z0-9]{48}"
+      - "sk-proj-[a-zA-Z0-9-_]{48,}"
+      - "OPENAI_API_KEY"
+      - "OPENAI_ORG_ID"
+
+      # Anthropic
+      - "sk-ant-[a-zA-Z0-9-]{40,}"
+      - "ANTHROPIC_API_KEY"
+
+      # Google AI (Gemini, PaLM)
+      - "GOOGLE_AI_API_KEY"
+      - "PALM_API_KEY"
+      - "GEMINI_API_KEY"
+
+      # Cohere
+      - "COHERE_API_KEY"
+
+      # Hugging Face
+      - "hf_[a-zA-Z0-9]{34}"
+      - "HUGGINGFACE_TOKEN"
+      - "HF_TOKEN"
+
+      # Replicate
+      - "REPLICATE_API_TOKEN"
+      - "r8_[a-zA-Z0-9]{40}"
+
+      # Stability AI
+      - "STABILITY_API_KEY"
+
+      # Midjourney
+      - "MIDJOURNEY_"
+
+      # ElevenLabs
+      - "ELEVENLABS_API_KEY"
+
+      # AssemblyAI
+      - "ASSEMBLYAI_API_KEY"
+
+      # Deepgram
+      - "DEEPGRAM_API_KEY"
+
+      # AWS Bedrock
+      - "bedrock:InvokeModel"
+
+      # Azure OpenAI
+      - "AZURE_OPENAI_API_KEY"
+      - "AZURE_OPENAI_ENDPOINT"
+
+  website:
+    enabled: true
+    mode: allowlist
+    allowlist:
+      - "api.openai.com"
+      - "api.anthropic.com"
+      - "api.cohere.ai"
+      - "api-inference.huggingface.co"

package/rules/builtin/api-keys.yaml

@@ -0,0 +1,64 @@
+# API Keys Security Rules
+# Detects and blocks exposure of various API keys
+
+name: api-keys
+description: Prevents exposure of API keys from popular services
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # OpenAI
+      - "sk-[a-zA-Z0-9]{48}"
+      - "sk-proj-[a-zA-Z0-9-_]{48,}"
+
+      # Anthropic
+      - "sk-ant-[a-zA-Z0-9-]{40,}"
+
+      # Google
+      - "AIza[0-9A-Za-z_-]{35}"
+      - "ya29\\.[0-9A-Za-z_-]+"
+
+      # GitHub
+      - "ghp_[a-zA-Z0-9]{36}"
+      - "gho_[a-zA-Z0-9]{36}"
+      - "ghu_[a-zA-Z0-9]{36}"
+      - "ghs_[a-zA-Z0-9]{36}"
+      - "ghr_[a-zA-Z0-9]{36}"
+
+      # Slack
+      - "xox[baprs]-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}"
+
+      # Twilio
+      - "SK[a-f0-9]{32}"
+      - "AC[a-f0-9]{32}"
+
+      # SendGrid
+      - "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}"
+
+      # Mailgun
+      - "key-[a-zA-Z0-9]{32}"
+
+      # NPM
+      - "npm_[a-zA-Z0-9]{36}"
+
+      # PyPI
+      - "pypi-AgEIcHlwaS5vcmc[a-zA-Z0-9-_]{50,}"
+
+      # Heroku
+      - "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}"
+
+      # Datadog
+      - "[a-f0-9]{32}"
+
+      # New Relic
+      - "NRAK-[A-Z0-9]{27}"
+
+      # Algolia
+      - "[a-f0-9]{32}"
+
+      # Firebase
+      - "AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}"

package/rules/builtin/authentication.yaml

@@ -0,0 +1,56 @@
+# Authentication Security Rules
+# Protects authentication credentials and tokens
+
+name: authentication
+description: Protects authentication credentials and sensitive tokens
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # JWT Tokens
+      - "eyJ[a-zA-Z0-9_-]*\\.eyJ[a-zA-Z0-9_-]*\\.[a-zA-Z0-9_-]*"
+
+      # API Keys (generic patterns)
+      - "api[_-]?key\\s*[:=]\\s*['\"]?[a-zA-Z0-9_-]{20,}['\"]?"
+      - "api[_-]?secret\\s*[:=]\\s*['\"]?[a-zA-Z0-9_-]{20,}['\"]?"
+
+      # OAuth tokens
+      - "access[_-]?token\\s*[:=]\\s*['\"]?[a-zA-Z0-9_-]{20,}['\"]?"
+      - "refresh[_-]?token\\s*[:=]\\s*['\"]?[a-zA-Z0-9_-]{20,}['\"]?"
+
+      # Session tokens
+      - "session[_-]?id\\s*[:=]\\s*['\"]?[a-zA-Z0-9_-]{20,}['\"]?"
+      - "PHPSESSID"
+      - "JSESSIONID"
+      - "ASP.NET_SessionId"
+
+      # Password patterns
+      - "password\\s*[:=]\\s*['\"]?[^\\s'\"]{8,}['\"]?"
+      - "passwd\\s*[:=]\\s*['\"]?[^\\s'\"]{8,}['\"]?"
+      - "pwd\\s*[:=]\\s*['\"]?[^\\s'\"]{8,}['\"]?"
+
+      # Private keys
+      - "-----BEGIN.*PRIVATE KEY-----"
+      - "-----BEGIN RSA PRIVATE KEY-----"
+      - "-----BEGIN EC PRIVATE KEY-----"
+      - "-----BEGIN OPENSSH PRIVATE KEY-----"
+
+      # SSH keys
+      - "ssh-rsa AAAA"
+      - "ssh-ed25519 AAAA"
+
+      # Bearer tokens
+      - "Bearer\\s+[a-zA-Z0-9_-]{20,}"
+      - "Authorization:\\s*Bearer"
+
+  exfiltration:
+    enabled: true
+    severity: high
+    action: block
+    patterns:
+      - "curl.*Authorization"
+      - "wget.*--header.*Authorization"

package/rules/builtin/aws-security.yaml

@@ -0,0 +1,57 @@
+# AWS Security Rules
+# Protects against dangerous AWS operations
+
+name: aws-security
+description: Prevents destructive AWS operations like instance termination and data deletion
+version: "1.0"
+
+rules:
+  destructive:
+    enabled: true
+    severity: critical
+    action: block
+    cloud:
+      enabled: true
+      patterns:
+        # EC2 Operations
+        - "aws ec2 terminate-instances"
+        - "aws ec2 delete-"
+        - "aws ec2 modify-instance-attribute --disable-api-termination false"
+
+        # S3 Operations
+        - "aws s3 rb --force"
+        - "aws s3 rm --recursive"
+        - "aws s3api delete-bucket"
+        - "aws s3api delete-objects"
+
+        # IAM Operations
+        - "aws iam delete-user"
+        - "aws iam delete-role"
+        - "aws iam delete-policy"
+        - "aws iam delete-access-key"
+
+        # RDS Operations
+        - "aws rds delete-db-instance"
+        - "aws rds delete-db-cluster"
+        - "aws rds delete-db-snapshot"
+
+        # Lambda Operations
+        - "aws lambda delete-function"
+        - "aws lambda delete-layer-version"
+
+        # CloudFormation
+        - "aws cloudformation delete-stack"
+
+        # EKS/ECS
+        - "aws eks delete-cluster"
+        - "aws ecs delete-cluster"
+        - "aws ecs delete-service"
+
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      - "AKIA[0-9A-Z]{16}"  # AWS Access Key ID
+      - "aws_secret_access_key"
+      - "AWS_SECRET_ACCESS_KEY"

package/rules/builtin/azure-security.yaml

@@ -0,0 +1,58 @@
+# Azure Security Rules
+# Protects against dangerous Azure operations
+
+name: azure-security
+description: Prevents destructive Azure operations
+version: "1.0"
+
+rules:
+  destructive:
+    enabled: true
+    severity: critical
+    action: block
+    cloud:
+      enabled: true
+      patterns:
+        # Virtual Machines
+        - "az vm delete"
+        - "az vm deallocate"
+        - "az vmss delete"
+
+        # Storage
+        - "az storage account delete"
+        - "az storage container delete"
+        - "az storage blob delete"
+        - "azcopy remove --recursive"
+
+        # Resource Groups
+        - "az group delete"
+
+        # Databases
+        - "az sql server delete"
+        - "az sql db delete"
+        - "az cosmosdb delete"
+        - "az postgres server delete"
+        - "az mysql server delete"
+
+        # AKS
+        - "az aks delete"
+        - "az aks nodepool delete"
+
+        # Functions
+        - "az functionapp delete"
+
+        # App Service
+        - "az webapp delete"
+
+        # Key Vault
+        - "az keyvault delete"
+        - "az keyvault secret delete"
+
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      - "AZURE_CLIENT_SECRET"
+      - "AZURE_TENANT_ID"
+      - "AZURE_SUBSCRIPTION_ID"

package/rules/builtin/cicd-security.yaml

@@ -0,0 +1,64 @@
+# CI/CD Security Rules
+# Protects CI/CD pipelines and related secrets
+
+name: cicd-security
+description: Security rules for CI/CD pipelines and automation
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # GitHub Actions
+      - "GITHUB_TOKEN"
+      - "ACTIONS_RUNTIME_TOKEN"
+      - "GITHUB_SHA"
+
+      # GitLab CI
+      - "CI_JOB_TOKEN"
+      - "CI_REGISTRY_PASSWORD"
+      - "GITLAB_TOKEN"
+      - "glpat-[a-zA-Z0-9-]{20}"
+
+      # Jenkins
+      - "JENKINS_API_TOKEN"
+      - "JENKINS_USER"
+
+      # CircleCI
+      - "CIRCLE_TOKEN"
+      - "CIRCLECI_TOKEN"
+
+      # Travis CI
+      - "TRAVIS_TOKEN"
+
+      # AWS CodeBuild
+      - "CODEBUILD_RESOLVED_SOURCE_VERSION"
+
+      # Azure DevOps
+      - "SYSTEM_ACCESSTOKEN"
+      - "AZURE_DEVOPS_EXT_PAT"
+
+      # Bitbucket
+      - "BITBUCKET_APP_PASSWORD"
+      - "BITBUCKET_CLONE_PASSWORD"
+
+      # Vercel
+      - "VERCEL_TOKEN"
+
+      # Netlify
+      - "NETLIFY_AUTH_TOKEN"
+
+      # Fly.io
+      - "FLY_API_TOKEN"
+
+  destructive:
+    enabled: true
+    severity: high
+    action: confirm
+    patterns:
+      - "gh workflow disable"
+      - "gh repo delete"
+      - "vercel remove"
+      - "netlify sites:delete"

package/rules/builtin/cloud-storage.yaml

@@ -0,0 +1,64 @@
+# Cloud Storage Security Rules
+# Protects cloud storage operations and credentials
+
+name: cloud-storage
+description: Security rules for cloud storage services
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # AWS S3
+      - "s3://.*access.*key"
+      - "AWS_ACCESS_KEY_ID"
+      - "AWS_SECRET_ACCESS_KEY"
+
+      # Google Cloud Storage
+      - "gs://.*credentials"
+      - "GOOGLE_CLOUD_KEYFILE"
+
+      # Azure Blob Storage
+      - "DefaultEndpointsProtocol=https;AccountName="
+      - "AZURE_STORAGE_CONNECTION_STRING"
+      - "AZURE_STORAGE_KEY"
+
+      # Cloudflare R2
+      - "CLOUDFLARE_R2_ACCESS_KEY"
+
+      # DigitalOcean Spaces
+      - "SPACES_ACCESS_KEY"
+      - "SPACES_SECRET_KEY"
+
+      # Backblaze B2
+      - "B2_APPLICATION_KEY"
+      - "B2_APPLICATION_KEY_ID"
+
+      # Wasabi
+      - "WASABI_ACCESS_KEY"
+
+  exfiltration:
+    enabled: true
+    severity: high
+    action: block
+    patterns:
+      # Upload to public buckets
+      - "aws s3 cp.*--acl public-read"
+      - "gsutil cp.*-a public-read"
+      - "aws s3 sync.*--acl public-read"
+
+      # Data transfer to external storage
+      - "rclone copy.*:"
+      - "rclone sync.*:"
+
+  destructive:
+    enabled: true
+    severity: critical
+    action: confirm
+    patterns:
+      - "aws s3 rm --recursive"
+      - "aws s3 rb --force"
+      - "gsutil rm -r"
+      - "az storage blob delete-batch"

package/rules/builtin/container-registry.yaml

@@ -0,0 +1,55 @@
+# Container Registry Security Rules
+# Protects container registry credentials and operations
+
+name: container-registry
+description: Security rules for container registries
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # Docker Hub
+      - "DOCKER_PASSWORD"
+      - "DOCKER_AUTH_CONFIG"
+      - "DOCKERHUB_TOKEN"
+
+      # AWS ECR
+      - "aws ecr get-login-password"
+      - "AWS_ECR_LOGIN_TOKEN"
+
+      # Google Container Registry
+      - "GCR_KEY"
+      - "_json_key"
+
+      # Azure Container Registry
+      - "ACR_PASSWORD"
+      - "AZURE_CONTAINER_REGISTRY_PASSWORD"
+
+      # GitHub Container Registry
+      - "GHCR_TOKEN"
+
+      # Quay.io
+      - "QUAY_TOKEN"
+      - "QUAY_PASSWORD"
+
+      # Harbor
+      - "HARBOR_PASSWORD"
+
+      # JFrog Artifactory
+      - "ARTIFACTORY_API_KEY"
+      - "JFROG_PASSWORD"
+
+  destructive:
+    enabled: true
+    severity: high
+    action: confirm
+    patterns:
+      # Image deletion
+      - "docker rmi.*:latest"
+      - "docker push.*:latest"
+      - "aws ecr batch-delete-image"
+      - "gcloud container images delete"
+      - "az acr repository delete"

package/rules/builtin/crypto-wallets.yaml

@@ -0,0 +1,71 @@
+# Cryptocurrency Wallet Security Rules
+# Protects cryptocurrency wallet credentials and operations
+
+name: crypto-wallets
+description: Security rules for cryptocurrency wallets and exchanges
+version: "1.0"
+
+rules:
+  secrets:
+    enabled: true
+    severity: critical
+    action: block
+    patterns:
+      # Private keys (Ethereum/Bitcoin hex format)
+      - "[0-9a-fA-F]{64}"
+
+      # Mnemonic seed phrases (12/24 words)
+      - "(?i)(abandon|ability|able|about|above).*(?:word|seed|mnemonic)"
+
+      # Wallet seed/private key mentions
+      - "(?i)private[_\\s-]?key\\s*[:=]"
+      - "(?i)seed[_\\s-]?phrase\\s*[:=]"
+      - "(?i)mnemonic\\s*[:=]"
+      - "(?i)secret[_\\s-]?key\\s*[:=]"
+
+      # Exchange API keys
+      # Binance
+      - "BINANCE_API_KEY"
+      - "BINANCE_SECRET"
+
+      # Coinbase
+      - "COINBASE_API_KEY"
+      - "COINBASE_SECRET"
+      - "CB_ACCESS_KEY"
+
+      # Kraken
+      - "KRAKEN_API_KEY"
+      - "KRAKEN_SECRET"
+
+      # FTX (historical)
+      - "FTX_API_KEY"
+
+      # Kucoin
+      - "KUCOIN_API_KEY"
+
+      # Metamask
+      - "METAMASK_"
+
+      # WalletConnect
+      - "WALLETCONNECT_"
+
+      # Infura
+      - "INFURA_API_KEY"
+      - "INFURA_PROJECT_ID"
+
+      # Alchemy
+      - "ALCHEMY_API_KEY"
+
+  purchase:
+    enabled: true
+    severity: critical
+    action: block
+    domains:
+      mode: blocklist
+      blocklist:
+        - "*.binance.com"
+        - "*.coinbase.com"
+        - "*.kraken.com"
+        - "*.kucoin.com"
+        - "*.crypto.com"
+        - "*.gemini.com"