clawsec 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +560 -0
- package/dist/bin/clawsec.d.ts +7 -0
- package/dist/bin/clawsec.d.ts.map +1 -0
- package/dist/bin/clawsec.js +12 -0
- package/dist/bin/clawsec.js.map +1 -0
- package/dist/src/actions/block.d.ts +22 -0
- package/dist/src/actions/block.d.ts.map +1 -0
- package/dist/src/actions/block.js +83 -0
- package/dist/src/actions/block.js.map +1 -0
- package/dist/src/actions/confirm.d.ts +35 -0
- package/dist/src/actions/confirm.d.ts.map +1 -0
- package/dist/src/actions/confirm.js +156 -0
- package/dist/src/actions/confirm.js.map +1 -0
- package/dist/src/actions/executor.d.ts +64 -0
- package/dist/src/actions/executor.d.ts.map +1 -0
- package/dist/src/actions/executor.js +114 -0
- package/dist/src/actions/executor.js.map +1 -0
- package/dist/src/actions/index.d.ts +13 -0
- package/dist/src/actions/index.d.ts.map +1 -0
- package/dist/src/actions/index.js +15 -0
- package/dist/src/actions/index.js.map +1 -0
- package/dist/src/actions/log.d.ts +19 -0
- package/dist/src/actions/log.d.ts.map +1 -0
- package/dist/src/actions/log.js +63 -0
- package/dist/src/actions/log.js.map +1 -0
- package/dist/src/actions/types.d.ts +85 -0
- package/dist/src/actions/types.d.ts.map +1 -0
- package/dist/src/actions/types.js +78 -0
- package/dist/src/actions/types.js.map +1 -0
- package/dist/src/actions/warn.d.ts +22 -0
- package/dist/src/actions/warn.d.ts.map +1 -0
- package/dist/src/actions/warn.js +84 -0
- package/dist/src/actions/warn.js.map +1 -0
- package/dist/src/approval/agent-confirm.d.ts +104 -0
- package/dist/src/approval/agent-confirm.d.ts.map +1 -0
- package/dist/src/approval/agent-confirm.js +173 -0
- package/dist/src/approval/agent-confirm.js.map +1 -0
- package/dist/src/approval/index.d.ts +14 -0
- package/dist/src/approval/index.d.ts.map +1 -0
- package/dist/src/approval/index.js +9 -0
- package/dist/src/approval/index.js.map +1 -0
- package/dist/src/approval/native.d.ts +56 -0
- package/dist/src/approval/native.d.ts.map +1 -0
- package/dist/src/approval/native.js +196 -0
- package/dist/src/approval/native.js.map +1 -0
- package/dist/src/approval/store.d.ts +88 -0
- package/dist/src/approval/store.d.ts.map +1 -0
- package/dist/src/approval/store.js +192 -0
- package/dist/src/approval/store.js.map +1 -0
- package/dist/src/approval/types.d.ts +119 -0
- package/dist/src/approval/types.d.ts.map +1 -0
- package/dist/src/approval/types.js +6 -0
- package/dist/src/approval/types.js.map +1 -0
- package/dist/src/approval/webhook.d.ts +170 -0
- package/dist/src/approval/webhook.d.ts.map +1 -0
- package/dist/src/approval/webhook.js +362 -0
- package/dist/src/approval/webhook.js.map +1 -0
- package/dist/src/cli/commands/audit.d.ts +43 -0
- package/dist/src/cli/commands/audit.d.ts.map +1 -0
- package/dist/src/cli/commands/audit.js +115 -0
- package/dist/src/cli/commands/audit.js.map +1 -0
- package/dist/src/cli/commands/feedback.d.ts +27 -0
- package/dist/src/cli/commands/feedback.d.ts.map +1 -0
- package/dist/src/cli/commands/feedback.js +228 -0
- package/dist/src/cli/commands/feedback.js.map +1 -0
- package/dist/src/cli/commands/index.d.ts +11 -0
- package/dist/src/cli/commands/index.d.ts.map +1 -0
- package/dist/src/cli/commands/index.js +13 -0
- package/dist/src/cli/commands/index.js.map +1 -0
- package/dist/src/cli/commands/status.d.ts +20 -0
- package/dist/src/cli/commands/status.d.ts.map +1 -0
- package/dist/src/cli/commands/status.js +122 -0
- package/dist/src/cli/commands/status.js.map +1 -0
- package/dist/src/cli/commands/test.d.ts +23 -0
- package/dist/src/cli/commands/test.d.ts.map +1 -0
- package/dist/src/cli/commands/test.js +134 -0
- package/dist/src/cli/commands/test.js.map +1 -0
- package/dist/src/cli/commands/types.d.ts +81 -0
- package/dist/src/cli/commands/types.d.ts.map +1 -0
- package/dist/src/cli/commands/types.js +6 -0
- package/dist/src/cli/commands/types.js.map +1 -0
- package/dist/src/cli/index.d.ts +17 -0
- package/dist/src/cli/index.d.ts.map +1 -0
- package/dist/src/cli/index.js +267 -0
- package/dist/src/cli/index.js.map +1 -0
- package/dist/src/config/defaults.d.ts +20 -0
- package/dist/src/config/defaults.d.ts.map +1 -0
- package/dist/src/config/defaults.js +123 -0
- package/dist/src/config/defaults.js.map +1 -0
- package/dist/src/config/index.d.ts +8 -0
- package/dist/src/config/index.d.ts.map +1 -0
- package/dist/src/config/index.js +41 -0
- package/dist/src/config/index.js.map +1 -0
- package/dist/src/config/loader.d.ts +99 -0
- package/dist/src/config/loader.d.ts.map +1 -0
- package/dist/src/config/loader.js +242 -0
- package/dist/src/config/loader.js.map +1 -0
- package/dist/src/config/schema.d.ts +627 -0
- package/dist/src/config/schema.d.ts.map +1 -0
- package/dist/src/config/schema.js +585 -0
- package/dist/src/config/schema.js.map +1 -0
- package/dist/src/detectors/destructive/cloud-detector.d.ts +51 -0
- package/dist/src/detectors/destructive/cloud-detector.d.ts.map +1 -0
- package/dist/src/detectors/destructive/cloud-detector.js +556 -0
- package/dist/src/detectors/destructive/cloud-detector.js.map +1 -0
- package/dist/src/detectors/destructive/code-detector.d.ts +59 -0
- package/dist/src/detectors/destructive/code-detector.d.ts.map +1 -0
- package/dist/src/detectors/destructive/code-detector.js +558 -0
- package/dist/src/detectors/destructive/code-detector.js.map +1 -0
- package/dist/src/detectors/destructive/index.d.ts +54 -0
- package/dist/src/detectors/destructive/index.d.ts.map +1 -0
- package/dist/src/detectors/destructive/index.js +168 -0
- package/dist/src/detectors/destructive/index.js.map +1 -0
- package/dist/src/detectors/destructive/shell-detector.d.ts +43 -0
- package/dist/src/detectors/destructive/shell-detector.d.ts.map +1 -0
- package/dist/src/detectors/destructive/shell-detector.js +302 -0
- package/dist/src/detectors/destructive/shell-detector.js.map +1 -0
- package/dist/src/detectors/destructive/types.d.ts +143 -0
- package/dist/src/detectors/destructive/types.d.ts.map +1 -0
- package/dist/src/detectors/destructive/types.js +6 -0
- package/dist/src/detectors/destructive/types.js.map +1 -0
- package/dist/src/detectors/exfiltration/cloud-detector.d.ts +51 -0
- package/dist/src/detectors/exfiltration/cloud-detector.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/cloud-detector.js +427 -0
- package/dist/src/detectors/exfiltration/cloud-detector.js.map +1 -0
- package/dist/src/detectors/exfiltration/http-detector.d.ts +47 -0
- package/dist/src/detectors/exfiltration/http-detector.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/http-detector.js +429 -0
- package/dist/src/detectors/exfiltration/http-detector.js.map +1 -0
- package/dist/src/detectors/exfiltration/index.d.ts +44 -0
- package/dist/src/detectors/exfiltration/index.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/index.js +118 -0
- package/dist/src/detectors/exfiltration/index.js.map +1 -0
- package/dist/src/detectors/exfiltration/network-detector.d.ts +55 -0
- package/dist/src/detectors/exfiltration/network-detector.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/network-detector.js +504 -0
- package/dist/src/detectors/exfiltration/network-detector.js.map +1 -0
- package/dist/src/detectors/exfiltration/types.d.ts +139 -0
- package/dist/src/detectors/exfiltration/types.d.ts.map +1 -0
- package/dist/src/detectors/exfiltration/types.js +6 -0
- package/dist/src/detectors/exfiltration/types.js.map +1 -0
- package/dist/src/detectors/purchase/domain-detector.d.ts +44 -0
- package/dist/src/detectors/purchase/domain-detector.d.ts.map +1 -0
- package/dist/src/detectors/purchase/domain-detector.js +296 -0
- package/dist/src/detectors/purchase/domain-detector.js.map +1 -0
- package/dist/src/detectors/purchase/form-detector.d.ts +27 -0
- package/dist/src/detectors/purchase/form-detector.d.ts.map +1 -0
- package/dist/src/detectors/purchase/form-detector.js +344 -0
- package/dist/src/detectors/purchase/form-detector.js.map +1 -0
- package/dist/src/detectors/purchase/index.d.ts +65 -0
- package/dist/src/detectors/purchase/index.d.ts.map +1 -0
- package/dist/src/detectors/purchase/index.js +216 -0
- package/dist/src/detectors/purchase/index.js.map +1 -0
- package/dist/src/detectors/purchase/spend-tracker.d.ts +132 -0
- package/dist/src/detectors/purchase/spend-tracker.d.ts.map +1 -0
- package/dist/src/detectors/purchase/spend-tracker.js +313 -0
- package/dist/src/detectors/purchase/spend-tracker.js.map +1 -0
- package/dist/src/detectors/purchase/types.d.ts +139 -0
- package/dist/src/detectors/purchase/types.d.ts.map +1 -0
- package/dist/src/detectors/purchase/types.js +6 -0
- package/dist/src/detectors/purchase/types.js.map +1 -0
- package/dist/src/detectors/purchase/url-detector.d.ts +31 -0
- package/dist/src/detectors/purchase/url-detector.d.ts.map +1 -0
- package/dist/src/detectors/purchase/url-detector.js +292 -0
- package/dist/src/detectors/purchase/url-detector.js.map +1 -0
- package/dist/src/detectors/secrets/api-key-detector.d.ts +30 -0
- package/dist/src/detectors/secrets/api-key-detector.d.ts.map +1 -0
- package/dist/src/detectors/secrets/api-key-detector.js +297 -0
- package/dist/src/detectors/secrets/api-key-detector.js.map +1 -0
- package/dist/src/detectors/secrets/index.d.ts +43 -0
- package/dist/src/detectors/secrets/index.d.ts.map +1 -0
- package/dist/src/detectors/secrets/index.js +261 -0
- package/dist/src/detectors/secrets/index.js.map +1 -0
- package/dist/src/detectors/secrets/pii-detector.d.ts +54 -0
- package/dist/src/detectors/secrets/pii-detector.d.ts.map +1 -0
- package/dist/src/detectors/secrets/pii-detector.js +286 -0
- package/dist/src/detectors/secrets/pii-detector.js.map +1 -0
- package/dist/src/detectors/secrets/token-detector.d.ts +51 -0
- package/dist/src/detectors/secrets/token-detector.d.ts.map +1 -0
- package/dist/src/detectors/secrets/token-detector.js +233 -0
- package/dist/src/detectors/secrets/token-detector.js.map +1 -0
- package/dist/src/detectors/secrets/types.d.ts +157 -0
- package/dist/src/detectors/secrets/types.d.ts.map +1 -0
- package/dist/src/detectors/secrets/types.js +6 -0
- package/dist/src/detectors/secrets/types.js.map +1 -0
- package/dist/src/detectors/website/category-detector.d.ts +22 -0
- package/dist/src/detectors/website/category-detector.d.ts.map +1 -0
- package/dist/src/detectors/website/category-detector.js +162 -0
- package/dist/src/detectors/website/category-detector.js.map +1 -0
- package/dist/src/detectors/website/index.d.ts +53 -0
- package/dist/src/detectors/website/index.d.ts.map +1 -0
- package/dist/src/detectors/website/index.js +232 -0
- package/dist/src/detectors/website/index.js.map +1 -0
- package/dist/src/detectors/website/pattern-matcher.d.ts +33 -0
- package/dist/src/detectors/website/pattern-matcher.d.ts.map +1 -0
- package/dist/src/detectors/website/pattern-matcher.js +121 -0
- package/dist/src/detectors/website/pattern-matcher.js.map +1 -0
- package/dist/src/detectors/website/types.d.ts +105 -0
- package/dist/src/detectors/website/types.d.ts.map +1 -0
- package/dist/src/detectors/website/types.js +6 -0
- package/dist/src/detectors/website/types.js.map +1 -0
- package/dist/src/engine/analyzer.d.ts +87 -0
- package/dist/src/engine/analyzer.d.ts.map +1 -0
- package/dist/src/engine/analyzer.js +427 -0
- package/dist/src/engine/analyzer.js.map +1 -0
- package/dist/src/engine/cache.d.ts +80 -0
- package/dist/src/engine/cache.d.ts.map +1 -0
- package/dist/src/engine/cache.js +167 -0
- package/dist/src/engine/cache.js.map +1 -0
- package/dist/src/engine/index.d.ts +11 -0
- package/dist/src/engine/index.d.ts.map +1 -0
- package/dist/src/engine/index.js +11 -0
- package/dist/src/engine/index.js.map +1 -0
- package/dist/src/engine/llm-client.d.ts +210 -0
- package/dist/src/engine/llm-client.d.ts.map +1 -0
- package/dist/src/engine/llm-client.js +506 -0
- package/dist/src/engine/llm-client.js.map +1 -0
- package/dist/src/engine/types.d.ts +163 -0
- package/dist/src/engine/types.d.ts.map +1 -0
- package/dist/src/engine/types.js +21 -0
- package/dist/src/engine/types.js.map +1 -0
- package/dist/src/feedback/index.d.ts +9 -0
- package/dist/src/feedback/index.d.ts.map +1 -0
- package/dist/src/feedback/index.js +8 -0
- package/dist/src/feedback/index.js.map +1 -0
- package/dist/src/feedback/learner.d.ts +222 -0
- package/dist/src/feedback/learner.d.ts.map +1 -0
- package/dist/src/feedback/learner.js +401 -0
- package/dist/src/feedback/learner.js.map +1 -0
- package/dist/src/feedback/store.d.ts +113 -0
- package/dist/src/feedback/store.d.ts.map +1 -0
- package/dist/src/feedback/store.js +228 -0
- package/dist/src/feedback/store.js.map +1 -0
- package/dist/src/feedback/types.d.ts +126 -0
- package/dist/src/feedback/types.d.ts.map +1 -0
- package/dist/src/feedback/types.js +6 -0
- package/dist/src/feedback/types.js.map +1 -0
- package/dist/src/hooks/before-agent-start/handler.d.ts +37 -0
- package/dist/src/hooks/before-agent-start/handler.d.ts.map +1 -0
- package/dist/src/hooks/before-agent-start/handler.js +109 -0
- package/dist/src/hooks/before-agent-start/handler.js.map +1 -0
- package/dist/src/hooks/before-agent-start/index.d.ts +8 -0
- package/dist/src/hooks/before-agent-start/index.d.ts.map +1 -0
- package/dist/src/hooks/before-agent-start/index.js +7 -0
- package/dist/src/hooks/before-agent-start/index.js.map +1 -0
- package/dist/src/hooks/before-agent-start/prompts.d.ts +48 -0
- package/dist/src/hooks/before-agent-start/prompts.d.ts.map +1 -0
- package/dist/src/hooks/before-agent-start/prompts.js +103 -0
- package/dist/src/hooks/before-agent-start/prompts.js.map +1 -0
- package/dist/src/hooks/before-tool-call/handler.d.ts +42 -0
- package/dist/src/hooks/before-tool-call/handler.d.ts.map +1 -0
- package/dist/src/hooks/before-tool-call/handler.js +226 -0
- package/dist/src/hooks/before-tool-call/handler.js.map +1 -0
- package/dist/src/hooks/before-tool-call/index.d.ts +7 -0
- package/dist/src/hooks/before-tool-call/index.d.ts.map +1 -0
- package/dist/src/hooks/before-tool-call/index.js +6 -0
- package/dist/src/hooks/before-tool-call/index.js.map +1 -0
- package/dist/src/hooks/tool-result-persist/filter.d.ts +72 -0
- package/dist/src/hooks/tool-result-persist/filter.d.ts.map +1 -0
- package/dist/src/hooks/tool-result-persist/filter.js +305 -0
- package/dist/src/hooks/tool-result-persist/filter.js.map +1 -0
- package/dist/src/hooks/tool-result-persist/handler.d.ts +49 -0
- package/dist/src/hooks/tool-result-persist/handler.d.ts.map +1 -0
- package/dist/src/hooks/tool-result-persist/handler.js +217 -0
- package/dist/src/hooks/tool-result-persist/handler.js.map +1 -0
- package/dist/src/hooks/tool-result-persist/index.d.ts +11 -0
- package/dist/src/hooks/tool-result-persist/index.d.ts.map +1 -0
- package/dist/src/hooks/tool-result-persist/index.js +11 -0
- package/dist/src/hooks/tool-result-persist/index.js.map +1 -0
- package/dist/src/index.d.ts +256 -0
- package/dist/src/index.d.ts.map +1 -0
- package/dist/src/index.js +222 -0
- package/dist/src/index.js.map +1 -0
- package/dist/src/notifications/discord.d.ts +10 -0
- package/dist/src/notifications/discord.d.ts.map +1 -0
- package/dist/src/notifications/discord.js +218 -0
- package/dist/src/notifications/discord.js.map +1 -0
- package/dist/src/notifications/index.d.ts +37 -0
- package/dist/src/notifications/index.d.ts.map +1 -0
- package/dist/src/notifications/index.js +68 -0
- package/dist/src/notifications/index.js.map +1 -0
- package/dist/src/notifications/slack.d.ts +10 -0
- package/dist/src/notifications/slack.d.ts.map +1 -0
- package/dist/src/notifications/slack.js +218 -0
- package/dist/src/notifications/slack.js.map +1 -0
- package/dist/src/notifications/telegram.d.ts +10 -0
- package/dist/src/notifications/telegram.d.ts.map +1 -0
- package/dist/src/notifications/telegram.js +242 -0
- package/dist/src/notifications/telegram.js.map +1 -0
- package/dist/src/notifications/types.d.ts +119 -0
- package/dist/src/notifications/types.d.ts.map +1 -0
- package/dist/src/notifications/types.js +6 -0
- package/dist/src/notifications/types.js.map +1 -0
- package/dist/src/proxy/index.d.ts +8 -0
- package/dist/src/proxy/index.d.ts.map +1 -0
- package/dist/src/proxy/index.js +9 -0
- package/dist/src/proxy/index.js.map +1 -0
- package/dist/src/proxy/middleware.d.ts +55 -0
- package/dist/src/proxy/middleware.d.ts.map +1 -0
- package/dist/src/proxy/middleware.js +215 -0
- package/dist/src/proxy/middleware.js.map +1 -0
- package/dist/src/proxy/server.d.ts +57 -0
- package/dist/src/proxy/server.d.ts.map +1 -0
- package/dist/src/proxy/server.js +298 -0
- package/dist/src/proxy/server.js.map +1 -0
- package/dist/src/proxy/types.d.ts +136 -0
- package/dist/src/proxy/types.d.ts.map +1 -0
- package/dist/src/proxy/types.js +6 -0
- package/dist/src/proxy/types.js.map +1 -0
- package/dist/src/sanitization/index.d.ts +10 -0
- package/dist/src/sanitization/index.d.ts.map +1 -0
- package/dist/src/sanitization/index.js +9 -0
- package/dist/src/sanitization/index.js.map +1 -0
- package/dist/src/sanitization/patterns.d.ts +51 -0
- package/dist/src/sanitization/patterns.d.ts.map +1 -0
- package/dist/src/sanitization/patterns.js +266 -0
- package/dist/src/sanitization/patterns.js.map +1 -0
- package/dist/src/sanitization/scanner.d.ts +29 -0
- package/dist/src/sanitization/scanner.d.ts.map +1 -0
- package/dist/src/sanitization/scanner.js +328 -0
- package/dist/src/sanitization/scanner.js.map +1 -0
- package/dist/src/sanitization/types.d.ts +57 -0
- package/dist/src/sanitization/types.d.ts.map +1 -0
- package/dist/src/sanitization/types.js +5 -0
- package/dist/src/sanitization/types.js.map +1 -0
- package/openclaw.plugin.json +114 -0
- package/package.json +63 -0
- package/rules/builtin/README.md +139 -0
- package/rules/builtin/ai-services.yaml +70 -0
- package/rules/builtin/api-keys.yaml +64 -0
- package/rules/builtin/authentication.yaml +56 -0
- package/rules/builtin/aws-security.yaml +57 -0
- package/rules/builtin/azure-security.yaml +58 -0
- package/rules/builtin/cicd-security.yaml +64 -0
- package/rules/builtin/cloud-storage.yaml +64 -0
- package/rules/builtin/container-registry.yaml +55 -0
- package/rules/builtin/crypto-wallets.yaml +71 -0
- package/rules/builtin/database-nosql.yaml +58 -0
- package/rules/builtin/database-sql.yaml +62 -0
- package/rules/builtin/development-env.yaml +67 -0
- package/rules/builtin/docker.yaml +57 -0
- package/rules/builtin/filesystem.yaml +71 -0
- package/rules/builtin/financial-pci.yaml +61 -0
- package/rules/builtin/gcp-security.yaml +57 -0
- package/rules/builtin/git-operations.yaml +68 -0
- package/rules/builtin/healthcare-hipaa.yaml +64 -0
- package/rules/builtin/kubernetes.yaml +60 -0
- package/rules/builtin/messaging-services.yaml +53 -0
- package/rules/builtin/minimal.yaml +47 -0
- package/rules/builtin/mobile-development.yaml +61 -0
- package/rules/builtin/monitoring.yaml +63 -0
- package/rules/builtin/network-security.yaml +57 -0
- package/rules/builtin/package-managers.yaml +74 -0
- package/rules/builtin/payment-processing.yaml +66 -0
- package/rules/builtin/pii-protection.yaml +48 -0
- package/rules/builtin/production-strict.yaml +55 -0
- package/rules/builtin/secrets-management.yaml +63 -0
- package/rules/builtin/serverless.yaml +74 -0
- package/rules/builtin/ssh-security.yaml +66 -0
- package/rules/builtin/terraform.yaml +51 -0
- package/rules/builtin/web-security.yaml +62 -0
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
# Terraform Security Rules
|
|
2
|
+
# Protects against dangerous Terraform operations
|
|
3
|
+
|
|
4
|
+
name: terraform
|
|
5
|
+
description: Prevents destructive Terraform operations
|
|
6
|
+
version: "1.0"
|
|
7
|
+
|
|
8
|
+
rules:
|
|
9
|
+
destructive:
|
|
10
|
+
enabled: true
|
|
11
|
+
severity: critical
|
|
12
|
+
action: confirm
|
|
13
|
+
cloud:
|
|
14
|
+
enabled: true
|
|
15
|
+
patterns:
|
|
16
|
+
# Destroy operations
|
|
17
|
+
- "terraform destroy"
|
|
18
|
+
- "terraform destroy -auto-approve"
|
|
19
|
+
- "terraform apply -destroy"
|
|
20
|
+
|
|
21
|
+
# Forced replacements
|
|
22
|
+
- "terraform taint"
|
|
23
|
+
- "terraform apply -replace"
|
|
24
|
+
|
|
25
|
+
# State manipulation
|
|
26
|
+
- "terraform state rm"
|
|
27
|
+
- "terraform state mv"
|
|
28
|
+
- "terraform import"
|
|
29
|
+
- "terraform workspace delete"
|
|
30
|
+
|
|
31
|
+
# Force unlock
|
|
32
|
+
- "terraform force-unlock"
|
|
33
|
+
|
|
34
|
+
# OpenTofu equivalents
|
|
35
|
+
- "tofu destroy"
|
|
36
|
+
- "tofu destroy -auto-approve"
|
|
37
|
+
- "tofu state rm"
|
|
38
|
+
|
|
39
|
+
# Terragrunt
|
|
40
|
+
- "terragrunt destroy"
|
|
41
|
+
- "terragrunt destroy-all"
|
|
42
|
+
- "terragrunt run-all destroy"
|
|
43
|
+
|
|
44
|
+
secrets:
|
|
45
|
+
enabled: true
|
|
46
|
+
severity: critical
|
|
47
|
+
action: block
|
|
48
|
+
patterns:
|
|
49
|
+
- "TF_VAR_"
|
|
50
|
+
- "backend.*access_key"
|
|
51
|
+
- "backend.*secret_key"
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
# Web Application Security Rules
|
|
2
|
+
# Prevents common web security vulnerabilities
|
|
3
|
+
|
|
4
|
+
name: web-security
|
|
5
|
+
description: Security rules for web application development
|
|
6
|
+
version: "1.0"
|
|
7
|
+
|
|
8
|
+
rules:
|
|
9
|
+
sanitization:
|
|
10
|
+
enabled: true
|
|
11
|
+
severity: high
|
|
12
|
+
action: block
|
|
13
|
+
categories:
|
|
14
|
+
instructionOverride: true
|
|
15
|
+
systemLeak: true
|
|
16
|
+
jailbreak: true
|
|
17
|
+
encodedPayload: true
|
|
18
|
+
|
|
19
|
+
secrets:
|
|
20
|
+
enabled: true
|
|
21
|
+
severity: critical
|
|
22
|
+
action: block
|
|
23
|
+
patterns:
|
|
24
|
+
# Session secrets
|
|
25
|
+
- "SESSION_SECRET"
|
|
26
|
+
- "COOKIE_SECRET"
|
|
27
|
+
- "JWT_SECRET"
|
|
28
|
+
|
|
29
|
+
# CORS
|
|
30
|
+
- "ACCESS_CONTROL_ALLOW_ORIGIN.*\\*"
|
|
31
|
+
|
|
32
|
+
# Encryption keys
|
|
33
|
+
- "ENCRYPTION_KEY"
|
|
34
|
+
- "CRYPTO_KEY"
|
|
35
|
+
- "SECRET_KEY_BASE"
|
|
36
|
+
|
|
37
|
+
# OAuth
|
|
38
|
+
- "OAUTH_CLIENT_SECRET"
|
|
39
|
+
- "GOOGLE_CLIENT_SECRET"
|
|
40
|
+
- "FACEBOOK_APP_SECRET"
|
|
41
|
+
- "TWITTER_CONSUMER_SECRET"
|
|
42
|
+
|
|
43
|
+
# Database
|
|
44
|
+
- "DATABASE_URL"
|
|
45
|
+
- "MONGODB_URI"
|
|
46
|
+
- "REDIS_URL"
|
|
47
|
+
|
|
48
|
+
website:
|
|
49
|
+
enabled: true
|
|
50
|
+
mode: blocklist
|
|
51
|
+
severity: high
|
|
52
|
+
blocklist:
|
|
53
|
+
# Known malicious domains (examples)
|
|
54
|
+
- "*.malware.com"
|
|
55
|
+
- "*.phishing.com"
|
|
56
|
+
- "evil*.com"
|
|
57
|
+
|
|
58
|
+
# Common honeypot domains
|
|
59
|
+
- "*.local"
|
|
60
|
+
- "*.test"
|
|
61
|
+
- "localhost"
|
|
62
|
+
- "127.0.0.1"
|