Skip to content

feat: add Kilo Gastown methodology spec and SAST tooling #942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
KooshaPari wants to merge 13 commits into from
Closed

feat: add Kilo Gastown methodology spec and SAST tooling #942

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
0f98bcc
Add Kilo Gastown methodology spec
Mar 31, 2026
3d28883
docs: resolve merge conflict in KILO_GASTOWN_SPEC.md
claude Mar 31, 2026
f44d1fd
ci: add SAST tooling (semgrep, trufflehog)
Apr 1, 2026
fa9c9d5
chore: add governance baselines, rulesets, and update security workflow
Apr 2, 2026
07c09bc
Merge origin/main into feat/kilo-gastown-spec-and-sast
Apr 2, 2026
faafc4f
ci: refresh sast and pr readiness tooling
Apr 2, 2026
52b6035
ci: fix models catalog refresh path
Apr 2, 2026
b460bab
fix: unblock secret scan and codex executor syntax
Apr 2, 2026
576b830
ci: tighten quick sast to pr delta and fix gofmt debt
Apr 2, 2026
eac2d7f
fix(security): clear semgrep findings on pr diff
Apr 2, 2026
d530d80
ci: harden governance and security baselines
Apr 2, 2026
39ba5a3
feat: apply phenotype governance standards
Apr 2, 2026
d9cff8a
feat: apply governance standards
Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions .github/RULESET_BASELINE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# cliproxyapi-plusplus Ruleset Baseline

This repository now has a checked-in baseline that matches the repaired remote `Main` ruleset.

## Enforced Branch Protection Baseline

- require pull requests before merge on the default branch
- no branch deletion
- no force push / non-fast-forward updates
- require at least 1 approval
- dismiss stale approvals on new push
- require resolved review threads before merge
- allow merge methods: `merge`, `squash`
- enable GitHub `code_quality`
- enable GitHub `copilot_code_review`

## Repo-Local Governance Gates

The repo-local workflow set remains the main CI and policy contract:

- `policy-gate`
- `pr-path-guard`
- `pr-test-build`
- `required-check-names-guard`
- `quality-gate`
- `security-guard`
- `codeql`
- `sast-quick`
- `sast-full`

Current required check manifests:

- `.github/required-checks.txt`
- `.github/release-required-checks.txt`

Those manifests should drive the next remote ruleset wave once the stable job names are re-verified
against live workflow output.
Comment on lines +39 to +46
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify manifest files exist and check their contents

echo "=== Checking for manifest files ==="
for manifest in ".github/required-checks.txt" ".github/release-required-checks.txt"; do
  if [[ -f "$manifest" ]]; then
    echo -e "\n✓ Found: $manifest"
    echo "Contents:"
    cat "$manifest"
  else
    echo -e "\n✗ Missing: $manifest"
  fi
done

echo -e "\n=== Cross-checking documented workflows against manifests ==="
documented_workflows=("policy-gate" "pr-path-guard" "pr-test-build" "required-check-names-guard" "quality-gate" "security-guard" "codeql" "sast-quick" "sast-full")

for workflow in "${documented_workflows[@]}"; do
  if grep -q "$workflow" .github/required-checks.txt 2>/dev/null || grep -q "$workflow" .github/release-required-checks.txt 2>/dev/null; then
    echo "$workflow found in manifests"
  else
    echo "$workflow not found in manifests"
  fi
done

Repository: KooshaPari/cliproxyapi-plusplus

Length of output: 1151

Manifest files exist but are incomplete—most documented workflows are missing.

Both .github/required-checks.txt and .github/release-required-checks.txt exist, but the manifest contents significantly diverge from the documented workflow names (lines 21-29). The manifests currently list only pr-test-build and pr-path-guard, while 7 documented workflows are absent: policy-gate, required-check-names-guard, quality-gate, security-guard, codeql, sast-quick, and sast-full. These manifests must be updated to align with the documented workflows before they can reliably drive the next ruleset wave.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/RULESET_BASELINE.md around lines 31 - 37, The manifests
`.github/required-checks.txt` and `.github/release-required-checks.txt` only
list `pr-test-build` and `pr-path-guard` but are missing the documented workflow
names; update both manifest files to include the full set of documented checks
(`policy-gate`, `required-check-names-guard`, `quality-gate`, `security-guard`,
`codeql`, `sast-quick`, `sast-full`, plus the existing `pr-test-build` and
`pr-path-guard`) so the manifests match the workflows listed in lines 21-29 and
can reliably drive the next ruleset wave. Ensure the names exactly match the
workflow job names used in the repository (case-sensitive) and save both
`.github/required-checks.txt` and `.github/release-required-checks.txt`.


## Exception Policy

- only documented billing or quota failures may be excluded from blocking CI evaluation
- review threads and blocking comments must be resolved before merge
- PRs must not rely on local `--no-verify` bypasses instead of server-side checks
Comment thread
coderabbitai[bot] marked this conversation as resolved.
41 changes: 41 additions & 0 deletions .github/rulesets/main.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
{
"name": "Main",
"target": "branch",
"enforcement": "active",
"conditions": {
"ref_name": {
"include": ["~DEFAULT_BRANCH"],
"exclude": []
}
},
"bypass_actors": [],
"rules": [
{ "type": "deletion" },
{ "type": "non_fast_forward" },
{
"type": "pull_request",
"parameters": {
"required_approving_review_count": 1,
"dismiss_stale_reviews_on_push": true,
"required_reviewers": [],
"require_code_owner_review": false,
"require_last_push_approval": false,
"required_review_thread_resolution": true,
"allowed_merge_methods": ["merge", "squash"]
}
},
Comment thread
coderabbitai[bot] marked this conversation as resolved.
{
"type": "code_quality",
"parameters": {
"severity": "errors"
}
},
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
{
"type": "copilot_code_review",
"parameters": {
"review_on_push": true,
"review_draft_pull_requests": true
}
}
]
}
86 changes: 86 additions & 0 deletions .github/workflows/sast-full.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
name: SAST Full Analysis

on:
schedule:
- cron: "0 2 * * *"
workflow_dispatch:

permissions:
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

github/codeql-action/* typically requires actions: read permission (the existing codeql.yml includes it). sast-full.yml sets only contents: read and security-events: write, which may cause the CodeQL steps to fail with insufficient permissions in some repo/org settings.

Suggested change
permissions:
permissions:
actions: read

Copilot uses AI. Check for mistakes.
contents: read
security-events: write

jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
matrix:
language: [python, cpp, javascript]
Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeQL scans wrong languages, misses Go entirely

High Severity

The CodeQL language matrix is [python, cpp, javascript], but this is a Go repository (the go.mod declares module github.com/kooshapari/CLIProxyAPI/v7). The existing codeql.yml correctly targets [go]. This full SAST analysis will scan three languages that have no source files in the repo while completely missing the actual Go codebase — rendering the CodeQL job useless.

Fix in Cursor Fix in Web

steps:
- uses: actions/checkout@v4
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: CodeQL matrix missing Go language.

The matrix lists [python, cpp, javascript] but this is primarily a Go codebase (per cargo clippy in sast-quick.yml, the AGENTS.md build instructions, and the codebase structure). Without go in the matrix, CodeQL will not analyze the core Go code, making the full SAST scan incomplete for this repository.

Suggested change
- uses: actions/checkout@v4
language: [go, python, javascript]

Note: also removed cpp since this doesn't appear to be a C++ project. Adjust if there is C++ code present.


- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CodeQL matrix doesn’t include the repo’s primary language (Go) and includes cpp even though there are no C/C++ sources in the repository. Also, the repo already has a dedicated Go CodeQL workflow (.github/workflows/codeql.yml). Consider either extending the existing CodeQL workflow for additional languages present here (Go/Python/JS) or adjusting this job to scan the actual languages in the repo and avoid duplicating CodeQL uploads.

Copilot uses AI. Check for mistakes.

Comment on lines +23 to +30
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow uses CodeQL action v3 (github/codeql-action/*@v3), but the existing .github/workflows/codeql.yml uses v4 (see .github/workflows/codeql.yml:24-36). Aligning on a single major version reduces maintenance overhead and avoids behavioral differences across workflows.

Copilot uses AI. Check for mistakes.
trivy-repo:
name: Trivy Repository Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Using @master branch reference for trivy-action.

Pinning to a mutable branch (@master) introduces supply-chain risk and non-reproducible builds. If the upstream action is compromised or introduces breaking changes, your CI will silently adopt them.

Recommend pinning to a specific version tag or commit SHA:

      - uses: aquasecurity/trivy-action@v0.28.0

- uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-results.sarif
continue-on-error: true
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

aquasecurity/trivy-action@master and trufflesecurity/trufflehog@main are floating refs. For a security workflow, these should be pinned to a version tag or (ideally) a commit SHA to reduce supply-chain risk and ensure reproducible scans.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Trivy action is referenced from the moving @master branch. Pin to a version tag or commit SHA to avoid unexpected behavior changes and reduce supply-chain risk.

Copilot uses AI. Check for mistakes.

- name: Upload Trivy SARIF
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: trivy-results.sarif
category: trivy
Comment thread
coderabbitai[bot] marked this conversation as resolved.

full-semgrep:
name: Full Semgrep Analysis
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v4

- uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
p/cwe-top-25
.semgrep-rules/
generateSarif: true

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: semgrep.sarif
category: semgrep-full

full-secrets:
name: Full Secret Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- uses: trufflesecurity/trufflehog@main
with:
path: ./
extra_args: --only-verified --fail
continue-on-error: true
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as in the quick workflow: trufflehog is run with --fail but the step is continue-on-error: true, so verified secret findings won’t fail the scheduled/manual run. Decide whether this should be enforcing (remove continue-on-error) or informational (remove --fail).

Suggested change
continue-on-error: true

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The TruffleHog action is referenced from the moving @main branch. Pin to a release tag or commit SHA for reproducibility and supply-chain safety.

Copilot uses AI. Check for mistakes.
69 changes: 69 additions & 0 deletions .github/workflows/sast-quick.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
name: SAST Quick Check

on:
pull_request:
push:
branches: [main]

permissions:
contents: read
security-events: write
pull-requests: write
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Workflow permissions include pull-requests: write, but this workflow doesn’t appear to create/update PR comments or reviews. Consider dropping it to follow least-privilege (keep contents: read and security-events: write).

Suggested change
pull-requests: write

Copilot uses AI. Check for mistakes.

jobs:
semgrep:
name: Semgrep Scan
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v4

- uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: returntocorp/semgrep-action@v1 is deprecated.

The returntocorp/semgrep-action has been deprecated in favor of running the Semgrep CLI directly or using the semgrep/semgrep-action container. The @v1 tag may stop receiving updates.

Recommended replacement:

      - uses: semgrep/semgrep-action@v1

Or run semgrep CLI directly:

      - run: semgrep ci --config p/security-audit --config p/owasp-top-ten --config p/cwe-top-25 --config .semgrep-rules/ --sarif --output semgrep.sarif

p/cwe-top-25
.semgrep-rules/
generateSarif: true

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: semgrep.sarif
category: semgrep

secrets:
name: Secret Scanning
runs-on: ubuntu-latest
timeout-minutes: 3
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- uses: trufflesecurity/trufflehog@main
Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security actions pinned to mutable branch references

Medium Severity

trufflesecurity/trufflehog@main and aquasecurity/trivy-action@master are pinned to mutable branch refs rather than commit SHAs or immutable version tags. A compromised upstream repo could inject malicious code that runs in CI with contents: read and security-events: write permissions. This is especially concerning for security-focused workflows running on every PR.

Additional Locations (2)
Fix in Cursor Fix in Web

with:
path: ./
extra_args: --only-verified --fail
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

trufflehog is invoked with --fail, but the step is marked continue-on-error: true, so verified secrets won’t actually fail the workflow. If the goal is to gate PRs on verified findings, remove continue-on-error; if the goal is reporting-only, drop --fail to avoid implying enforcement.

Suggested change
extra_args: --only-verified --fail
extra_args: --only-verified

Copilot uses AI. Check for mistakes.
continue-on-error: true
Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Secret scan continue-on-error defeats --fail flag

Medium Severity

The trufflehog step uses --fail (exit non-zero on verified secrets) but also sets continue-on-error: true, which means the job still reports success. In sast-quick.yml this runs on PRs, so a pull request containing verified leaked secrets will not be blocked by this check — undermining the purpose of secret scanning in CI.

Additional Locations (1)
Fix in Cursor Fix in Web

Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

trufflesecurity/trufflehog@main is a floating ref. For supply-chain safety and reproducible results, pin to a version tag or commit SHA (especially in security workflows).

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This step sets --fail in TruffleHog args, but the action step is marked continue-on-error: true, which prevents failures from ever gating. Decide whether secret findings should block (remove continue-on-error) or be informational (remove --fail).

Suggested change
continue-on-error: true

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Using @main branch reference for trufflehog.

Pinning to @main introduces supply-chain risk and non-reproducible builds. Pin to a specific release tag or commit SHA for security:

      - uses: trufflesecurity/trufflehog@v3.82.12

lint-rust:
name: Rust Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy
- uses: Swatinem/rust-cache@v2
- run: cargo clippy --all-targets --all-features -- -D warnings
Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rust lint job runs on Go-only repository

Medium Severity

The lint-rust job runs cargo clippy on every PR and push to main, but this repository contains no Rust code — no Cargo.toml, no .rs files. This job will either fail (wasting CI time and creating noise) or require cargo setup for nothing. For a Go repo, this likely intended to be a Go lint step.

Fix in Cursor Fix in Web

Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The lint-rust job runs cargo clippy, but this repo doesn’t contain a Cargo project (no Cargo.toml found). This job will fail on every run. Remove the Rust lint job, or guard it (e.g., only run when Cargo.toml exists / when Rust paths change).

Copilot uses AI. Check for mistakes.

license-check:
name: License Compliance
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: licensefinder/license_finder_action@v2
continue-on-error: true
19 changes: 14 additions & 5 deletions .github/workflows/security-guard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,18 @@
name: security-guard
on: [workflow_dispatch]
name: Security Guard

on:
workflow_call:
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-guard.yml is now callable as a reusable workflow (workflow_call), but it relies on secrets.GITGUARDIAN_API_KEY. Reusable workflows only receive secrets that are explicitly declared under on.workflow_call.secrets and passed by the caller; otherwise this will be empty and the scan will fail unexpectedly.

Suggested change
workflow_call:
workflow_call:
secrets:
GITGUARDIAN_API_KEY:
required: true

Copilot uses AI. Check for mistakes.
workflow_dispatch:
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow is listed as a required check (security-guard.yml|ggshield-scan), but it only triggers via workflow_dispatch/workflow_call and is not invoked by any other workflow. As a result, PRs/branch updates won't automatically produce the required status check, potentially blocking merges unless run manually. Consider adding pull_request/push triggers (or wiring a caller workflow) or removing it from the required-check manifest if it should remain manual-only.

Suggested change
workflow_dispatch:
workflow_dispatch:
push:
pull_request:

Copilot uses AI. Check for mistakes.

jobs:
audit:
ggshield-scan:
runs-on: ubuntu-latest
steps:
Comment thread
coderabbitai[bot] marked this conversation as resolved.
- uses: actions/checkout@v4
- name: Run security audit
run: echo "Security audit placeholder - no script available yet"
- uses: actions/setup-python@v5
- name: Install ggshield
run: pip install ggshield
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pip install ggshield is unpinned and actions/setup-python doesn’t specify a python-version, which makes this check non-reproducible (and can break on future releases). Pin the ggshield version and set an explicit Python version, consistent with the Semgrep workflows.

Suggested change
- name: Install ggshield
run: pip install ggshield
with:
python-version: '3.11'
- name: Install ggshield
run: pip install ggshield==1.25.3

Copilot uses AI. Check for mistakes.
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Unpinned pip install ggshield — supply-chain risk

No version is specified, so every CI run pulls the latest release. A compromised upstream release would immediately affect all pipelines. Pin to a specific version (e.g., pip install ggshield==25.1.0).

- name: Run ggshield secret scan
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
run: ggshield secret scan path . --recursive
52 changes: 52 additions & 0 deletions .semgrep-rules/architecture-violations.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
rules:
- id: circular-module-dependency
patterns:
- pattern-either:
- pattern: |
use crate::domain::*;
- pattern: |
use crate::adapters::*;
message: Potential circular dependency. Check module import hierarchy.
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The rule circular-module-dependency is misleadingly named. It currently flags any wildcard import (*) in the domain or adapters modules, which is a style preference rather than a detection of circular dependencies. Consider renaming the rule to no-wildcard-imports or implementing a more robust check for actual dependency cycles.

languages: [rust]
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The repository cliproxyapi++ is a Go project (as evidenced by the Taskfile.yml, AGENTS.md, and .go source files), but these Semgrep rules are configured for Rust (languages: [rust]) and use Rust-specific syntax like crate:: and async fn. These rules will not execute on the Go source code. Please update the rules to use languages: [go] and patterns appropriate for the Go project structure.

severity: MEDIUM

- id: layer-violation-adapter-accessing-domain
patterns:
- pattern: |
mod adapters {
...
use crate::domain::...
...
}
message: Adapter layer should not directly access domain logic. Use ports/traits instead.
languages: [rust]
severity: MEDIUM

- id: mixed-concerns-in-handler
patterns:
- pattern: |
async fn $HANDLER(...) {
...
database.query(...)
...
api.call(...)
...
filesystem.write(...)
...
}
message: Handler mixes database, API, and filesystem concerns. Consider dependency injection.
languages: [rust]
severity: LOW

- id: direct-database-in-tests
patterns:
- pattern: |
#[test]
fn $TEST(...) {
...
Database::connect(...)
...
}
message: Tests should use mocks/fixtures, not direct database connections.
languages: [rust]
severity: MEDIUM
58 changes: 58 additions & 0 deletions .semgrep-rules/secrets-detection.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
rules:
- id: hardcoded-aws-key
patterns:
- pattern-either:
- pattern: |
"AKIA[0-9A-Z]{16}"
- pattern: |
AKIA[0-9A-Z]{16}
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These secret-detection rules are written like regexes, but pattern: matches literal code/text structure, not a regular expression. As written, this will only match the literal string AKIA[0-9A-Z]{16} (and similarly for the token/webhook patterns), so it won’t detect real secrets. Use pattern-regex: (or regex:-based constructs) for token-like detectors, and avoid "..." which currently matches only three dots.

Copilot uses AI. Check for mistakes.
message: Potential AWS Access Key detected. Use environment variables instead.
languages: [generic]
severity: CRITICAL

- id: hardcoded-api-key-env
patterns:
- pattern-either:
- pattern: |
api_key = "..."
- pattern: |
apiKey = "..."
- pattern: |
API_KEY = "..."
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The patterns for hardcoded keys use the = operator, which is common in configuration files but may miss assignments in Go source code where the short variable declaration operator := is frequently used. Consider adding patterns that account for := or using a more flexible regex to catch various assignment styles in the generic language mode.

message: Hardcoded API key detected. Use environment variables or secrets management.
languages: [generic]
severity: HIGH
Comment on lines +8 to +12
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The character class uses \\n which (after YAML parsing) typically excludes a literal backslash and the letter n, not an actual newline. If the goal is to avoid matching across lines, use \n (newline escape) in the regex (and consider \r as well). As written, this can increase false positives by allowing matches that span newlines.

Copilot uses AI. Check for mistakes.

Comment on lines +2 to +18
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These secret-detection rules appear to use regex syntax inside pattern, but Semgrep won’t treat pattern as a regex (so strings like AKIA[0-9A-Z]{16} and "..." will match literally and likely never trigger). Consider switching to pattern-regex (or using metavariables) so the rules actually detect real secrets.

Copilot uses AI. Check for mistakes.
- id: hardcoded-password
patterns:
- pattern-either:
- pattern: |
password = "..."
- pattern: |
passwd = "..."
- pattern: |
pwd = "..."
message: Hardcoded password detected. Use environment variables or secrets management.
Comment thread
coderabbitai[bot] marked this conversation as resolved.
languages: [generic]
severity: CRITICAL
Comment on lines +19 to +23
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same newline-escape issue as the API key rule: \\n inside the negated character class is unlikely to exclude actual newline characters. Using \n (and possibly \r) would better prevent cross-line matches and reduce false positives.

Copilot uses AI. Check for mistakes.

- id: hardcoded-slack-webhook
patterns:
- pattern: |
https://hooks.slack.com/services/[A-Z0-9/]+
message: Slack webhook URL detected. This should be in environment variables.
languages: [generic]
severity: HIGH

- id: hardcoded-github-token
patterns:
- pattern-either:
- pattern: |
ghp_[A-Za-z0-9_]{36,255}
- pattern: |
gho_[A-Za-z0-9_]{36,255}
- pattern: |
ghu_[A-Za-z0-9_]{36,255}
message: GitHub token detected. Never commit tokens to code.
languages: [generic]
severity: CRITICAL
Loading
Loading