profilarr/tests/scan/semgrep/secrets.yml
2026-03-08 20:46:01 +10:30

84 lines
2.7 KiB
YAML

rules:
  # Secret/token embedded in URL string
  - id: profilarr.secrets.token-in-url
    patterns:
      - pattern-regex: '`https?://\$\{[^}]*(token|pat|key|secret|password)[^}]*\}@'
    message: >
      Secret or token embedded directly in a URL string. This can
      leak in logs, error messages, and process listings. Consider
      using HTTP headers (Authorization: Bearer) where possible.
    languages: [generic]
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - vuln
      confidence: HIGH
      cwe:
        - 'CWE-522: Insufficiently Protected Credentials'

  # JSON.stringify on config/settings objects in server code
  - id: profilarr.secrets.json-stringify-config
    patterns:
      - pattern-regex: 'JSON\.stringify\(\s*(?:input\.config|config|settings)\s*\)'
    paths:
      include:
        - '/src/lib/server/**'
    message: >
      JSON.stringify() on a config/settings object that may contain
      secrets (webhook URLs, API keys, tokens). If this goes to logs
      or responses, secrets could leak.
    languages: [generic]
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      confidence: LOW
      cwe:
        - 'CWE-532: Insertion of Sensitive Information into Log File'

  # Logger calls with meta containing secret field names
  - id: profilarr.secrets.logger-meta-sensitive
    patterns:
      - pattern-regex: 'logger\.\w+\([^)]*meta:\s*\{[^}]*\b(api_key|apiKey|password|secret|token|webhook_url|personalAccessToken|pat)\b[^}]*\}'
    paths:
      include:
        - '/src/lib/server/**'
    message: >
      Logger call includes a meta field that may contain a secret.
      The logger writes meta as JSON to console and log files.
      Ensure sensitive fields are redacted before logging.
    languages: [generic]
    severity: ERROR
    metadata:
      category: security
      subcategory:
        - vuln
      confidence: MEDIUM
      cwe:
        - 'CWE-532: Insertion of Sensitive Information into Log File'

  # Hardcoded credentials in source (not tests)
  - id: profilarr.secrets.hardcoded-credential
    patterns:
      - pattern-regex: '(?:api_key|apiKey|password|secret|token)\s*[:=]\s*["\x27][a-zA-Z0-9+/=_-]{16,}["\x27]'
    paths:
      include:
        - '/src/**'
      exclude:
        - '/tests/**'
        - '**/*.test.*'
    message: >
      Possible hardcoded secret detected. Secrets should come from
      environment variables or the database, never hardcoded in source.
    languages: [generic]
    severity: ERROR
    metadata:
      category: security
      subcategory:
        - vuln
      confidence: MEDIUM
      cwe:
        - 'CWE-798: Use of Hard-coded Credentials'
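The following is an added example, not part of the profilarr project, that runs the four `pattern-regex` expressions above over constructed source lines so you can see what each rule catches and misses; it approximates semgrep's generic mode one line at a time, and the sample lines and the `scan_line`/`scan` helpers are assumptions made here. Note the second URL sample: the token-in-url regex only fires when the secret name sits inside the first `${...}` after the scheme, so a `${user}:${pat}@` form slips past it.

```python
import re

# Regexes copied verbatim from the four rules in secrets.yml above.
RULES = {
    "profilarr.secrets.token-in-url":
        r"`https?://\$\{[^}]*(token|pat|key|secret|password)[^}]*\}@",
    "profilarr.secrets.json-stringify-config":
        r"JSON\.stringify\(\s*(?:input\.config|config|settings)\s*\)",
    "profilarr.secrets.logger-meta-sensitive":
        r"logger\.\w+\([^)]*meta:\s*\{[^}]*\b(api_key|apiKey|password|secret|token"
        r"|webhook_url|personalAccessToken|pat)\b[^}]*\}",
    "profilarr.secrets.hardcoded-credential":
        r'''(?:api_key|apiKey|password|secret|token)\s*[:=]\s*["\x27][a-zA-Z0-9+/=_-]{16,}["\x27]''',
}
COMPILED = {rid: re.compile(rx) for rid, rx in RULES.items()}

# Constructed sample lines (not taken from profilarr). Even-numbered entries are
# the pattern each rule is meant to flag; the line after each is a near miss.
SAMPLE_LINES = [
    "const url = `https://${token}@github.com/org/repo.git`;",
    "const url = `https://${user}:${pat}@github.com/org/repo.git`;",  # missed
    "return JSON.stringify(config);",
    "return JSON.stringify(redact(config));",
    "logger.info('saving settings', { meta: { apiKey: input.apiKey } });",
    "logger.error('request failed', { meta: { status: res.status } });",
    "const apiKey = 'sk_live_0123456789abcdef0123';",  # constructed dummy value
    "const apiKey = process.env.PROFILARR_API_KEY;",
]


def scan_line(line: str) -> list:
    """Return the ids of every rule whose regex matches this single line.

    Semgrep searches the whole file, so a call spread over several lines may
    behave differently there; this is a line-at-a-time approximation.
    """
    return [rid for rid, rx in COMPILED.items() if rx.search(line)]


def scan(lines) -> dict:
    """Map each line to the list of rule ids that fire on it."""
    return {line: scan_line(line) for line in lines}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LINES).items():
        print(f"{hits or ['(no match)']}  <-  {line}")
```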