Implementing Secure Code Review Practices
Learn how to establish effective code review processes that prioritize security, enabling teams to identify vulnerabilities before code deployment.
Rule Content
{
"title": "Implementing Secure Code Review Practices",
"description": "Establish effective code review processes that prioritize security, enabling teams to identify vulnerabilities before code deployment.",
"category": "Security",
"rules": [
{
"id": "SCR-001",
"description": "Ensure all user inputs are validated and sanitized to prevent injection attacks.",
"severity": "high",
"patterns": [
{
"pattern": ".*(eval|exec|system|popen|shell_exec|passthru|proc_open|pcntl_exec)\\(.*\\$.*\\).*",
"message": "Avoid using dynamic function calls with user input to prevent code injection vulnerabilities."
},
{
"pattern": ".*\\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\\[.*\\].*",
"message": "Ensure all user inputs are validated and sanitized before use."
}
]
},
{
"id": "SCR-002",
"description": "Implement proper authentication and session management to prevent unauthorized access.",
"severity": "high",
"patterns": [
{
"pattern": ".*password_hash\\(.*\\).*",
"message": "Ensure passwords are hashed using strong algorithms like bcrypt."
},
{
"pattern": ".*session_start\\(.*\\).*",
"message": "Verify that session management is secure and sessions are properly invalidated upon logout."
}
]
},
{
"id": "SCR-003",
"description": "Avoid hardcoding sensitive information such as passwords and API keys.",
"severity": "critical",
"patterns": [
{
"pattern": ".*(password|api_key|secret|token)\\s*=\\s*['\"].*['\"].*",
"message": "Do not hardcode sensitive information; use environment variables or secure vaults instead."
}
]
},
{
"id": "SCR-004",
"description": "Ensure proper error handling to prevent information leakage.",
"severity": "medium",
"patterns": [
{
"pattern": ".*(print|echo|var_dump|die|exit)\\(.*\\$.*\\).*",
"message": "Avoid displaying detailed error messages to users; log errors securely without exposing sensitive information."
}
]
},
{
"id": "SCR-005",
"description": "Use secure functions to prevent buffer overflows and memory corruption.",
"severity": "high",
"patterns": [
{
"pattern": ".*(strcpy|strcat|sprintf|vsprintf|gets)\\(.*\\).*",
"message": "Avoid using unsafe functions; use their safer counterparts like strncpy, strncat, snprintf, or fgets."
}
]
},
{
"id": "SCR-006",
"description": "Ensure proper access controls are implemented to enforce the principle of least privilege.",
"severity": "high",
"patterns": [
{
"pattern": ".*chmod\\(.*\\).*",
"message": "Verify that file permissions are set correctly to restrict unauthorized access."
},
{
"pattern": ".*chown\\(.*\\).*",
"message": "Ensure ownership of files and directories is properly assigned to limit access."
}
]
},
{
"id": "SCR-007",
"description": "Regularly update and patch dependencies to mitigate known vulnerabilities.",
"severity": "medium",
"patterns": [
{
"pattern": ".*require\\(.*\\).*",
"message": "Ensure that all required packages are up-to-date and free from known vulnerabilities."
},
{
"pattern": ".*import\\s+.*",
"message": "Verify that imported modules are current and secure."
}
]
},
{
"id": "SCR-008",
"description": "Implement secure communication protocols to protect data in transit.",
"severity": "critical",
"patterns": [
{
"pattern": ".*http://.*",
"message": "Use HTTPS instead of HTTP to encrypt data in transit."
}
]
},
{
"id": "SCR-009",
"description": "Ensure proper logging practices to monitor and detect security incidents.",
"severity": "medium",
"patterns": [
{
"pattern": ".*log\\(.*\\).*",
"message": "Ensure that logs do not contain sensitive information and are stored securely."
}
]
},
{
"id": "SCR-010",
"description": "Conduct regular code reviews and security testing to identify and remediate vulnerabilities.",
"severity": "high",
"patterns": [
{
"pattern": ".*",
"message": "Regularly review code and perform security testing to maintain a secure codebase."
}
]
}
]
}