Implementing Secure Coding Practices to Prevent Common Vulnerabilities

Adopting coding standards and techniques to avoid introducing security flaws during development.


Rule Content

---
name: Implementing Secure Coding Practices to Prevent Common Vulnerabilities
version: "1.0"
category: Security
category_context: Flags unsafe code, secrets, and insecure configurations.
globs:
  - "**/*.js"
  - "**/*.ts"
  - "**/*.py"
  - "**/*.java"
  - "**/*.c"
  - "**/*.cpp"
triggers:
  - file_change
  - file_open
  - file_save
rules:
  - id: input-validation
    description: Ensure all user inputs are validated and sanitized to prevent injection attacks.
    severity: high
    patterns:
      - pattern: |
          $INPUT
        conditions:
          - $INPUT is user input
        actions:
          - message: "User input should be validated and sanitized to prevent injection attacks."
          - suggestion: "Implement input validation and sanitization mechanisms."

  - id: authentication-authorization
    description: Implement strong authentication and authorization mechanisms.
    severity: high
    patterns:
      - pattern: |
          $AUTH
        conditions:
          - $AUTH is authentication or authorization code
        actions:
          - message: "Ensure authentication and authorization mechanisms are robust and follow best practices."
          - suggestion: "Use multi-factor authentication and the principle of least privilege."

  - id: secure-communication
    description: Use secure communication protocols to protect data in transit.
    severity: high
    patterns:
      - pattern: |
          $COMM
        conditions:
          - $COMM is communication code
        actions:
          - message: "Ensure communication protocols are secure to protect data in transit."
          - suggestion: "Use HTTPS and validate certificates properly."

  - id: error-handling
    description: Implement proper error handling to avoid exposing sensitive information.
    severity: medium
    patterns:
      - pattern: |
          $ERROR
        conditions:
          - $ERROR is error handling code
        actions:
          - message: "Ensure error handling does not expose sensitive information."
          - suggestion: "Use generic error messages for users and detailed logs for developers."

  - id: secure-configuration
    description: Configure applications securely to reduce the risk of security breaches.
    severity: high
    patterns:
      - pattern: |
          $CONFIG
        conditions:
          - $CONFIG is configuration code
        actions:
          - message: "Ensure application configurations are secure."
          - suggestion: "Disable unnecessary services and change default settings."

  - id: data-protection
    description: Protect sensitive data using strong encryption and key management practices.
    severity: high
    patterns:
      - pattern: |
          $DATA
        conditions:
          - $DATA is data handling code
        actions:
          - message: "Ensure sensitive data is protected using strong encryption."
          - suggestion: "Implement strong encryption algorithms and secure key management."

  - id: regular-security-testing
    description: Conduct regular security testing to identify and address vulnerabilities.
    severity: medium
    patterns:
      - pattern: |
          $TEST
        conditions:
          - $TEST is testing code
        actions:
          - message: "Ensure regular security testing is conducted."
          - suggestion: "Implement penetration testing and code reviews regularly."

  - id: patch-management
    description: Keep software and dependencies updated with the latest security patches.
    severity: high
    patterns:
      - pattern: |
          $DEPENDENCY
        conditions:
          - $DEPENDENCY is dependency management code
        actions:
          - message: "Ensure software and dependencies are updated with the latest security patches."
          - suggestion: "Regularly update and patch dependencies to address known vulnerabilities."

  - id: security-education
    description: Educate developers on secure coding practices.
    severity: medium
    patterns:
      - pattern: |
          $EDUCATION
        conditions:
          - $EDUCATION is documentation or comment
        actions:
          - message: "Ensure developers are educated on secure coding practices."
          - suggestion: "Provide regular training and workshops on secure coding."

  - id: secure-file-operations
    description: Validate and sanitize file paths to prevent path traversal attacks.
    severity: high
    patterns:
      - pattern: |
          $FILE
        conditions:
          - $FILE is file operation code
        actions:
          - message: "Ensure file paths are validated and sanitized to prevent path traversal attacks."
          - suggestion: "Implement validation and sanitization mechanisms for file paths."

  - id: secure-database-access
    description: Use parameterized queries to prevent SQL injection attacks.
    severity: high
    patterns:
      - pattern: |
          $DB
        conditions:
          - $DB is database access code
        actions:
          - message: "Ensure parameterized queries are used to prevent SQL injection attacks."
          - suggestion: "Implement parameterized queries or prepared statements for database access."

  - id: secure-third-party-libraries
    description: Use reputable third-party libraries and keep them updated.
    severity: medium
    patterns:
      - pattern: |
          $LIBRARY
        conditions:
          - $LIBRARY is third-party library code
        actions:
          - message: "Ensure third-party libraries are reputable and updated."
          - suggestion: "Regularly update and patch third-party libraries to address known vulnerabilities."

  - id: secure-session-management
    description: Implement secure session management practices.
    severity: high
    patterns:
      - pattern: |
          $SESSION
        conditions:
          - $SESSION is session management code
        actions:
          - message: "Ensure session management practices are secure."
          - suggestion: "Use unique session IDs, encrypt session data, and expire sessions after inactivity."

  - id: secure-logging
    description: Ensure sensitive information is not logged in clear text.
    severity: high
    patterns:
      - pattern: |
          $LOG
        conditions:
          - $LOG is logging code
        actions:
          - message: "Ensure sensitive information is not logged in clear text."
          - suggestion: "Use logging frameworks that support encryption and redaction of sensitive data."

  - id: secure-code-reviews
    description: Conduct regular code reviews to identify and fix security vulnerabilities.
    severity: medium
    patterns:
      - pattern: |
          $REVIEW
        conditions:
          - $REVIEW is code review process
        actions:
          - message: "Ensure regular code reviews are conducted to identify and fix security vulnerabilities."
          - suggestion: "Involve team members with security expertise in code reviews."

  - id: secure-deployment-practices
    description: Follow secure deployment practices to prevent unauthorized changes.
    severity: high
    patterns:
      - pattern: |
          $DEPLOY
        conditions:
          - $DEPLOY is deployment code
        actions:
          - message: "Ensure secure deployment practices are followed to prevent unauthorized changes."
          - suggestion: "Use secure configurations, restrict access to deployment environments, and monitor for unauthorized changes."

  - id: secure-api-development
    description: Implement authentication and authorization mechanisms for APIs.
    severity: high
    patterns:
      - pattern: |
          $API
        conditions:
          - $API is API development code
        actions:
          - message: "Ensure authentication and authorization mechanisms are implemented for APIs."
          - suggestion: "Use authentication and authorization mechanisms to control access to APIs."
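The secure-file-operations rule above asks for file paths to be validated against traversal but does not show what a passing check looks like. The following is an added example (not part of the rule file or of any tool that consumes it) of the containment check the rule has in mind, written in Python because `**/*.py` is among the rule's globs. The base directory and the input paths are constructed for the demo; `resolve_under_base` and `classify` are names chosen here.

```python
import os

# Added example for the secure-file-operations rule: resolve a user-supplied
# path relative to a fixed base directory and refuse anything that ends up
# outside it. Base directory and inputs below are constructed for the demo.


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Return the absolute path of user_path inside base_dir, or raise ValueError.

    realpath() collapses '..' segments and follows symlinks, so the containment
    decision is made on the path the OS would actually open. commonpath() is
    used instead of startswith() so that a sibling directory sharing a prefix
    (files vs files_old) is not accepted.
    """
    base = os.path.realpath(base_dir)
    if "\x00" in user_path:
        raise ValueError("invalid character in path")
    # An absolute user path would make os.path.join discard base_dir entirely.
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the allowed directory")
    return candidate


def classify(base_dir: str, user_paths) -> dict:
    """Map each input to its resolved path, or None when it was rejected."""
    result = {}
    for p in user_paths:
        try:
            result[p] = resolve_under_base(base_dir, p)
        except ValueError:
            result[p] = None
    return result


# Constructed sample inputs (not taken from any real request log).
SAMPLE_BASE = "/srv/files"
SAMPLE_INPUTS = [
    "reports/q1.pdf",       # ordinary relative path, accepted
    "reports/../q2.pdf",    # '..' that stays inside the base, accepted
    "../files_old/q1.pdf",  # sibling directory with the same prefix, rejected
    "../../etc/hostname",   # climbs out of the base, rejected
    "/etc/hostname",        # absolute path, rejected
]

if __name__ == "__main__":
    for path, resolved in classify(SAMPLE_BASE, SAMPLE_INPUTS).items():
        print(f"{path!r:24} -> {resolved}")
```

The check is done after `realpath`, not on the raw string: a prefix test on the unresolved input is what lets `../files_old/...` or a symlink planted inside the base slip through.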
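The secure-logging rule suggests a logging framework that supports redaction. The added example below (not from the rule file or any project) shows one way to get that with the standard-library `logging` module: a `logging.Filter` attached to the logger rewrites each record before any handler sees it, so a credential cannot reach a log file through a call site that forgot to mask it. The key names in `SECRET_KEYS`, the regular expressions and the sample messages are constructed for the demo; `redact`, `RedactingFilter` and `capture_redacted` are names chosen here.

```python
import logging
import re

# Added example for the secure-logging rule: redact credential-like values at
# the logger, not at each call site. Key names, patterns and messages below
# are constructed for the demo.

SECRET_KEYS = ("password", "passwd", "secret", "token", "api_key")

# key=value or key: value, where the key may carry a prefix (refresh_token)
# and the value is either quoted or a run of non-space characters.
_KV = re.compile(
    r"(?i)\b(\w*(?:" + "|".join(SECRET_KEYS) + r"""))\b(\s*[=:]\s*)("[^"]*"|'[^']*'|\S+)"""
)
# HTTP Authorization credentials: keep the scheme, drop the credential.
_AUTH = re.compile(r"(?i)\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+")


def redact(text: str) -> str:
    """Replace secret values in free text with a fixed marker."""
    text = _AUTH.sub(r"\g<1> [REDACTED]", text)
    return _KV.sub(r"\g<1>\g<2>[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Rewrite the fully formatted message so %-style args are covered too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated into record.msg above
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def capture_redacted(messages):
    """Log each (msg, args) pair through the filter and return the output lines."""
    logger = logging.getLogger("secure-logging-demo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.filters.clear()
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    for msg, args in messages:
        logger.info(msg, *args)
    return handler.lines


# Constructed sample messages, including one that uses %-style arguments.
SAMPLE_MESSAGES = [
    ("login failed user=%s password=%s", ("alice", "hunter2")),
    ("outbound call Authorization: Bearer eyJhbGciOi.constructed", ()),
    ("refresh_token='abc.def' expires_in=3600", ()),
]

if __name__ == "__main__":
    for line in capture_redacted(SAMPLE_MESSAGES):
        print(line)
```

The filter formats the message itself and clears `record.args` so that a secret passed as a `%s` argument is redacted as well as one embedded in the format string; a filter on the logger rather than on one handler also covers handlers added later.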