Add TypeScript security rules and tooling #198

gatsby003 · 2025-07-24T10:25:37Z

Summary by CodeRabbit

New Features
- Introduced multiple static analysis rules for TypeScript to detect insecure cryptographic practices, unsafe file permissions, command injection, hardcoded secrets, weak hash algorithms, and improper use of JWTs.
- Added extensive test cases and snapshots to validate new security rules and ensure detection of insecure patterns in code.
Bug Fixes
- Improved test coverage by adding missing or duplicate snapshot entries for various languages and security scenarios.
Chores
- Added missing newline characters at the end of numerous configuration, rule, and test files to improve file formatting consistency.

coderabbitai · 2025-07-24T10:25:45Z

Caution

Review failed

The pull request is closed.

Walkthrough

This update introduces a comprehensive suite of new static analysis rules and corresponding tests focused on TypeScript security issues, including detection of weak cryptographic algorithms, insecure buffer handling, command and SQL injection, hardcoded secrets, and improper logging of sensitive data. The changes also add or update numerous snapshot and test files across multiple languages, primarily to add missing newlines and enhance test coverage.

Changes

File(s)	Change Summary
`.gitignore`, `package.json`, `sgconfig.yml`	Added missing newline at end of file.
`rules///*.yml` (C, C++, Go, HTML, Java, PHP, Python, Ruby, Rust, TypeScript)	Mostly added missing newlines at end of rule files.
`rules/typescript/security/*.yml`	New TypeScript security rules: detection for weak crypto, buffer misuse, command/SQL injection, hardcoded secrets, sensitive data logging, and more.
`tests/__snapshots__/*.yml`	Added new or duplicate snapshot files for test coverage, labeling, and highlighting for new rules.
`tests/typescript/*.yml`	New TypeScript test cases: for all new rules, covering valid/invalid usage of crypto, buffers, eval, require, JWT, SQL, logging, and more.
`tests//-test.yml` (other languages)	Added missing newlines at end of test files for C, C++, Go, Java, JavaScript, Python, Ruby, Rust, Swift.
`tests/__snapshots__/*` (multiple languages)	Added or duplicated snapshot entries for enhanced test coverage and code highlighting.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant StaticAnalyzer
    participant RuleEngine

    Developer->>StaticAnalyzer: Writes/commits TypeScript code
    StaticAnalyzer->>RuleEngine: Runs new security rules
    RuleEngine-->>StaticAnalyzer: Flags insecure patterns (e.g., weak crypto, hardcoded secrets)
    StaticAnalyzer-->>Developer: Reports warnings/errors (e.g., insecure hash, command injection)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Poem

🐇
A warren of rules, so tidy and neat,
Now guards TypeScript from insecure defeat.
Snapshots and tests, with newlines aligned,
Hunt for weak hashes and secrets you'll find.
With vigilant eyes, this rabbit will cheer—
Secure code is here, let bugs disappear!
🥕

Pre-Merge Checks (2 passed, 1 warning)

❌ Failed Checks (1 warning)

Check Name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The pull request description is empty and provides no context or details about the changes.	Please add a detailed description summarizing what was changed, why the changes were made, and how they were tested, and consider adding a pull request template to the repository to ensure consistency and completeness.

✅ Passed Checks (2 passed)

Check Name	Status	Explanation
Title Check	✅ Passed	The pull request title clearly describes the addition of TypeScript security rules and associated tooling.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

Impact Analysis

Introduction of multiple new TypeScript security rules

⚠️ High 🔄 Impacts behavior 🔒Impacts security

The update adds eighteen new static analysis rules under rules/typescript/security to detect insecure patterns—such as weak cryptography (RC4, SHA-1, DES, MD5, Argon2i/d), unsafe Buffer usage, command injection, non-literal RegExp/require paths, hardcoded credentials (JWT tokens, HMAC keys), insecure file permissions, eval misuse, logging of sensitive data, and SQL injection. Several rules have error severity and may cause existing CI pipelines to start failing on newly flagged violations.

Review each AST matcher for precision and scope, validate severity levels (error vs warning) align with project policy, and check for potential false positives or negatives in real codebases.

Run the updated linter against representative TypeScript projects to surface new findings; add or adjust rule suppressions where acceptable, and verify that true positives are correctly flagged while legitimate patterns remain unreported.

🔍 Related Files

rules/typescript/security/argon2-weak-type-typescript.yml
rules/typescript/security/avoid-crypto-rc4-typescript.yml
rules/typescript/security/avoid-crypto-sha1-typescript.yml
rules/typescript/security/avoid-des-typescript.yml
rules/typescript/security/chmod-permissions-typescript.yml
rules/typescript/security/command-injection-typescript.yml
rules/typescript/security/crypto-avoid-weak-hash-typescript.yml
rules/typescript/security/detect-buffer-noassert-typescript.yml
rules/typescript/security/detect-eval-with-expression-typescript.yml
rules/typescript/security/detect-new-buffer-typescript.yml
rules/typescript/security/detect-non-literal-regexp-typescript.yml
rules/typescript/security/detect-non-literal-require-typescript.yml
rules/typescript/security/detected-jwt-token-typescript.yml
rules/typescript/security/hardcoded-hmac-key-typescript.yml
rules/typescript/security/insecure-hash-typescript.yml
rules/typescript/security/jwt-sensitive-data-typescript.yml
rules/typescript/security/jwt-weak-encryption-typescript.yml
rules/typescript/security/log-sensitive-data-typescript.yml
rules/typescript/security/sql-injection-typescript.yml

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

🧪 Generate unit tests

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch ts-rules

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Explain this complex logic.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai explain this code block.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and explain its main purpose.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings to generate docstrings for this PR.
@coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
@coderabbitai generate unit tests to generate unit tests for this PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

coderabbitai

Actionable comments posted: 12

🧹 Nitpick comments (75)

.gitignore (1)

199-201: Good addition, but consider placement before the generator marker

Ignoring .claude makes sense for local tooling artefacts.
Minor nit: future re-generations of this .gitignore via the Toptal generator may overwrite everything after the “End of …” marker, wiping this rule. Placing the custom rule a few lines above that marker (or adding a comment section for custom ignores) avoids accidental loss.
tests/python/__snapshots__/debug-enabled-python-snapshot.yml (2)
4-6: Indent app.run to reflect valid Python syntax

app.run("0.0.0.0", debug=True) should be indented beneath the if __name__ == "__main__": guard; otherwise the snippet represents syntactically invalid Python. Even though the snapshot isn’t executed, keeping examples syntactically correct improves readability and avoids misleading future readers.
-    if __name__ == "__main__":
-    app.run("0.0.0.0", debug=True)
+    if __name__ == "__main__":
+        app.run("0.0.0.0", debug=True)
32-47: Remove duplicate secondary labels to reduce snapshot noise

The labels for Flask (lines 32–39) and app.run("0.0.0.0", debug=True) (lines 44–47) appear twice with identical ranges and styles. Unless the duplication is intentional for tooling requirements, consider keeping only one occurrence of each to keep the snapshot concise and easier to maintain.
rules/typescript/security/chmod-permissions-typescript.yml (3)
5-7: Strip trailing whitespace to satisfy YAML-lint.
Lines 5 – 6 end with superfluous spaces and fail the linter.
-  Do not give 777 permissions to a file. Always make sure you restrict the␠
-  permissions of your application files. Applications should not allow write ␠
+  Do not give 777 permissions to a file. Always make sure you restrict the
+  permissions of your application files. Applications should not allow write
35-35: Missing newline at EOF.
Adds up in diffs and breaks some editors’ POSIX‐style expectations.
-    - matches: MATCH_CHMOD_777
+    - matches: MATCH_CHMOD_777
+
12-31: Consider broader detection of permissive modes.
Attackers rarely stick to literal 0o777; strings ('0777'), decimals (511), or wider octal patterns (0o77[0-7]) slip through. Widening the regex (or adding sibling util patterns) will harden the rule.
rules/typescript/security/sql-injection-typescript.yml (2)
5-6: Remove trailing whitespace flagged by YAML-lint.
Tiny, but keeps the rule file clean.

45-45: Add final newline.
Same rationale as above.
-    - matches: MATCH_SQL_TEMPLATE_STRING
+    - matches: MATCH_SQL_TEMPLATE_STRING
+
tests/typescript/avoid-crypto-sha1-typescript-test.yml (1)
8-8: Insert newline at EOF to satisfy linter and diff tools.
-    const hash = CryptoJS.HmacSHA1("Message", "Secret Passphrase");
+    const hash = CryptoJS.HmacSHA1("Message", "Secret Passphrase");
+
tests/typescript/detect-non-literal-regexp-typescript-test.yml (1)
9-9: Insert newline at EOF.
-    var a = new RegExp(c, 'i');
+    var a = new RegExp(c, 'i');
+
tests/typescript/detect-non-literal-require-typescript-test.yml (1)
1-9: Add a trailing newline to satisfy YAML lint.

yamllint is flagging no new line character at the end of file.
Add a single \n after the last line to keep the file POSIX-compliant and silence the linter.
-    const a = require(`${c}`);
+    const a = require(`${c}`);
+
tests/typescript/detect-new-buffer-typescript-test.yml (2)
1-8: Terminate the file with a newline.

Same yamllint warning: missing trailing newline. Insert one blank line at EOF.
-    var a = new Buffer(c)
+    var a = new Buffer(c)
+
3-5: Re-evaluate “valid” examples that use the deprecated new Buffer().

new Buffer() is deprecated in Node.js and generally discouraged, even with literal arguments. If the rule is only meant to catch non-literal arguments, consider:

Moving new Buffer('test') to an invalid block in a future, broader rule, or

Adding a comment clarifying why it’s treated as acceptable here.

This helps prevent readers from assuming the pattern is safe.
tests/typescript/avoid-crypto-rc4-typescript-test.yml (1)
1-9: Missing trailing newline.

Add a final newline to avoid yamllint complaints.
-    const decrypted = CryptoJS.RC4.decrypt(encrypted, "Secret Passphrase");
+    const decrypted = CryptoJS.RC4.decrypt(encrypted, "Secret Passphrase");
+
tests/__snapshots__/detect-non-literal-regexp-typescript-snapshot.yml (1)

5-17: Off-by-one risk in RegExp label end index.

RegExp is six characters long (12–17 inclusive).
Current end: 18 hints at a +1 inclusive range, which is inconsistent with other labels (e.g., crypto 0-6). For consistency and to avoid brittle assertions, consider adjusting to end: 17 or adopting a clear inclusive/exclusive convention across snapshots.
tests/typescript/command-injection-typescript-test.yml (1)
8-8: Add missing newline at end-of-file

YAMLlint flags the lack of a terminating newline. Fixing it keeps tooling quiet and avoids diff noise later.
-    childprocess.exec('mv ' + src + " " + dst, (error, stdout, stderr) => {});
+
+    childprocess.exec('mv ' + src + " " + dst, (error, stdout, stderr) => {});
+
tests/typescript/insecure-hash-typescript-test.yml (1)
9-9: Add missing newline at end-of-file

Silences YAMLlint and keeps diff hygiene.
-    crypto.createHash("sha1")
+
+    crypto.createHash("sha1")
+
tests/typescript/argon2-weak-type-typescript-test.yml (1)

4-5: Consider adding a test for the no-options call.

argon2.hash('pwd') (no options) defaults to argon2i, which your rule should flag as invalid. Including this variant in the test corpus will prevent regressions.
tests/__snapshots__/command-injection-typescript-snapshot.yml (2)
1-6: Typo in library name may hamper real-world recall.

Node’s built-in module is child_process, not childprocess.
If the rule only looks for child_process.exec, consider duplicating the sample or renaming here to avoid a false sense of coverage.

30-30: Add newline at EOF to silence YAML-lint.
       end: 68
+
tests/typescript/jwt-weak-encryption-typescript-test.yml (1)
7-8: Add the mandatory final newline to silence YAMLlint

The file fails the new-line-at-end-of-file rule. Append a single blank line after the last character.
     jwt.verify(token, secret, { algorithms: ['none', 'RS256'] }, func);
+
tests/typescript/avoid-des-typescript-test.yml (1)
10-11: Missing terminating newline

Same YAMLlint violation here—add a blank line to keep the linter green.
     const decrypted = CryptoJS.TripleDES.decrypt(encrypted, "Secret Passphrase");
+
tests/__snapshots__/argon2-weak-type-typescript-snapshot.yml (1)

47-51: (Optional) Append a newline for consistency

While not flagged, adding a final newline keeps every YAML file consistent and avoids future lint noise.
tests/typescript/jwt-sensitive-data-typescript-test.yml (1)
11-15: Trim trailing spaces and add final newline

YAMLlint reports trailing whitespace on line 12 and a missing final newline. Fix both issues:
-    )
-    
+    )
 
     jwt.sign(
         { user: { lastname: 'babar' }}
     )
+
tests/typescript/log-sensitive-data-typescript-test.yml (1)
11-11: Add a terminating newline to satisfy YAML-lint

YAMLlint flags a missing newline at EOF (rule new-line-at-end-of-file).
Insert a final blank line to keep CI green.
-    logger.warn(email);
+    logger.warn(email);
+
tests/typescript/detect-buffer-noassert-typescript-test.yml (1)
17-17: Insert final newline to silence YAML-lint

The test file lacks a trailing newline, tripping rule new-line-at-end-of-file.
-    a.writeDoubleLE(0, 0, true)
+
tests/__snapshots__/avoid-crypto-sha1-typescript-snapshot.yml (1)
3-3: YAML key ending with a colon can break parsing

The snapshot uses the plain key
const hash = CryptoJS.HmacSHA1("Message", "Secret Passphrase");:
where the trailing colon is both part of the string and the YAML key terminator.
While many parsers cope, this is fragile and inconsistent with the ? |- style used in the other snapshots. Consider switching to the explicit key syntax for reliability.
-  const hash = CryptoJS.HmacSHA1("Message", "Secret Passphrase");:
+  ? |-
+    const hash = CryptoJS.HmacSHA1("Message", "Secret Passphrase");
+  :
tests/typescript/chmod-permissions-typescript-test.yml (1)
6-15: Trim trailing whitespace & add terminal newline

Lines 6 and 13 contain trailing spaces, and the file is missing the mandatory final newline (YAML-lint errors).
Tidy the whitespace to avoid spurious diff noise and keep CI linters quiet.
6- 
+ 
13- 
+ 
15+            # ⏎  (add a single LF at EOF)
rules/typescript/security/avoid-crypto-rc4-typescript.yml (2)
5-9: Remove trailing space & reference the correct CWE

Line 5 ends with an extra space – YAML-lint flags it.

RC4 is a cipher, not a hash; CWE-326 “Inadequate Encryption Strength” is more precise than CWE-328.
5-   Avoid RC4 encryption. Use of the RC4 security protocol exposes your 
+   Avoid RC4 encryption. Use of the RC4 security protocol exposes your
8-   [CWE-328] Use of Weak Hash.
+   [CWE-326] Inadequate Encryption Strength.
42-42: Add a final newline

No newline at EOF – breaks Unix tooling and fails YAML-lint.
42   - matches: MATCH_RC4_USAGE
+\n
tests/typescript/detected-jwt-token-typescript-test.yml (1)

11-11: Terminate the file with a newline

Missing trailing newline triggers YAML-lint. Add one LF after line 11.
rules/typescript/security/detect-new-buffer-typescript.yml (2)
5-7: Strip trailing space & clarify deprecation wording

Line 5 ends with a space. Also, explicitly mention deprecation to strengthen the guidance.
5-   Avoid Buffer(argument) with non-literal values. Using Buffer constructor with 
+   Avoid `new Buffer(...)` with non-literal values – this constructor is deprecated, and using it
27-27: Add final newline

Insert a newline at EOF to satisfy linters.
27     - matches: MATCH_NEW_BUFFER
+\n
tests/typescript/detect-eval-with-expression-typescript-test.yml (1)
1-12: Terminate file with a newline to satisfy YAML lint.

Some CI linters (see YAMLlint hint) will fail because the file lacks a trailing newline.
Add a single blank line at the end.
 const answer = eval(expression)
+
rules/typescript/security/insecure-hash-typescript.yml (2)
5-5: Trim trailing spaces and add a final newline.

YAML with trailing whitespace or missing EOF newline is rejected by many strict linters.
Quick clean-up:
-  Do not use weak hash functions. Do not use weak hash algorithms such as MD5 
+  Do not use weak hash functions. Do not use weak hash algorithms such as MD5
@@
-    - matches: MATCH_INSECURE_HASH
+    - matches: MATCH_INSECURE_HASH
+
Also applies to: 43-43

41-43: Simplify the rule block – drop the single-item any.

any: with a lone element is redundant; matches can sit directly under rule. Keeps the rule concise.
-rule:
-  kind: call_expression
-  any:
-    - matches: MATCH_INSECURE_HASH
+rule:
+  kind: call_expression
+  matches: MATCH_INSECURE_HASH
rules/typescript/security/crypto-avoid-weak-hash-typescript.yml (2)
5-6: Whitespace / newline hygiene.

Same lint issues here—remove trailing spaces on lines 5-6 and ensure the file ends with a newline to avoid CI noise.
-  Avoid weak hash algorithm from CryptoJS. Use of insecure hash functions like 
-  MD5 or SHA1 can expose your application to vulnerabilities. Use stronger hash 
+  Avoid weak hash algorithm from CryptoJS. Use of insecure hash functions like
+  MD5 or SHA1 can expose your application to vulnerabilities. Use stronger hash
@@
-    - matches: MATCH_WEAK_HASH
+    - matches: MATCH_WEAK_HASH
+
Also applies to: 38-38

35-38: Drop the redundant one-item any.
-rule:
-  kind: call_expression
-  any:
-    - matches: MATCH_WEAK_HASH
+rule:
+  kind: call_expression
+  matches: MATCH_WEAK_HASH
rules/typescript/security/avoid-crypto-sha1-typescript.yml (2)
5-5: Clean up trailing space & missing newline.
-  Avoid SHA1 security protocol. Use of insecure encryption or hashing protocols 
+  Avoid SHA1 security protocol. Use of insecure encryption or hashing protocols
@@
-    - matches: MATCH_SHA1_USAGE
+    - matches: MATCH_SHA1_USAGE
+
Also applies to: 34-34

31-34: Remove single-item any wrapper for brevity.
-rule:
-  kind: call_expression
-  any:
-    - matches: MATCH_SHA1_USAGE
+rule:
+  kind: call_expression
+  matches: MATCH_SHA1_USAGE
tests/__snapshots__/detect-buffer-noassert-typescript-snapshot.yml (1)

1-39: Snapshot file appears fine; minor lint only.

Only missing EOF newline is detected by YAMLlint. If your pipeline enforces it, append one blank line.
tests/typescript/sql-injection-typescript-test.yml (1)
18-18: Add the missing newline at EOF to pass YAML linting

yamllint is flagging a “no new line character at the end of file” error.
Insert a single line-feed after the last line to stay POSIX-compliant and keep CI pipelines green.
18     sequelize.query('SELECT * FROM Products WHERE name LIKE ' +  req.body.username);
+
tests/typescript/hardcoded-hmac-key-typescript-test.yml (1)
6-19: Strip trailing whitespace and terminate file with a newline

Several lines contain superfluous spaces and the file lacks a trailing newline, both reported by yamllint. Cleaning these up avoids noisy CI failures and keeps diffs tidy.
6-    
9-    
14-    
16-    
19-
+    
+
rules/typescript/security/avoid-des-typescript.yml (1)
5-8: Fix lint issue & correct CWE reference

Remove the trailing spaces on line 5.

CWE reference for weak encryption algorithms is CWE-327, not CWE-328.
5-  Do not use DES or TripleDES, this is a weak security protocol. Use stronger 
+  Do not use DES or TripleDES, this is a weak security protocol. Use stronger
8-  [CWE-328] Use of Weak Hash.
+  [CWE-327] Use of Weak Encryption Algorithm.
Also add a newline at EOF to silence yamllint.
rules/typescript/security/detected-jwt-token-typescript.yml (1)
5-6: Remove trailing spaces to satisfy YAML linters

Lines 5-6 have stray spaces after the period. Trim them to keep the file clean.
5-  Detects hardcoded JWT tokens within the codebase. Potential JWT token detected. 
6-  Avoid hardcoding JWT tokens in the code as it may lead to security vulnerabilities.
+  Detects hardcoded JWT tokens within the codebase. Potential JWT token detected.
+  Avoid hard-coding JWT tokens in the code as it may lead to security vulnerabilities.
tests/__snapshots__/log-sensitive-data-typescript-snapshot.yml (1)

1-41: (optional) Add newline at EOF for consistency

While not flagged, adding a terminating newline keeps all snapshot files consistent and editor-friendly.
rules/typescript/security/jwt-sensitive-data-typescript.yml (3)
5-6: Trim trailing whitespace in multi-line message block.

The two spaces after both lines break YAML-lint and introduce noisy diffs.
-  Do not put sensitive data in objects. Never include sensitive information in a JWT.␠␠
-  Instead, only use non-personal information to identify the end-user.␠␠
+  Do not put sensitive data in objects. Never include sensitive information in a JWT.
+  Instead, only use non-personal information to identify the end-user.
16-26: Broaden the jwt.*.sign matcher to reduce false-negatives.

Real-world code often imports the library as jsonwebtoken, jwtService, etc.
Consider loosening the identifier regex and anchoring to sign only:
-                regex: "^jwt$"
+                regex: "jwt|jsonwebtoken|.*Jwt.*"
This keeps false-positives low while catching the majority of usages.

60-60: Add a newline at EOF.

Most linters (and GitHub UI) prefer files to end with a single \n.
-    - matches: MATCH_JWT_SENSITIVE_DATA
+    - matches: MATCH_JWT_SENSITIVE_DATA
+
rules/typescript/security/jwt-weak-encryption-typescript.yml (3)
5-7: Whitespace & grammar touch-up in the rule description.

Minor polish improves readability and removes YAML-lint errors.
-  Use default encryption from the JWT library. Do not use `none` as a validation ␠␠
-  algorithm for a JWT token. The none algorithm assumes that the token has been ␠␠
-  verified, which would allow attacker to create a token that would be automatically validated.
+  Use the library defaults. Never pass `none` as a JWT validation algorithm.  
+  The “none” option skips signature verification and lets an attacker forge tokens that are accepted as valid.
40-50: Consider case-insensitive match for "none".

Although unlikely, a mixed-case "None" could slip through.
-                        regex: "^none$"
+                        regex: "(?i)^none$"
54-54: Add missing newline at EOF.
-    - matches: MATCH_JWT_WEAK_ENCRYPTION
+    - matches: MATCH_JWT_WEAK_ENCRYPTION
+
rules/typescript/security/detect-non-literal-require-typescript.yml (3)
5-7: Strip trailing spaces in the message block.
-  Avoid require with non-literal values. Importing packages from dynamic paths ␠␠
-  can be a security vulnerability. An attacker might provide an undesired path ␠␠
+  Avoid `require` with non-literal values. Importing packages from dynamic paths
+  can be a security vulnerability. An attacker might provide an undesired path
24-30: Misses template strings without substitutions.

require(\${pkg}`) is detected, but ``require(foo)`` (no substitution) still bypasses the rule even though it is non-literal at runtime. You can include template_string` regardless of substitutions:
-              - kind: template_string
+              - kind: template_string
and drop the has -> template_substitution guard.

33-33: Add newline at EOF.
-    - matches: MATCH_NON_LITERAL_REQUIRE
+    - matches: MATCH_NON_LITERAL_REQUIRE
+
tests/__snapshots__/hardcoded-hmac-key-typescript-snapshot.yml (1)
4-10: Duplicate constant names may confuse future readers.

Redeclaring const encrypted twice in the same snippet is syntactically invalid TS (even though snapshots aren’t compiled).
Renaming one of them avoids head-scratching when someone copy-pastes the code.
-    const encrypted = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase");
-    const decrypted = CryptoJS.TripleDES.decrypt(encrypted, "Secret Passphrase");
+    const encryptedTriple = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase");
+    const decryptedTriple = CryptoJS.TripleDES.decrypt(encryptedTriple, "Secret Passphrase");
tests/__snapshots__/avoid-des-typescript-snapshot.yml (1)
4-8: Shadowing encrypted/decrypted in snapshot code.

Same rationale as the previous snapshot – unique names help avoid confusion.
-    const encrypted = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase");
-    const decrypted = CryptoJS.TripleDES.decrypt(encrypted, "Secret Passphrase");
+    const encrypted3DES = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase");
+    const decrypted3DES = CryptoJS.TripleDES.decrypt(encrypted3DES, "Secret Passphrase");
rules/typescript/security/detect-eval-with-expression-typescript.yml (2)
5-6: Remove trailing whitespace to satisfy YAML lint.

Trailing spaces violate the linter rules and can cause noisy CI failures.
-  Avoid `eval` with expressions. The `eval` function could execute malicious code 
+  Avoid `eval` with expressions. The `eval` function could execute malicious code
40-40: Add a terminating newline.

Many tools (git, POSIX text parsers) expect files to end with \n.
-    - matches: MATCH_EVAL_WITH_EXPRESSION
+\    - matches: MATCH_EVAL_WITH_EXPRESSION
+
rules/typescript/security/log-sensitive-data-typescript.yml (4)
5-6: Strip trailing spaces to keep CI green.
-  Avoid logging sensitive data. Do not log sensitive data such as user id, email 
+  Avoid logging sensitive data. Do not log sensitive data such as user id, email
24-34: property_identifier: log is redundant with console.log and may over-match.

console.log.log(...) is unlikely. If you meant to catch bare log(...) calls, add a separate branch for identifier rather than putting log under member_expression.property_identifier.

40-65: Matcher omits member-expressions like user.email inside arguments.

A sensitive property used as user.email inside the argument won’t match unless it is the property of the outer member_expression. Add a recursive search for any member_expression that ends with the sensitive identifier to tighten coverage.

105-105: Insert missing newline at EOF.
rules/typescript/security/detect-non-literal-regexp-typescript.yml (2)
5-7: Remove trailing whitespace to silence linter.
-  Detects non-literal values in regular expressions. Creating a regular expression 
-  with user input is a security vulnerability as it could lead to a Regular 
+  Detects non-literal values in regular expressions. Creating a regular expression
+  with user input is a security vulnerability as it could lead to a Regular
30-30: Add newline at end of file.
rules/typescript/security/hardcoded-hmac-key-typescript.yml (3)
5-7: Trim trailing spaces to comply with YAML lint.
-  Detects hardcoded HMAC keys. Detected hardcoded cryptographic key. Avoid using 
-  hardcoded secrets; consider storing them securely, such as in environment 
+  Detects hardcoded HMAC keys. Detected hardcoded cryptographic key. Avoid using
+  hardcoded secrets; consider storing them securely, such as in environment
12-27: MATCH_CRYPTO_IMPORT is defined but never referenced.

Dead utilities add cognitive load and may mislead future maintainers.

If you intended to gate the rule on the presence of import 'crypto', include it in rule.any. Otherwise, delete the unused matcher.

93-93: Append newline at EOF.
rules/typescript/security/command-injection-typescript.yml (3)
5-6: Eliminate trailing space.
-  Avoid command injection. When executing a command, never use unchecked variables. 
+  Avoid command injection. When executing a command, never use unchecked variables.
16-21: Rule overlooks imported/destructured exec/spawn identifiers.

import { exec } from 'child_process'; exec(command) will evade the matcher because the callee is an identifier, not a member_expression. Consider an additional branch allowing kind: identifier with the same regex.

35-35: File should end with a newline.
rules/typescript/security/argon2-weak-type-typescript.yml (2)
59-59: Add a terminating newline to satisfy YAML linters.

The file is missing the final line-feed (⏎).
Several CI linters (including the one that flagged this) treat that as a hard error and will fail the pipeline.
-    - matches: MATCH_ARGON2_WEAK_TYPE
+    - matches: MATCH_ARGON2_WEAK_TYPE
+
56-59: Consider matching hash(...) after destructuring imports.

Right now the rule only fires when argon2.hash is invoked through a member expression.
A very common pattern is:
import { hash } from 'argon2';
await hash(pwd, { type: argon2.argon2i });
This usage will silently bypass the rule.
If you want complete coverage, add a complementary matcher that:

Checks for an identifier hash

Ensures it resolves to the argon2 import (e.g. via has! → import_clause with source 'argon2').

Not blocking, but worth considering for stronger guarantees.
rules/typescript/security/detect-buffer-noassert-typescript.yml (2)
5-5: Remove trailing whitespace.

Line 5 contains a stray space after flag set..
It is harmless at runtime but will keep tripping YAML/markdown linters.
-  Avoid calls to 'buffer' with 'noAssert' flag set. If you skip the `offset` 
+  Avoid calls to 'buffer' with 'noAssert' flag set. If you skip the `offset`
90-93: Terminate the file with a newline.

Same issue as the previous rule file—add a final line-feed to keep YAML-lint quiet.
-    - matches: MATCH_BUFFER_NOASSERT_WRITE
+    - matches: MATCH_BUFFER_NOASSERT_WRITE
+

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7312010 and 93feb70.

📒 Files selected for processing (59)

.gitignore (1 hunks)
rules/typescript/security/argon2-weak-type-typescript.yml (1 hunks)
rules/typescript/security/avoid-crypto-rc4-typescript.yml (1 hunks)
rules/typescript/security/avoid-crypto-sha1-typescript.yml (1 hunks)
rules/typescript/security/avoid-des-typescript.yml (1 hunks)
rules/typescript/security/chmod-permissions-typescript.yml (1 hunks)
rules/typescript/security/command-injection-typescript.yml (1 hunks)
rules/typescript/security/crypto-avoid-weak-hash-typescript.yml (1 hunks)
rules/typescript/security/detect-buffer-noassert-typescript.yml (1 hunks)
rules/typescript/security/detect-eval-with-expression-typescript.yml (1 hunks)
rules/typescript/security/detect-new-buffer-typescript.yml (1 hunks)
rules/typescript/security/detect-non-literal-regexp-typescript.yml (1 hunks)
rules/typescript/security/detect-non-literal-require-typescript.yml (1 hunks)
rules/typescript/security/detected-jwt-token-typescript.yml (1 hunks)
rules/typescript/security/hardcoded-hmac-key-typescript.yml (1 hunks)
rules/typescript/security/insecure-hash-typescript.yml (1 hunks)
rules/typescript/security/jwt-sensitive-data-typescript.yml (1 hunks)
rules/typescript/security/jwt-weak-encryption-typescript.yml (1 hunks)
rules/typescript/security/log-sensitive-data-typescript.yml (1 hunks)
rules/typescript/security/sql-injection-typescript.yml (1 hunks)
tests/__snapshots__/argon2-weak-type-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/avoid-crypto-rc4-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/avoid-crypto-sha1-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/avoid-des-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/chmod-permissions-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/command-injection-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/crypto-avoid-weak-hash-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-buffer-noassert-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-eval-with-expression-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-new-buffer-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-non-literal-regexp-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-non-literal-require-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detected-jwt-token-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/hardcoded-hmac-key-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/insecure-hash-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/jwt-sensitive-data-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/jwt-weak-encryption-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/log-sensitive-data-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/sql-injection-typescript-snapshot.yml (1 hunks)
tests/python/__snapshots__/debug-enabled-python-snapshot.yml (1 hunks)
tests/typescript/argon2-weak-type-typescript-test.yml (1 hunks)
tests/typescript/avoid-crypto-rc4-typescript-test.yml (1 hunks)
tests/typescript/avoid-crypto-sha1-typescript-test.yml (1 hunks)
tests/typescript/avoid-des-typescript-test.yml (1 hunks)
tests/typescript/chmod-permissions-typescript-test.yml (1 hunks)
tests/typescript/command-injection-typescript-test.yml (1 hunks)
tests/typescript/crypto-avoid-weak-hash-typescript-test.yml (1 hunks)
tests/typescript/detect-buffer-noassert-typescript-test.yml (1 hunks)
tests/typescript/detect-eval-with-expression-typescript-test.yml (1 hunks)
tests/typescript/detect-new-buffer-typescript-test.yml (1 hunks)
tests/typescript/detect-non-literal-regexp-typescript-test.yml (1 hunks)
tests/typescript/detect-non-literal-require-typescript-test.yml (1 hunks)
tests/typescript/detected-jwt-token-typescript-test.yml (1 hunks)
tests/typescript/hardcoded-hmac-key-typescript-test.yml (1 hunks)
tests/typescript/insecure-hash-typescript-test.yml (1 hunks)
tests/typescript/jwt-sensitive-data-typescript-test.yml (1 hunks)
tests/typescript/jwt-weak-encryption-typescript-test.yml (1 hunks)
tests/typescript/log-sensitive-data-typescript-test.yml (1 hunks)
tests/typescript/sql-injection-typescript-test.yml (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

tests/typescript/jwt-sensitive-data-typescript-test.yml

[error] 12-12: trailing spaces

(trailing-spaces)

[error] 15-15: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/command-injection-typescript-test.yml

[error] 8-8: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/insecure-hash-typescript-test.yml

[error] 9-9: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/detect-non-literal-regexp-typescript-test.yml

[error] 9-9: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/avoid-crypto-rc4-typescript-test.yml

[error] 9-9: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/detect-new-buffer-typescript-test.yml

[error] 8-8: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/detect-eval-with-expression-typescript-test.yml

[error] 12-12: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/detect-non-literal-require-typescript-test.yml

[error] 9-9: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/detect-new-buffer-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 27-27: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/chmod-permissions-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 35-35: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/argon2-weak-type-typescript-test.yml

[error] 9-9: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/detected-jwt-token-typescript-test.yml

[error] 11-11: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/sql-injection-typescript-test.yml

[error] 18-18: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/log-sensitive-data-typescript-test.yml

[error] 11-11: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/detect-buffer-noassert-typescript-test.yml

[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/crypto-avoid-weak-hash-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 38-38: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/avoid-crypto-rc4-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 42-42: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/avoid-des-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 42-42: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/log-sensitive-data-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 105-105: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/detect-non-literal-require-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 33-33: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/crypto-avoid-weak-hash-typescript-test.yml

[error] 10-10: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/sql-injection-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 45-45: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/jwt-weak-encryption-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 54-54: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/hardcoded-hmac-key-typescript-test.yml

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 9-9: trailing spaces

(trailing-spaces)

[error] 14-14: trailing spaces

(trailing-spaces)

[error] 16-16: trailing spaces

(trailing-spaces)

[error] 19-19: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/avoid-crypto-sha1-typescript-test.yml

[error] 8-8: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/detect-non-literal-regexp-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 30-30: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/jwt-sensitive-data-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 60-60: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/chmod-permissions-typescript-test.yml

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 13-13: trailing spaces

(trailing-spaces)

[error] 15-15: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/avoid-des-typescript-test.yml

[error] 11-11: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/insecure-hash-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 43-43: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/avoid-crypto-sha1-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 34-34: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/detect-eval-with-expression-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 40-40: no new line character at the end of file

(new-line-at-end-of-file)

tests/typescript/jwt-weak-encryption-typescript-test.yml

[error] 8-8: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/argon2-weak-type-typescript.yml

[error] 59-59: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/detected-jwt-token-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 22-22: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/detect-buffer-noassert-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 93-93: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/hardcoded-hmac-key-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 93-93: no new line character at the end of file

(new-line-at-end-of-file)

rules/typescript/security/command-injection-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 35-35: no new line character at the end of file

(new-line-at-end-of-file)

🔍 MCP Research (1 server)

Linear: The PR introduces modular TypeScript security rules using precise AST pattern matching to detect weak cryptography, injection risks, insecure permissions, and sensitive data leaks, enforcing severity levels aligned with CWE standards. Test suites with valid/invalid cases and snapshots ensure robust coverage and regression safety. Reviewers should verify pattern accuracy to minimize false positives, confirm severity appropriateness, and validate external references. The .gitignore update for .claude files should be checked for relevance to tooling artifacts.

🔇 Additional comments (10)

rules/typescript/security/sql-injection-typescript.yml (1)

20-21: Potential false-positives: match is case-sensitive & broad.
SELECT etc. in non-SQL contexts will trip this rule. Consider
regex: "(?i)\\b(SELECT|INSERT|UPDATE|DELETE)\\b" to be case-insensitive and word-bounded.

tests/__snapshots__/chmod-permissions-typescript-snapshot.yml (1)

1-30: Snapshot looks good – no structural issues spotted.

tests/typescript/command-injection-typescript-test.yml (1)

4-8: Double-check the rule pattern matches childprocess.exec

Many codebases alias the Node module via
const child_process = require('child_process'); → child_process.exec.
If the rule keyes off child_process.exec, using the lowercase variable name may escape detection. Please verify the detector covers this aliasing pattern.

tests/__snapshots__/avoid-crypto-rc4-typescript-snapshot.yml (1)

1-30: Snapshot LGTM

Structure and label metadata look consistent with earlier snapshots. No issues spotted.

tests/__snapshots__/detect-new-buffer-typescript-snapshot.yml (1)

1-20: Snapshot LGTM

Key formatting (var a = new Buffer(c):) and label offsets are coherent. 👍

tests/__snapshots__/detect-non-literal-require-typescript-snapshot.yml (1)

1-22: Snapshot LGTM

The complex-key mapping and offsets correctly mirror the source snippet. No further action.

tests/__snapshots__/detected-jwt-token-typescript-snapshot.yml (1)

1-16: Snapshot looks fine – just ensure CI tolerates large scalar keys.

Nothing blocking; structure is syntactically valid YAML and representative tokens are diverse.

tests/__snapshots__/detect-eval-with-expression-typescript-snapshot.yml (1)

3-25: Snapshot appears truncated – verify completeness

The snapshot stops abruptly at line 25 with no closing structure. An incomplete snapshot will cause snapshot-matching to fail at runtime.

Please confirm the file contains the full labels list and a terminating newline in the actual commit.

tests/typescript/log-sensitive-data-typescript-test.yml (1)

4-5: Confirm that the rule ignores literal strings containing “email”

The “valid” examples log the literal text email even though no sensitive field is emitted.
Double-check that the rule triggers only on the property access (user.email) and not on the static string, otherwise these cases should move to the invalid set.

tests/__snapshots__/jwt-weak-encryption-typescript-snapshot.yml (1)

3-5: Snapshot content looks good

Patterns capture both permutations of "none" in the algorithms array – adequate for regression tests.
No issues spotted.

rules/typescript/security/detect-buffer-noassert-typescript.yml

rules/typescript/security/detect-eval-with-expression-typescript.yml

rules/typescript/security/detect-non-literal-regexp-typescript.yml

rules/typescript/security/detected-jwt-token-typescript.yml

rules/typescript/security/hardcoded-hmac-key-typescript.yml

tests/__snapshots__/insecure-hash-typescript-snapshot.yml

tests/__snapshots__/jwt-sensitive-data-typescript-snapshot.yml

tests/__snapshots__/sql-injection-typescript-snapshot.yml

coderabbitai · 2025-07-24T10:55:46Z

tests/typescript/argon2-weak-type-typescript-test.yml

+invalid:
+  - |
+    await argon2.hash('password', {type: argon2.argon2d})
+    await argon2.hash('password', {type: argon2.argon2i})


⚠️ Potential issue

Missing trailing newline breaks YAML-lint.

yamllint treats lack of \n at EOF as an error, which will fail CI.
Add a single blank line at the end of the file.

await argon2.hash('password', {type: argon2.argon2i}) +

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

await argon2.hash('password', {type: argon2.argon2i})

await argon2.hash('password', {type: argon2.argon2i})

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 9-9: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents

In tests/typescript/argon2-weak-type-typescript-test.yml at line 9, the file is missing a trailing newline which causes yamllint to fail. Add a single blank line at the end of the file to ensure it ends with a newline character and passes YAML linting.

coderabbitai · 2025-07-24T10:55:46Z

tests/typescript/crypto-avoid-weak-hash-typescript-test.yml

+  - |
+    const hash = CryptoJS.MD5("Message", "Secret Passphrase");
+    const hash = CryptoJS.SHA1("Message", "Secret Passphrase");
+    const hash = CryptoJS.HmacMD5("Message", "Secret Passphrase");


⚠️ Potential issue

Trailing newline missing – will trip YAML-lint.

Same lint error here; append a newline.

const hash = CryptoJS.HmacMD5("Message", "Secret Passphrase"); +

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

const hash = CryptoJS.HmacMD5("Message", "Secret Passphrase");

const hash = CryptoJS.HmacMD5("Message", "Secret Passphrase");

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 10-10: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents

In tests/typescript/crypto-avoid-weak-hash-typescript-test.yml at line 10, the file is missing a trailing newline which causes YAML-lint errors. Add a newline character at the end of the file after the last line to fix the linting issue.

- Add ts-node security rules for runtime protection

gatsby003 · 2025-07-24T12:01:52Z

@coderabbitai full review

coderabbitai · 2025-07-24T12:01:58Z

✅ Actions performed

Full review triggered.

coderabbitai

Actionable comments posted: 35

🔭 Outside diff range comments (2)

tests/python/python-peewee-mysql-empty-password-python-test.yml (1)

4-4: Fix typo in class name to keep the “valid” sample actually valid.

MySQLDatabe is misspelled (missing the “s”). As-is, the “valid” snippet will raise NameError, defeating the purpose of demonstrating a valid usage and potentially skewing rule accuracy metrics.
-    mysql_db1 = MySQLDatabe('my_app', user='app', password=os.env['pass'], host='10.1.0.8', port=3306)
+    mysql_db1 = MySQLDatabase('my_app', user='app', password=os.env['pass'], host='10.1.0.8', port=3306)

tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml (1)

143-226: Remove duplicate bad2() snapshot entry

The import com.auth0.jwt.algorithms.Algorithm; block in
tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml appears three times (lines 4, 61, 144). The entries at lines 61–142 and 144–226 are byte-for-byte identical, causing a duplicate-key conflict in the YAML mapping.

Please drop the second copy (lines 143–226).

• File: tests/snapshots/java-jwt-hardcoded-secret-java-snapshot.yml
– Duplicate snapshot block at lines 143–226 matches the one at lines 61–142

Proposed diff:

--- a/tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml
+++ b/tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml
@@ -143,84 +143,6 @@
-  ? |-
-    import com.auth0.jwt.algorithms.Algorithm;
-    public class App
-    {
-    static String secret = "secret";
-    public void bad2() {
-       try {
-           Algorithm algorithm = Algorithm.HMAC256(secret);
-           String token = JWT.create()
-               .withIssuer("auth0")
-               .sign(algorithm);
-       } catch (JWTCreationException exception){
-     }
-    }
-  : labels:
-    - source: '"secret"'
-      style: primary
-      start: 85
-      end: 93
-    - source: secret
-      style: secondary
-      start: 86
-      end: 92
-    - source: Algorithm
-      style: secondary
-      start: 132
-      end: 141
-    - source: algorithm
-      style: secondary
-      start: 142
-      end: 151
-    - source: Algorithm
-      style: secondary
-      start: 154
-      end: 163
-    - source: HMAC256
-      style: secondary
-      start: 164
-      end: 171
-    - source: secret
-      style: secondary
-      start: 172
-      end: 178
-    - source: (secret)
-      style: secondary
-      start: 171
-      end: 179
-    - source: Algorithm.HMAC256(secret)
-      style: secondary
-      start: 154
-      end: 179
-    - source: algorithm = Algorithm.HMAC256(secret)
-      style: secondary
-      start: 142
-      end: 179
-    - source: Algorithm algorithm = Algorithm.HMAC256(secret);
-      style: secondary
-      start: 132
-      end: 180
-    - source: |-
-        public class App
-        {
-        static String secret = "secret";
-        public void bad2() {
-           try {
-               Algorithm algorithm = Algorithm.HMAC256(secret);
-               String token = JWT.create()
-                   .withIssuer("auth0")
-                   .sign(algorithm);
-           } catch (JWTCreationException exception){
-         }
-        }
-      style: secondary
-      start: 43
-      end: 326
-    - source: secret
-      style: secondary
-      start: 76
-      end: 82
-    - source: secret = "secret"
-      style: secondary
-      start: 76
-      end: 93

After removal, re-run the snapshot tests to ensure no parsing errors.

🧹 Nitpick comments (30)

tests/python/python-peewee-pg-empty-password-python-test.yml (1)
8-8: Remove trailing whitespace to pass YAMLlint

Line 8 ends with stray spaces, triggering the trailing-spaces rule. Delete the extra blanks to keep the CI green.
-    pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
-  
+    pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
rules/c/security/null-library-function-c.yml (1)
262-262: Strip trailing whitespace to silence YAML lint error

The final blank line contains superfluous spaces (YAMLlint trailing-spaces), which will keep the pipeline red until removed.
-   
+
tests/python/python-peewee-pg-hardcoded-secret-python-test.yml (1)
8-8: Remove trailing whitespace on the blank line

YAML-lint flags this as trailing-spaces. Delete the two spaces after the newline to keep the file lint-clean and consistent with the other test fixtures.
-  
+
tests/python/python-requests-empty-password-python-test.yml (1)
9-9: Strip trailing whitespace to satisfy YAML linting

Line 9 ends with superfluous spaces, tripping YAMLlint’s trailing-spaces rule. Removing them keeps the test fixture clean and CI-friendly.
-    requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('username', ''))      
+    requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('username', ''))
tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml (1)
25-32: Remove duplicated label entries to keep snapshots lean and unambiguous.

The two import okhttp3.*; label blocks (25-32) and the two private String password = "hi"; blocks (49-56) are identical. They add no extra coverage but increase snapshot size and can confuse future readers or tooling that aggregates label data.
-    - source: import okhttp3.*;
-      style: secondary
-      start: 0
-      end: 17
...
-    - source: private String password = "hi";
-      style: secondary
-      start: 55
-      end: 86
Unless there is a specific reason to emit exact duplicates, please drop the redundant entries.

Also applies to: 49-56
tests/__snapshots__/datanucleus-hardcoded-connection-password-java-snapshot.yml (2)

85-94: Avoid duplicating identical snapshot blocks

The snippet added here is byte-for-byte identical to the one that already exists at lines 4-12. Keeping two identical examples bloats the snapshot, slows down diff reviews, and may introduce confusion about why two cases are needed when they test the same path (variable holding a hard-coded literal).
Unless the intention is to exercise ordering or metadata differences, consider removing one of the copies or parameterising the test generator to emit the snippet once.

95-166: Consolidate duplicated labels metadata

The label list for the new block is a verbatim duplicate of the label list that already exists above (lines 12-84). Repeating the same 30-line metadata section doubles maintenance effort and increases the risk of the two sets drifting apart over time.
Instead, keep a single label list or generate it programmatically to avoid manual duplication.
tests/python/jwt-python-hardcoded-secret-python-test.yml (1)
22-22: Strip trailing whitespace

YAML-lint flags a trailing space on this blank line. Remove it to keep the test file clean.
-    
+
tests/__snapshots__/passwordauthentication-hardcoded-password-java-snapshot.yml (1)

187-189: False-positive secret detection – consider suppressing for snapshot directory

gitleaks flags the base64 token on line 188 as a “generic API key”. This string is intentionally hard-coded here to test the rule, not an actual secret.
Add the snapshot path to your .gitleaks.toml [[allowlist.files]] or use an inline # gitleaks: allow comment to prevent noise in CI.
tests/__snapshots__/postgres-empty-password-rust-snapshot.yml (1)
124-129: Identifier as is a reserved Rust keyword

Using as as a variable (as = "") renders the snippet syntactically invalid Rust.
Snapshots don’t have to compile, but picking legal identifiers (e.g. pwd or empty_pwd) avoids confusing readers and future pattern-matching rules.
-    as = "";
+    let empty_pwd = "";
…
-     .password(as)
+     .password(empty_pwd)
rules/typescript/security/avoid-crypto-sha1-typescript.yml (1)

2-2: Consider upgrading severity from warning to error.

Using SHA-1 is categorically insecure (broken collision resistance since 2017). Flagging it as an error better reflects the risk and aligns with CWE-328 guidance.
rules/typescript/security/detect-non-literal-require-typescript.yml (1)
24-27: Binary-expression arguments are not flagged.

require(moduleName + "/foo") and require(${base}/bar) evade detection.
Extend MATCH_NON_LITERAL_REQUIRE to include binary_expression and template strings without substitutions but containing +.
-              - kind: identifier
+              - kind: identifier
+              - kind: binary_expression
rules/typescript/security/log-sensitive-data-typescript.yml (2)
5-5: Remove trailing whitespace to satisfy YAML-lint.

Line 5 ends with a superfluous space that YAML-lint already flags.
This is purely cosmetic but will keep CI green.
-  Avoid logging sensitive data. Do not log sensitive data such as user id, email␠
+  Avoid logging sensitive data. Do not log sensitive data such as user id, email
29-33: Add “debug” to the recognised log levels.

logger.debug/console.debug are frequently used for verbose output and are just as likely to leak PII.
Extending the property_identifier list closes this blind spot.
   any:
     - regex: "^warn$"
     - regex: "^info$"
     - regex: "^error$"
     - regex: "^fatal$"
     - regex: "^log$"
+    - regex: "^debug$"
rules/typescript/security/detect-non-literal-regexp-typescript.yml (1)
5-6: Strip trailing whitespace to appease YAML-lint.

Both lines have dangling spaces that fail the linter.
-  Detects non-literal values in regular expressions. Creating a regular expression␠
-  with user input is a security vulnerability as it could lead to a Regular ␠
+  Detects non-literal values in regular expressions. Creating a regular expression
+  with user input is a security vulnerability as it could lead to a Regular
rules/typescript/security/detect-eval-with-expression-typescript.yml (1)
5-5: Trim trailing space to silence YAML-lint.

Minor formatting issue only.
-  Avoid `eval` with expressions. The `eval` function could execute malicious code ␠
+  Avoid `eval` with expressions. The `eval` function could execute malicious code
rules/typescript/security/detect-buffer-noassert-typescript.yml (1)
5-5: Remove stray space caught by YAML-lint.
-  Avoid calls to 'buffer' with 'noAssert' flag set. If you skip the `offset` ␠
+  Avoid calls to 'buffer' with 'noAssert' flag set. If you skip the `offset`
tests/typescript/jwt-sensitive-data-typescript-test.yml (1)
12-12: Delete trailing whitespace to keep tests lint-clean.
-    )
-    
+    )
rules/typescript/security/chmod-permissions-typescript.yml (2)

5-6: Trim trailing whitespace to satisfy YAML lint
Remove the stray spaces at EOL to keep CI green and avoid noisy diffs.

2-2: Consider escalating severity from warning → error
Granting world-writable/executable permissions is almost always a security defect rather than “maybe fix later”. Evaluate whether error better reflects organisational policy.
tests/typescript/chmod-permissions-typescript-test.yml (2)
6-6: Remove trailing whitespace to pass YAML lint
CI will fail on these two blank lines that contain spaces.

Also applies to: 13-13

9-16: Add callback-style fs.chmod coverage
The rule targets async as well as sync APIs, but the test suite lacks a callback variant:
invalid:
  - |
    const fs = require('fs');
    fs.chmod("/tmp/file", 0o777, () => {});
Including it safeguards against future pattern regressions.
rules/typescript/security/avoid-crypto-rc4-typescript.yml (2)

5-6: Strip trailing whitespace to appease lint
Same whitespace issue – quick win.

8-9: CWE reference looks off
RC4 weakness maps better to CWE-326 (“Inadequate Encryption Strength”) than CWE-328 (weak hash). Consider updating for accuracy.

rules/typescript/security/insecure-hash-typescript.yml (1)

5-6: Trim trailing spaces
YAMLlint flags this – easy fix.
rules/typescript/security/crypto-avoid-weak-hash-typescript.yml (2)
5-6: Remove trailing whitespace
Consistent lint hygiene.

28-31: Include HmacSHA1 to mirror CryptoJS offerings
Currently SHA1 hashing via CryptoJS.HmacSHA1() slips through. Extend the any: list:
                   - regex: "^SHA1$"
+                  - regex: "^HmacSHA1$"
Keeps coverage parity with MD5 counterparts.
rules/typescript/security/hardcoded-hmac-key-typescript.yml (1)
12-23: MATCH_CRYPTO_IMPORT is unused – remove to reduce rule size.

The active rule only references MATCH_HARDCODED_HMAC; keeping an extra util that isn’t consumed adds noise.
-  MATCH_CRYPTO_IMPORT:
-    kind: import_statement
-    ...
-            regex: "^crypto$"
rules/typescript/security/command-injection-typescript.yml (2)
5-5: Remove trailing whitespace to satisfy YAML-lint.

Line 5 ends with an extra space, which the linter already flagged.
-  Avoid command injection. When executing a command, never use unchecked variables.␠
+  Avoid command injection. When executing a command, never use unchecked variables.
32-35: any: wrapper is redundant with a single entry.

Inside rule: there is just one matches. You can drop the any: list and directly write:
rule:
  matches: MATCH_COMMAND_INJECTION
Simplifies the YAML and avoids one nesting level.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 93feb70 and 4b23b8f.

📒 Files selected for processing (195)

.gitignore (1 hunks)
package.json (1 hunks)
rules/c/security/null-library-function-c.yml (1 hunks)
rules/cpp/security/null-library-function-cpp.yml (1 hunks)
rules/go/security/grpc-client-insecure-connection-go.yml (1 hunks)
rules/html/security/plaintext-http-link-html.yml (1 hunks)
rules/java/security/hardcoded-connection-password-java.yml (1 hunks)
rules/java/security/java-jwt-hardcoded-secret-java.yml (1 hunks)
rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml (1 hunks)
rules/java/security/use-of-default-aes-java.yml (1 hunks)
rules/java/security/use-of-md5-java.yml (1 hunks)
rules/java/security/use-of-sha1-java.yml (1 hunks)
rules/php/security/openssl-cbc-static-iv-php.yml (1 hunks)
rules/python/security/hashids-with-django-secret-python.yml (1 hunks)
rules/python/security/python-peewee-pg-empty-password-python.yml (1 hunks)
rules/python/security/python-pg8000-hardcoded-secret-python.yml (1 hunks)
rules/python/security/python-psycopg2-empty-password-python.yml (1 hunks)
rules/python/security/python-psycopg2-hardcoded-secret-python.yml (1 hunks)
rules/python/security/python-redis-empty-password-python.yml (1 hunks)
rules/python/security/python-redis-hardcoded-secret-python.yml (1 hunks)
rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml (1 hunks)
rules/ruby/security/ruby-pg-empty-password-ruby.yml (1 hunks)
rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml (1 hunks)
rules/rust/security/empty-password-rust.yml (1 hunks)
rules/rust/security/hardcoded-password-rust.yml (1 hunks)
rules/typescript/security/argon2-weak-type-typescript.yml (1 hunks)
rules/typescript/security/avoid-crypto-rc4-typescript.yml (1 hunks)
rules/typescript/security/avoid-crypto-sha1-typescript.yml (1 hunks)
rules/typescript/security/avoid-des-typescript.yml (1 hunks)
rules/typescript/security/chmod-permissions-typescript.yml (1 hunks)
rules/typescript/security/command-injection-typescript.yml (1 hunks)
rules/typescript/security/crypto-avoid-weak-hash-typescript.yml (1 hunks)
rules/typescript/security/detect-buffer-noassert-typescript.yml (1 hunks)
rules/typescript/security/detect-eval-with-expression-typescript.yml (1 hunks)
rules/typescript/security/detect-new-buffer-typescript.yml (1 hunks)
rules/typescript/security/detect-non-literal-regexp-typescript.yml (1 hunks)
rules/typescript/security/detect-non-literal-require-typescript.yml (1 hunks)
rules/typescript/security/detected-jwt-token-typescript.yml (1 hunks)
rules/typescript/security/hardcoded-hmac-key-typescript.yml (1 hunks)
rules/typescript/security/insecure-hash-typescript.yml (1 hunks)
rules/typescript/security/jwt-sensitive-data-typescript.yml (1 hunks)
rules/typescript/security/jwt-weak-encryption-typescript.yml (1 hunks)
rules/typescript/security/log-sensitive-data-typescript.yml (1 hunks)
rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml (1 hunks)
rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml (1 hunks)
rules/typescript/security/sql-injection-typescript.yml (1 hunks)
sgconfig.yml (1 hunks)
tests/__snapshots__/argon2-weak-type-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/avoid-crypto-rc4-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/avoid-crypto-sha1-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/avoid-des-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml (1 hunks)
tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml (1 hunks)
tests/__snapshots__/chmod-permissions-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/command-injection-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/crypto-avoid-weak-hash-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/datanucleus-hardcoded-connection-password-java-snapshot.yml (1 hunks)
tests/__snapshots__/debug-enabled-python-snapshot.yml (1 hunks)
tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-buffer-noassert-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-eval-with-expression-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-new-buffer-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-non-literal-regexp-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detect-non-literal-require-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/detected-jwt-token-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/ecb-cipher-java-snapshot.yml (1 hunks)
tests/__snapshots__/empty-password-rust-snapshot.yml (1 hunks)
tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml (1 hunks)
tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml (1 hunks)
tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml (1 hunks)
tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml (1 hunks)
tests/__snapshots__/hardcoded-connection-password-java-snapshot.yml (1 hunks)
tests/__snapshots__/hardcoded-hmac-key-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/hardcoded-http-auth-in-controller-ruby-snapshot.yml (1 hunks)
tests/__snapshots__/hardcoded-password-rust-snapshot.yml (1 hunks)
tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml (1 hunks)
tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/insecure-biometrics-swift-snapshot.yml (1 hunks)
tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml (1 hunks)
tests/__snapshots__/insecure-hash-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml (1 hunks)
tests/__snapshots__/jedis-jedisclientconfig-hardcoded-password-java-snapshot.yml (1 hunks)
tests/__snapshots__/jwt-sensitive-data-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/jwt-weak-encryption-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/log-sensitive-data-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/null-library-function-c-snapshot.yml (1 hunks)
tests/__snapshots__/null-library-function-cpp-snapshot.yml (1 hunks)
tests/__snapshots__/passwordauthentication-hardcoded-password-java-snapshot.yml (1 hunks)
tests/__snapshots__/postgres-empty-password-rust-snapshot.yml (1 hunks)
tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-mysql-empty-password-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-mysql-hardcoded-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-neo4j-hardcoded-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-peewee-mysql-hardcoded-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-psycopg2-hardcoded-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-pymysql-hardcoded-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-redis-hardcoded-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-requests-empty-password-python-snapshot.yml (1 hunks)
tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml (1 hunks)
tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml (1 hunks)
tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml (1 hunks)
tests/__snapshots__/ruby-aws-sdk-hardcoded-secret-ruby-snapshot.yml (1 hunks)
tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml (1 hunks)
tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml (1 hunks)
tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml (1 hunks)
tests/__snapshots__/secrets-reqwest-hardcoded-auth-rust-snapshot.yml (1 hunks)
tests/__snapshots__/sql-injection-typescript-snapshot.yml (1 hunks)
tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml (1 hunks)
tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml (1 hunks)
tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml (1 hunks)
tests/__snapshots__/use-of-blowfish-java-snapshot.yml (1 hunks)
tests/__snapshots__/use-of-default-aes-java-snapshot.yml (1 hunks)
tests/__snapshots__/use-of-sha1-java-snapshot.yml (1 hunks)
tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml (1 hunks)
tests/c/null-library-function-c-test.yml (1 hunks)
tests/cpp/null-library-function-cpp-test.yml (1 hunks)
tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml (1 hunks)
tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml (1 hunks)
tests/go/grpc-client-insecure-connection-go-test.yml (1 hunks)
tests/go/use-of-weak-rsa-key-go-test.yml (1 hunks)
tests/java/datanucleus-hardcoded-connection-password-java-test.yml (1 hunks)
tests/java/ecb-cipher-java-test.yml (1 hunks)
tests/java/hardcoded-connection-password-java-test.yml (1 hunks)
tests/java/hardcoded-secret-in-credentials-java-test.yml (1 hunks)
tests/java/java-jwt-hardcoded-secret-java-test.yml (1 hunks)
tests/java/jedis-jedisclientconfig-hardcoded-password-java-test.yml (1 hunks)
tests/java/passwordauthentication-hardcoded-password-java-test.yml (1 hunks)
tests/java/system-setproperty-hardcoded-secret-java-test.yml (1 hunks)
tests/java/use-of-blowfish-java-test.yml (1 hunks)
tests/java/use-of-default-aes-java-test.yml (1 hunks)
tests/java/use-of-rc2-java-test.yml (1 hunks)
tests/java/use-of-sha1-java-test.yml (1 hunks)
tests/javascript/express-session-hardcoded-secret-javascript-test.yml (1 hunks)
tests/python/debug-enabled-python-test.yml (1 hunks)
tests/python/hashids-with-flask-secret-python-test.yml (1 hunks)
tests/python/insecure-cipher-algorithm-rc4-python-test.yml (1 hunks)
tests/python/jwt-python-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-ldap3-empty-password-python-test.yml (1 hunks)
tests/python/python-ldap3-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-mysql-empty-password-python-test.yml (1 hunks)
tests/python/python-mysql-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-neo4j-empty-password-python-test.yml (1 hunks)
tests/python/python-neo4j-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-peewee-mysql-empty-password-python-test.yml (1 hunks)
tests/python/python-peewee-mysql-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-peewee-pg-empty-password-python-test.yml (1 hunks)
tests/python/python-peewee-pg-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-psycopg2-empty-password-python-test.yml (1 hunks)
tests/python/python-psycopg2-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-pymssql-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-pymysql-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-redis-hardcoded-secret-python-test.yml (1 hunks)
tests/python/python-requests-empty-password-python-test.yml (1 hunks)
tests/python/python-urllib3-hardcoded-secret-python-test.yml (1 hunks)
tests/ruby/hardcoded-http-auth-in-controller-ruby-test.yml (1 hunks)
tests/ruby/ruby-aws-sdk-hardcoded-secret-ruby-test.yml (1 hunks)
tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml (1 hunks)
tests/ruby/ruby-pg-empty-password-ruby-test.yml (1 hunks)
tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml (1 hunks)
tests/rust/empty-password-rust-test.yml (1 hunks)
tests/rust/hardcoded-password-rust-test.yml (1 hunks)
tests/rust/postgres-empty-password-rust-test.yml (1 hunks)
tests/rust/reqwest-accept-invalid-rust-test.yml (1 hunks)
tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml (1 hunks)
tests/rust/tokio-postgres-empty-password-rust-test.yml (1 hunks)
tests/rust/tokio-postgres-hardcoded-password-rust-test.yml (1 hunks)
tests/swift/blowfish-hardcoded-secret-swift-test.yml (1 hunks)
tests/swift/chacha20-hardcoded-secret-swift-test.yml (1 hunks)
tests/swift/insecure-biometrics-swift-test.yml (1 hunks)
tests/swift/rabbit-hardcoded-secret-swift-test.yml (1 hunks)
tests/typescript/argon2-weak-type-typescript-test.yml (1 hunks)
tests/typescript/avoid-crypto-rc4-typescript-test.yml (1 hunks)
tests/typescript/avoid-crypto-sha1-typescript-test.yml (1 hunks)
tests/typescript/avoid-des-typescript-test.yml (1 hunks)
tests/typescript/chmod-permissions-typescript-test.yml (1 hunks)
tests/typescript/command-injection-typescript-test.yml (1 hunks)
tests/typescript/crypto-avoid-weak-hash-typescript-test.yml (1 hunks)
tests/typescript/detect-angular-sce-disabled-typescript.yml (1 hunks)
tests/typescript/detect-buffer-noassert-typescript-test.yml (1 hunks)
tests/typescript/detect-eval-with-expression-typescript-test.yml (1 hunks)
tests/typescript/detect-new-buffer-typescript-test.yml (1 hunks)
tests/typescript/detect-non-literal-regexp-typescript-test.yml (1 hunks)
tests/typescript/detect-non-literal-require-typescript-test.yml (1 hunks)
tests/typescript/detected-jwt-token-typescript-test.yml (1 hunks)
tests/typescript/hardcoded-hmac-key-typescript-test.yml (1 hunks)
tests/typescript/insecure-hash-typescript-test.yml (1 hunks)
tests/typescript/jwt-sensitive-data-typescript-test.yml (1 hunks)
tests/typescript/jwt-weak-encryption-typescript-test.yml (1 hunks)
tests/typescript/log-sensitive-data-typescript-test.yml (1 hunks)
tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml (1 hunks)
tests/typescript/sql-injection-typescript-test.yml (1 hunks)

✅ Files skipped from review due to trivial changes (122)

rules/go/security/grpc-client-insecure-connection-go.yml
package.json
rules/java/security/hardcoded-connection-password-java.yml
rules/php/security/openssl-cbc-static-iv-php.yml
tests/rust/hardcoded-password-rust-test.yml
rules/python/security/python-redis-empty-password-python.yml
rules/java/security/java-jwt-hardcoded-secret-java.yml
tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml
tests/java/use-of-sha1-java-test.yml
rules/ruby/security/ruby-pg-empty-password-ruby.yml
rules/python/security/python-peewee-pg-empty-password-python.yml
tests/rust/empty-password-rust-test.yml
tests/swift/blowfish-hardcoded-secret-swift-test.yml
tests/java/passwordauthentication-hardcoded-password-java-test.yml
tests/java/system-setproperty-hardcoded-secret-java-test.yml
tests/rust/tokio-postgres-empty-password-rust-test.yml
rules/python/security/python-redis-hardcoded-secret-python.yml
tests/java/hardcoded-connection-password-java-test.yml
tests/java/java-jwt-hardcoded-secret-java-test.yml
tests/java/use-of-default-aes-java-test.yml
rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml
rules/python/security/python-psycopg2-hardcoded-secret-python.yml
rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml
tests/python/hashids-with-flask-secret-python-test.yml
tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml
rules/java/security/use-of-sha1-java.yml
tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml
tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml
tests/python/python-urllib3-hardcoded-secret-python-test.yml
rules/python/security/hashids-with-django-secret-python.yml
tests/ruby/hardcoded-http-auth-in-controller-ruby-test.yml
tests/java/ecb-cipher-java-test.yml
tests/rust/tokio-postgres-hardcoded-password-rust-test.yml
tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml
tests/python/python-mysql-hardcoded-secret-python-test.yml
tests/java/hardcoded-secret-in-credentials-java-test.yml
tests/java/use-of-blowfish-java-test.yml
tests/python/python-neo4j-hardcoded-secret-python-test.yml
rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml
tests/java/jedis-jedisclientconfig-hardcoded-password-java-test.yml
tests/python/insecure-cipher-algorithm-rc4-python-test.yml
tests/python/debug-enabled-python-test.yml
tests/swift/chacha20-hardcoded-secret-swift-test.yml
tests/python/python-pymssql-hardcoded-secret-python-test.yml
tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml
tests/ruby/ruby-aws-sdk-hardcoded-secret-ruby-test.yml
tests/typescript/detect-angular-sce-disabled-typescript.yml
tests/ruby/ruby-pg-empty-password-ruby-test.yml
tests/python/python-mysql-empty-password-python-test.yml
rules/rust/security/empty-password-rust.yml
tests/python/python-ldap3-empty-password-python-test.yml
tests/rust/postgres-empty-password-rust-test.yml
tests/python/python-pymysql-hardcoded-secret-python-test.yml
tests/swift/insecure-biometrics-swift-test.yml
tests/java/use-of-rc2-java-test.yml
tests/c/null-library-function-c-test.yml
rules/python/security/python-psycopg2-empty-password-python.yml
sgconfig.yml
.gitignore
tests/snapshots/insecure-cipher-algorithm-rc4-python-snapshot.yml
tests/go/use-of-weak-rsa-key-go-test.yml
tests/swift/rabbit-hardcoded-secret-swift-test.yml
tests/snapshots/python-redis-hardcoded-secret-python-snapshot.yml
tests/java/datanucleus-hardcoded-connection-password-java-test.yml
tests/snapshots/use-of-weak-rsa-key-go-snapshot.yml
tests/snapshots/python-psycopg2-empty-password-python-snapshot.yml
rules/java/security/use-of-default-aes-java.yml
tests/javascript/express-session-hardcoded-secret-javascript-test.yml
tests/cpp/null-library-function-cpp-test.yml
tests/snapshots/use-of-blowfish-java-snapshot.yml
tests/go/grpc-client-insecure-connection-go-test.yml
tests/snapshots/insecure-biometrics-swift-snapshot.yml
tests/snapshots/grpc-client-insecure-connection-go-snapshot.yml
tests/snapshots/python-peewee-mysql-hardcoded-secret-python-snapshot.yml
tests/snapshots/python-mysql-empty-password-python-snapshot.yml
tests/snapshots/python-ldap3-empty-password-python-snapshot.yml
tests/snapshots/reqwest-accept-invalid-rust-snapshot.yml
tests/snapshots/hardcoded-password-rust-snapshot.yml
tests/snapshots/use-of-sha1-java-snapshot.yml
tests/typescript/detect-non-literal-regexp-typescript-test.yml
tests/snapshots/null-library-function-cpp-snapshot.yml
tests/snapshots/detect-new-buffer-typescript-snapshot.yml
rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml
tests/snapshots/ecb-cipher-java-snapshot.yml
tests/snapshots/hashids-with-flask-secret-python-snapshot.yml
tests/snapshots/tokio-postgres-empty-password-rust-snapshot.yml
tests/snapshots/detect-angular-sce-disabled-typescript-snapshot.yml
tests/snapshots/use-of-default-aes-java-snapshot.yml
tests/typescript/sql-injection-typescript-test.yml
tests/snapshots/detect-non-literal-require-typescript-snapshot.yml
tests/snapshots/ruby-pg-hardcoded-secret-ruby-snapshot.yml
tests/snapshots/python-requests-empty-password-python-snapshot.yml
tests/typescript/command-injection-typescript-test.yml
tests/snapshots/python-psycopg2-hardcoded-secret-python-snapshot.yml
tests/snapshots/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml
tests/snapshots/hardcoded-http-auth-in-controller-ruby-snapshot.yml
tests/snapshots/ruby-aws-sdk-hardcoded-secret-ruby-snapshot.yml
tests/snapshots/ruby-faraday-hardcoded-secret-ruby-snapshot.yml
rules/rust/security/hardcoded-password-rust.yml
tests/snapshots/debug-enabled-python-snapshot.yml
tests/snapshots/jedis-jedisclientconfig-hardcoded-password-java-snapshot.yml
tests/snapshots/jwt-weak-encryption-typescript-snapshot.yml
tests/snapshots/system-setproperty-hardcoded-secret-java-snapshot.yml
tests/snapshots/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml
tests/snapshots/detect-non-literal-regexp-typescript-snapshot.yml
tests/snapshots/ruby-pg-empty-password-ruby-snapshot.yml
tests/snapshots/empty-password-rust-snapshot.yml
tests/snapshots/chacha20-hardcoded-secret-swift-snapshot.yml
tests/snapshots/avoid-des-typescript-snapshot.yml
tests/snapshots/python-pymysql-hardcoded-secret-python-snapshot.yml
tests/python/python-ldap3-hardcoded-secret-python-test.yml
tests/snapshots/express-session-hardcoded-secret-javascript-snapshot.yml
tests/snapshots/python-urllib3-hardcoded-secret-python-snapshot.yml
tests/python/python-redis-hardcoded-secret-python-test.yml
tests/snapshots/null-library-function-c-snapshot.yml
tests/snapshots/python-pymssql-hardcoded-secret-python-snapshot.yml
tests/snapshots/python-neo4j-hardcoded-secret-python-snapshot.yml
tests/snapshots/tokio-postgres-hardcoded-password-rust-snapshot.yml
tests/snapshots/hardcoded-connection-password-java-snapshot.yml
tests/snapshots/python-mysql-hardcoded-secret-python-snapshot.yml
tests/typescript/jwt-weak-encryption-typescript-test.yml
tests/snapshots/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml

🚧 Files skipped from review as they are similar to previous changes (27)

tests/snapshots/chmod-permissions-typescript-snapshot.yml
tests/typescript/avoid-crypto-sha1-typescript-test.yml
tests/snapshots/crypto-avoid-weak-hash-typescript-snapshot.yml
tests/typescript/detected-jwt-token-typescript-test.yml
tests/typescript/argon2-weak-type-typescript-test.yml
tests/typescript/log-sensitive-data-typescript-test.yml
tests/snapshots/detected-jwt-token-typescript-snapshot.yml
tests/typescript/crypto-avoid-weak-hash-typescript-test.yml
tests/snapshots/argon2-weak-type-typescript-snapshot.yml
tests/snapshots/avoid-crypto-sha1-typescript-snapshot.yml
tests/snapshots/sql-injection-typescript-snapshot.yml
tests/typescript/insecure-hash-typescript-test.yml
tests/typescript/detect-buffer-noassert-typescript-test.yml
tests/snapshots/jwt-sensitive-data-typescript-snapshot.yml
tests/typescript/avoid-des-typescript-test.yml
tests/typescript/detect-non-literal-require-typescript-test.yml
tests/snapshots/avoid-crypto-rc4-typescript-snapshot.yml
tests/snapshots/detect-buffer-noassert-typescript-snapshot.yml
tests/typescript/avoid-crypto-rc4-typescript-test.yml
rules/typescript/security/argon2-weak-type-typescript.yml
tests/snapshots/hardcoded-hmac-key-typescript-snapshot.yml
tests/typescript/detect-new-buffer-typescript-test.yml
tests/snapshots/log-sensitive-data-typescript-snapshot.yml
tests/snapshots/detect-eval-with-expression-typescript-snapshot.yml
tests/typescript/detect-eval-with-expression-typescript-test.yml
tests/snapshots/command-injection-typescript-snapshot.yml
tests/snapshots/insecure-hash-typescript-snapshot.yml

🧰 Additional context used

🪛 Gitleaks (8.27.2)

tests/__snapshots__/passwordauthentication-hardcoded-password-java-snapshot.yml

187-187: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 YAMLlint (1.37.1)

rules/c/security/null-library-function-c.yml

[error] 262-262: trailing spaces

(trailing-spaces)

rules/cpp/security/null-library-function-cpp.yml

[error] 262-262: trailing spaces

(trailing-spaces)

rules/html/security/plaintext-http-link-html.yml

[error] 80-80: trailing spaces

(trailing-spaces)

rules/java/security/use-of-md5-java.yml

[error] 109-109: trailing spaces

(trailing-spaces)

rules/python/security/python-pg8000-hardcoded-secret-python.yml

[error] 75-75: trailing spaces

(trailing-spaces)

rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml

[error] 199-199: trailing spaces

(trailing-spaces)

rules/typescript/security/avoid-crypto-rc4-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/avoid-crypto-sha1-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/avoid-des-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/chmod-permissions-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

rules/typescript/security/command-injection-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/crypto-avoid-weak-hash-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

rules/typescript/security/detect-buffer-noassert-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/detect-eval-with-expression-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/detect-new-buffer-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/detect-non-literal-regexp-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

rules/typescript/security/detect-non-literal-require-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

rules/typescript/security/detected-jwt-token-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/hardcoded-hmac-key-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

rules/typescript/security/insecure-hash-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/jwt-sensitive-data-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/jwt-weak-encryption-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

[error] 6-6: trailing spaces

(trailing-spaces)

rules/typescript/security/log-sensitive-data-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/typescript/security/sql-injection-typescript.yml

[error] 5-5: trailing spaces

(trailing-spaces)

tests/python/jwt-python-hardcoded-secret-python-test.yml

[error] 22-22: trailing spaces

(trailing-spaces)

tests/python/python-neo4j-empty-password-python-test.yml

[error] 40-40: trailing spaces

(trailing-spaces)

tests/python/python-peewee-mysql-empty-password-python-test.yml

[error] 8-8: trailing spaces

(trailing-spaces)

tests/python/python-peewee-mysql-hardcoded-secret-python-test.yml

[error] 7-7: trailing spaces

(trailing-spaces)

tests/python/python-peewee-pg-empty-password-python-test.yml

[error] 8-8: trailing spaces

(trailing-spaces)

tests/python/python-peewee-pg-hardcoded-secret-python-test.yml

[error] 8-8: trailing spaces

(trailing-spaces)

tests/python/python-psycopg2-empty-password-python-test.yml

[error] 7-7: trailing spaces

(trailing-spaces)

tests/python/python-psycopg2-hardcoded-secret-python-test.yml

[error] 7-7: trailing spaces

(trailing-spaces)

tests/python/python-requests-empty-password-python-test.yml

[error] 9-9: trailing spaces

(trailing-spaces)

tests/rust/reqwest-accept-invalid-rust-test.yml

[error] 13-13: trailing spaces

(trailing-spaces)

tests/typescript/chmod-permissions-typescript-test.yml

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 13-13: trailing spaces

(trailing-spaces)

tests/typescript/hardcoded-hmac-key-typescript-test.yml

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 9-9: trailing spaces

(trailing-spaces)

[error] 14-14: trailing spaces

(trailing-spaces)

[error] 16-16: trailing spaces

(trailing-spaces)

tests/typescript/jwt-sensitive-data-typescript-test.yml

[error] 12-12: trailing spaces

(trailing-spaces)

🔍 MCP Research (1 server)

Linear: The PR adds modular, AST-based TypeScript security rules defined in YAML, targeting cryptographic weaknesses, command injection, SQL injection, and sensitive data exposure. Each rule includes CWE references, severity levels, and external docs, with comprehensive snapshot and YAML tests ensuring detection accuracy and preventing regressions. The design promotes maintainability and extensibility within a mature static analysis ecosystem. Reviewers should verify rule correctness, test coverage, and consistent integration with CI enforcement.

🔇 Additional comments (1)

rules/typescript/security/detected-jwt-token-typescript.yml (1)

17-19: Escape the hyphen inside the character class to avoid unintended ranges.

[A-Za-z0-9-_=] interprets - as a range unless it is first/last or escaped.
Make the intent explicit to prevent future regex-engine surprises.
-          regex: 'eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}(\.[A-Za-z0-9-_.+/=]*)?'
+          regex: 'eyJ[A-Za-z0-9_\-=]{14,}\.[A-Za-z0-9_\-=]{13,}(\.[A-Za-z0-9_\-_.+/=]*)?'
[ suggest_essential_refactor ]

coderabbitai · 2025-07-24T12:12:56Z

rules/cpp/security/null-library-function-cpp.yml

⚠️ Potential issue

Remove trailing whitespace on the new blank line to satisfy YAMLlint
YAMLlint flags trailing-spaces on this newly-added line. Strip the whitespace but keep the terminating newline to retain the intended EOF newline without breaking CI.

- +

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 262-262: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In rules/cpp/security/null-library-function-cpp.yml at line 262, there is trailing whitespace on the new blank line causing a YAMLlint trailing-spaces error. Remove all spaces or tabs from this line while keeping the newline character intact to preserve the EOF newline and avoid CI failures.

coderabbitai · 2025-07-24T12:12:57Z

rules/html/security/plaintext-http-link-html.yml

⚠️ Potential issue

Strip trailing whitespace to satisfy YAML linting

YAML-lint reports a trailing-spaces error on this line. CI may fail until the stray blanks are removed.

- +

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 80-80: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In rules/html/security/plaintext-http-link-html.yml at line 80, there are trailing whitespace characters causing a YAML linting error. Remove all trailing spaces or tabs at the end of this line to satisfy the YAML linter and prevent CI failures.

coderabbitai · 2025-07-24T12:12:57Z

rules/java/security/use-of-md5-java.yml

⚠️ Potential issue

Remove trailing whitespace to satisfy YAML linting

Line 109 is an otherwise blank line containing stray spaces, triggering YAMLlint (trailing-spaces).
Delete the spaces (or the entire blank line) to restore a clean file and unblock the pipeline.

- +

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 109-109: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In rules/java/security/use-of-md5-java.yml at line 109, there is trailing whitespace on an otherwise blank line causing YAML linting errors. Remove all spaces on this line or delete the blank line entirely to fix the trailing-spaces lint issue and ensure the file passes validation.

coderabbitai · 2025-07-24T12:12:57Z

rules/python/security/python-pg8000-hardcoded-secret-python.yml

⚠️ Potential issue

Remove trailing whitespace to pass YAML lint

yamllint flags line 75 for trailing spaces. While harmless at runtime, this will fail style checks in CI. Strip the spaces and keep the blank line (or delete the line entirely).

- +

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 75-75: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In rules/python/security/python-pg8000-hardcoded-secret-python.yml at line 75, there is trailing whitespace causing yamllint to fail. Remove all trailing spaces from this line to pass the YAML lint check, either by stripping the spaces or deleting the line if it is blank.

coderabbitai · 2025-07-24T12:12:57Z

rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml

⚠️ Potential issue

Remove trailing whitespace to satisfy YAML linting

yamllint is flagging a trailing-space violation on this line.
Trim the spaces to keep the file clean and prevent CI failures.

- +

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 199-199: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml at line 199, there is trailing whitespace causing a YAML linting error. Remove any spaces or tabs at the end of this line to satisfy yamllint and prevent CI failures.

coderabbitai · 2025-07-24T12:13:01Z

tests/python/python-peewee-mysql-hardcoded-secret-python-test.yml

⚠️ Potential issue

Remove the trailing whitespace to pass YAML linting
YAMLlint flags the space at the end of line 7. This will fail quality gates in CI.

- mysql_db1 = MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)␠ + mysql_db1 = MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

mysql_db1 = MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)

mysql_db1 = MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 7-7: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In tests/python/python-peewee-mysql-hardcoded-secret-python-test.yml at line 7, there is a trailing whitespace at the end of the line that causes YAML linting to fail. Remove the trailing space after the port number to fix the linting error and pass the CI quality gates.

coderabbitai · 2025-07-24T12:13:01Z

tests/python/python-psycopg2-empty-password-python-test.yml

⚠️ Potential issue

Remove trailing spaces to satisfy YAMLlint.

The line still contains two trailing spaces, and the linter explicitly flags this (trailing-spaces). This will keep the pipeline red until fixed.

- c = psycopg2.connect(user, database=dbname, password="", **params).abc()·· + c = psycopg2.connect(user, database=dbname, password="", **params).abc()

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

c = psycopg2.connect(user, database=dbname, password="", **params).abc()

c = psycopg2.connect(user, database=dbname, password="", **params).abc()

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 7-7: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In tests/python/python-psycopg2-empty-password-python-test.yml at line 7, remove the two trailing spaces at the end of the line containing the psycopg2.connect call to satisfy the YAML linter and prevent pipeline failures.

coderabbitai · 2025-07-24T12:13:01Z

tests/python/python-psycopg2-hardcoded-secret-python-test.yml

⚠️ Potential issue

Remove trailing whitespace flagged by YAML lint

YAMLlint reports a trailing-spaces error on this line; leaving the two spaces will break the linting step in CI.

- c = psycopg2.connect(user, database=dbname, password="abc", **params).abc()·· + c = psycopg2.connect(user, database=dbname, password="abc", **params).abc()

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

c = psycopg2.connect(user, database=dbname, password="abc", **params).abc()

c = psycopg2.connect(user, database=dbname, password="abc", **params).abc()

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 7-7: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In tests/python/python-psycopg2-hardcoded-secret-python-test.yml at line 7, remove the trailing whitespace at the end of the line containing the psycopg2.connect call to fix the YAML lint trailing-spaces error and ensure the CI linting step passes.

coderabbitai · 2025-07-24T12:13:01Z

tests/rust/reqwest-accept-invalid-rust-test.yml

⚠️ Potential issue

Remove trailing spaces — YAML lint currently fails

The line ends with two extraneous spaces, triggering the YAML-lint trailing-spaces error shown in the static-analysis output. This will keep CI red until fixed.

- reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) + reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true)

reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true)

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 13-13: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In tests/rust/reqwest-accept-invalid-rust-test.yml at line 13, remove the two trailing spaces at the end of the line containing the reqwest::Client::builder() call to fix the YAML lint trailing-spaces error and allow the CI to pass.

coderabbitai · 2025-07-24T12:13:01Z

tests/typescript/hardcoded-hmac-key-typescript-test.yml

+
+    const safely_stored_key = config.get('AWS_KEY')
+    const safe_hmac = crypto.createHmac('sha256', safely_stored_key)
+
+    crypto.createHmac('sha256', process.env.KEY);
+invalid:
+  - |
+    import crypto from "crypto";
+
+    crypto.createHmac('sha256', 'pa4qacea4VK9t9nGv7yZtwmj').update(data).digest('hex');
+


⚠️ Potential issue

YAML lint is failing – strip the trailing whitespace.

yamllint reports trailing-space errors on the blank / indented lines 6, 9, 14 and 16, which will block CI.
No functional change – just trim the spaces.

- +

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 6-6: trailing spaces

(trailing-spaces)

[error] 9-9: trailing spaces

(trailing-spaces)

[error] 14-14: trailing spaces

(trailing-spaces)

[error] 16-16: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents

In tests/typescript/hardcoded-hmac-key-typescript-test.yml around lines 6 to 16, there are trailing spaces on blank or indented lines causing YAML lint errors. Remove all trailing whitespace characters from these lines to fix the linting issues without changing any functionality.

coderabbitai bot requested changes Jul 24, 2025

View reviewed changes

Add TypeScript security rules and tooling

4b23b8f

- Add ts-node security rules for runtime protection

gatsby003 force-pushed the ts-rules branch from 93feb70 to 4b23b8f Compare July 24, 2025 11:59

coderabbitai bot requested changes Jul 24, 2025

View reviewed changes

gatsby003 closed this Jul 24, 2025

gatsby003 deleted the ts-rules branch July 24, 2025 12:15

	await argon2.hash('password', {type: argon2.argon2i})
	await argon2.hash('password', {type: argon2.argon2i})

	const hash = CryptoJS.HmacMD5("Message", "Secret Passphrase");
	const hash = CryptoJS.HmacMD5("Message", "Secret Passphrase");

	mysql_db1 = MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)
	mysql_db1 = MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306)

	c = psycopg2.connect(user, database=dbname, password="", **params).abc()
	c = psycopg2.connect(user, database=dbname, password="", **params).abc()

	reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true)
	reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true)

Add TypeScript security rules and tooling #198

Add TypeScript security rules and tooling #198

Uh oh!

Conversation

gatsby003 commented Jul 24, 2025 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai bot commented Jul 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review failed

Walkthrough

Changes

Sequence Diagram(s)

Estimated code review effort

Poem

Pre-Merge Checks (2 passed, 1 warning)

Introduction of multiple new TypeScript security rules

Chat

Support

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

CodeRabbit Configuration File (.coderabbit.yaml)

Documentation and Community

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

gatsby003 commented Jul 24, 2025

Uh oh!

coderabbitai bot commented Jul 24, 2025

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

gatsby003 commented Jul 24, 2025 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Jul 24, 2025 •

edited

Loading

CodeRabbit Configuration File (`.coderabbit.yaml`)