code-security

分类: 运维与交付 | 上传者: semgrep | 下载: 0 | 版本: v1.0（最新）

Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for SQL injection' or 'review security'. IMPORTANT: Always consult this skill when writing or reviewing any code that handles user input, authentication, file operations, database queries, network requests, cryptography, or infrastructure configuration (Terraform, Kubernetes, Docker, GitHub Actions) — even if the user doesn't explicitly mention security. Also use when users ask to 'review my code', 'check this for bugs', or 'is this safe'.

更新日志: Source: GitHub https://github.com/semgrep/skills

目录结构

当前层级: skills/code-security/

📁 rules/
- 📄 _sections.md 6.9 KB
- 📄 _template.md 635 B
- 📄 authentication-jwt.md 2.9 KB
- 📄 best-practice.md 3.1 KB
- 📄 code-injection.md 3.7 KB
- 📄 command-injection.md 3.4 KB
- 📄 correctness.md 3.2 KB
- 📄 csrf.md 3.8 KB
- 📄 docker.md 2.7 KB
- 📄 github-actions.md 5.3 KB
- 📄 insecure-crypto.md 4.1 KB
- 📄 insecure-deserialization.md 6.7 KB
- 📄 insecure-transport.md 5.3 KB
- 📄 kubernetes.md 4.4 KB
- 📄 maintainability.md 1.8 KB
- 📄 memory-safety.md 3.1 KB
- 📄 path-traversal.md 5.4 KB
- 📄 performance.md 3.1 KB
- 📄 prototype-pollution.md 2.6 KB
- 📄 race-condition.md 7.0 KB
- 📄 regex-dos.md 3.7 KB
- 📄 secrets.md 4.1 KB
- 📄 sql-injection.md 5.3 KB
- 📄 ssrf.md 5.0 KB
- 📄 terraform-aws.md 4.3 KB
- 📄 terraform-azure.md 9.8 KB
- 📄 terraform-gcp.md 8.5 KB
- 📄 unsafe-functions.md 4.9 KB
- 📄 xss.md 5.2 KB
- 📄 xxe.md 4.5 KB
📄 AGENTS.md 109.6 KB
📄 metadata.json 199 B
📄 README.md 2.7 KB
📄 SKILL.md 4.9 KB

SKILL.md

---
name: code-security
description: "Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for SQL injection' or 'review security'. IMPORTANT: Always consult this skill when writing or reviewing any code that handles user input, authentication, file operations, database queries, network requests, cryptography, or infrastructure configuration (Terraform, Kubernetes, Docker, GitHub Actions) — even if the user doesn't explicitly mention security. Also use when users ask to 'review my code', 'check this for bugs', or 'is this safe'."
---

# Code Security Guidelines

Comprehensive security rules for writing secure code across 15+ languages. Covers OWASP Top 10, infrastructure security, and coding best practices with 28 rule categories.

## How to Use This Skill

**Proactive mode** — When writing or reviewing code, automatically check for relevant vulnerabilities based on the language and patterns present. You don't need to wait for the user to ask about security.

**Reactive mode** — When the user asks about security, use the categories below to find the relevant rule file, then read it for detailed vulnerable/secure code examples.

### Workflow
1. Identify the language and what the code does (handles input? queries a DB? reads files?)
2. Check the relevant rules below — focus on Critical and High impact first
3. Read the specific rule file from `rules/` for detailed code examples in that language
4. Apply the secure patterns, or flag the vulnerable patterns if reviewing

## Language-Specific Priority Rules

When writing code in these languages, check these rules first:

| Language | Priority Rules to Check |
|----------|------------------------|
| **Python** | SQL injection, command injection, path traversal, code injection, SSRF, insecure crypto |
| **JavaScript/TypeScript** | XSS, prototype pollution, code injection, insecure transport, CSRF |
| **Java** | SQL injection, XXE, insecure deserialization, insecure crypto, SSRF |
| **Go** | SQL injection, command injection, path traversal, insecure transport |
| **C/C++** | Memory safety, unsafe functions, command injection, path traversal |
| **Ruby** | SQL injection, command injection, code injection, insecure deserialization |
| **PHP** | SQL injection, XSS, command injection, code injection, path traversal |
| **HCL/YAML** | Terraform (AWS/Azure/GCP), Kubernetes, Docker, GitHub Actions |

## Categories

### Critical Impact
- **SQL Injection** (`rules/sql-injection.md`) - Use parameterized queries, never concatenate user input
- **Command Injection** (`rules/command-injection.md`) - Avoid shell commands with user input, use safe APIs
- **XSS** (`rules/xss.md`) - Escape output, use framework protections
- **XXE** (`rules/xxe.md`) - Disable external entities in XML parsers
- **Path Traversal** (`rules/path-traversal.md`) - Validate and sanitize file paths
- **Insecure Deserialization** (`rules/insecure-deserialization.md`) - Never deserialize untrusted data
- **Code Injection** (`rules/code-injection.md`) - Never eval() user input
- **Hardcoded Secrets** (`rules/secrets.md`) - Use environment variables or secret managers
- **Memory Safety** (`rules/memory-safety.md`) - Prevent buffer overflows, use-after-free (C/C++)

### High Impact
- **Insecure Crypto** (`rules/insecure-crypto.md`) - Use SHA-256+, AES-256, avoid MD5/SHA1/DES
- **Insecure Transport** (`rules/insecure-transport.md`) - Use HTTPS, verify certificates
- **SSRF** (`rules/ssrf.md`) - Validate URLs, use allowlists
- **JWT Issues** (`rules/authentication-jwt.md`) - Always verify signatures
- **CSRF** (`rules/csrf.md`) - Use CSRF tokens on state-changing requests
- **Prototype Pollution** (`rules/prototype-pollution.md`) - Validate object keys in JavaScript

### Infrastructure
- **Terraform AWS/Azure/GCP** (`rules/terraform-aws.md`, `rules/terraform-azure.md`, `rules/terraform-gcp.md`) - Encryption, least privilege, no public access
- **Kubernetes** (`rules/kubernetes.md`) - No privileged containers, run as non-root
- **Docker** (`rules/docker.md`) - Don't run as root, pin image versions
- **GitHub Actions** (`rules/github-actions.md`) - Avoid script injection, pin action versions

### Medium/Low Impact
- **Regex DoS** (`rules/regex-dos.md`) - Avoid catastrophic backtracking
- **Race Conditions** (`rules/race-condition.md`) - Use proper synchronization
- **Correctness** (`rules/correctness.md`) - Avoid common logic bugs
- **Best Practices** (`rules/best-practice.md`) - General secure coding patterns

See `rules/_sections.md` for the full index with CWE/OWASP references.

## Quick Reference

| Vulnerability | Key Prevention |
|--------------|----------------|
| SQL Injection | Parameterized queries |
| XSS | Output encoding |
| Command Injection | Avoid shell, use APIs |
| Path Traversal | Validate paths |
| SSRF | URL allowlists |
| Secrets | Environment variables |
| Crypto | SHA-256, AES-256 |

登录后下载/点赞/收藏 ❤ 136 | ★ 0

code-security

目录结构

SKILL.md

举报内容

提示