---
# Repository-owned Semgrep/OpenGrep rules.
#
# Keep this file small and project-specific. Broad default/community rules tend
# to duplicate Clippy, cargo-audit, and CodeQL. These rules encode local Rust
# and workflow policies that are easier to express structurally than with Clippy.
#
# Rule families: Rust source policies (semantic patterns plus a few regex
# heuristics), GitHub Actions supply-chain checks on `uses:` lines, and one
# documentation ordering check. Rules whose `languages` is `regex` or `generic`
# match file text only: they carry no `pattern-not-inside`, so anything their
# `paths.include` globs select (including in-file test modules) is scanned.
# Every rule is severity WARNING; if the security-category rules are meant to
# gate merges, confirm the CI invocation treats warnings as blocking.
rules:
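# Library code under src/ must not print diagnostics. Matches the stdout/stderr
# print macros (newline and non-newline forms) plus dbg!, and exempts test
# modules and #[cfg(test)] functions so fixtures may still print.
- id: la-stack.rust.no-stdio-diagnostics-in-src
  languages:
  - rust
  severity: WARNING
  message: "Avoid stdout/stderr diagnostics in library src/ code."
  metadata:
    category: maintainability
    rationale: "Library code should return data or typed errors rather than printing diagnostics."
  paths:
    include:
    - "/src/**/*.rs"
  patterns:
  - pattern-either:
    - pattern: println!(...)
    - pattern: eprintln!(...)
    # print!/eprint! write to the same streams as the *ln variants; dbg! writes
    # to stderr. Listed so a non-newline or debug print cannot bypass the rule.
    - pattern: print!(...)
    - pattern: eprint!(...)
    - pattern: dbg!(...)
  # Exemptions: a conventional `mod tests`, any #[cfg(test)] module, and any
  # #[cfg(test)] function.
  - pattern-not-inside: |
      mod tests {
        ...
      }
  - pattern-not-inside: |
      #[cfg(test)]
      mod $MOD {
        ...
      }
  - pattern-not-inside: |
      #[cfg(test)]
      fn $FUNC(...) {
        ...
      }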
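# A failed f64 conversion must not be papered over with a non-finite default.
# Each constant is listed in both its `f64::` and `std::f64::` spelling, for
# both the eager (`unwrap_or`) and the closure (`unwrap_or_else`) form.
# f32 constants are not covered; add them if the crate starts using f32.
- id: la-stack.rust.no-nonfinite-unwrap-defaults
  languages:
  - rust
  severity: WARNING
  message: "Do not hide failed floating-point conversion with NaN or infinity defaults."
  metadata:
    category: correctness
    rationale: "Non-finite values must surface as typed errors with source-location metadata."
  paths:
    include:
    - "/src/**/*.rs"
  pattern-either:
  - pattern: $VALUE.unwrap_or(f64::NAN)
  - pattern: $VALUE.unwrap_or(f64::INFINITY)
  - pattern: $VALUE.unwrap_or(f64::NEG_INFINITY)
  - pattern: $VALUE.unwrap_or(std::f64::NAN)
  - pattern: $VALUE.unwrap_or(std::f64::INFINITY)
  - pattern: $VALUE.unwrap_or(std::f64::NEG_INFINITY)
  - pattern: $VALUE.unwrap_or_else(|| f64::NAN)
  - pattern: $VALUE.unwrap_or_else(|| f64::INFINITY)
  - pattern: $VALUE.unwrap_or_else(|| f64::NEG_INFINITY)
  # Previously missing: the closure form only covered the `f64::` spelling,
  # so `unwrap_or_else(|| std::f64::NAN)` slipped through.
  - pattern: $VALUE.unwrap_or_else(|| std::f64::NAN)
  - pattern: $VALUE.unwrap_or_else(|| std::f64::INFINITY)
  - pattern: $VALUE.unwrap_or_else(|| std::f64::NEG_INFINITY)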
# Public `new`/`from_rows` taking raw `[f64; D]` or `[[f64; D]; D]` input must
# not return `Self`/`Matrix<`/`Vector<` directly (i.e. infallibly). Text regex
# over Rust files; it hard-codes the const-generic name `D` and the two
# constructor names, so other spellings are not checked.
- id: la-stack.rust.no-public-infallible-raw-f64-constructors
  languages:
  - rust
  message: 'Raw f64 Matrix/Vector constructors must be fallible public APIs; keep infallible literal helpers crate-private.'
  severity: WARNING
  metadata:
    category: correctness
    rationale: >-
      Matrix and Vector store only finite values.
      Public raw constructors must return Result so callers receive
      LaError::NonFinite instead of a panic;
      infallible construction is reserved for crate-private validated/literal paths.
  paths:
    include:
    - '/src/**/*.rs'
    - '/tests/semgrep/src/project_rules/raw_f64_constructors.rs'
  pattern-regex: '(?m)^\s*pub\s+(?:const\s+)?fn\s+(?:new|from_rows)\s*\([^)]*(?:\[\s*f64\s*;\s*D\s*\]|\[\s*\[\s*f64\s*;\s*D\s*\]\s*;\s*D\s*\])[^)]*\)\s*->\s*(?:Self|(?:Matrix|Vector)\s*<)'
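# Heuristic: a `pub fn` whose body (within the first 1000 characters after the
# opening brace, stopping at the first line that begins with `}` at any
# indentation) contains a panicking macro or `.unwrap(`/`.expect(`.
# Limits that follow from the regex: an inner block's closing `}` ends the scan
# early, signatures spanning `;` or `{` are not handled, and since this is a
# regex rule nothing exempts #[cfg(test)] code inside the included files.
- id: la-stack.rust.no-public-api-panic-paths
  languages:
  - regex
  severity: WARNING
  message: "Public APIs should expose fallibility with Result/Option instead of panic/assert/unwrap paths."
  metadata:
    category: correctness
    rationale: >-
      Public functions returning plain values should be genuinely infallible
      for all representable inputs. Caller-visible failure belongs in
      Result/Option; panic-only paths make recoverable conditions look
      infallible.
  paths:
    include:
    - "/src/**/*.rs"
    - "/tests/semgrep/src/project_rules/public_api_panic_paths.rs"
  # The bounded scan is a single `.` branch: with the `s` flag `.` already
  # crosses newlines, and the former `|\n` alternative matched the same
  # character twice, which could make the {0,1000} repetition backtrack
  # exponentially on bodies with no panic path. The panic set also names
  # assert_eq!/assert_ne!, todo! and unimplemented!, which panic like assert!.
  pattern-regex: '(?ms)^\s*pub\s+(?:const\s+|async\s+|unsafe\s+)*fn\s+[A-Za-z_][A-Za-z0-9_]*[^;{]*\{(?:(?!^\s*\}).){0,1000}(?:panic!|assert(?:_eq|_ne)?!|debug_assert(?:_eq|_ne)?!|unreachable!|todo!|unimplemented!|\.unwrap\s*\(|\.expect\s*\()'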
# A `pub enum *Error` declaration that is not immediately preceded by a line
# consisting of `#[non_exhaustive]`.
# NOTE(review): the negative lookbehind only sees the single line directly
# above `pub enum`. An enum whose `#[non_exhaustive]` sits above another
# attribute line (for example a `#[derive(...)]`) is still reported, and
# CRLF-terminated files never satisfy the `\n` in the lookbehind.
- id: la-stack.rust.public-error-enums-non-exhaustive
  languages:
  - rust
  message: 'Public error enums must be #[non_exhaustive] so adding variants remains API-safe.'
  severity: WARNING
  metadata:
    category: maintainability
    rationale: >-
      Error enums grow as diagnostics become more precise;
      non-exhaustive public enums keep that growth additive for downstream callers.
  paths:
    include:
    - '/src/**/*.rs'
  pattern-regex: '(?m)(?<!#\[non_exhaustive\]\n)^\s*pub\s+enum\s+[A-Za-z_][A-Za-z0-9_]*Error(?:<[^>{}]*)?\s*\{'
# Doc-comment lines (`///` or `//!`, optionally behind a hidden-line `#`) that
# call `.unwrap(` or `.expect(` on an identifier, path, `]` or `)`. Runs in
# generic mode so no Rust parse is needed; doctest fixtures under
# tests/semgrep/doctests are included and the project_rules fixtures excluded.
# NOTE(review): unlike the sibling regex rules this pattern sets no `(?m)`
# flag; confirm that `^` anchors per line in the engine used before relying
# on it to skip non-comment lines.
- id: la-stack.rust.no-unwrap-expect-in-doctests
  languages:
  - generic
  message: 'Use fallible doctest flow instead of unwrap() or expect() in public documentation examples.'
  severity: WARNING
  metadata:
    category: correctness
    rationale: 'Public Rust documentation examples should model typed error handling with Result and ? rather than teaching panic-based control flow.'
  paths:
    include:
    - '/src/**/*.rs'
    - '/tests/semgrep/doctests/**/*.txt'
    exclude:
    - '/tests/semgrep/src/**'
  pattern-regex: '^\s*//[!/]\s*(?:#\s*)?.*(?:\b[\w:]+|[\]\)])\.(unwrap|expect)\s*\('
# Any `.unwrap()` or `.expect(..)` call inside benches/ or examples/ (plus the
# fixture used to test this rule). Semantic Rust match; no exemptions.
- id: la-stack.rust.no-unwrap-expect-in-benches-examples
  languages:
  - rust
  message: 'Use explicit fixture error handling instead of unwrap() or expect() in benchmarks and examples.'
  severity: WARNING
  metadata:
    category: correctness
    rationale: >-
      Benchmarks and public examples should keep failure modes explicit
      so users and CI see the operation that failed
      instead of a panic-only unwrap/expect path.
  paths:
    include:
    - '/benches/**/*.rs'
    - '/examples/**/*.rs'
    - '/tests/semgrep/src/project_rules/bench_example_usage.rs'
  pattern-either:
  - pattern: $VALUE.expect(...)
  - pattern: $VALUE.unwrap()
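# External actions must be pinned to an immutable 40-hex commit SHA. A `uses:`
# value is treated as pinned when `@<40 hex>` is followed by an optional closing
# quote and then a same-line comment or the end of the line. Local (`./`) and
# `docker://` references are skipped, so container images referenced by tag are
# not digest-checked by this rule.
- id: la-stack.github-actions.external-action-sha-pinned
  languages:
  - regex
  severity: WARNING
  message: "Pin external GitHub Actions to a full 40-character commit SHA."
  metadata:
    category: security
    rationale: "Moving tags can change workflow behavior without review."
  paths:
    include:
    - "/.github/workflows/**/*.yml"
    - "/.github/workflows/**/*.yaml"
  patterns:
  # Accepts an optionally quoted value (`uses: "owner/repo@ref"`), any number
  # of path segments (nested actions, reusable workflows), and trailing
  # whitespace after the SHA; previously quoted values and paths deeper than
  # owner/repo/sub were silently skipped.
  - pattern-regex: '(?m)^\s*uses:\s*["'']?(?!\./)(?!docker://)[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*@(?![a-fA-F0-9]{40}["'']?(?:\s+#|\s*$))[^\s#]+'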
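# Only the allowlisted external actions may appear in a `uses:` line. The
# allowlist is matched by name up to the `@`; immutability of the ref is the
# job of the SHA-pinning rule. Local (`./`) and `docker://` references are
# skipped here as well. Extend the allowlist deliberately, one entry per action.
- id: la-stack.github-actions.external-action-approved-allowlist
  languages:
  - regex
  severity: WARNING
  message: "Use only approved external GitHub Actions, or update the repository allowlist deliberately."
  metadata:
    category: security
    rationale: "A small allowlist keeps workflow supply-chain review explicit."
  paths:
    include:
    - "/.github/workflows/**/*.yml"
    - "/.github/workflows/**/*.yaml"
  patterns:
  # Accepts an optionally quoted value and any number of path segments so a
  # quoted or deeper `uses:` reference cannot bypass the allowlist.
  - pattern-regex: '(?m)^\s*uses:\s*["'']?(?!\./)(?!docker://)(?!(?:actions/checkout|actions/cache|actions/download-artifact|actions/github-script|actions/setup-python|actions/upload-artifact|actions-rust-lang/setup-rust-toolchain|astral-sh/setup-uv|codacy/codacy-analysis-cli-action|codecov/codecov-action|github/codeql-action/(?:upload-sarif|init|analyze)|taiki-e/cache-cargo-install-action|zizmorcore/zizmor-action)@)[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*@'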
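# A SHA-pinned external action with nothing after the SHA on the line has no
# human-readable version comment. Only a same-line comment counts.
- id: la-stack.github-actions.external-action-version-comment
  languages:
  - regex
  severity: WARNING
  message: "Keep a readable version comment next to external GitHub Action SHA pins."
  metadata:
    category: maintainability
    rationale: "Version comments make Dependabot updates and human review manageable."
  paths:
    include:
    - "/.github/workflows/**/*.yml"
    - "/.github/workflows/**/*.yaml"
  patterns:
  # Accepts an optionally quoted value and any number of path segments, so the
  # same `uses:` lines that the pinning rule checks are checked here.
  - pattern-regex: '(?m)^\s*uses:\s*["'']?(?!\./)(?!docker://)[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*@[a-fA-F0-9]{40}["'']?\s*$'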
# In user-facing docs and the justfile, `just fix` must not be mentioned within
# 400 characters before `just check` (same for the python-fix/python-check
# pair). Dot matches across lines (`s` flag), so the window spans paragraphs.
- id: la-stack.docs.check-before-fix-command-order
  languages:
  - regex
  message: 'Document non-mutating just check commands before mutating just fix commands.'
  severity: WARNING
  metadata:
    category: maintainability
    rationale: 'User-facing workflow docs should encourage validation before mutation.'
  paths:
    include:
    - '/AGENTS.md'
    - '/README.md'
    - '/docs/**/*.md'
    - '/justfile'
    exclude:
    - '/docs/archive/**'
  patterns:
  - pattern-regex: '(?ms)\bjust\s+fix\b.{0,400}\bjust\s+check\b|\bjust\s+python-fix\b.{0,400}\bjust\s+python-check\b'