Skip to content

πŸ›‘οΈ PatchPilot: AI agent security rules (5 rules)#166

Closed
patchpilot-adhit[bot] wants to merge 1 commit into
mainfrom
patchpilot/agent-rules-mntb1foz
Closed

πŸ›‘οΈ PatchPilot: AI agent security rules (5 rules)#166
patchpilot-adhit[bot] wants to merge 1 commit into
mainfrom
patchpilot/agent-rules-mntb1foz

Conversation

@patchpilot-adhit

Copy link
Copy Markdown

πŸ›‘οΈ AI Agent Security Rules

PatchPilot detected security findings in this repository that AI coding assistants are likely to repeat. This PR adds rules to your agent config files so Claude Code, Cursor, and GitHub Copilot avoid the same mistakes in future sessions.

What changed

Updated files: CLAUDE.md

Rules added

  • 3 stale AI pattern rules β€” insecure patterns from LLM training data
  • 2 secrets rules β€” hardcoded credential patterns

Rule detail

🟑 Always use https:// for external service calls (CWE-319)

Always use https:// for external API calls, webhooks, and service-to-service requests. TLS provides confidentiality for credentials in flight and integrity for the response body; modern providers accept https on all production endpoints, and localhost/loopback are already exempt from this guidance.

🟠 Always use SHA-256+ for checksums and bcrypt/argon2/scrypt for passwords (CWE-328)

Always use SHA-256 or higher for integrity checksums. Always use bcrypt, argon2, or scrypt for password hashing. These modern algorithms provide collision resistance and slow brute-force attacks; they are drop-in replacements wherever older hash functions appeared in AI-generated code.

🟠 Always parse dynamic data with JSON.parse or fixed argument lists (CWE-94)

Always parse dynamic data with JSON.parse() and always invoke subprocesses with a fixed argument list (execFile(cmd, [args])). These safe constructions replace direct execution of dynamic strings and eliminate the code-injection class of bugs at the source.

πŸ”΄ Never hardcode credentials (CWE-798)

NEVER hardcode credentials in source code. Load them from environment variables (process.env.CREDENTIALS) or a secrets manager. Add the config file to .gitignore.

🟑 Never hardcode JWT secrets or tokens (CWE-798)

NEVER hardcode JWT secrets or tokens in source code. Load them from environment variables (process.env.JWT_SECRET) or a secrets manager. Add the config file to .gitignore.


Generated by PatchPilot. Merge to activate these rules for all AI agents on this project.

@adhit-r adhit-r closed this Apr 10, 2026
@adhit-r adhit-r reopened this Apr 10, 2026
@adhit-r adhit-r closed this Apr 10, 2026
@adhit-r adhit-r deleted the patchpilot/agent-rules-mntb1foz branch June 2, 2026 05:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant