# Default guardrail policy, kept as a plain Python string. The text is a policy
# for the `invariant` package (it imports from invariant.detectors); how the
# string is loaded and enforced is not shown in this file.
#
# The policy holds three rules. Each one matches a single ToolCall and raises
# a message labelled [risk=medium] as soon as a detector returns any finding:
#   1. tool cmd_run          -> secrets() over the `command` argument
#   2. tool ipython_run_cell -> semgrep(..., lang="python") over the `code` argument
#   3. tool cmd_run          -> semgrep(..., lang="bash") over the `command` argument
#
# Scope notes:
#   - Only cmd_run and ipython_run_cell are matched; calls to any other tool
#     are not covered by this default policy.
#   - CodeIssue is imported by the policy but no rule below references it.
#   - All three rules carry the same risk label, so a leaked secret and a
#     semgrep finding are not distinguished by severity here. Presumably the
#     consumer maps the label to an action; confirm against the caller.
#   - A rule fires only when a detector reports something, so a clean result
#     means "no known pattern matched", not that the command or code is safe.
#   - NOTE(review): the rule bodies appear without indentation in this view; if
#     the policy language is indentation-sensitive, confirm the stored text
#     keeps its intended layout.
DEFAULT_INVARIANT_POLICY = """from invariant.detectors import semgrep, secrets, CodeIssue
raise "Disallow secrets in bash commands [risk=medium]" if:
(call: ToolCall)
call is tool:cmd_run
any(secrets(call.function.arguments.command))
raise "Vulnerability in python code [risk=medium]" if:
(call: ToolCall)
call is tool:ipython_run_cell
semgrep_res := semgrep(call.function.arguments.code, lang="python")
any(semgrep_res)
raise "Vulnerability in bash command [risk=medium]" if:
(call: ToolCall)
call is tool:cmd_run
semgrep_res := semgrep(call.function.arguments.command, lang="bash")
any(semgrep_res)
"""