version: "1.1.0"
name: CI/CD
description: Security rules for CI/CD pipeline environments
guards:
forbidden_path:
patterns:
- "**/.github/secrets/**"
- "**/.gitlab-ci-secrets/**"
- "**/.circleci/secrets/**"
- "**/.ssh/**"
- "**/id_rsa*"
- "**/id_ed25519*"
- "**/.aws/**"
- "**/.gnupg/**"
- "/etc/shadow"
- "/etc/passwd"
- "**/AppData/Roaming/Microsoft/Credentials/**"
- "**/AppData/Local/Microsoft/Credentials/**"
- "**/AppData/Roaming/Microsoft/Vault/**"
- "**/NTUSER.DAT"
- "**/Windows/System32/config/SAM"
- "**/Windows/System32/config/SECURITY"
- "**/Windows/System32/config/SYSTEM"
exceptions:
- "**/.github/workflows/**"
- "**/.gitlab-ci.yml"
- "**/.circleci/config.yml"
egress_allowlist:
allow:
- "*.npmjs.org"
- "registry.npmjs.org"
- "registry.yarnpkg.com"
- "pypi.org"
- "files.pythonhosted.org"
- "crates.io"
- "static.crates.io"
- "rubygems.org"
- "packagist.org"
- "proxy.golang.org"
- "storage.googleapis.com"
- "*.docker.io"
- "*.docker.com"
- "*.gcr.io"
- "ghcr.io"
- "*.ecr.aws"
- "github.com"
- "api.github.com"
- "*.githubusercontent.com"
- "gitlab.com"
- "api.gitlab.com"
- "gradle.org"
- "plugins.gradle.org"
- "repo.maven.apache.org"
block: []
default_action: block
secret_leak:
patterns:
- name: aws_access_key
pattern: "AKIA[0-9A-Z]{16}"
severity: critical
- name: github_token
pattern: "gh[ps]_[A-Za-z0-9]{36}"
severity: critical
- name: private_key
pattern: "-----BEGIN\\s+(RSA\\s+)?PRIVATE\\s+KEY-----"
severity: critical
- name: docker_auth
pattern: "(?i)docker[_\\-]?(password|token)\\s*[:=]"
severity: critical
skip_paths:
- "**/test/**"
- "**/tests/**"
patch_integrity:
max_additions: 5000
max_deletions: 2500
require_balance: false
max_imbalance_ratio: 50.0
forbidden_patterns:
- "(?i)disable[\\s_\\-]?(security|auth|ssl|tls)"
- "(?i)rm\\s+-rf\\s+/"
- "(?i)chmod\\s+777"
shell_command:
enabled: true
enforce_forbidden_paths: true
mcp_tool:
allow:
- read_file
- write_file
- list_directory
- run_tests
- build
block:
- shell_exec
- deploy_production
require_confirmation: []
default_action: block
max_args_size: 5242880
settings:
fail_fast: true
verbose_logging: true
session_timeout_secs: 1800