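---
# Command-execution policy: a small allowlist of trusted commands plus a set of
# match rules that either `deny` a command line or `ask` for confirmation.
# NOTE(review): indentation was reconstructed from a flattened copy. `allowlists`
# and `rules` are treated here as sibling top-level keys — confirm against the
# consumer's schema before relying on this layout.

allowlists:
  commands:
    - { command: curl, trust: standard, reason: "Transfers data from or to a server" }

# Rule precedence is not declared in this file; presumably a matching `deny`
# wins over an `ask` regardless of list order — verify in the evaluator.
rules:
  # A download piped straight into a shell: the classic remote-code-execution
  # pattern. Coverage is only as good as the shell list below; keep it in sync
  # with whatever command normalisation the evaluator applies.
  - id: curl-pipe-shell
    level: critical
    match:
      pipeline:
        stages:
          - command:
              any_of: [curl, wget]
          - command:
              any_of: [sh, bash, zsh, dash, ksh, fish]
    decision: deny
    reason: "Remote code execution: piping download to shell"

  # A download piped into an interpreter that reads its program from stdin.
  # `none_of` carves out -m/-c/-e so inline-code invocations fall through to the
  # softer `ask` rule (curl-pipe-interpreter-inline) instead of a hard deny.
  # NOTE(review): `-m` is excluded here but not matched by that rule either, so
  # a download piped into an interpreter run with `-m` is matched by neither —
  # confirm whether that gap is intended. The id says "wget" but, like the
  # sibling rules, it matches both curl and wget; the id is kept as-is because
  # external tooling may reference it.
  - id: wget-pipe-interpreter
    level: critical
    match:
      pipeline:
        stages:
          - command:
              any_of: [curl, wget]
          - command:
              any_of: [python, python3, ruby, perl, node]
            flags:
              none_of: ["-m", "-c", "-e"]
    decision: deny
    reason: "Remote code execution: piping download to interpreter"

  # Same pipeline shape, but the interpreter is given inline code (-c / -e);
  # the downloaded bytes are then input data rather than the program, so this
  # only prompts. Long-form spellings of these flags are not listed here and
  # therefore fall through to the stricter rule above (fail closed).
  - id: curl-pipe-interpreter-inline
    level: critical
    match:
      pipeline:
        stages:
          - command:
              any_of: [curl, wget]
          - command:
              any_of: [python, python3, ruby, perl, node]
            flags:
              any_of: ["-c", "-e"]
    decision: ask
    reason: "Inline interpreter code piped from download"

  # Any curl invocation that sends a request body or uploads a file could
  # exfiltrate local data, so it prompts. Flags are matched by exact spelling,
  # so every alias must be listed explicitly.
  - id: curl-upload-secrets
    level: high
    match:
      command: curl
      flags:
        any_of:
          - "-d"
          - "--data"
          - "--data-ascii"      # alias of -d/--data
          - "--data-raw"
          - "--data-binary"
          - "--data-urlencode"
          - "-F"
          - "--form"
          - "--form-string"     # like -F but without @file/<file expansion; still an upload
          - "--json"
          - "-T"
          - "--upload-file"
    decision: ask
    reason: "curl with data upload flags"

  # An explicit HTTP method (PUT/POST/DELETE/...) is a write or mutation signal.
  - id: curl-request-method
    level: high
    match:
      command: curl
      flags:
        any_of: ["-X", "--request"]
    decision: ask
    reason: "curl with explicit HTTP method"

  # Remote file transfer tools prompt regardless of direction.
  - id: scp-upload
    level: high
    match:
      command: scp
    decision: ask
    reason: "scp file transfer"

  - id: rsync-remote
    level: high
    match:
      command: rsync
    decision: ask
    reason: "rsync file transfer"

  # Arbitrary network connections; the three names are common netcat spellings.
  - id: nc-netcat
    level: high
    match:
      command:
        any_of: [nc, netcat, ncat]
    decision: ask
    reason: "Netcat network connection"

  # Dumping the environment can print API keys and tokens into logs/transcripts.
  # Note that `env` is also commonly used as a command runner (`env VAR=x cmd`),
  # so this rule will prompt on those benign uses as well.
  - id: printenv
    level: high
    match:
      command:
        any_of: [printenv, env]
    decision: ask
    reason: "Environment dump may expose secrets"

  # Sourcing a dotenv-style file loads secrets into the current shell. The
  # patterns are quoted because `*` would otherwise be read as a YAML alias and
  # "." as a plain scalar that some consumers reject.
  - id: source-env
    level: high
    match:
      command:
        any_of: [source, "."]
      args:
        any_of: [".env", ".env.*", "**/.env", "**/.env.*", ".envrc"]
    decision: deny
    reason: "Sourcing environment file"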