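---
# Command-policy rules for a shell/agent guard. Every entry under `rules`
# pairs a `match` (a command name plus argument patterns, or a stdin-redirect
# target) with a `decision` (`deny` or `ask`) and a human-readable `reason`.
#
# The original file had lost all indentation, which left nested keys
# (`command:`, `args:`, `any_of:`, `op:`, `target:`) at column 0 as siblings
# of `rules:`; the structure below is the intended nesting.
#
# NOTE(review): whether `any_of` patterns are matched as globs (`**/.env`,
# `~/.ssh/id_*`) or literally, whether `~` is expanded before matching, and
# whether bare names such as `.env` also match in subdirectories are not
# visible here — confirm against the consumer's matcher.
#
# The reader rules are deny-by-enumeration: a tool absent from
# `command.any_of` is not matched by that rule, so the consumer's default
# decision governs it. Keep the command list in the four reader rules in sync.
#
# Pattern sets are repeated verbatim per rule instead of shared via YAML
# anchors: the cp/mv/tee/rm rules need the union of several sets, and an
# alias cannot concatenate sequences. When editing a set, edit every copy —
# the previous revision had drifted (tee lacked the bare key names, rm lacked
# the `**/` env globs and bare key names, cp/mv/tee lacked `**/.env.production`).

allowlists:
  commands: []

rules:
  # ---- Reading secrets with a pager/viewer: hard deny -----------------------
  - id: cat-env-file
    level: critical
    match:
      command:
        any_of: [cat, less, more, head, tail, bat]
      args:
        any_of:
          - ".env"
          - ".env.local"
          - ".env.production"
          - ".env.staging"
          - ".env.development"
          - ".envrc"
          - "**/.env"
          - "**/.env.local"
          - "**/.env.production"
    decision: deny
    reason: "Reading sensitive environment file"

  - id: cat-ssh-key
    level: critical
    match:
      command:
        any_of: [cat, less, more, head, tail, bat]
      args:
        any_of:
          - "~/.ssh/id_*"
          - "~/.ssh/id_rsa"
          - "~/.ssh/id_ed25519"
          - "~/.ssh/id_ecdsa"
          # Bare names cover a key file referenced relative to the cwd.
          - "id_rsa"
          - "id_ed25519"
          - "id_ecdsa"
    decision: deny
    reason: "Reading SSH private key"

  - id: cat-aws-creds
    level: critical
    match:
      command:
        any_of: [cat, less, more, head, tail, bat]
      args:
        any_of:
          - "~/.aws/credentials"
          - "~/.aws/config"
    decision: deny
    reason: "Reading AWS credentials"

  - id: cat-kube-config
    level: critical
    match:
      command:
        any_of: [cat, less, more, head, tail, bat]
      args:
        any_of:
          - "~/.kube/config"
    decision: deny
    reason: "Reading Kubernetes config"

  # ---- Copying / moving secrets: prompt -------------------------------------
  # Same union of the four pattern sets above in each of cp, mv, tee, rm.
  - id: cp-secrets
    level: critical
    match:
      command: cp
      args:
        any_of:
          - ".env"
          - ".env.local"
          - ".env.production"
          - ".env.staging"
          - ".env.development"
          - ".envrc"
          - "**/.env"
          - "**/.env.local"
          - "**/.env.production"
          - "~/.ssh/id_*"
          - "~/.ssh/id_rsa"
          - "~/.ssh/id_ed25519"
          - "~/.ssh/id_ecdsa"
          - "id_rsa"
          - "id_ed25519"
          - "id_ecdsa"
          - "~/.aws/credentials"
          - "~/.aws/config"
          - "~/.kube/config"
    decision: ask
    reason: "Copying sensitive file"

  - id: mv-secrets
    level: critical
    match:
      command: mv
      args:
        any_of:
          - ".env"
          - ".env.local"
          - ".env.production"
          - ".env.staging"
          - ".env.development"
          - ".envrc"
          - "**/.env"
          - "**/.env.local"
          - "**/.env.production"
          - "~/.ssh/id_*"
          - "~/.ssh/id_rsa"
          - "~/.ssh/id_ed25519"
          - "~/.ssh/id_ecdsa"
          - "id_rsa"
          - "id_ed25519"
          - "id_ecdsa"
          - "~/.aws/credentials"
          - "~/.aws/config"
          - "~/.kube/config"
    decision: ask
    reason: "Moving sensitive file"

  # ---- Overwriting secrets via tee: hard deny -------------------------------
  - id: tee-secrets
    level: critical
    match:
      command: tee
      args:
        any_of:
          - ".env"
          - ".env.local"
          - ".env.production"
          - ".env.staging"
          - ".env.development"
          - ".envrc"
          - "**/.env"
          - "**/.env.local"
          - "**/.env.production"
          - "~/.ssh/id_*"
          - "~/.ssh/id_rsa"
          - "~/.ssh/id_ed25519"
          - "~/.ssh/id_ecdsa"
          - "id_rsa"
          - "id_ed25519"
          - "id_ecdsa"
          - "~/.aws/credentials"
          - "~/.aws/config"
          - "~/.kube/config"
    decision: deny
    reason: "Writing to sensitive file via tee"

  # ---- Deleting secrets: prompt ---------------------------------------------
  # authorized_keys is included here only: deleting it locks out access,
  # while reading it exposes no secret.
  - id: rm-secrets
    level: critical
    match:
      command: rm
      args:
        any_of:
          - ".env"
          - ".env.local"
          - ".env.production"
          - ".env.staging"
          - ".env.development"
          - ".envrc"
          - "**/.env"
          - "**/.env.local"
          - "**/.env.production"
          - "~/.ssh/id_*"
          - "~/.ssh/id_rsa"
          - "~/.ssh/id_ed25519"
          - "~/.ssh/id_ecdsa"
          - "~/.ssh/authorized_keys"
          - "id_rsa"
          - "id_ed25519"
          - "id_ecdsa"
          - "~/.aws/credentials"
          - "~/.aws/config"
          - "~/.kube/config"
    decision: ask
    reason: "Deleting sensitive file"

  # ---- Reading secrets through a stdin redirect (`< file`): hard deny -------
  # Mirrors the four reader rules above so that `cmd < .env` is treated the
  # same as `cat .env`. The `<` operator is quoted: it is a YAML indicator.
  - id: stdin-redirect-env-file
    level: critical
    match:
      redirect:
        op: "<"
        target:
          any_of:
            - ".env"
            - ".env.local"
            - ".env.production"
            - ".env.staging"
            - ".env.development"
            - ".envrc"
            - "**/.env"
            - "**/.env.local"
            - "**/.env.production"
    decision: deny
    reason: "Reading sensitive environment file via stdin redirect"

  - id: stdin-redirect-ssh-key
    level: critical
    match:
      redirect:
        op: "<"
        target:
          any_of:
            - "~/.ssh/id_*"
            - "~/.ssh/id_rsa"
            - "~/.ssh/id_ed25519"
            - "~/.ssh/id_ecdsa"
            - "id_rsa"
            - "id_ed25519"
            - "id_ecdsa"
    decision: deny
    reason: "Reading SSH private key via stdin redirect"

  - id: stdin-redirect-aws-creds
    level: critical
    match:
      redirect:
        op: "<"
        target:
          any_of:
            - "~/.aws/credentials"
            - "~/.aws/config"
    decision: deny
    reason: "Reading AWS credentials via stdin redirect"

  - id: stdin-redirect-kube-config
    level: critical
    match:
      redirect:
        op: "<"
        target:
          any_of:
            - "~/.kube/config"
    decision: deny
    reason: "Reading Kubernetes config via stdin redirect"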