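# git:reset — fires on any "git reset" that is not --soft. A plain or --mixed
# reset only resets the index and/or moves HEAD; the working tree is thrown
# away only with --hard (--merge/--keep also rewrite tracked files, under
# stricter rules). The message says so instead of telling the user that a
# harmless "git reset HEAD -- file" will wipe their work.
# NOTE(review): if the prompt is too noisy, narrow `test` to --hard/--merge.
- from: git
  test: git\s{1,}reset
  description: "This command will reset the index and/or move HEAD; with --hard it also discards all uncommitted changes in the working tree."
  id: git:reset
  severity: High
  filters:
    - type: NotContains
      value: "--soft"
  alternative: "git stash"
  alternative_info: "Saves your changes to the stash so you can recover them later with 'git stash pop'."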
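# git:delete_all — "git rm [flags] ." or "git rm [flags] *" removes every
# tracked file from the index and the working tree (untracked files are not
# touched, so the message says "tracked"). Only single-dash/double-dash flag
# tokens are allowed between "rm" and the pathspec, so "git rm -r src/" is
# deliberately not matched.
# --cached is filtered out because it only unstages: the files stay on disk,
# so reporting it as "delete all files" was a false positive.
- from: git
  test: git\s{1,}rm\s{1,}(?:-\S+\s+)*(\*|\.)(\s|$)
  description: "This command will delete all tracked files from the working tree and the index."
  id: git:delete_all
  severity: High
  filters:
    - type: NotContains
      value: "--cached"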
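# git:clean_force — "git clean" with both -f/--force and -d, either bundled
# (-fd, -df, -fdx ...) or as separate tokens in any order.
#
# Dry-run handling: a bundle that contains "n" (-fdn, -nfd, -fdxn ...) is a
# dry run, so the letter class inside bundles is [a-mo-zA-Z] (every letter
# except n) and each bundle must end at whitespace/end of string; the
# previous version matched the "-fd" prefix of "-fdn" and flagged the very
# alternative this rule recommends. A standalone "-n"/"--dry-run" token is
# left to the NotContains filters.
# NOTE(review): if NotContains is a plain substring test, "-n" inside another
# token (e.g. --exclude=foo-new) also silences this rule; tighten the filter
# if the engine supports anchored matching.
# Known gaps, kept as-is: "git clean -f" alone (no -d) still deletes
# untracked files but is not matched; an option that takes a separate
# argument (-e <pattern>) placed before the -f/-d flags is not recognised.
- from: git
  test: git\s{1,}clean\s{1,}(?:-[a-mo-zA-Z]*f[a-mo-zA-Z]*d[a-mo-zA-Z]*(?:\s|$)|-[a-mo-zA-Z]*d[a-mo-zA-Z]*f[a-mo-zA-Z]*(?:\s|$)|(?:-\S+\s+)*-f[a-mo-zA-Z]*(?:\s+-\S+)*\s+-d[a-mo-zA-Z]*(?:\s|$)|(?:-\S+\s+)*-d[a-mo-zA-Z]*(?:\s+-\S+)*\s+-f[a-mo-zA-Z]*(?:\s|$)|--force\s+(?:-\S+\s+)*-d[a-mo-zA-Z]*(?:\s|$)|(?:-\S+\s+)*-d[a-mo-zA-Z]*(?:\s+-\S+)*\s+--force(?:\s|$))
  description: "This command will remove all untracked files and directories."
  id: git:clean_force
  severity: High
  filters:
    - type: NotContains
      value: "--dry-run"
    - type: NotContains
      value: "-n"
  alternative: "git clean -fdn"
  alternative_info: "Dry-run mode shows what would be deleted without actually removing anything."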
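# git:force_push — a standalone "--force" token, a short-option bundle
# containing "f" (-f, -fu, -uf ...), or a refspec with a leading "+" (which
# forces that ref) anywhere after "push". Flags are matched as whole tokens,
# so a branch name such as "fix-foo" does not trigger it and
# "--force-with-lease"/"--force-if-includes" on their own are not treated as
# a plain force.
# The "--force-if-includes" filter was removed: per git-push(1) that option
# is a no-op unless --force-with-lease is also given, so
# "git push -f --force-if-includes" is an ordinary force push and must not
# be silenced. The remaining filter keeps "--force --force-with-lease"
# quiet, where the lease check still applies.
# NOTE(review): confirm the lease-still-applies behaviour for the git
# version in use before relying on that filter.
- from: git
  test: git\s{1,}push\s{1,}(?:\S+\s{1,})*(?:(?:-[a-zA-Z]*f[a-zA-Z]*|--force)(?:\s|$)|\+\S)
  description: "This command will force push and overwrite remote history."
  id: git:force_push
  severity: High
  filters:
    - type: NotContains
      value: "--force-with-lease"
  alternative: "git push --force-with-lease"
  alternative_info: "Checks that your local ref is up-to-date before force pushing, preventing accidental overwrites of others' work."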
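# git:force_delete_branch — "-D", or "-d/--delete" combined with "-f/--force"
# in either order, or a short-option bundle holding both d and f (-df, -fd,
# -rdf ...). git-branch(1) documents "-f" together with "-d" as equivalent to
# "-D", which the previous pattern (long form "--force" only) missed.
# "git branch -f <name> <start>" (forced re-point of a branch) is a
# different operation and is intentionally not matched here.
- from: git
  test: git\s{1,}branch\s{1,}(?:-D|(?:-d|--delete)\s+(?:-f(?:\s|$)|--force)|(?:-f|--force)\s+(?:-d|--delete)|-[a-zA-Z]*d[a-zA-Z]*f[a-zA-Z]*(?:\s|$)|-[a-zA-Z]*f[a-zA-Z]*d[a-zA-Z]*(?:\s|$))
  description: "This command will force delete a branch."
  id: git:force_delete_branch
  severity: High
  alternative: "git branch -d <branch>"
  alternative_info: "Uses safe delete (-d) which refuses to delete a branch with unmerged changes."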
# git:force_checkout — "-f" (at a word boundary) or "--force" anywhere after
# "checkout"; the checkout then overwrites local modifications to tracked
# files. Because the `.*` is unanchored, a branch or path name that ends in
# "-f" (e.g. "fix-f") also satisfies `-f\b` and will prompt.
- from: git
  test: git\s{1,}checkout\s{1,}.*(-f\b|--force)
  description: "This command will force checkout and discard local changes."
  id: git:force_checkout
  severity: High
  alternative: "git stash && git checkout <branch>"
  alternative_info: "Stash your changes first so they can be recovered later."
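# git:checkout_discard_all — "git checkout ." / "./" / "*" as a pathspec,
# optionally preceded by other arguments ("--", a tree-ish such as HEAD, ...).
# The previous pattern required a literal "--" before the pathspec, so the
# most common form, plain "git checkout .", was never flagged. The shape now
# mirrors git:restore_discard_all: `(.*\s)?` lets anything precede the
# pathspec as long as the pathspec is its own token.
- from: git
  test: git\s{1,}checkout\s{1,}(.*\s)?(\.\/?|\*)(\s|$)
  description: "This command will discard all local changes in the working directory."
  id: git:checkout_discard_all
  severity: High
  alternative: "git stash"
  alternative_info: "Saves your changes to the stash so you can recover them later with 'git stash pop'."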
# git:restore_discard_all — "git restore [anything] ." / "./" / "*" where the
# pathspec is its own token (`(.*\s)?` allows arbitrary preceding arguments).
# NOTE(review): "git restore --staged ." only resets the index and leaves the
# working tree untouched, yet it matches too. A NotContains "--staged" filter
# would in turn hide "--staged --worktree", which does discard, so no filter
# is added here; accept the false positive or split the rule.
- from: git
  test: git\s{1,}restore\s{1,}(.*\s)?(\.\/?|\*)(\s|$)
  description: "This command will discard all local changes in the working directory."
  id: git:restore_discard_all
  severity: High
  alternative: "git stash"
  alternative_info: "Saves your changes to the stash so you can recover them later with 'git stash pop'."
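# git:interactive_rebase — "-i" or "--interactive" as a whole token anywhere
# after "rebase". The previous pattern only looked at the first argument, so
# "git rebase main -i" was not recognised. Overlaps with git-strict:rebase,
# which matches every rebase.
- from: git
  test: git\s{1,}rebase\s{1,}(?:\S+\s{1,})*(?:-i|--interactive)(?:\s|$)
  description: "This command will start an interactive rebase which can modify commit history."
  id: git:interactive_rebase
  severity: Medium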
# git:filter_branch — any "git filter-branch" invocation (the pattern needs
# nothing after the subcommand) rewrites history. The suggested replacement,
# git filter-repo, is a separate install rather than part of core git.
- from: git
  test: git\s{1,}filter-branch
  description: "This command will rewrite Git history and can be dangerous if used incorrectly."
  id: git:filter_branch
  severity: High
  alternative: "git-filter-repo"
  alternative_info: "A faster, safer, and officially recommended alternative to filter-branch."
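# git:gc_prune — "git gc ... --prune=now" or "--prune=all". git-gc(1) lists
# both spellings as "prune loose objects regardless of their age"; only
# "now" was matched before. Other dates (--prune=2.weeks.ago) keep the
# default safety window and are not flagged.
# Known gap, kept as-is: "git prune --expire=now" has the same effect and is
# not covered by this rule.
- from: git
  test: git\s{1,}gc\s{1,}.*--prune=(?:now|all)\b
  description: "This command will permanently delete unreachable objects."
  id: git:gc_prune
  severity: High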
# git:delete_ref — "git update-ref -d <ref>" / "--delete <ref>" removes the
# named ref; only the first argument after update-ref is inspected.
- from: git
  test: git\s{1,}update-ref\s{1,}(-d\b|--delete)
  description: "This command will delete a Git reference."
  id: git:delete_ref
  severity: High
# git:merge_no_ff — despite the id this also fires on "git merge --abort",
# which throws away the in-progress merge state.
- from: git
  test: git\s{1,}merge\s{1,}(--no-ff|--abort)
  description: "This command will perform a non-fast-forward merge or abort an ongoing merge."
  id: git:merge_no_ff
  severity: Medium
# git:cherry_pick — any cherry-pick; nothing after the subcommand is
# required, so "--abort"/"--continue" prompt as well.
- from: git
  test: git\s{1,}cherry-pick
  description: "This command will apply changes from existing commits to the current branch."
  id: git:cherry_pick
  severity: Medium
# git:bisect — any bisect subcommand (start/good/bad/reset ...); bisect
# moves HEAD between commits, which is why it is flagged at all.
- from: git
  test: git\s{1,}bisect
  description: "This command will start a binary search to find a commit that introduced a bug."
  id: git:bisect
  severity: Medium
# git:worktree_management — "git worktree add" or "git worktree remove".
# Removing a worktree with local changes requires --force; the pattern does
# not distinguish that case from a clean remove.
- from: git
  test: git\s{1,}worktree\s{1,}(add|remove)
  description: "This command will add or remove a Git worktree."
  id: git:worktree_management
  severity: Medium
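# git-strict:add_all — the first argument after "add" is ".", "--all", "-A"
# or "*" (the shell glob is treated like "." here, as the other "discard
# all" rules do). Only the first argument is inspected, so "git add -v ."
# is not matched. The prompt wording was also fixed ("changes files").
- from: git
  test: git\s{1,}add\s{1,}(\.|--all|-A|\*)(\s|$)
  description: "Do you want to add all changed files to the staging area?"
  id: git-strict:add_all
  severity: Low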
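# git-strict:commit_all — "--all" or a short-option bundle containing "a"
# (-a, -am, -qa ...) as the FIRST argument after "commit". The prompt now
# states what -a actually does: it stages modified and deleted tracked files,
# not untracked ones.
# Known limits, kept as-is: "git commit -m msg -a" is missed because only the
# first argument is inspected; "-[a-z]*a" is satisfied by any "a" inside the
# bundle, so an inline message such as "git commit -mbad" is a false
# positive. "--amend" does not match (the bundle alternative needs a letter
# directly after a single "-").
- from: git
  test: git\s{1,}commit\s{1,}(--all\b|-[a-z]*a)
  description: "Do you want to stage all modified and deleted tracked files and commit them?"
  id: git-strict:commit_all
  severity: Low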
# git-strict:rebase — bare "git rebase" pattern: every invocation prompts,
# including --continue/--abort/--skip. Overlaps git:interactive_rebase.
- from: git
  test: git\s{1,}rebase
  description: "This command will rewrite commit history by moving commits to a new base."
  id: git-strict:rebase
  severity: Medium
# git-strict:stash_pop_drop — "pop" removes the entry after applying it,
# "drop" removes it without applying.
- from: git
  test: git\s{1,}stash\s{1,}(pop|drop)
  description: "This command will apply or remove stashed changes."
  id: git-strict:stash_pop_drop
  severity: Low
# git:stash_clear — drops every stash entry. NOTE(review): the dropped
# commits become unreferenced rather than deleted outright, so "no way to
# recover" is slightly stronger than reality (git fsck --unreachable can
# still find them until gc prunes them); the severity is still warranted.
- from: git
  test: git\s{1,}stash\s{1,}clear(\s|$)
  description: "This command will permanently delete all stash entries with no way to recover them."
  id: git:stash_clear
  severity: High
  alternative: "git stash list"
  alternative_info: "Review your stashes before clearing them. Use 'git stash drop stash@{N}' to remove individual entries."
# git-strict:submodule_update — "update" or "deinit". "deinit --force"
# discards local changes inside the submodule; the pattern does not single
# that case out.
- from: git
  test: git\s{1,}submodule\s{1,}(update|deinit)
  description: "This command will update or deinitialize Git submodules."
  id: git-strict:submodule_update
  severity: Low
# git-strict:create_tag — annotated tags only (-a/--annotate as the first
# argument); a lightweight "git tag v1" is not matched.
- from: git
  test: git\s{1,}tag\s{1,}(-a\b|--annotate)
  description: "This command will create an annotated tag."
  id: git-strict:create_tag
  severity: Low
# git:push_mirror — "--mirror" anywhere after "push"; every local ref is
# pushed and every remote ref not present locally is deleted.
- from: git
  test: git\s{1,}push\s{1,}.*--mirror
  description: "Mirror push overwrites the ENTIRE remote — all branches, tags, and refs."
  id: git:push_mirror
  severity: Critical
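# git:push_delete_branch — "--delete" or its short form "-d" as a whole
# token anywhere after "push" (git-push(1): "-d, --delete"), or the
# ":<ref>" refspec with an empty source, which deletes <ref> on the remote.
# Previously "-d" was not recognised and the flag had to be the first or
# second argument, so "git push --no-verify origin --delete x" slipped
# through. A bare ":" (push matching branches) is still not matched because
# `:\S` requires a ref name after the colon.
- from: git
  test: git\s{1,}push\s{1,}(?:\S+\s{1,})*(?:(?:--delete|-d)(?:\s|$)|:\S)
  description: "This command will delete a remote branch."
  id: git:push_delete_branch
  severity: High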
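# git:reflog_expire — "git reflog expire" with --expire=now|all or
# --expire-unreachable=now|all anywhere on the line. git-reflog(1) documents
# "all" as "prune entries regardless of their age", and the -unreachable
# variant removes exactly the entries that still point at otherwise lost
# commits; the previous pattern only caught "--expire=now". Date-based
# values (--expire=30.days) keep a window and are not flagged.
- from: git
  test: git\s{1,}reflog\s{1,}expire\s{1,}.*--expire(?:-unreachable)?=(?:now|all)\b
  description: "Expiring all reflog entries destroys the last recovery mechanism for lost commits."
  id: git:reflog_expire
  severity: Critical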