zift 0.2.2

Scan codebases for embedded authorization logic and generate Policy as Code (Rego/OPA today)
# Detection rule: flags Java method invocations whose method name is one of the
# Spring Security HttpSecurity DSL calls listed in [rule.predicates.method_name].
# A hit marks a place where HTTP-layer access control is configured in code.
[rule]
id = "java-http-security-authorize"
languages = ["java"]
category = "middleware"
# NOTE(review): the query and predicate below constrain only the method name,
# not the receiver. Any invocation named e.g. `formLogin` or `httpBasic` on an
# unrelated object also matches, so confirm that "high" confidence is intended.
confidence = "high"
description = "Spring Security HttpSecurity authorization configuration"
# The query looks like a tree-sitter pattern (TODO confirm against the engine):
# it captures the invoked method's identifier as @method_name and the whole
# invocation as @match. `arguments: (argument_list)` adds no filter on argument
# count or shape.
query = """
(method_invocation
  name: (identifier) @method_name
  arguments: (argument_list)
) @match
"""

# Anchored regex (^...$), so only these exact method names match.
# authorizeRequests / authorizeHttpRequests declare access rules. formLogin,
# httpBasic, oauth2Login and oauth2ResourceServer select authentication
# mechanisms, so findings on them describe how callers are authenticated rather
# than which requests are allowed.
# Not covered by this rule: the reactive ServerHttpSecurity `authorizeExchange`
# call and method-level annotations such as @PreAuthorize. Check whether other
# rules handle them before treating a clean scan as "no authorization logic".
[rule.predicates.method_name]
match = "^(authorizeRequests|authorizeHttpRequests|formLogin|httpBasic|oauth2Login|oauth2ResourceServer)$"

# Positive case: chained no-argument form. Only `authorizeRequests` is in the
# predicate list; `anyRequest` and `authenticated` are not.
# NOTE(review): the lambda form, e.g. authorizeHttpRequests(auth -> ...), has no
# test case here.
[[rule.tests]]
input = """
public class SecurityConfig {
    public void configure(HttpSecurity http) {
        http.authorizeRequests().anyRequest().authenticated();
    }
}
"""
expect_match = true

# Negative case: neither `csrf` nor `disable` is in the predicate list, so an
# HttpSecurity chain that only disables CSRF protection is not reported here.
# Disabling CSRF is still security-relevant; presumably it falls outside this
# rule's authorization scope. Verify that it is flagged elsewhere if needed.
[[rule.tests]]
input = """
public class SecurityConfig {
    public void configure(HttpSecurity http) {
        http.csrf().disable();
    }
}
"""
expect_match = false