zift 0.2.2

Scan codebases for embedded authorization logic and generate Policy as Code (Rego/OPA today)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

[rule]
id = "py-fastapi-depends"
languages = ["python"]
category = "middleware"
confidence = "medium"
description = "FastAPI Depends(...) used as a parameter default (dependency-injection auth gate)"
# Matches both `token: str = Depends(...)` (typed) and `token = Depends(...)`
# (untyped) parameter defaults. `Depends` is FastAPI's idiomatic way to wire
# auth dependencies (`oauth2_scheme`, `get_current_user`, `require_role`),
# but it's also used for non-auth dependency injection — confidence is
# `medium` and we intentionally emit no rego template (the wrapped callable
# is what encodes the policy, and that needs human or deep-mode review).
query = """
[
  (typed_default_parameter
    value: (call
      function: (identifier) @fn_name)) @match
  (default_parameter
    value: (call
      function: (identifier) @fn_name)) @match
]
"""

[rule.predicates.fn_name]
eq = "Depends"

[[rule.tests]]
input = """
def read_items(token: str = Depends(oauth2_scheme)):
    pass
"""
expect_match = true

[[rule.tests]]
input = """
def read_items(token = Depends(get_current_user)):
    pass
"""
expect_match = true

[[rule.tests]]
input = """
def read_items(token: str = "default"):
    pass
"""
expect_match = false

[[rule.tests]]
input = """
def factory(builder = Builder()):
    pass
"""
expect_match = false