Add Code Pattern Scan - Semgrep & Secret Scan - Gitleaks

configs/gitleaks.toml

@@ -0,0 +1,17 @@
+[[rules]]
+description = "JDBC connection string with credentials"
+regex = '''jdbc:[^"]*user=.*&password=.*|jdbc:[^"']*:[^"']*@[^"']*'''
+tags = ["credentials","db","jdbc"]
+severity = "high"
+
+[[rules]]
+description = "Generic DB password assignment"
+regex = '''(?i)(db|database|jdbc|connection).*(password|passwd)\s*[:=]\s*['"][^'"]+['"]'''
+tags = ["credentials"]
+severity = "high"
+
+[[rules]]
+description = "Hardcoded Password"
+regex = '''(?i)(password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]'''
+tags = ["password", "security"]
+severity = "high"

rules/generic-sql-create-grant.yml

@@ -0,0 +1,11 @@
+rules:
+  - id: org.yourorg.sql.create-grant
+    languages: [java, python, javascript]
+    message: "SQL statement appears to create users or grant privileges — verify intent."
+    severity: ERROR
+    pattern-either:
+      - pattern: $S.execute($Q)
+      - pattern: $S.executeUpdate($Q)
+    metavariable-pattern:
+      metavariable: $Q
+      pattern: "*CREATE USER*|*GRANT*|*ALTER USER*|*SET PASSWORD*"

rules/java-bypass-auth-dev-flag.yml

@@ -0,0 +1,7 @@
+rules:
+  - id: org.yourorg.java.bypass-auth-dev-flag
+    languages: [java]
+    message: "Auth bypass when environment = dev detected. Remove bypass logic from code."
+    severity: ERROR
+    pattern: |
+      if ($ENV.equals("dev")) { return true; }

rules/java-hardcoded-jdbc-credentials.yml

@@ -0,0 +1,7 @@
+rules:
+  - id: org.yourorg.java.hardcoded-jdbc-credentials
+    languages: [java]
+    message: "Possible hardcoded DB credentials in DriverManager.getConnection(). Use a secret manager."
+    severity: ERROR
+    pattern: |
+      DriverManager.getConnection($URL, $USER, $PASS)

rules/java-jdbc-url-with-creds.yml

@@ -0,0 +1,9 @@
+rules:
+  - id: org.yourorg.jdbc.url-with-creds
+    languages: [java, python]
+    message: "JDBC URL appears to contain credentials. Avoid embedding username/password in URL."
+    severity: ERROR
+    pattern: $VAR = "$URL"
+    metavariable-pattern:
+      metavariable: $URL
+      pattern: "jdbc:*user=*password=*"

rules/sql-injection.yml

@@ -0,0 +1,17 @@
+rules:
+  - id: java-sql-injection
+    patterns:
+      - pattern: |
+          Statement stmt = $DB.createStatement();
+          $RESULT = stmt.executeQuery($QUERY);
+      - metavariable-pattern:
+          metavariable: $QUERY
+          pattern: $QUERY
+    message: |
+      [SQL Injection Risk] Directly using dynamic SQL queries can be dangerous.
+      Use PreparedStatement with parameters instead.
+    languages: [java]
+    severity: ERROR
+    metadata:
+      category: security
+      cwe: "CWE-89: SQL Injection"