SemGrep rule to identify direct uses of crypto/rand.Reader and recommend the use of the SecureRandomReader instead (#6330)

* semgrep rules for crypto/rand added * error fixed * semgrep rules for crypto/rand added * error fixed * requested changes updated * requested changes added * Ent exclude files added
3 months ago · 81c9ef0204
parent 429247f407
commit 81c9ef0204
1 changed files with 33 additions and 0 deletions
--- a/.semgrep/avoid-crypto-rand.yaml
+++ b/.semgrep/avoid-crypto-rand.yaml
@ -0,0 +1,33 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+rules:
+  - id: avoid-crypto-rand-use-secure-reader
+    languages:
+      - go
+    severity: WARNING
+    message: |
+      The 'crypto/rand' package is being used directly. 
+      To ensure consistent security patterns across our codebase, 
+      please use 'SecureRandomReader' instead.
+    patterns:
+      - pattern: |
+          rand.Reader
+      - pattern-inside: |
+          import "crypto/rand"
+          ...
+    paths:
+      exclude:
+          - "*_test.go"
+          - "**/website/*"
+          - "**/testing/*"
+          - "options.go"
+          - "testing.go"
+          - "controller.go"
+          - "servers.go"
+          - "worker.go"
+          - "repository_scope.go"
+          - "keys.go"
+          - "testing_ent.go"
+          - "options_ent.go"
+    fix: Use SecureRandomReader instead of crypto/rand.Reader directly.