Merge Develop into Release

.pre-commit-config.yaml

@@ -14,9 +14,9 @@ repos:
       - id: check-yaml
         exclude: |
           (?x)^(
-            # These are multi-document
-            yaml/github-actions/semgrep-configuration/semgrep-github-action-push-without-branches\.test\.yml|
-            yaml/kubernetes/security/.*\.test\.yaml
+            # Semgrep rule test files may use multi-document YAML
+            # to separate test cases
+            .*\.test\.ya?ml
           )$
   # Exception case - multi-document YAML OK - still check YAML
   - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -27,7 +27,7 @@ repos:
         args: [--allow-multiple-documents]
         files: |
           (?x)^(
-            # These are multi-document
-            yaml/github-actions/semgrep-configuration/semgrep-github-action-push-without-branches\.test\.yml|
-            yaml/kubernetes/security/.*\.test\.yaml
+            # Semgrep rule test files may use multi-document YAML
+            # to separate test cases
+            .*\.test\.ya?ml
           )$

ai/ai-best-practices/anthropic-hardcoded-api-key/anthropic-hardcoded-api-key-go.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: anthropic-hardcoded-api-key-go
+    languages: [go]
+    severity: ERROR
+    message: >-
+      Anthropic API key is hardcoded in source code. Use environment variables or a secrets manager instead.
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: security
+      subcategory: [vuln]
+      likelihood: HIGH
+      impact: MEDIUM
+      confidence: HIGH
+      technology: [anthropic]
+      references:
+        - https://docs.anthropic.com/en/docs/initial-setup
+    patterns:
+      - pattern: option.WithAPIKey("$KEY")
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: ^sk-ant-

ai/ai-best-practices/anthropic-hardcoded-api-key/anthropic-hardcoded-api-key-java.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: anthropic-hardcoded-api-key-java
+    languages: [java]
+    severity: ERROR
+    message: >-
+      Anthropic API key is hardcoded in source code. Use environment variables or a secrets manager instead.
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: security
+      subcategory: [vuln]
+      likelihood: HIGH
+      impact: MEDIUM
+      confidence: HIGH
+      technology: [anthropic]
+      references:
+        - https://docs.anthropic.com/en/docs/initial-setup
+    patterns:
+      - pattern: $OBJ.apiKey("$KEY")
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: ^sk-ant-

ai/ai-best-practices/anthropic-hardcoded-api-key/anthropic-hardcoded-api-key-javascript.yaml

@@ -0,0 +1,22 @@
+rules:
+  - id: anthropic-hardcoded-api-key-javascript
+    languages: [javascript, typescript]
+    severity: ERROR
+    message: >-
+      Anthropic API key is hardcoded in source code. Use environment variables or a secrets manager instead.
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: security
+      subcategory: [vuln]
+      likelihood: HIGH
+      impact: MEDIUM
+      confidence: HIGH
+      technology: [anthropic]
+      references:
+        - https://docs.anthropic.com/en/docs/initial-setup
+    patterns:
+      - pattern: |
+          new Anthropic({apiKey: "$KEY", ...})
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: ^sk-ant-

ai/ai-best-practices/anthropic-hardcoded-api-key/anthropic-hardcoded-api-key-python.yaml

@@ -0,0 +1,27 @@
+rules:
+  - id: anthropic-hardcoded-api-key-python
+    languages: [python]
+    severity: ERROR
+    message: >-
+      Anthropic API key is hardcoded in source code. Use environment variables or a secrets manager instead.
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: security
+      subcategory: [vuln]
+      likelihood: HIGH
+      impact: MEDIUM
+      confidence: HIGH
+      technology: [anthropic]
+      references:
+        - https://docs.anthropic.com/en/docs/initial-setup
+    pattern-either:
+      - patterns:
+          - pattern: Anthropic(api_key="$KEY", ...)
+          - metavariable-regex:
+              metavariable: $KEY
+              regex: ^sk-ant-
+      - patterns:
+          - pattern: AsyncAnthropic(api_key="$KEY", ...)
+          - metavariable-regex:
+              metavariable: $KEY
+              regex: ^sk-ant-

ai/ai-best-practices/anthropic-hardcoded-api-key/anthropic-hardcoded-api-key-ruby.yaml

@@ -0,0 +1,22 @@
+rules:
+  - id: anthropic-hardcoded-api-key-ruby
+    languages: [ruby]
+    severity: ERROR
+    message: >-
+      Anthropic API key is hardcoded in source code. Use environment variables or a secrets manager instead.
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: security
+      subcategory: [vuln]
+      likelihood: HIGH
+      impact: MEDIUM
+      confidence: HIGH
+      technology: [anthropic]
+      references:
+        - https://docs.anthropic.com/en/docs/initial-setup
+    patterns:
+      - pattern: |
+          Anthropic::Client.new(api_key: "$KEY", ...)
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: ^sk-ant-

ai/ai-best-practices/anthropic-missing-max-tokens/anthropic-missing-max-tokens.yaml → ai/ai-best-practices/anthropic-missing-max-tokens/anthropic-missing-max-tokens-javascript.yaml

@@ -1,24 +1,4 @@
 rules:
-  - id: anthropic-missing-max-tokens-python
-    languages: [python]
-    severity: WARNING
-    message: >-
-      Anthropic messages.create() called without 'max_tokens' parameter. Setting
-      max_tokens prevents unexpectedly long or expensive responses.
-    metadata:
-      cwe: "CWE-770: Allocation of Resources Without Limits or Throttling"
-      category: security
-      subcategory: [audit]
-      likelihood: MEDIUM
-      impact: MEDIUM
-      confidence: HIGH
-      technology: [anthropic]
-      references:
-        - https://docs.anthropic.com/en/api/messages
-    patterns:
-      - pattern: $CLIENT.messages.create(...)
-      - pattern-not: $CLIENT.messages.create(..., max_tokens=$MT, ...)
-
   - id: anthropic-missing-max-tokens-javascript
     languages: [javascript, typescript]
     severity: WARNING

ai/ai-best-practices/anthropic-missing-max-tokens/anthropic-missing-max-tokens-python.yaml

@@ -0,0 +1,20 @@
+rules:
+  - id: anthropic-missing-max-tokens-python
+    languages: [python]
+    severity: WARNING
+    message: >-
+      Anthropic messages.create() called without 'max_tokens' parameter. Setting
+      max_tokens prevents unexpectedly long or expensive responses.
+    metadata:
+      cwe: "CWE-770: Allocation of Resources Without Limits or Throttling"
+      category: security
+      subcategory: [audit]
+      likelihood: MEDIUM
+      impact: MEDIUM
+      confidence: HIGH
+      technology: [anthropic]
+      references:
+        - https://docs.anthropic.com/en/api/messages
+    patterns:
+      - pattern: $CLIENT.messages.create(...)
+      - pattern-not: $CLIENT.messages.create(..., max_tokens=$MT, ...)

ai/ai-best-practices/anthropic-missing-metadata-user-id/anthropic-missing-metadata-user-id.yaml → ai/ai-best-practices/anthropic-missing-metadata-user-id/anthropic-missing-metadata-user-id-javascript.yaml

@@ -1,25 +1,4 @@
 rules:
-  - id: anthropic-missing-metadata-user-id-python
-    languages: [python]
-    severity: WARNING
-    message: >-
-      Anthropic messages.create() called without 'metadata' parameter. Pass a
-      metadata object with a hashed user_id to enable abuse tracking and policy
-      enforcement. See https://docs.anthropic.com/en/api/messages
-    metadata:
-      cwe: "CWE-778: Insufficient Logging"
-      category: security
-      subcategory: [audit]
-      likelihood: MEDIUM
-      impact: MEDIUM
-      confidence: HIGH
-      technology: [anthropic]
-      references:
-        - https://docs.anthropic.com/en/api/messages
-    patterns:
-      - pattern: $CLIENT.messages.create(...)
-      - pattern-not: $CLIENT.messages.create(..., metadata=$META, ...)
-
   - id: anthropic-missing-metadata-user-id-javascript
     languages: [javascript, typescript]
     severity: WARNING

ai/ai-best-practices/anthropic-missing-metadata-user-id/anthropic-missing-metadata-user-id-python.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: anthropic-missing-metadata-user-id-python
+    languages: [python]
+    severity: WARNING
+    message: >-
+      Anthropic messages.create() called without 'metadata' parameter. Pass a
+      metadata object with a hashed user_id to enable abuse tracking and policy
+      enforcement. See https://docs.anthropic.com/en/api/messages
+    metadata:
+      cwe: "CWE-778: Insufficient Logging"
+      category: security
+      subcategory: [audit]
+      likelihood: MEDIUM
+      impact: MEDIUM
+      confidence: HIGH
+      technology: [anthropic]
+      references:
+        - https://docs.anthropic.com/en/api/messages
+    patterns:
+      - pattern: $CLIENT.messages.create(...)
+      - pattern-not: $CLIENT.messages.create(..., metadata=$META, ...)

ai/ai-best-practices/anthropic-missing-refusal-check/anthropic-missing-refusal-check.yaml → ai/ai-best-practices/anthropic-missing-refusal-check/anthropic-missing-refusal-check-javascript.yaml

@@ -1,35 +1,4 @@
 rules:
-  - id: anthropic-missing-refusal-check-python
-    languages: [python]
-    severity: WARNING
-    message: >-
-      Anthropic response content accessed without checking stop_reason. Check
-      response.stop_reason to handle cases where the model stops unexpectedly
-      (e.g., due to max_tokens or content filtering).
-    metadata:
-      cwe: "CWE-1188: Initialization with an Insecure Default"
-      category: security
-      subcategory: [audit]
-      likelihood: MEDIUM
-      impact: MEDIUM
-      confidence: HIGH
-      technology: [anthropic]
-      references:
-        - https://docs.anthropic.com/en/api/messages
-    patterns:
-      - pattern: $RESP.content
-      - pattern-inside: |
-          $RESP = $CLIENT.messages.create(...)
-          ...
-      - pattern-not-inside: |
-          if $RESP.stop_reason == "end_turn":
-              ...
-      - pattern-not-inside: |
-          if $RESP.stop_reason != ...:
-              ...
-          else:
-              ...
-
   - id: anthropic-missing-refusal-check-javascript
     languages: [javascript, typescript]
     severity: WARNING