bump: adds new semgrep rules

Author: pedrobpereira

integration-tests/config-discover/expected/tools-configs/pylint.rc

@@ -5,5 +5,5 @@ load-plugins=
 
 [MESSAGES CONTROL]
 disable=all
-enable=C0123,C0200,C0303,E0100,E0101,E0102,E0103,E0104,E0105,E0106,E0107,E0108,E0110,E0112,E0113,E0114,E0115,E0116,E0117,E0202,E0203,E0211,E0236,E0238,E0239,E0240,E0241,E0301,E0302,E0601,E0603,E0604,E0701,E0702,E0704,E0710,E0711,E0712,E1003,E1102,E1111,E1120,E1121,E1123,E1124,E1125,E1126,E1127,E1132,E1200,E1201,E1205,E1206,E1300,E1301,E1302,E1303,E1304,E1305,E1306,R0202,R0203,W0101,W0102,W0104,W0105,W0106,W0107,W0108,W0109,W0120,W0122,W0124,W0150,W0199,W0221,W0222,W0233,W0404,W0410,W0601,W0602,W0604,W0611,W0612,W0622,W0702,W0705,W0711,W1300,W1301,W1302,W1303,W1305,W1306,W1307
+enable=C0123,C0200,E0100,E0101,E0102,E0103,E0104,E0105,E0106,E0107,E0108,E0110,E0112,E0113,E0114,E0115,E0116,E0117,E0202,E0203,E0211,E0236,E0238,E0239,E0240,E0241,E0301,E0302,E0601,E0603,E0604,E0701,E0702,E0704,E0710,E0711,E0712,E1003,E1102,E1111,E1120,E1121,E1123,E1124,E1125,E1126,E1127,E1132,E1200,E1201,E1205,E1206,E1300,E1301,E1302,E1303,E1304,E1305,E1306,R0202,R0203,W0101,W0102,W0104,W0105,W0106,W0107,W0108,W0109,W0120,W0122,W0124,W0150,W0199,W0221,W0222,W0233,W0404,W0410,W0601,W0602,W0604,W0611,W0612,W0622,W0702,W0705,W0711,W1300,W1301,W1302,W1303,W1305,W1306,W1307
 

integration-tests/config-discover/expected/tools-configs/semgrep.yaml

@@ -34476,3 +34476,82 @@ rules:
             - '*.yml'
       pattern-regex: "[​‌‍⁠\uFEFF]"
       severity: WARNING
+    - id: codacy.python.openai.non-guardrails-direct-call
+      languages:
+        - python
+      message: Direct OpenAI SDK call detected. Use Guardrails client (GuardrailsOpenAI/GuardrailsAsyncOpenAI) instead.
+      metadata:
+        category: security
+        confidence: MEDIUM
+        cwe: 'CWE-20: Improper Input Validation'
+        justification: |
+            Guardrails is a drop-in replacement that automatically validates inputs/outputs. Prefer Guardrails clients over raw openai.* calls.
+        references:
+            - https://openai.github.io/openai-guardrails-python/
+      patterns:
+        - pattern-either:
+            - pattern: openai.ChatCompletion.create(...)
+            - pattern: openai.Completion.create(...)
+            - pattern: openai.chat.completions.create(...)
+            - pattern: openai.responses.create(...)
+            - pattern: openai.embeddings.create(...)
+            - pattern: openai.images.generate(...)
+            - pattern: openai.audio.transcriptions.create(...)
+            - pattern: openai.audio.speech.create(...)
+      severity: WARNING
+    - id: codacy.python.openai.non-guardrails-client-usage
+      languages:
+        - python
+      message: OpenAI client used without Guardrails. Replace with GuardrailsOpenAI / GuardrailsAsyncOpenAI.
+      metadata:
+        category: security
+        confidence: MEDIUM
+        cwe: 'CWE-20: Improper Input Validation'
+        justification: |
+            Guardrails advises using GuardrailsOpenAI/GuardrailsAsyncOpenAI as a drop-in replacement so validation runs automatically on every API call.
+        references:
+            - https://openai.github.io/openai-guardrails-python/
+      patterns:
+        - pattern-either:
+            - pattern: |
+                $C = OpenAI(...)
+                ...
+                $C.chat.completions.create(...)
+            - pattern: |
+                $C = OpenAI(...)
+                ...
+                $C.responses.create(...)
+            - pattern: |
+                $C = OpenAI(...)
+                ...
+                $C.embeddings.create(...)
+            - pattern: |
+                $C = AsyncOpenAI(...)
+                ...
+                $C.chat.completions.create(...)
+            - pattern: |
+                $C = AsyncOpenAI(...)
+                ...
+                $C.responses.create(...)
+            - pattern: |
+                $C = AsyncOpenAI(...)
+                ...
+                $C.embeddings.create(...)
+        - pattern-not: |
+            $C = GuardrailsOpenAI(...)
+        - pattern-not: |
+            $C = GuardrailsAsyncOpenAI(...)
+      severity: WARNING
+    - id: codacy.python.openai.import-without-guardrails
+      languages:
+        - python
+      message: OpenAI SDK imported without Guardrails import. Consider GuardrailsOpenAI / GuardrailsAsyncOpenAI.
+      metadata:
+        category: security
+        confidence: MEDIUM
+        references:
+            - https://openai.github.io/openai-guardrails-python/
+      pattern: |
+        import openai
+      pattern-not: "from guardrails import GuardrailsOpenAI |\nfrom guardrails import GuardrailsAsyncOpenAI    \n"
+      severity: INFO

integration-tests/init-with-token/expected/codacy.yaml

@@ -6,6 +6,6 @@ tools:
     - [email protected]
     - [email protected]
     - [email protected]
-    - [email protected].7
+    - [email protected].9
     - [email protected]
     - [email protected]

integration-tests/init-without-token/expected/tools-configs/pylint.rc

@@ -1,9 +1,9 @@
-[MASTER]
-ignore=CVS
-persistent=yes
-load-plugins=
 
+
+[MASTER]
 [MESSAGES CONTROL]
 disable=all
-enable=C0123,C0200,C0303,E0100,E0101,E0102,E0103,E0104,E0105,E0106,E0107,E0108,E0110,E0112,E0113,E0114,E0115,E0116,E0117,E0202,E0203,E0211,E0236,E0238,E0239,E0240,E0241,E0301,E0302,E0601,E0603,E0604,E0701,E0702,E0704,E0710,E0711,E0712,E1003,E1102,E1111,E1120,E1121,E1123,E1124,E1125,E1126,E1127,E1132,E1200,E1201,E1205,E1206,E1300,E1301,E1302,E1303,E1304,E1305,E1306,R0202,R0203,W0101,W0102,W0104,W0105,W0106,W0107,W0108,W0109,W0120,W0122,W0124,W0150,W0199,W0221,W0222,W0233,W0404,W0410,W0601,W0602,W0604,W0611,W0612,W0622,W0702,W0705,W0711,W1300,W1301,W1302,W1303,W1305,W1306,W1307
-
+enable=C0123,C0200,E0100,E0101,E0102,E0103,E0104,E0105,E0106,E0107,E0108,E0110,E0112,E0113,E0114,E0115,E0116,E0117,E0202,E0203,E0211,E0236,E0238,E0239,E0240,E0241,E0301,E0302,E0601,E0603,E0604,E0701,E0702,E0704,E0710,E0711,E0712,E1003,E1102,E1111,E1120,E1121,E1123,E1124,E1125,E1126,E1127,E1132,E1200,E1201,E1205,E1206,E1300,E1301,E1302,E1303,E1304,E1305,E1306,R0202,R0203,W0101,W0102,W0104,W0105,W0106,W0107,W0108,W0109,W0120,W0122,W0124,W0150,W0199,W0221,W0222,W0233,W0404,W0410,W0601,W0602,W0604,W0611,W0612,W0622,W0702,W0705,W0711,W1300,W1301,W1302,W1303,W1305,W1306,W1307
+ignore=CVS
+load-plugins=
+persistent=yes

integration-tests/init-without-token/expected/tools-configs/semgrep.yaml

@@ -34476,3 +34476,82 @@ rules:
             - '*.yml'
       pattern-regex: "[​‌‍⁠\uFEFF]"
       severity: WARNING
+    - id: codacy.python.openai.non-guardrails-direct-call
+      languages:
+        - python
+      message: Direct OpenAI SDK call detected. Use Guardrails client (GuardrailsOpenAI/GuardrailsAsyncOpenAI) instead.
+      metadata:
+        category: security
+        confidence: MEDIUM
+        cwe: 'CWE-20: Improper Input Validation'
+        justification: |
+            Guardrails is a drop-in replacement that automatically validates inputs/outputs. Prefer Guardrails clients over raw openai.* calls.
+        references:
+            - https://openai.github.io/openai-guardrails-python/
+      patterns:
+        - pattern-either:
+            - pattern: openai.ChatCompletion.create(...)
+            - pattern: openai.Completion.create(...)
+            - pattern: openai.chat.completions.create(...)
+            - pattern: openai.responses.create(...)
+            - pattern: openai.embeddings.create(...)
+            - pattern: openai.images.generate(...)
+            - pattern: openai.audio.transcriptions.create(...)
+            - pattern: openai.audio.speech.create(...)
+      severity: WARNING
+    - id: codacy.python.openai.non-guardrails-client-usage
+      languages:
+        - python
+      message: OpenAI client used without Guardrails. Replace with GuardrailsOpenAI / GuardrailsAsyncOpenAI.
+      metadata:
+        category: security
+        confidence: MEDIUM
+        cwe: 'CWE-20: Improper Input Validation'
+        justification: |
+            Guardrails advises using GuardrailsOpenAI/GuardrailsAsyncOpenAI as a drop-in replacement so validation runs automatically on every API call.
+        references:
+            - https://openai.github.io/openai-guardrails-python/
+      patterns:
+        - pattern-either:
+            - pattern: |
+                $C = OpenAI(...)
+                ...
+                $C.chat.completions.create(...)
+            - pattern: |
+                $C = OpenAI(...)
+                ...
+                $C.responses.create(...)
+            - pattern: |
+                $C = OpenAI(...)
+                ...
+                $C.embeddings.create(...)
+            - pattern: |
+                $C = AsyncOpenAI(...)
+                ...
+                $C.chat.completions.create(...)
+            - pattern: |
+                $C = AsyncOpenAI(...)
+                ...
+                $C.responses.create(...)
+            - pattern: |
+                $C = AsyncOpenAI(...)
+                ...
+                $C.embeddings.create(...)
+        - pattern-not: |
+            $C = GuardrailsOpenAI(...)
+        - pattern-not: |
+            $C = GuardrailsAsyncOpenAI(...)
+      severity: WARNING
+    - id: codacy.python.openai.import-without-guardrails
+      languages:
+        - python
+      message: OpenAI SDK imported without Guardrails import. Consider GuardrailsOpenAI / GuardrailsAsyncOpenAI.
+      metadata:
+        category: security
+        confidence: MEDIUM
+        references:
+            - https://openai.github.io/openai-guardrails-python/
+      pattern: |
+        import openai
+      pattern-not: "from guardrails import GuardrailsOpenAI |\nfrom guardrails import GuardrailsAsyncOpenAI    \n"
+      severity: INFO

plugins/tools/semgrep/embedded/rules.yaml

@@ -113519,4 +113519,89 @@ rules:
     category: security
     impact: MEDIUM
     confidence: LOW
+- id: codacy.python.openai.non-guardrails-direct-call
+  message: "Direct OpenAI SDK call detected. Use Guardrails client (GuardrailsOpenAI/GuardrailsAsyncOpenAI) instead."
+  severity: WARNING
+  languages: [python]
+  metadata:
+    category: security
+    cwe: "CWE-20: Improper Input Validation"
+    references:
+      - https://openai.github.io/openai-guardrails-python/
+    justification: >
+      Guardrails is a drop-in replacement that automatically validates inputs/outputs.
+      Prefer Guardrails clients over raw openai.* calls.
+    confidence: MEDIUM
+  patterns:
+    - pattern-either:
+      - pattern: openai.ChatCompletion.create(...)
+      - pattern: openai.Completion.create(...)
+      - pattern: openai.chat.completions.create(...)
+      - pattern: openai.responses.create(...)
+      - pattern: openai.embeddings.create(...)
+      - pattern: openai.images.generate(...)
+      - pattern: openai.audio.transcriptions.create(...)
+      - pattern: openai.audio.speech.create(...)
+- id: codacy.python.openai.non-guardrails-client-usage
+  message: "OpenAI client used without Guardrails. Replace with GuardrailsOpenAI / GuardrailsAsyncOpenAI."
+  severity: WARNING
+  languages: [python]
+  metadata:
+    category: security
+    cwe: "CWE-20: Improper Input Validation"
+    references:
+      - https://openai.github.io/openai-guardrails-python/
+    justification: >
+      Guardrails advises using GuardrailsOpenAI/GuardrailsAsyncOpenAI as a drop-in replacement
+      so validation runs automatically on every API call.
+    confidence: MEDIUM
+  # Catch typical client flows while avoiding false hits when the client *is* a Guardrails client.
+  patterns:
+    - pattern-either:
+        # Synchronous client patterns
+        - pattern: |
+            $C = OpenAI(...)
+            ...
+            $C.chat.completions.create(...)
+        - pattern: |
+            $C = OpenAI(...)
+            ...
+            $C.responses.create(...)
+        - pattern: |
+            $C = OpenAI(...)
+            ...
+            $C.embeddings.create(...)
+        # Async client patterns
+        - pattern: |
+            $C = AsyncOpenAI(...)
+            ...
+            $C.chat.completions.create(...)
+        - pattern: |
+            $C = AsyncOpenAI(...)
+            ...
+            $C.responses.create(...)
+        - pattern: |
+            $C = AsyncOpenAI(...)
+            ...
+            $C.embeddings.create(...)
+    - pattern-not: |
+        $C = GuardrailsOpenAI(...)
+    - pattern-not: |
+        $C = GuardrailsAsyncOpenAI(...)
+- id: codacy.python.openai.import-without-guardrails
+  message: "OpenAI SDK imported without Guardrails import. Consider GuardrailsOpenAI / GuardrailsAsyncOpenAI."
+  severity: INFO
+  languages: [python]
+  metadata:
+    category: security
+    references:
+      - https://openai.github.io/openai-guardrails-python/
+    confidence: MEDIUM
+  # Soft signal: import present but no Guardrails import in same file.
+  # This is informational to help teams spot likely non-guardrailed files early.
+  pattern: |
+    import openai
+  pattern-not: |
+    from guardrails import GuardrailsOpenAI |
+    from guardrails import GuardrailsAsyncOpenAI    
 

tools/pylint/pylintDefaultPatterns.go

@@ -4,7 +4,6 @@ package pylint
 var DefaultPatterns = []string{
 	"C0123",
 	"C0200",
-	"C0303",
 	"E0100",
 	"E0101",
 	"E0102",