# SPDX-License-Identifier: AGPL-3.0-or-later
# panic-attack.toml — IDApTIK security scan configuration
[project]
# The scanned project: its name and the source language the rule set
# below is written for.
language = "rescript"
name = "idaptik"
[scan]
# Source roots the scanner walks.
include = ["src", "vm", "shared", "sync-server"]
# Paths skipped inside those roots. Every entry is generated or third-party
# output, so a finding there would be noise rather than a source defect.
exclude = [
    "_build",
    ".git",
    "node_modules",
    ".deno",
    # compiled .res.mjs output — not source
    "lib",
    # compiled output — the actual source lives in vm/lib/ocaml/
    # NOTE(review): if the "lib" entry above matches any path segment rather
    # than only a top-level directory, vm/lib/ocaml/ is skipped as well —
    # confirm the matcher's semantics.
    "vm/src",
    # generated assets
    "public",
]
[rules]
# ReScript-specific dangerous patterns. Each `pattern` is a regex-style
# match on source text, so a hit is a lead rather than a confirmed defect:
# "getUnsafe" in particular fires on every call site regardless of where
# the argument came from (see [false-positives]). Literal strings keep the
# regexes free of TOML escaping.
dangerous_patterns = [
    { name = "no-js-apis", pattern = 'Js\.Dict\.|Js\.Array2\.|Js\.String2\.', severity = "high" },
    { name = "no-belt", pattern = 'Belt\.', severity = "high" },
    { name = "no-deprecated-json", pattern = 'Js\.Json\.', severity = "medium" },
    { name = "no-get-unsafe-on-user-input", pattern = 'getUnsafe', severity = "medium" },
]
[false-positives]
# 164 known findings; the 30 rated critical are hardcoded narrative game
# data (device names, mission passwords, NPC dialogue), NOT real credentials.
narrative-data-category = "secrets"
narrative-data-note = """\
Game narrative strings (device names, passwords, missions) are intentional \
game data, not credentials. Classify each hit before acting.\
"""
# The panic-attack unsafe_blocks check conflates three things: Obj.magic
# (banned), getUnsafe (legitimate at FFI boundaries) and try/catch
# (legitimate).