Scanner Ruleset
v2025.01.01 Superseded January 2025 Initial release. Four foundational categories covering the most exploitable attack surfaces: code execution, hardcoded credentials, prompt injection, and generic API key patterns.
34 rules
3 categories
SS01
Code Execution
NewDangerous runtime function calls that can execute arbitrary code or spawn external shell processes. Python rules use AST parsing to catch obfuscated aliases; JS/TS rules skip commented lines to reduce false positives.
| Rule ID | Severity | What it detects |
|---|---|---|
py_eval | high | eval() — executes arbitrary Python code |
py_exec | high | exec() — executes arbitrary Python code |
py_compile | medium | compile() — compiles arbitrary source to a code object |
py_dunder_import | high | __import__() — dynamic module import bypassing normal resolution |
py_importlib | high | importlib.import_module() — dynamic import at runtime |
py_os_system | high | os.system() — executes shell command via C system() |
py_os_popen | high | os.popen() — opens a pipe to a shell command |
py_subprocess_call | high | subprocess.call() — executes external command |
py_subprocess_run | high | subprocess.run() — executes external command |
py_subprocess_popen | high | subprocess.Popen() — spawns external process |
py_subprocess_check_output | high | subprocess.check_output() — executes command and returns output |
py_subprocess_check_call | high | subprocess.check_call() — executes command, raises on error |
py_subprocess_getoutput | high | subprocess.getoutput() — runs command in shell, returns stdout+stderr |
py_subprocess_getstatusoutput | high | subprocess.getstatusoutput() — runs command, returns (status, output) |
js_eval | high | eval() — executes arbitrary JS at runtime |
js_function_constructor | high | new Function() — constructs callable from arbitrary string |
js_child_process | high | require('child_process') — enables shell command execution |
js_exec_sync | high | execSync() / execFileSync() — synchronous shell execution |
js_spawn_sync | high | spawnSync() — synchronous child process spawn |
js_child_process_import | high | import … from 'child_process' — ESM shell command access |
js_fs_import | medium | import … from 'fs' — ESM filesystem access |
SS02
Hardcoded Credentials
NewHardcoded secrets, API keys, and authentication tokens embedded in source code or configuration files. Matched context is automatically redacted in scan reports before upload.
| Rule ID | Severity | What it detects |
|---|---|---|
aws_access_key | critical | AWS Access Key ID — AKIA[0-9A-Z]{16} |
private_key | critical | PEM private key — -----BEGIN … PRIVATE KEY----- |
github_token | critical | GitHub token — gh[pousr]_[A-Za-z0-9_]{36,} |
slack_token | high | Slack token — xox[bpars]-[0-9a-zA-Z-]{10,} |
generic_secret | high | Generic credential pattern — api_key=, secret_key=, access_token=, auth_token=, password= with ≥16-char value in quotes |
SS15
Prompt Injection
NewInstruction override patterns embedded in Markdown or configuration that attempt to hijack AI agent behavior by superseding the system prompt.
| Rule ID | Severity | What it detects |
|---|---|---|
prompt_ignore_instructions | high | "ignore previous/prior/above instructions" |
prompt_role_hijack | high | "you are now …" — role reassignment injection |
prompt_system_prompt | medium | "system prompt" — system prompt reference |
prompt_disregard | high | "disregard previous/prior instructions" |
prompt_new_instructions | high | "new instructions:" — instruction block injection |
prompt_override | high | "override previous/prior instructions" |
prompt_forget | high | "forget everything/all/previous" |
prompt_do_not_follow | high | "do not follow the previous/above instructions" |