1 change: 1 addition & 0 deletions src/becwright/becs/README.md
Expand Up @@ -20,5 +20,6 @@ becwright add <name> # install one, e.g. `becwright add no-token-in-logs`
| `no-console-log-js` | Warns about `console.log(...)` in JS/TS | `warning` |
| `no-debug-go` | Blocks `fmt.Println()` and `panic()` in Go | `blocking` |
| `no-debug-rust` | Blocks `dbg!()` and `println!()` in Rust | `blocking` |
| `no-set-x-left-in` | Blocks `set -x` tracing left enabled in shell scripts | `blocking` |

The Python BECs use `paths: ["src/**/*.py"]`, the JS/TS ones `["**/*.js", "**/*.ts"]`, the Go bundles use `["**/*.go"]`, and the Rust bundles use `["**/*.rs"]`. After installing, adjust `paths` in your `.bec/rules.yaml` if your code lives elsewhere.
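Review bot: The paths sentence after the table now lags the table: it lists the Python, JS/TS, Go and Rust defaults but says nothing about the shell bundle added in the row above, so a reader has to open the YAML to learn that `no-set-x-left-in` uses `paths: ["**/*.sh"]`. Extend the sentence in the same style, e.g. `..., the Rust bundles use ["**/*.rs"], and the shell bundle uses ["**/*.sh"]`, and it is worth saying explicitly that scripts without a `.sh` extension are outside that default, since the closing "adjust `paths` ... if your code lives elsewhere" advice applies more often to shell than to the other languages.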
19 changes: 19 additions & 0 deletions src/becwright/becs/no-set-x-left-in.bec.yaml
@@ -0,0 +1,19 @@
becwright_bec: 1
exported_from: https://github.com/DataDave-Dev/becwright
rule:
id: no-set-x-left-in
intent: >
Do not leave `set -x` (shell command tracing) enabled in shipped scripts.
why_it_matters: >
`set -x` echoes every executed command, including expanded variables, to
stdout/stderr before it runs. In CI logs or captured output, that means
secrets, tokens, and other sensitive values passed as arguments get
printed in plaintext — a common accidental leak vector in shell scripts
that were debugged locally and never cleaned up before commit.
paths:
- "**/*.sh"
severity: blocking
check:
kind: builtin
module: forbid
args: "--pattern 'set\\s+-x'"
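Review bot: The `forbid` pattern on the last line, `set\s+-x`, is both too narrow and too loose for a blocking rule. It misses `set -o xtrace` and clustered flags such as `set -eux` or `set -Eeuxo pipefail`, and it matches text that does not enable tracing at all: a commented-out `# set -x`, a quoted `echo "set -x"`, or a `set -x` that is switched off again with `set +x` a few lines later. Something like `--pattern 'set\\s+(-[A-Za-z]*x|-o\\s+xtrace)'` closes the first gap without touching the rest of the file; the false positives need comment/quote awareness that a plain `forbid` regex cannot give, so if the module has no such option, say so in `intent` so users know a `# set -x` reminder will also trip the rule. One wording point in `why_it_matters`: xtrace output goes to stderr (bash can redirect it with `BASH_XTRACEFD`), not "stdout/stderr", which is worth stating precisely because CI systems often capture and retain the two streams differently.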
Comment on lines +13 to +19

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Inspect sibling BECs and matcher syntax before finalizing this rule.
sed -n '1,120p' src/becwright/becs/no-debug-go.bec.yaml
rg -n 'set -x|xtrace|forbid|pattern' src/becwright/becs

Repository: DataDave-Dev/becwright

Length of output: 1703


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## Rule file\n'
cat -n src/becwright/becs/no-set-x-left-in.bec.yaml

printf '\n## README entry\n'
sed -n '1,80p' src/becwright/becs/README.md

printf '\n## Search matcher implementation and docs\n'
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/dist/**' --glob '!**/build/**' \
  'kind:\s*builtin|module:\s*forbid|forbid\b|xtrace|set -o xtrace|set \+x|set -x' \
  src .github README.md .

Repository: DataDave-Dev/becwright

Length of output: 22283


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## forbid implementation\n'
cat -n src/becwright/checks/forbid.py

printf '\n## regex probe\n'
python3 - <<'PY'
import re

pattern = r"set\s+-x"
rx = re.compile(pattern)

samples = [
    "set -x",
    "set -o xtrace",
    "set -eux",
    "set -xe",
    "set +x",
    "set -o xtrace; echo hi",
    "set -x; set +x",
]

for s in samples:
    print(f"{s!r:24} -> {bool(rx.search(s))}")
PY

Repository: DataDave-Dev/becwright

Length of output: 2627


Broaden the xtrace pattern: `--pattern 'set\\s+-x'` only matches the literal `set -x`; it misses common xtrace forms like `set -o xtrace` and combined flags such as `set -eux`.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/becwright/becs/no-set-x-left-in.bec.yaml` around lines 13 - 19, the forbid rule in the xtrace check is too narrow because the current pattern only catches the literal `set -x`. Update the builtin forbid configuration in the no-set-x-left-in.bec.yaml rule to use a broader pattern that also matches `set -o xtrace` and combined shell option flags like `set -eux`, while keeping the rule anchored to the existing check metadata and paths.
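The narrow-versus-broad pattern point in the review above, worked as an added example that is neither becwright's `forbid` module nor the bot's probe script: a small scanner that tracks the xtrace state line by line, records where tracing is switched on and whether it is still on at the end of the file, and compares that with what the merged `set\s+-x` pattern flags on the same constructed sample. `scan_script`, `Report`, the helper names and the sample script are assumptions made for this illustration. It goes one step beyond the review finding by also handling `set +x` / `set +o xtrace`, `--`, and commented-out or quoted text.

```python
"""Added example for the review thread above: an xtrace detector broader than
the merged `set\\s+-x` pattern. Not becwright's `forbid` module; `scan_script`,
`Report`, the helpers and SAMPLE are constructed for this illustration."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List

# The merged rule only looks for the literal `set -x`.
NARROW = re.compile(r"set\s+-x")

# Constructed sample script covering the cases discussed in the review.
SAMPLE = r"""#!/bin/bash
# set -x                      <- commented out, must not count
set -euo pipefail
set -o xtrace                 # on: the merged pattern misses this
export TOKEN="$1"
set +o xtrace                 # off again
[ -n "$DEBUG" ] && set -x     # on: the only line the merged pattern gets right
echo "set -x"                 # a string, not a command
set +x                        # off
set -eux                      # on, never switched off: still on at EOF
deploy --token "$TOKEN"
"""

@dataclass
class Report:
    enabling_lines: List[int] = field(default_factory=list)  # lines switching tracing on
    still_on_at_eof: bool = False                             # tracing left enabled at exit
    narrow_hits: List[int] = field(default_factory=list)     # what `set\s+-x` would flag

def _strip_comment(line: str) -> str:
    """Drop a trailing comment: `#` at word start, outside quotes (so `$#` survives).
    Escaped quotes and heredocs are not handled; this is a linter heuristic."""
    out, quote, prev = [], None, " "
    for ch in line:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#" and prev.isspace():
            break
        out.append(ch)
        prev = ch
    return "".join(out)

def _set_commands(line: str) -> List[List[str]]:
    """Argument list of every simple `set` command on the line. Lists/pipelines are
    split naively (a `|` inside quotes would confuse it) and one-line compound
    commands such as `{ set -x; ...; }` are not unwrapped."""
    cmds = []
    for piece in re.split(r"\s*(?:;|&&|\|\||\|)\s*", _strip_comment(line)):
        try:
            argv = shlex.split(piece)
        except ValueError:          # unbalanced quotes: not a plain `set` command
            continue
        if argv and argv[0] == "set":
            cmds.append(argv[1:])
    return cmds

def _xtrace_toggles(args: List[str]) -> List[bool]:
    """True per argument that turns xtrace on, False per argument that turns it off:
    `-x`, `-eux`, `-o xtrace` enable; `+x`, `+o xtrace` disable; `--` ends options."""
    toggles, i = [], 0
    while i < len(args):
        a = args[i]
        if a in ("-o", "+o"):
            if i + 1 < len(args) and args[i + 1] == "xtrace":
                toggles.append(a == "-o")
            i += 2
            continue
        if a in ("--", "-"):
            break
        if len(a) > 1 and a[0] in "-+" and a[1:].isalpha() and "x" in a[1:]:
            toggles.append(a[0] == "-")
        i += 1
    return toggles

def scan_script(text: str) -> Report:
    """Track the xtrace state line by line and compare with the merged regex."""
    report = Report()
    enabled = False
    for n, line in enumerate(text.splitlines(), 1):
        if NARROW.search(line):
            report.narrow_hits.append(n)
        for args in _set_commands(line):
            for on in _xtrace_toggles(args):
                enabled = on
                if on and n not in report.enabling_lines:
                    report.enabling_lines.append(n)
    report.still_on_at_eof = enabled
    return report

if __name__ == "__main__":
    r = scan_script(SAMPLE)
    print("merged `set\\s+-x` pattern flags lines:", r.narrow_hits)
    print("tracing actually switched on at lines:", r.enabling_lines)
    print("tracing still enabled at end of script:", r.still_on_at_eof)
```

On the sample, the merged pattern flags the comment and the `echo` string while missing both `set -o xtrace` and `set -eux`; the state-tracking scan reports the three real enabling lines and that the script exits with tracing on. For a one-line change inside the rule's `args`, a pattern such as `set\s+(-[A-Za-z]*x|-o\s+xtrace)` gives most of this coverage, minus the comment, quote and `+x` handling.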
