mirror of
https://github.com/OpenHands/OpenHands.git
synced 2025-12-26 05:48:36 +08:00
01ae22ef57
* Replace OpenDevin with OpenHands * Update CONTRIBUTING.md * Update README.md * Update README.md * update poetry lock; move opendevin folder to openhands * fix env var * revert image references in docs * revert permissions * revert permissions --------- Co-authored-by: Xingyao Wang <xingyao6@illinois.edu>
20 lines
652 B
Python
20 lines
652 B
Python
DEFAULT_INVARIANT_POLICY = """from invariant.detectors import semgrep, secrets, CodeIssue
|
|
|
|
raise "Disallow secrets in bash commands [risk=medium]" if:
|
|
(call: ToolCall)
|
|
call is tool:cmd_run
|
|
any(secrets(call.function.arguments.command))
|
|
|
|
raise "Vulnerability in python code [risk=medium]" if:
|
|
(call: ToolCall)
|
|
call is tool:ipython_run_cell
|
|
semgrep_res := semgrep(call.function.arguments.code, lang="python")
|
|
any(semgrep_res)
|
|
|
|
raise "Vulnerability in bash command [risk=medium]" if:
|
|
(call: ToolCall)
|
|
call is tool:cmd_run
|
|
semgrep_res := semgrep(call.function.arguments.command, lang="bash")
|
|
any(semgrep_res)
|
|
"""
|