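# Shell-command guard rules: each entry pairs a regular expression with the
# reason reported when a command matches it.
# NOTE(review): these rules match on command text only, so treat the list as a
# guard rail rather than a sandbox; file permissions, least-privilege
# credentials and backups remain the real control.
bashToolPatterns:
# Short flags can be combined (-vrf) or split across tokens (-v -rf), and long
# options can follow other options. Leading option tokens are consumed whole
# (-\S+\s+), which keeps the prefix free of nested unbounded quantifiers, and
# the last token is either a short-flag group containing r/R/f or a long option
# starting with r/R/f (--recursive, --force and their abbreviations).
- pattern: '\brm\s+(-\S+\s+)*-(-|[^\s-]*)[rRf]'
  reason: rm with recursive or force flags
- pattern: '\brm\s+-[rRf]'
  reason: rm with recursive or force flags
- pattern: '\brm\s+--recursive'
  reason: rm with --recursive flag
- pattern: '\brm\s+--force'
  reason: rm with --force flag
# Any rm run through sudo is matched, whatever its flags.
- pattern: '\bsudo\s+rm\b'
  reason: sudo rm
- pattern: '\brmdir\s+--ignore-fail-on-non-empty'
  reason: rmdir ignore-fail
# An optional leading octal digit is accepted so 0777 and the setuid/setgid/
# sticky variants (for example 1777) are treated like 777: the low three digits
# still make the target world writable.
- pattern: '\bchmod\s+(-[^\s]+\s+)*[0-7]?777\b'
  reason: chmod 777 (world writable)
- pattern: '\bchmod\s+-[Rr].*777'
  reason: recursive chmod 777
- pattern: '\bchown\s+-[Rr].*\broot\b'
  reason: recursive chown to root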
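# Git rules. Entries without `ask` cover history- or work-destroying commands;
# entries with `ask: true` cover narrower, sometimes intended operations.
# NOTE(review): presumably `ask: true` asks the user to confirm instead of
# refusing outright — confirm against the hook that loads this file.
- pattern: '\bgit\s+reset\s+--hard\b'
  reason: git reset --hard (use --soft or stash)
# Leading option tokens are consumed whole (-\S+\s+) so combined flags such as
# -xfd and split flags such as -x -f are both seen; --force and other long
# options starting with f or d are matched by the `--` alternative.
- pattern: '\bgit\s+clean\s+(-\S+\s+)*-(-|[^\s-]*)[fd]'
  reason: git clean with force/directory flags
# --force-with-lease and --force-if-includes are the safer variants and are
# exempted; any other --force spelling still matches.
- pattern: '\bgit\s+push\s+.*--force(?!-with-lease|-if-includes)'
  reason: git push --force (use --force-with-lease)
# -f may follow the remote and refspec, or be combined with other short flags
# (-uf), so any run of whole tokens is allowed before it. Like the --force rule
# above, this can also match text later on the same command line.
- pattern: '\bgit\s+push\s+(\S+\s+)*-[^\s-]*f\b'
  reason: git push -f (use --force-with-lease)
- pattern: '\bgit\s+stash\s+clear\b'
  reason: git stash clear (deletes ALL stashes)
- pattern: '\bgit\s+reflog\s+expire\b'
  reason: git reflog expire (destroys recovery mechanism)
- pattern: '\bgit\s+gc\s+.*--prune=now'
  reason: git gc --prune=now (can lose dangling commits)
- pattern: '\bgit\s+filter-branch\b'
  reason: git filter-branch (rewrites entire history)
# The two rules below key on a leading "." in the pathspec, so they also match
# dot-prefixed file names, not only the bare current directory.
- pattern: '\bgit\s+checkout\s+--\s*\.'
  reason: Discards all uncommitted changes
  ask: true
- pattern: '\bgit\s+restore\s+\.'
  reason: Discards all uncommitted changes
  ask: true
- pattern: '\bgit\s+stash\s+drop\b'
  reason: Permanently deletes a stash
  ask: true
# -D may be combined with other short flags or preceded by other options.
- pattern: '\bgit\s+branch\s+(-\S+\s+)*-[^\s-]*D'
  reason: Force deletes branch (even if unmerged)
  ask: true
- pattern: '\bgit\s+push\s+\S+\s+--delete\b'
  reason: Deletes remote branch
  ask: true
# A refspec with an empty source side (":branch") deletes the remote ref.
- pattern: '\bgit\s+push\s+\S+\s+:\S+'
  reason: Deletes remote branch (old syntax)
  ask: true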
# Disk- and process-level commands.
# Matches any mkfs.<fstype> helper by its "mkfs." prefix.
- pattern: '\bmkfs\.'
  reason: filesystem format command
# dd is matched only when its output operand points under /dev/.
- pattern: '\bdd\s+.*of=/dev/'
  reason: dd writing to device
# Signal 9 sent to PID -1; the other two rules match -9 with any target.
- pattern: '\bkill\s+-9\s+-1\b'
  reason: kill all processes
- pattern: '\bkillall\s+-9\b'
  reason: killall -9
- pattern: '\bpkill\s+-9\b'
  reason: pkill -9
# Clearing history removes a record that is useful when reviewing what ran.
- pattern: '\bhistory\s+-c\b'
  reason: clearing shell history
# AWS CLI rules. The two s3 rules require the flag somewhere after the
# subcommand (.*); the remaining rules match on the subcommand name alone, so
# every invocation of that subcommand matches regardless of arguments.
- pattern: '\baws\s+s3\s+rm\s+.*--recursive'
  reason: aws s3 rm --recursive (deletes all objects)
- pattern: '\baws\s+s3\s+rb\s+.*--force'
  reason: aws s3 rb --force (force removes bucket)
- pattern: '\baws\s+ec2\s+terminate-instances\b'
  reason: aws ec2 terminate-instances
- pattern: '\baws\s+rds\s+delete-db-instance\b'
  reason: aws rds delete-db-instance
- pattern: '\baws\s+cloudformation\s+delete-stack\b'
  reason: aws cloudformation delete-stack (deletes infrastructure)
- pattern: '\baws\s+dynamodb\s+delete-table\b'
  reason: aws dynamodb delete-table
- pattern: '\baws\s+eks\s+delete-cluster\b'
  reason: aws eks delete-cluster
- pattern: '\baws\s+lambda\s+delete-function\b'
  reason: aws lambda delete-function
# Identity changes: removing a role or user can break access for other systems.
- pattern: '\baws\s+iam\s+delete-role\b'
  reason: aws iam delete-role
- pattern: '\baws\s+iam\s+delete-user\b'
  reason: aws iam delete-user
# Google Cloud CLI rules, matched on the command group and verb.
- pattern: '\bgcloud\s+projects\s+delete\b'
  reason: gcloud projects delete (DELETES ENTIRE PROJECT)
- pattern: '\bgcloud\s+compute\s+instances\s+delete\b'
  reason: gcloud compute instances delete
- pattern: '\bgcloud\s+sql\s+instances\s+delete\b'
  reason: gcloud sql instances delete
- pattern: '\bgcloud\s+container\s+clusters\s+delete\b'
  reason: gcloud container clusters delete (GKE)
# ".*-r" matches the two characters "-r" anywhere after "rm", so a path that
# happens to contain "-r" also matches; this errs toward matching too much.
- pattern: '\bgcloud\s+storage\s+rm\s+.*-r'
  reason: gcloud storage rm -r (recursive delete)
- pattern: '\bgcloud\s+functions\s+delete\b'
  reason: gcloud functions delete
- pattern: '\bgcloud\s+iam\s+service-accounts\s+delete\b'
  reason: gcloud iam service-accounts delete
- pattern: '\bgcloud\s+run\s+services\s+delete\b'
  reason: gcloud run services delete (deletes Cloud Run service)
- pattern: '\bgcloud\s+run\s+jobs\s+delete\b'
  reason: gcloud run jobs delete (deletes Cloud Run job)
- pattern: '\bgcloud\s+services\s+disable\b'
  reason: gcloud services disable (disables GCP APIs)
- pattern: '\bgcloud\s+iam\s+roles\s+delete\b'
  reason: gcloud iam roles delete (deletes IAM role)
# This pattern stops at "policies", so every subcommand under that group
# matches. It is the only gcloud rule carrying `ask: true`.
# NOTE(review): presumably `ask: true` requests confirmation rather than
# refusing — confirm against the hook that loads this file.
- pattern: '\bgcloud\s+iam\s+policies\b'
  reason: gcloud iam policies (modifies IAM policies)
  ask: true
# Firebase CLI rules.
- pattern: '\bfirebase\s+projects:delete\b'
  reason: firebase projects:delete (deletes entire project)
# Only the --all-collections form of firestore:delete is matched.
- pattern: '\bfirebase\s+firestore:delete\s+.*--all-collections'
  reason: firebase firestore:delete --all-collections (wipes all data)
- pattern: '\bfirebase\s+database:remove\b'
  reason: firebase database:remove (wipes Realtime DB)
- pattern: '\bfirebase\s+hosting:disable\b'
  reason: firebase hosting:disable
- pattern: '\bfirebase\s+functions:delete\b'
  reason: firebase functions:delete
# Vercel CLI rules. Every command matched by the "remove ... --yes" rule is also
# matched by the plain "vercel remove" rule further down.
# NOTE(review): if the hook reports the first match, the listing order decides
# which reason the user sees — confirm.
- pattern: '\bvercel\s+remove\s+.*--yes'
  reason: vercel remove --yes (removes deployment)
- pattern: '\bvercel\s+projects\s+rm\b'
  reason: vercel projects rm (deletes project)
- pattern: '\bvercel\s+env\s+rm\b'
  reason: vercel env rm (removes env variables)
- pattern: '\bvercel\s+rm\b'
  reason: vercel rm (removes deployment)
- pattern: '\bvercel\s+remove\b'
  reason: vercel remove (removes deployment)
- pattern: '\bvercel\s+domains\s+rm\b'
  reason: vercel domains rm (removes custom domain)
# Netlify CLI rules.
- pattern: '\bnetlify\s+sites:delete\b'
  reason: netlify sites:delete (deletes entire site)
- pattern: '\bnetlify\s+functions:delete\b'
  reason: netlify functions:delete
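# Cloudflare Wrangler rules.
- pattern: '\bwrangler\s+delete\b'
  reason: wrangler delete (deletes Worker)
- pattern: '\bwrangler\s+r2\s+bucket\s+delete\b'
  reason: wrangler r2 bucket delete
# Wrangler accepts both the colon spelling (kv:namespace) and the newer
# space-separated spelling (kv namespace); match either.
- pattern: '\bwrangler\s+kv(:|\s+)namespace\s+delete\b'
  reason: wrangler kv:namespace delete
- pattern: '\bwrangler\s+d1\s+delete\b'
  reason: wrangler d1 delete (deletes database)
- pattern: '\bwrangler\s+queues\s+delete\b'
  reason: wrangler queues delete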
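# SQL statements appearing inside a command line.
# NOTE(review): the keywords are written in upper case; whether lower-case SQL
# matches depends on the flags the hook compiles these patterns with — confirm.
# The table name accepts dots so schema-qualified names (schema.table) are
# covered as well as bare names.
- pattern: 'DELETE\s+FROM\s+[\w.]+\s*;'
  reason: DELETE without WHERE clause (will delete ALL rows)
- pattern: 'DELETE\s+\*\s+FROM'
  reason: DELETE * (will delete ALL rows)
- pattern: '\bTRUNCATE\s+TABLE\b'
  reason: TRUNCATE TABLE (will delete ALL rows)
- pattern: '\bDROP\s+TABLE\b'
  reason: DROP TABLE
- pattern: '\bDROP\s+DATABASE\b'
  reason: DROP DATABASE
- pattern: '\bDROP\s+SCHEMA\b'
  reason: DROP SCHEMA
# A DELETE narrowed by an id comparison carries `ask: true` instead of being
# listed like the rules above.
# NOTE(review): presumably `ask: true` requests confirmation rather than
# refusing — confirm against the hook that loads this file.
- pattern: '\bDELETE\s+FROM\s+[\w.]+\s+WHERE\b.*\bid\s*='
  reason: SQL DELETE with specific ID
  ask: true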
# Paths that hold secrets or credentials.
# NOTE(review): the key name suggests neither reads nor writes are allowed, and
# the entries look like shell-style globs with "~" for the home directory —
# confirm both against the hook that loads this file.
zeroAccessPaths:
# Environment files, which commonly carry API keys and database passwords.
- ".env"
- ".env.local"
- ".env.development"
- ".env.production"
- ".env.staging"
- ".env.test"
- ".env.*.local"
- "*.env"
# SSH and GnuPG key material.
- "~/.ssh/"
- "~/.gnupg/"
# Cloud provider CLI credentials and service-account key files.
- "~/.aws/"
- "~/.config/gcloud/"
- "*-credentials.json"
- "*serviceAccount*.json"
- "*service-account*.json"
- "~/.azure/"
# Kubernetes cluster credentials and secret manifests.
- "~/.kube/"
- "kubeconfig"
- "*-secret.yaml"
- "secrets.yaml"
# Container registry logins.
- "~/.docker/"
# Private keys and certificate bundles.
- "*.pem"
- "*.key"
- "*.p12"
- "*.pfx"
# Terraform state can contain resource secrets in plain text.
- "*.tfstate"
- "*.tfstate.backup"
- ".terraform/"
# Per-project state for hosting platforms and their admin keys.
- ".vercel/"
- ".netlify/"
- "firebase-adminsdk*.json"
- "serviceAccountKey.json"
- ".supabase/"
# Stored logins for network tools, package registries and git.
- "~/.netrc"
- "~/.npmrc"
- "~/.pypirc"
- "~/.git-credentials"
- ".git-credentials"
# Database dumps, which may contain production data.
- "dump.sql"
- "backup.sql"
- "*.dump"
# Paths that may be inspected but should not be modified.
# NOTE(review): the key name suggests reads are allowed and writes are not —
# confirm against the hook that loads this file.
readOnlyPaths:
# System directories.
- /etc/
- /usr/
- /bin/
- /sbin/
- /boot/
- /root/
# Shell and REPL history files.
- ~/.bash_history
- ~/.zsh_history
- ~/.node_repl_history
# Shell startup files; they run on every new shell, so an unreviewed edit
# would persist beyond the current session.
- ~/.bashrc
- ~/.zshrc
- ~/.profile
- ~/.bash_profile
# Dependency lockfiles, which are meant to be regenerated by the package
# manager rather than edited by hand.
- "package-lock.json"
- "yarn.lock"
- "pnpm-lock.yaml"
- "Gemfile.lock"
- "poetry.lock"
- "Pipfile.lock"
- "composer.lock"
- "Cargo.lock"
- "go.sum"
- "flake.lock"
- "bun.lockb"
- "uv.lock"
- "npm-shrinkwrap.json"
# Catch-alls; assuming ordinary glob matching, these already cover the
# *.lock and *.lockb names listed individually above.
- "*.lock"
- "*.lockb"
# Minified and bundled assets.
- "*.min.js"
- "*.min.css"
- "*.bundle.js"
- "*.chunk.js"
# Build output, dependency and virtual-environment directories.
- dist/
- build/
- .next/
- .nuxt/
- .output/
- node_modules/
- __pycache__/
- .venv/
- venv/
- target/
# Paths that must not be deleted.
# NOTE(review): the key name suggests edits are still allowed and only removal
# is prevented — confirm against the hook that loads this file.
noDeletePaths:
# Claude configuration directory and project instruction file.
- ~/.claude/
- CLAUDE.md
# Licence and legal notices.
- "LICENSE"
- "LICENSE.*"
- "COPYING"
- "COPYING.*"
- "NOTICE"
- "PATENTS"
# Project documentation and policy files.
- "README.md"
- "README.*"
- "CONTRIBUTING.md"
- "CHANGELOG.md"
- "CODE_OF_CONDUCT.md"
- "SECURITY.md"
# Git repository data and settings.
- .git/
- .gitignore
- .gitattributes
- .gitmodules
# CI/CD pipeline definitions.
- .github/
- .gitlab-ci.yml
- .circleci/
- Jenkinsfile
- .travis.yml
- azure-pipelines.yml
# Container build and compose files.
- Dockerfile
- "Dockerfile.*"
- docker-compose.yml
- "docker-compose.*.yml"
- .dockerignore