local-deep-research/bearer.yml

# Bearer SAST Scanner Configuration
# https://docs.bearer.com/reference/config/
#
# This configuration suppresses false positive alerts that don't apply
# to this codebase's security model.

rule:
  # Skip rules that are false positives in our context
  skip-rule:
    # Logger leak alerts (python_lang_logger)
    # -----------------------------------------
    # SAFE TO SKIP: All logs in this application go to SQLCipher-encrypted
    # per-user databases. Research queries and other logged data are protected by:
    # - SQLCipher encryption at rest (AES-256)
    # - Per-user database isolation (each user has their own encrypted DB)
    # - Password-protected access (only the authenticated user can decrypt)
    #
    # See: src/local_deep_research/utilities/log_utils.py (database_sink)
    # See: src/local_deep_research/database/encrypted_db.py (SQLCipher)
    - python_lang_logger

    # MD5 weak hash alerts (python_lang_weak_hash_md5)
    # -------------------------------------------------
    # SAFE TO SKIP: MD5 is used only for cache keys and content deduplication,
    # NOT for security purposes (passwords, signatures, etc.). MD5 is acceptable
    # for these non-cryptographic uses where collision resistance is not critical.
    #
    # Usage locations:
    # - research_service.py: Content deduplication hashes
    # - search_cache.py: Cache key generation
    # - benchmark_service.py: Test result identification
    - python_lang_weak_hash_md5  # DevSkim: ignore DS126858 - this is a rule name, not actual MD5 usage

    # Path traversal alerts (python_lang_path_traversal)
    # ---------------------------------------------------
    # SAFE TO SKIP: All filesystem operations use werkzeug's safe_join() via
    # PathValidator (src/local_deep_research/security/path_validator.py).
    #
    # The PathValidator class provides:
    # - validate_safe_path(): Uses safe_join() for path sanitization
    # - validate_local_filesystem_path(): Explicit traversal checks + safe_join()
    # - validate_config_path(): Validates config file paths
    # - validate_model_path(): Validates model file paths
    # - sanitize_for_filesystem_ops(): Re-sanitizes for static analyzer recognition
    #
    # All files doing path operations import from security/path_validator.py
    # and use these validation methods before any filesystem access.
    - python_lang_path_traversal

    # Weak random number generator alerts (python_lang_insecure_random)
    # -----------------------------------------------------------------
    # SAFE TO SKIP: random.random() is used only for non-security purposes:
    # - Jitter in scheduler timing (to avoid thundering herd)
    # - Sampling in profiling/telemetry
    # - Test data generation
    #
    # All cryptographic random needs use secrets module instead.
    - python_lang_insecure_random

    # Weak random number generator alerts (python_lang_weak_random)
    # --------------------------------------------------------------
    # SAFE TO SKIP: Same rationale as python_lang_insecure_random above.
    # Bearer may report this as an alternative rule name. All 14 instances
    # use random for jitter/scheduling/sampling — never for cryptography.
    - python_lang_weak_random

    # Gitleaks secret detection alerts (gitleaks)
    # ---------------------------------------------
    # SAFE TO SKIP: Bearer's built-in gitleaks rules flag placeholder URLs
    # (discord://YOUR_WEBHOOK_ID/YOUR_TOKEN), test credentials in CI workflows
    # (postgres:postgres), and example code in documentation files. All real
    # secrets are managed via environment variables and .env files (which are
    # gitignored). The standalone gitleaks scanner with .gitleaks.toml provides
    # more precise coverage.
    - gitleaks

    # JavaScript innerHTML/XSS alerts (javascript_lang_dangerous_insert_html)
    # -----------------------------------------------------------------------
    # REVIEW REQUIRED: Not globally skipped. XSS protection is implemented via:
    # - escapeHtml() function defined in xss-protection.js
    # - escapeHtml() inline fallbacks in component files
    # - All user data in HTML templates is escaped
    #
    # Files with XSS protection applied (January 2025):
    # - subscriptions.js: Uses escapeHtml() for all user data
    # - news.js: Uses escapeHtml() for all user data
    # - xss-protection.js: Provides global escapeHtml()
    #
    # Individual alerts may still need inline bearer:disable if they are
    # intentional HTML sanitization code or false positives.
    # DO NOT add javascript_lang_dangerous_insert_html here globally.

    # Manual HTML sanitization alerts (javascript_lang_manual_html_sanitization)
    # --------------------------------------------------------------------------
    # SAFE TO SKIP: All 21 instances are intentional escapeHtml sanitization
    # functions (xss-protection.js, details.js, etc.). Flagging the sanitizer
    # itself is circular — these functions ARE the security control. Deep search
    # found zero partial/incomplete escaping patterns across the codebase.
    - javascript_lang_manual_html_sanitization

    # Observable timing alerts (javascript_lang_observable_timing)
    # ------------------------------------------------------------
    # SAFE TO SKIP: No client-side secret comparisons exist. All auth is
    # server-side (Flask-WTF CSRF with hmac.compare_digest, SQLCipher decrypt).
    # Only theme names, URL hashes, and keyboard events are compared in JS.
    # Affected: theme.js:349, logpanel.js:272
    - javascript_lang_observable_timing

    # OS command injection alerts (python_lang_os_command_injection)
    # --------------------------------------------------------------
    # SAFE TO SKIP: 100% of subprocess calls use list syntax (not shell=True).
    # Zero shell=True in production code (7 files verified). All paths are
    # validated by PathValidator. Pattern enforced by existing security tests.
    # Affected: utils/__init__.py:89,97
    - python_lang_os_command_injection