mcp-server-semgrep/semgrep-rules/javascript/jsonwebtoken/security/jwt-hardcode.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: hardcoded-jwt-secret
  message: >-
    A hard-coded credential was detected. It is not recommended to store credentials in source-code,
    as this risks secrets
    being leaked and used by either an internal or external malicious adversary. It is recommended to
    use environment variables to securely provide credentials or retrieve credentials from a secure
    vault or HSM (Hardware Security Module).
  metadata:
    cwe:
    - 'CWE-798: Use of Hard-coded Credentials'
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
    owasp:
    - A07:2021 - Identification and Authentication Failures
    asvs:
      section: 'V3: Session Management Verification Requirements'
      control_id: 3.5.2 Static API keys or secret
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
      version: '4'
    category: security
    technology:
    - jwt
    - javascript
    - secrets
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: HIGH
    impact: MEDIUM
    confidence: HIGH
  languages:
  - javascript
  - typescript
  severity: WARNING
  mode: taint
  pattern-sources:
    - patterns:
        - pattern: |
            $X = '...' 
        - pattern: |
            $X = '$Y' 
    - patterns:
      - pattern-either: 
        - pattern-inside: |
            $JWT.sign($DATA,"...",...);
        - pattern-inside: |
            $JWT.verify($DATA,"...",...);
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern-inside: |
          $JWT = require("jsonwebtoken")
          ...
      - pattern-inside: |
          import $JWT from "jsonwebtoken"
          ...
      - pattern-inside: |
          import * as $JWT from "jsonwebtoken"
          ...
      - pattern-inside: |
          import {...,$JWT,...} from "jsonwebtoken"
          ...
    - pattern-either:
      - pattern-inside: |
          $JWT.sign($DATA,$VALUE,...);
      - pattern-inside: |
          $JWT.verify($DATA,$VALUE,...);
    - focus-metavariable: $VALUE