mcp-server-semgrep/semgrep-rules/rust/lang/security/args.yml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
  - id: args
    message: >-
      args should not be used for security operations. From the docs:
      "The first element is traditionally the path of the executable, but it
      can be set to arbitrary text, and might not even exist. This means this
      property should not be relied upon for security purposes."
    pattern: "std::env::args()"
    metadata:
      references:
        - https://doc.rust-lang.org/stable/std/env/fn.args.html
      technology:
        - rust
      category: security
      cwe: "CWE-807: Reliance on Untrusted Inputs in a Security Decision"
      confidence: HIGH
      likelihood: LOW
      impact: LOW
      subcategory: audit
    languages: [rust]
    severity: INFO