| 12345678910111213141516171819 |
- DEFAULT_INVARIANT_POLICY = """from invariant.detectors import semgrep, secrets, CodeIssue
- raise "Disallow secrets in bash commands [risk=medium]" if:
- (call: ToolCall)
- call is tool:cmd_run
- any(secrets(call.function.arguments.command))
- raise "Vulnerability in python code [risk=medium]" if:
- (call: ToolCall)
- call is tool:ipython_run_cell
- semgrep_res := semgrep(call.function.arguments.code, lang="python")
- any(semgrep_res)
- raise "Vulnerability in bash command [risk=medium]" if:
- (call: ToolCall)
- call is tool:cmd_run
- semgrep_res := semgrep(call.function.arguments.command, lang="bash")
- any(semgrep_res)
- """
|
