diff --git a/src/becwright/becs/README.md b/src/becwright/becs/README.md
index 58c22f3..0de6734 100644
--- a/src/becwright/becs/README.md
+++ b/src/becwright/becs/README.md
@@ -20,5 +20,6 @@ becwright add # install one, e.g. `becwright add no-token-in-logs`
 | `no-console-log-js` | Warns about `console.log(...)` in JS/TS | `warning` |
 | `no-debug-go` | Blocks `fmt.Println()` and `panic()` in Go | `blocking` |
 | `no-debug-rust` | Blocks `dbg!()` and `println!()` in Rust | `blocking` |
+| `no-set-x-left-in` | Blocks `set -x` tracing left enabled in shell scripts | `blocking` |
 
 The Python BECs use `paths: ["src/**/*.py"]`, the JS/TS ones `["**/*.js", "**/*.ts"]`, the Go bundles use `["**/*.go"]`, and the Rust bundles use `["**/*.rs"]`. After installing, adjust `paths` in your `.bec/rules.yaml` if your code lives elsewhere.
\ No newline at end of file
diff --git a/src/becwright/becs/no-set-x-left-in.bec.yaml b/src/becwright/becs/no-set-x-left-in.bec.yaml
new file mode 100644
index 0000000..0812527
--- /dev/null
+++ b/src/becwright/becs/no-set-x-left-in.bec.yaml
@@ -0,0 +1,19 @@
+becwright_bec: 1
+exported_from: https://github.com/DataDave-Dev/becwright
+rule:
+  id: no-set-x-left-in
+  intent: >
+    Do not leave `set -x` (shell command tracing) enabled in shipped scripts.
+  why_it_matters: >
+    `set -x` echoes every executed command, including expanded variables, to
+    stdout/stderr before it runs. In CI logs or captured output, that means
+    secrets, tokens, and other sensitive values passed as arguments get
+    printed in plaintext — a common accidental leak vector in shell scripts
+    that were debugged locally and never cleaned up before commit.
+  paths:
+    - "**/*.sh"
+  severity: blocking
+check:
+  kind: builtin
+  module: forbid
+  args: "--pattern 'set\\s+-x'"
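Review bot: The `--pattern 'set\\s+-x'` on the last line of the new rule file only catches the bare `-x` spelling and misses the combined and long forms that are at least as common in shipped scripts (`set -ex`, `set -euxo pipefail`, `set -o xtrace`), so a script left with `set -euxo pipefail` passes this blocking check while leaking exactly what `why_it_matters` describes; assuming the forbid module takes an ordinary regex, `args: "--pattern 'set\\s+(-[a-zA-Z]*x|-o\\s+xtrace)'"` covers those spellings too. The `paths` list is `**/*.sh` only, yet the rationale is written around CI logs, and tracing enabled in a workflow `run:` step, a `RUN` line, or an extensionless script is outside that glob; either say so in `intent` or widen `paths`, so a user does not assume those are covered. Whether forbid skips comments is not visible in this hunk, so a `set -x` mentioned in a comment would presumably trip the rule as well; a sentence in `why_it_matters` noting that false positive would spare the next maintainer a puzzled look.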