.github/helper/semgrep_rules/security.yml - Clicks/Forks/ERPNext - Gitiles

 rules:
 - id: frappe-codeinjection-eval
   patterns:
   - pattern-not: eval("...")
   - pattern: eval(...)
   message: |
     Detected the use of eval(). eval() can be dangerous if used to evaluate
     dynamic content. Avoid it or use safe_eval().
   languages: [python]
   severity: ERROR

 - id: frappe-sqli-format-strings
   patterns:
     - pattern-inside: |
         @frappe.whitelist()
         def $FUNC(...):
             ...
     - pattern-either:
         - pattern: frappe.db.sql("..." % ...)
         - pattern: frappe.db.sql(f"...", ...)
         - pattern: frappe.db.sql("...".format(...), ...)
   message: |
       Detected use of raw string formatting for SQL queries. This can lead to sql injection vulnerabilities. Refer security guidelines - https://github.com/frappe/erpnext/wiki/Code-Security-Guidelines
   languages: [python]
   severity: WARNING
	rules:
	- id: frappe-codeinjection-eval
	patterns:
	- pattern-not: eval("...")
	- pattern: eval(...)
	message: \|
	Detected the use of eval(). eval() can be dangerous if used to evaluate
	dynamic content. Avoid it or use safe_eval().
	languages: [python]
	severity: ERROR

	- id: frappe-sqli-format-strings
	patterns:
	- pattern-inside: \|
	@frappe.whitelist()
	def $FUNC(...):
	...
	- pattern-either:
	- pattern: frappe.db.sql("..." % ...)
	- pattern: frappe.db.sql(f"...", ...)
	- pattern: frappe.db.sql("...".format(...), ...)
	message: \|
	Detected use of raw string formatting for SQL queries. This can lead to sql injection vulnerabilities. Refer security guidelines - https://github.com/frappe/erpnext/wiki/Code-Security-Guidelines
	languages: [python]
	severity: WARNING