diff --git a/copilot-instructions.md b/copilot-instructions.md index 085ff84..acfaccf 100644 --- a/copilot-instructions.md +++ b/copilot-instructions.md @@ -46,6 +46,18 @@ These instructions guide GitHub Copilot to suggest secure, intentional code patt - Always hash passwords with `PasswordHasher` or a vetted library β€” never store plaintext. - Use configuration providers like `Azure Key Vault`, `AWS Secrets Manager`, or environment-based secrets β€” avoid `appsettings.json` for secrets. +### 🐍 Python + +- Always validate and sanitize external input β€” use `pydantic`, `cerberus`, or `marshmallow` for structured validation. +- Prefer parameterized queries with libraries like `psycopg2`, `sqlite3`, or `SQLAlchemy` β€” avoid building SQL with string concat or f-strings. +- Use built-in escaping via `html.escape()` or templating engines like Jinja2 (autoescaping on!) to prevent XSS. +- Default to `secrets` or `cryptography` libs for key generation and secure token handling β€” never `random` for cryptographic use. +- Avoid dynamic code execution (`eval`, `exec`) β€” prefer explicit, safe alternatives. +- Don’t load YAML or pickle files without hardening β€” always use `safe_load()` and avoid untrusted input. +- Store secrets in secure vaults or env vars passed through orchestrators β€” avoid hardcoded strings or `.env` files in prod. +- Use logging filters to redact PII and secrets β€” avoid logging full request payloads or exception chains that include sensitive data. +- Always hash passwords with `bcrypt`, `argon2`, or `passlib` β€” never `md5`, `sha1`, or plain `hashlib`. + --- ## 🚫 3. Do Not Suggest 
@@ -77,6 +89,16 @@ These instructions guide GitHub Copilot to suggest secure, intentional code patt - Do not log full exception objects or HTTP request bodies without redacting PII. - Do not disable certificate validation (`ServerCertificateValidationCallback = delegate { return true; }`) in production. +### Python + +- Do not build SQL queries with string concat, f-strings, or `.format()` β€” always use parameterized queries. +- Do not use `eval`, `exec`, or dynamic imports on user input β€” these are unsafe unless tightly sandboxed. +- Do not log sensitive values (e.g. API keys, passwords) or full stack traces with PII. +- Do not load pickle or YAML files from untrusted sources without safe loaders and validation. +- Do not use insecure hash functions like `md5` or `sha1` for password storage β€” use a modern password hashing lib. +- Do not commit `.env` files or hardcode secrets β€” use secrets management infrastructure. + + --- ## 🧠 4. AI-Generated Code Safety
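Review bot: In the first hunk (the new "### 🐍 Python" section), the bullet "Don't load YAML or pickle files without hardening" prescribes `safe_load()` for both formats, but `safe_load()` is a YAML loader (PyYAML's `yaml.safe_load`). Pickle has no safe loader, and unpickling attacker-controlled data can execute code. Suggest splitting it into two bullets: one requiring `yaml.safe_load()` for YAML, and one stating that untrusted data is never unpickled and a data-only format such as JSON is used instead. A smaller point on the password bullet: "plain `hashlib`" is ambiguous because `hashlib` also exposes `scrypt` and `pbkdf2_hmac`, so naming the fast digests being ruled out would read more precisely.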
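Review bot: In the second hunk (the Python list under "Do Not Suggest"), the `eval`/`exec` bullet ends with "these are unsafe unless tightly sandboxed", which turns a prohibition into a conditional and is weaker than the "Avoid dynamic code execution" rule added in the first hunk. In-process sandboxing of `eval`/`exec` is not dependable in Python, so I would drop the qualifier and make the rule unconditional for user input. The pickle/YAML bullet has the same problem as its counterpart above: "without safe loaders" implies a safe loader exists for pickle. Style: this heading is `### Python` while the first hunk uses `### 🐍 Python`, and this hunk adds two blank lines before `---` where the first adds one; pick one form for each.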