You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/Security-Focused-Guide-for-AI-Code-Assistant-Instructions.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -24,7 +24,7 @@ By keeping these points in mind, you can harness AI code assistants effectively
24
24
### TL;DR Sample Instructions
25
25
26
26
Here are sample instructions that you can copy and paste.
27
-
In most cases you should extract *from* this sample (for details see below):
27
+
In most cases you should **extract from** this sample (for details see below).
28
28
If you copy and paste irrelevant parts, the AI is more likely to generate
29
29
extraneous or even incorrect code as it attempts to compensate for
30
30
attacks that can't happen:
@@ -49,7 +49,7 @@ When suggesting dependency versions, prefer the latest stable release and mentio
49
49
Generate a Software Bill of Materials (SBOM) by using tools that support standard formats like SPDX or CycloneDX.
50
50
Where applicable, use in-toto attestations or similar frameworks to create verifiable records of your build and deployment processes.
51
51
Prefer high-level libraries for cryptography rather than rolling your own.
52
-
---
52
+
53
53
> When adding important external resources (scripts, containers, etc.), include steps to verify integrity (like checksum verification or signature validation) if applicable.
54
54
When writing file or OS-level operations, use safe functions and check for errors (e.g., use secure file modes, avoid temp files without proper randomness, etc.). If running as a service, drop privileges when possible.
55
55
Always include appropriate security headers (Content Security Policy, X-Frame-Options, etc.) in web responses, and use frameworks' built-in protections for cookies and sessions.
@@ -72,7 +72,7 @@ For Python, follow PEP 8 and use type hints, as this can catch misuse early.
72
72
For JavaScript/TypeScript, when generating Node.js code, use prepared statements for database queries (just like any other language) and encode any data that goes into HTML to prevent XSS.
73
73
For Java, when suggesting web code (e.g., using Spring), ensure to use built-in security annotations and avoid old, vulnerable libraries (e.g., use `BCryptPasswordEncoder` rather than writing a custom password hash).
74
74
For C#, Use .NET's cryptography and identity libraries instead of custom solutions.
75
-
---
75
+
76
76
> Never suggest turning off security features like XML entity security or type checking during deserialization.
77
77
Code suggestions should adhere to OWASP Top 10 principles (e.g., avoid injection, enforce access control) and follow the OWASP ASVS requirements where applicable.
78
78
Our project follows SAFECode's secure development practices – the AI should prioritize those (e.g., proper validation, authentication, cryptography usage per SAFECode guidance).
0 commit comments