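# Run this rule file against the package:
#   semgrep --config semgrep.yml applepy
# Or run the Semgrep registry's Python ruleset instead:
#   semgrep --config=p/python applepy
rules:
  - id: subprocess-with-shell-true
    languages: [python]
    severity: ERROR
    message: Avoid subprocess with shell=True (injection risk).
    # Why this is flagged: shell=True hands the command to the system shell,
    # so any caller-influenced data in the command string is parsed as shell
    # syntax. The usual fix at a finding is to pass the command as an
    # argument list and leave shell at its default (False).
    #
    # Scope: the rule keys on the shell=True keyword argument of the
    # subprocess functions listed below. Code that reaches a shell another
    # way (e.g. os.system, subprocess.getoutput) is not covered here and
    # needs its own rule.
    pattern-either:
      - pattern: subprocess.run(..., shell=True, ...)
      - pattern: subprocess.Popen(..., shell=True, ...)
      - pattern: subprocess.call(..., shell=True, ...)
      # check_call and check_output accept shell=True as well; without
      # these two patterns such calls would pass the scan unflagged.
      - pattern: subprocess.check_call(..., shell=True, ...)
      - pattern: subprocess.check_output(..., shell=True, ...)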