# Cryptography Rules
# ==================

cryptography_rules:
  - id: SEC-041
    name: Strong hashing algorithms
    severity: error
    description: >
      Use bcrypt, argon2, scrypt for passwords.
      Use SHA-256 or stronger for general hashing.
      Never use MD5 or SHA1.

  - id: SEC-042
    name: Secure random generation
    severity: error
    description: >
      Use the secrets module for security-sensitive randomness.
      Never use random module for tokens or keys.

  - id: SEC-043
    name: No hardcoded encryption keys
    severity: error
    description: >
      Encryption keys must come from environment variables
      or secret management services.

  - id: SEC-044
    name: Strong encryption algorithms
    severity: error
    description: >
      Use AES-256 or ChaCha20.
      Never use DES, 3DES, or RC4.

  - id: SEC-045
    name: Proper IV/nonce usage
    severity: error
    description: >
      Encryption IVs and nonces must be randomly generated
      and unique per encryption.

  - id: SEC-046
    name: TLS version requirements
    severity: warning
    description: >
      Enforce TLS 1.2 or higher.
      Disable SSLv2, SSLv3, TLS 1.0, TLS 1.1.

  - id: SEC-047
    name: Certificate verification
    severity: error
    description: >
      Always verify SSL certificates.
      Never disable verification in production.

  - id: SEC-048
    name: Key derivation for passwords
    severity: warning
    description: >
      When deriving encryption keys from passwords,
      use PBKDF2 with 100K+ iterations, Argon2, or scrypt.

  - id: SEC-049
    name: Secure key storage
    severity: info
    description: >
      Encryption keys should be stored in environment variables,
      secret management, or HSMs.

  - id: SEC-050
    name: Key rotation support
    severity: info
    description: >
      Implement key rotation with multiple key versions.