Skip to main content

Cyberstrike is now open source! AI-powered penetration testing for security professionals. Star on GitHub

On this page

Permission Patterns

Permission patterns provide fine-grained control over which operations are allowed or denied.

📸 SCREENSHOT: permission-patterns.png

Permission pattern configuration

Pattern Syntax

Basic Format 

Tool(argument-pattern)

Examples 

Bash(npm test)           # Specific command
Write(*.md)              # File extension
Read(src/**/*)           # Directory glob
Edit(config.json)        # Specific file

Tool Patterns

Bash Patterns 

{
  "allow": [
    "Bash(npm *)",
    "Bash(git status)",
    "Bash(git log *)",
    "Bash(ls *)",
    "Bash(cat *)"
  ],
  "deny": [
    "Bash(rm -rf *)",
    "Bash(sudo *)",
    "Bash(dd *)",
    "Bash(mkfs *)"
  ]
}

Write Patterns 

{
  "allow": [
    "Write(reports/**)",
    "Write(*.md)",
    "Write(src/**/*.ts)"
  ],
  "deny": [
    "Write(.env*)",
    "Write(*.pem)",
    "Write(~/.ssh/*)"
  ]
}

Read Patterns 

{
  "allow": [
    "Read(**)"
  ],
  "deny": [
    "Read(~/.aws/credentials)",
    "Read(*.key)"
  ]
}

Edit Patterns 

{
  "allow": [
    "Edit(src/**)",
    "Edit(tests/**)"
  ],
  "deny": [
    "Edit(package-lock.json)",
    "Edit(yarn.lock)"
  ]
}

Glob Patterns

Wildcards

PatternMatches
*Any characters except /
**Any characters including /
?Single character
[abc]Character set
[a-z]Character range
{a,b}Alternatives

Examples 

*.ts          → file.ts, index.ts
**/*.ts       → src/file.ts, deep/nested/file.ts
src/*         → src/file (not src/dir/file)
src/**        → src/file, src/dir/file, src/a/b/c
test?.ts      → test1.ts, testA.ts
[abc].ts      → a.ts, b.ts, c.ts
*.{ts,js}     → file.ts, file.js

Command Patterns

Exact Match 

{
  "allow": [
    "Bash(npm test)",
    "Bash(npm run lint)"
  ]
}

Prefix Match 

{
  "allow": [
    "Bash(npm *)",
    "Bash(git *)"
  ]
}

Complex Commands 

{
  "allow": [
    "Bash(npm run *)",
    "Bash(docker build *)",
    "Bash(kubectl get *)"
  ]
}

Piped Commands 

{
  "allow": [
    "Bash(cat * | grep *)",
    "Bash(ls * | head *)"
  ]
}

File Path Patterns

Relative Paths 

{
  "allow": [
    "Write(src/**)",
    "Write(tests/**)",
    "Write(docs/**)"
  ]
}

Absolute Paths 

{
  "deny": [
    "Write(/etc/*)",
    "Write(/var/*)",
    "Read(/etc/shadow)"
  ]
}

Home Directory 

{
  "deny": [
    "Write(~/.ssh/*)",
    "Write(~/.aws/*)",
    "Read(~/.gnupg/*)"
  ]
}

Current Directory 

{
  "allow": [
    "Write(./**)"
  ],
  "deny": [
    "Write(../**)"
  ]
}

Priority Rules

Order of Evaluation

  1. Explicit deny patterns (highest priority)
  2. Explicit allow patterns
  3. Default behavior (lowest priority)

Example 

{
  "allow": [
    "Write(**)"
  ],
  "deny": [
    "Write(.env*)"
  ]
}

Result: All writes allowed except .env files.

More Specific Wins 

{
  "allow": [
    "Write(config/*)"
  ],
  "deny": [
    "Write(config/secrets.json)"
  ]
}

Result: config/secrets.json is denied (more specific).

Negation Patterns

Exclude from Allow 

{
  "allow": [
    "Write(src/**)",
    "!Write(src/vendor/**)"
  ]
}

Exclude from Deny 

{
  "deny": [
    "Bash(rm *)",
    "!Bash(rm node_modules)"
  ]
}

Environment-Specific Patterns

Development 

{
  "permissions": {
    "allow": [
      "Bash(*)",
      "Write(**)"
    ]
  }
}

Production 

{
  "permissions": {
    "mode": "plan",
    "allow": [
      "Read(**)"
    ]
  }
}

CI/CD 

{
  "permissions": {
    "mode": "auto",
    "allow": [
      "Bash(npm *)",
      "Bash(docker *)",
      "Write(reports/**)"
    ],
    "deny": [
      "Bash(rm -rf *)",
      "Write(.env*)"
    ]
  }
}

Security Patterns

Common Deny Patterns 

{
  "deny": [
    "Bash(rm -rf /)",
    "Bash(rm -rf ~)",
    "Bash(rm -rf /*)",
    "Bash(:(){ :|:& };:)",
    "Bash(dd if=/dev/zero *)",
    "Bash(mkfs *)",
    "Bash(chmod -R 777 *)",
    "Bash(curl * | bash)",
    "Bash(wget * | sh)",
    "Write(.env*)",
    "Write(*.pem)",
    "Write(*.key)",
    "Write(**/secrets/*)",
    "Write(**/credentials/*)",
    "Read(~/.ssh/id_*)",
    "Read(~/.aws/credentials)",
    "Read(/etc/shadow)"
  ]
}

Security Testing Patterns 

{
  "allow": [
    "Bash(nmap *)",
    "Bash(nuclei *)",
    "Bash(sqlmap *)",
    "Bash(ffuf *)",
    "Bash(gobuster *)",
    "Write(reports/**)",
    "Write(findings/**)"
  ]
}

Testing Patterns

Verify Pattern

Terminal window
cyberstrike config test-pattern "Bash(npm test)"

List Active Patterns

Terminal window
cyberstrike config get permissions.allow
cyberstrike config get permissions.deny

Debug Pattern Matching

Terminal window
cyberstrike --debug
# Shows pattern matching decisions

Common Configurations

Web Development 

{
  "permissions": {
    "allow": [
      "Bash(npm *)",
      "Bash(yarn *)",
      "Bash(pnpm *)",
      "Write(src/**)",
      "Write(public/**)",
      "Edit(*.{ts,tsx,js,jsx,css,html})"
    ],
    "deny": [
      "Write(node_modules/**)"
    ]
  }
}

Security Testing 

{
  "permissions": {
    "allow": [
      "Bash(nmap *)",
      "Bash(nuclei *)",
      "Bash(ffuf *)",
      "Bash(curl *)",
      "Write(reports/**)"
    ]
  }
}

Documentation 

{
  "permissions": {
    "allow": [
      "Write(docs/**)",
      "Write(*.md)",
      "Edit(*.md)",
      "Bash(npm run docs:*)"
    ]
  }
}

Tip

Start with restrictive patterns and expand as needed. It’s easier to allow more than recover from unintended changes.

Related Documentation