Julia Security

Julia security practices covering dependency auditing, input validation, and safe serialization

Details

Language / Topic
Julia
Category
Security

Rules

balanced
- Never deserialize untrusted data with `Serialization.deserialize` — it executes arbitrary Julia code. Use `JSON3.jl` or `MsgPack.jl` instead.
- Avoid `eval(Meta.parse(user_input))` — parsing and evaluating user-supplied strings is equivalent to remote code execution.
- Use `Pkg.audit()` (Julia 1.11+) to scan installed dependencies for known vulnerabilities before deployment.
- Validate and sanitize all external inputs (HTTP parameters, file paths, environment variables) before passing them to Julia functions.
- Use `HTTP.jl`'s built-in TLS support — never disable certificate verification with `require_ssl_verification=false` in production.
- Store secrets in environment variables accessed via `ENV["SECRET_KEY"]` — never hardcode credentials in source files or `Project.toml`.
- Use `Base.SecretBuffer` for in-memory sensitive data — it zeros memory on finalization to reduce secret exposure in heap dumps.
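The following Julia snippet is an added example, not part of this rule set or of any project it describes. It applies the safe-serialization, input-validation and secret-handling rules above in one small request handler: the payload is read into a fixed struct with JSON3.jl instead of `Serialization.deserialize`, a user-supplied file name is confined to a known directory, and the key from `ENV["SECRET_KEY"]` lives in a `Base.SecretBuffer` that is shredded when the handler finishes. It assumes JSON3.jl and StructTypes.jl are installed; the `UserEvent` struct, the `uploads` directory and the `handle_request` function are illustrative choices, not APIs of those packages.

```julia
# Added example: validating an HTTP-style request safely in Julia.
# Assumes JSON3.jl and StructTypes.jl are available. Everything else
# (UserEvent, UPLOAD_ROOT, handle_request) is illustrative.
using JSON3
using StructTypes
using Base: SecretBuffer, shred!

# The only payload shape we accept. JSON3 maps the JSON object onto these
# fields with type checks and never executes code from the input, unlike
# Serialization.deserialize.
struct UserEvent
    user::String
    action::String
    count::Int
end
StructTypes.StructType(::Type{UserEvent}) = StructTypes.Struct()

const ALLOWED_ACTIONS = Set(["view", "download"])   # constructed allow-list
const MAX_COUNT = 1_000

# Semantic validation after the structural parse: tight character class for
# names, an allow-list for actions, and a bounded integer.
function validate(ev::UserEvent)
    occursin(r"^[A-Za-z0-9_]{1,32}$", ev.user) ||
        throw(ArgumentError("invalid user name"))
    ev.action in ALLOWED_ACTIONS ||
        throw(ArgumentError("unknown action: $(ev.action)"))
    0 < ev.count <= MAX_COUNT ||
        throw(ArgumentError("count out of range"))
    return ev
end

const UPLOAD_ROOT = abspath("uploads")   # assumed directory layout

# Confine a user-supplied file name to UPLOAD_ROOT: reject separators and
# traversal components, then confirm the normalised path is still inside.
function safe_path(name::AbstractString)
    (occursin('/', name) || occursin('\\', name) || name in (".", "..")) &&
        throw(ArgumentError("invalid file name"))
    p = normpath(joinpath(UPLOAD_ROOT, name))
    startswith(p, UPLOAD_ROOT * Base.Filesystem.path_separator) ||
        throw(ArgumentError("path escapes upload root"))
    return p
end

# Read the secret from the environment into a SecretBuffer. SecretBuffer!
# zeroes the source String after copying it, so only the buffer holds the key.
function load_secret()
    key = get(ENV, "SECRET_KEY", nothing)
    key === nothing && error("SECRET_KEY is not set")
    return Base.SecretBuffer!(key)
end

function handle_request(body::AbstractString, filename::AbstractString)
    ev = validate(JSON3.read(body, UserEvent))   # structural + semantic checks
    path = safe_path(filename)
    secret = load_secret()
    try
        # Use `secret` here (for example to sign the response); it is wiped below.
        return (user = ev.user, action = ev.action, path = path)
    finally
        shred!(secret)   # zero the key as soon as the handler is done with it
    end
end

if abspath(PROGRAM_FILE) == @__FILE__
    ENV["SECRET_KEY"] = "demo-key-not-a-real-secret"   # constructed for the demo
    good = """{"user":"alice","action":"view","count":3}"""
    println(handle_request(good, "report.csv"))
    for (body, name) in ((good, "../../etc/passwd"),
                         ("""{"user":"alice","action":"drop","count":3}""", "a.csv"),
                         ("""{"user":"alice","action":"view","count":"3"}""", "a.csv"))
        try
            handle_request(body, name)
        catch err
            println("rejected: ", sprint(showerror, err))
        end
    end
end
```

The three rejected cases show the three layers doing their job: the traversal name fails in `safe_path`, the unlisted action fails in `validate`, and the string-typed `count` fails inside `JSON3.read` before any of our code sees it. The `try`/`finally` around the secret matters because `shred!` must run on error paths too, otherwise an exception would leave the key in the heap until finalization.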