Small wording wording change and regenerated SKILL.md with apex language mapping

Author: thomas-bartlett

skills/software-security/SKILL.md

@@ -29,6 +29,7 @@ When writing or reviewing code:
 
 | Language | Rule Files to Apply |
 |----------|---------------------|
+| apex | codeguard-0-input-validation-injection.md |
 | c | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-data-storage.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-safe-c-functions.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | cpp | codeguard-0-safe-c-functions.md |
 | d | codeguard-0-iac-security.md |

skills/software-security/rules/codeguard-0-input-validation-injection.md

@@ -57,7 +57,7 @@ SOQL and SOSL are query/search languages (no SQL-style DDL/DML). Data changes ar
 - Primary risk: data exfiltration by bypassing intended query filters/business logic; impact is amplified when Apex runs with elevated access (system mode) or when CRUD/FLS aren't enforced.
 - Second-order risk (conditional): if queried records are passed to DML, injection can broaden the record set and cause unintended mass updates/deletes.
 - Prefer static SOQL/SOSL with bind variables: `[SELECT Id FROM Account WHERE Name = :userInput]` or `FIND :term`.
-- For dynamic SOQL, use `Database.queryWithBinds()`; for dynamic SOSL, use `Search.query()`. Allowlist any dynamic identifiers. If concatenation is unavoidable, escape string values with `String.escapeSingleQuotes()`.
+- For dynamic SOQL, use `Database.queryWithBinds()`; for dynamic SOSL, use `Search.query()`. Allow‑list any dynamic identifiers. If concatenation is unavoidable, escape string values with `String.escapeSingleQuotes()`.
 - Enforce CRUD/FLS with `WITH USER_MODE` or `WITH SECURITY_ENFORCED` (don't combine both). Enforce record sharing with `with sharing` or user-mode operations. Use `Security.stripInaccessible()` before DML.
 
 ### LDAP Injection Prevention

sources/core/codeguard-0-input-validation-injection.md

@@ -1,7 +1,7 @@
 ---
-description: Input validation and injection defense (SQL/LDAP/OS), parameterization,
-  prototype pollution
+description: Input validation and injection defense (SQL/SOQL/LDAP/OS), parameterization, prototype pollution
 languages:
+- apex
 - c
 - go
 - html
@@ -50,6 +50,16 @@ pstmt.setString( 1, custname);
 ResultSet results = pstmt.executeQuery( );
 ```
 
+### SOQL/SOSL Injection (Salesforce)
+
+SOQL and SOSL are query/search languages (no SQL-style DDL/DML). Data changes are performed via Apex DML or Database methods. Note: SOQL can lock rows via `FOR UPDATE`.
+
+- Primary risk: data exfiltration by bypassing intended query filters/business logic; impact is amplified when Apex runs with elevated access (system mode) or when CRUD/FLS aren't enforced.
+- Second-order risk (conditional): if queried records are passed to DML, injection can broaden the record set and cause unintended mass updates/deletes.
+- Prefer static SOQL/SOSL with bind variables: `[SELECT Id FROM Account WHERE Name = :userInput]` or `FIND :term`.
+- For dynamic SOQL, use `Database.queryWithBinds()`; for dynamic SOSL, use `Search.query()`. Allow‑list any dynamic identifiers. If concatenation is unavoidable, escape string values with `String.escapeSingleQuotes()`.
+- Enforce CRUD/FLS with `WITH USER_MODE` or `WITH SECURITY_ENFORCED` (don't combine both). Enforce record sharing with `with sharing` or user-mode operations. Use `Security.stripInaccessible()` before DML.
+
 ### LDAP Injection Prevention
 - Always apply context‑appropriate escaping:
   - DN escaping for `\ # + < > , ; " =` and leading/trailing spaces