Custom Rules

rules:
  - id: custom-001
    name: Hardcoded Internal API
    description: Internal API URLs should use environment variables
    severity: high
    category: configuration
    
    patterns:
      - pattern: 'https?://internal\.company\.com'
        type: regex
        message: "Hardcoded internal API URL detected"
    
    paths:
      include: ["**/*.js", "**/*.ts"]
      exclude: ["**/*.test.*"]
    
    remediation: |
      Use environment variables:
      const API_URL = process.env.INTERNAL_API_URL;

rules:
  - id: custom-002
    name: Missing Authorization Check
    description: Public API endpoints must verify permissions
    severity: critical
    type: semantic
    
    rule_prompt: |
      Check if function is:
      1. API endpoint handler
      2. Publicly accessible
      3. Performs data modification
      4. Missing authorization checks
      
      Flag if all conditions met.

rules:
  - id: unique-rule-id
    name: Rule Name
    description: Description
    severity: critical | high | medium | low
    category: category-name
    type: pattern | semantic
    
    patterns: []        # For pattern rules
    rule_prompt: ""     # For semantic rules
    
    paths:
      include: []
      exclude: []
    
    remediation: ""