Create custom security rules tailored to your organization’s policies and coding standards.

Rule Types

Pattern-Based Rules

Simple regex and AST pattern matching for common anti-patterns.

rules:
  - id: custom-001
    name: Hardcoded Internal API
    description: Internal API URLs should use environment variables
    severity: high
    category: configuration
    
    patterns:
      - pattern: 'https?://internal\.company\.com'
        type: regex
        message: "Hardcoded internal API URL detected"
    
    paths:
      include: ["**/*.js", "**/*.ts"]
      exclude: ["**/*.test.*"]
    
    remediation: |
      Use environment variables:
      const API_URL = process.env.INTERNAL_API_URL;

Semantic Rules

AI-powered rules that understand code context.

rules:
  - id: custom-002
    name: Missing Authorization Check
    description: Public API endpoints must verify permissions
    severity: critical
    type: semantic
    
    rule_prompt: |
      Check if function is:
      1. API endpoint handler
      2. Publicly accessible
      3. Performs data modification
      4. Missing authorization checks
      
      Flag if all conditions met.

Rule Structure

rules:
  - id: unique-rule-id
    name: Rule Name
    description: Description
    severity: critical | high | medium | low
    category: category-name
    type: pattern | semantic
    
    patterns: []        # For pattern rules
    rule_prompt: ""     # For semantic rules
    
    paths:
      include: []
      exclude: []
    
    remediation: ""
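To make the pattern-based rule above and this rule structure concrete, here is a small, self-contained evaluator written as an added example for this page; it is not the scanner's own engine and does not reproduce its internals. It validates a rule against the fields documented here (assuming `pattern` is the default `type` when none is given), applies the `paths` include/exclude globs, and runs each `regex` pattern line by line over a set of constructed sample files. The `custom-001` rule is embedded as a Python dict so the example runs without a YAML parser; the file contents are invented for the example. AST-type patterns are skipped, since this evaluator only implements regex matching.

```python
import fnmatch
import re
from dataclasses import dataclass

VALID_SEVERITIES = {"critical", "high", "medium", "low"}
VALID_TYPES = {"pattern", "semantic"}

# The custom-001 rule from this page, as a dict instead of YAML.
RULE = {
    "id": "custom-001",
    "name": "Hardcoded Internal API",
    "description": "Internal API URLs should use environment variables",
    "severity": "high",
    "category": "configuration",
    "type": "pattern",
    "patterns": [
        {"pattern": r"https?://internal\.company\.com", "type": "regex",
         "message": "Hardcoded internal API URL detected"},
    ],
    "paths": {"include": ["**/*.js", "**/*.ts"], "exclude": ["**/*.test.*"]},
    "remediation": "Use environment variables:\n"
                   "const API_URL = process.env.INTERNAL_API_URL;\n",
}

# Constructed sample files (path -> contents), not from any real repository.
SAMPLE_FILES = {
    "src/client.js": 'const API_URL = "https://internal.company.com/v1";\n',
    "src/config.ts": "export const url = process.env.INTERNAL_API_URL;\n",
    "src/client.test.js": 'fetch("http://internal.company.com/mock");\n',  # excluded
    "README.md": "See https://internal.company.com/docs\n",             # not included
}


@dataclass
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    message: str
    snippet: str


def validate_rule(rule):
    """Check a rule dict against the documented structure.

    Returns a list of human-readable problems; an empty list means valid."""
    problems = []
    for key in ("id", "name", "description", "severity"):
        if not rule.get(key):
            problems.append(f"missing required field '{key}'")
    if rule.get("severity") not in VALID_SEVERITIES:
        problems.append(f"severity must be one of {sorted(VALID_SEVERITIES)}")
    rule_type = rule.get("type", "pattern")  # assumption: pattern is the default type
    if rule_type not in VALID_TYPES:
        problems.append(f"type must be one of {sorted(VALID_TYPES)}")
    if rule_type == "pattern":
        patterns = rule.get("patterns") or []
        if not patterns:
            problems.append("pattern rule declares no patterns")
        for p in patterns:
            if p.get("type", "regex") == "regex":
                try:
                    re.compile(p.get("pattern", ""))
                except re.error as exc:
                    problems.append(f"invalid regex {p.get('pattern')!r}: {exc}")
    elif not rule.get("rule_prompt"):
        problems.append("semantic rule declares no rule_prompt")
    return problems


def path_matches(path, glob):
    """fnmatch-style globbing; a leading '**/' also matches zero directories."""
    if fnmatch.fnmatchcase(path, glob):
        return True
    return glob.startswith("**/") and fnmatch.fnmatchcase(path, glob[3:])


def in_scope(path, paths):
    """A path is in scope if it matches an include glob (or none are given)
    and matches no exclude glob."""
    include = paths.get("include") or []
    exclude = paths.get("exclude") or []
    if include and not any(path_matches(path, g) for g in include):
        return False
    return not any(path_matches(path, g) for g in exclude)


def scan(rule, files):
    """Apply one pattern rule to a {path: contents} mapping; returns Findings."""
    regexes = [(re.compile(p["pattern"]), p.get("message", rule["name"]))
               for p in rule.get("patterns", [])
               if p.get("type", "regex") == "regex"]  # AST patterns not implemented here
    findings = []
    for path, text in files.items():
        if not in_scope(path, rule.get("paths", {})):
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            for regex, message in regexes:
                if regex.search(line):
                    findings.append(Finding(rule["id"], rule["severity"], path,
                                            lineno, message, line.strip()))
    return findings


if __name__ == "__main__":
    for problem in validate_rule(RULE):
        print("rule problem:", problem)
    for f in scan(RULE, SAMPLE_FILES):
        print(f"[{f.severity}] {f.rule_id} {f.path}:{f.line}: {f.message}")
        print("  ", f.snippet)
    print("remediation:\n" + RULE["remediation"])
```

Run stand-alone, the evaluator reports exactly one finding, in `src/client.js`: the test file is dropped by the exclude glob, `README.md` never enters scope because it matches no include glob, and `config.ts` already follows the remediation. The `validate_rule` step is the kind of check worth wiring into CI before a rule file is merged, since an invalid regex or a misspelled severity otherwise fails silently at scan time.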

Best Practices

  • Start with simple pattern-based rules
  • Provide clear remediation guidance
  • Test rules thoroughly before deploying
  • Store rules in version control
  • Review and update quarterly

Next Steps