Overview
Every organization has its own set of security challenges. Your risk tolerance, technical infrastructure, and valuable data all factor into your company’s security posture - and into what matters to you when using a SAST tool.
Semgrep recognizes this challenge and offers a powerful solution - custom rules. Custom rules are security checks tailored to your organization.
If you want to
enforce an internal sanitization function over sensitive data,
ban all instances of a vulnerable function or import,
raise or lower the priority of a rule, or
significantly reduce false positives,
then you should write a custom rule!
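As an added illustration (not a rule from the post or from Semgrep’s Registry), here is one rule file that covers those four use cases: a taint rule that only reports user input reaching a SQL query when it has not passed through the in-house sanitizer, and a ban rule for a dangerous deserialization call. The sanitizer `myorg.security.sanitize_sql`, the replacement module `myorg.serialization`, and the Flask-style `request` sources are assumed names.

```yaml
# rules.yml (illustrative): run with `semgrep --config rules.yml .`
rules:
  # 1. Enforce the internal sanitizer between user input and a SQL sink.
  #    Taint mode follows data from sources to sinks; a value that passes
  #    through a sanitizer stops being tainted, so clean call sites are not
  #    reported. That is what removes the false positives a plain call-site
  #    pattern such as `$CURSOR.execute(...)` would raise on every query.
  - id: sql-query-missing-internal-sanitizer
    mode: taint
    languages: [python]
    severity: ERROR            # "raise the priority": treat as a blocking finding
    message: >-
      User-controlled data reaches a SQL query without passing through
      myorg.security.sanitize_sql(). Sanitize the value before building the query.
    pattern-sources:
      - pattern: request.args.get(...)      # Flask-style request data (assumed)
      - pattern: request.form.get(...)
    pattern-sanitizers:
      - pattern: myorg.security.sanitize_sql(...)   # hypothetical in-house helper
    pattern-sinks:
      - pattern: $CURSOR.execute(...)       # any DB-API cursor execute call
    paths:
      exclude:
        - "tests/"             # fixtures legitimately build raw queries

  # 2. Ban a dangerous function outright, independent of data flow.
  #    pickle reconstructs arbitrary objects, so loading bytes you do not
  #    control is unsafe in every context; every call site is a finding.
  - id: ban-pickle-deserialization
    languages: [python]
    severity: WARNING          # "lower the priority": surface it, do not block
    message: >-
      pickle.load/loads can execute arbitrary code from the bytes it parses.
      Use the approved loader in myorg.serialization instead.
    pattern-either:
      - pattern: pickle.loads(...)
      - pattern: pickle.load(...)
```

Paste either rule into the Playground alongside a snippet that calls `cursor.execute` or `pickle.loads` to see which lines it flags before adding it to your Rule Board.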
Custom rules in practice
This isn’t theoretical - custom rules have helped users catch vulnerabilities, prevent new ones from entering the code base, and reduce the number of false positives.
Reducing noise alone can save at least 25% of your time each week - freeing you and your security team to focus on real threats facing your organization.
One of our customers recently wrote a custom rule and it prevented a major security incident. It saved them several hours of response time and company money.
New Playground
If I’ve convinced you that custom rules improve your security posture, then visit the Playground - it’s the best place to write your first custom rule. The Playground has always been the place to experiment with new custom rules - you can start a rule, test it on a code snippet, and see what it flags all in one place.
With our latest improvements to the Playground, you can write a rule in under 10 minutes.
Don’t know where to start? Fork a rule from the Registry. Build on top of the existing rules written by our world-renowned security research team to create an all-star rule.
Figure 1: Start by forking a rule
Can’t get the right match? View docs while you’re writing to brush up on your pattern syntax, and ensure you’re using the proper pattern keys for your use case.
Figure 2: View docs to help with rule-writing
Want to collaborate with others? Send a rule link to others in the security community, or create a private rule and share it only with members of your organization.
Figure 3: Share rules privately or publicly
Ready for prime time? Add your rule to the ‘Monitor’ column of your Rule Board; it’ll start running on your repositories’ code base, and you can track the results from the App.
Figure 4: Add a rule to your Rule Board
Conclusion
Our goal with the Playground is to make rule-writing simple, fast, and flexible! If you’d like to try out the Playground yourself, visit it here. And if you’d like some support, join our Community Slack - we’re always happy to help!