Custom rules for secure guardrails
You can create custom Semgrep rules and deploy them as guardrails to enforce your organization's secure coding conventions.
Prerequisites
- An understanding of secure guardrails.
- Knowledge of the basic Semgrep rule structure is helpful. See Rule syntax and Pattern syntax documentation.
- Enabling Code search (beta) is useful in verifying that your rule matches what you want it to match within your repositories.
General steps
- Create a custom Semgrep rule.
- Verify and test that the rule matches the code you want to detect.
- Optional: Set the custom Semgrep rule as a secure default.
- Deploy the rule as a guardrail in the following developer interfaces: IDE, PR or MR comments, or pre-commit.
The following table lists the relevant documentation for each step:
| Step | References and notes |
|---|---|
| Create a custom rule | In addition to the required fields of a Semgrep rule, several metadata fields are useful; `confidence` and `impact` in particular help you filter rules within the Semgrep web app. Read the metadata reference documentation. |
| Verify that the rule matches as intended | Use Code search (beta) to confirm that the rule matches the code you intend it to match across your repositories. |
| Optional: Set the rule as a secure default | When creating a custom secure default, you must use `category: security` and `subcategory: secure default` values in your rule (see Secure default snippet). |
| Deploy the rule as a guardrail | For IDEs: require developers to install the Semgrep extension for their IDE. For PR or MR comments and for pre-commit: see the documentation for the respective interface. |
Secure default snippet
When creating a custom secure default, you must use `category: security` and `subcategory: secure default` values in your rule:

```yaml
rules:
  - id: some-custom-default
    ...
    metadata:
      category: security
      subcategory:
        - secure default
    ...
```
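The following is an added, complete rule that ties the general steps above to the secure default snippet; it is example content written for this page, not a rule shipped by Semgrep or taken from the original documentation. The rule id `org-use-yaml-safe-load`, the file layout and the organizational convention it enforces (prefer `yaml.safe_load()` over `yaml.load()` in Python) are assumptions chosen for illustration. It shows the required fields (`id`, `message`, `languages`, `severity`, a pattern clause) together with the `category`, `subcategory`, `confidence` and `impact` metadata the table describes.

```yaml
# Added example rule (not from the Semgrep registry or this page's original docs).
# Assumed file name: rules/org-use-yaml-safe-load.yaml
rules:
  - id: org-use-yaml-safe-load
    message: >-
      yaml.load() without a safe loader can construct arbitrary Python objects
      from untrusted input. Use yaml.safe_load() instead.
    languages: [python]
    severity: WARNING
    patterns:
      # Match yaml.load with any argument list, then exclude the safe forms.
      - pattern: yaml.load($DATA, ...)
      - pattern-not: yaml.load($DATA, Loader=yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, yaml.SafeLoader)
      - pattern-not: yaml.load($DATA, Loader=yaml.CSafeLoader)
    # Autofix suggestion; $DATA is bound by the matching pattern above.
    fix: yaml.safe_load($DATA)
    metadata:
      # Both values are required for the rule to count as a secure default.
      category: security
      subcategory:
        - secure default
      # Used for filtering in the Semgrep web app.
      confidence: HIGH
      impact: HIGH
      likelihood: MEDIUM
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      technology:
        - pyyaml
```

To verify the rule before deploying it (step 2 above), place a Python file named after the rule next to it (assumed path `rules/org-use-yaml-safe-load.py`) containing a `yaml.load(data)` call preceded by a `# ruleid: org-use-yaml-safe-load` comment and a `yaml.safe_load(data)` call preceded by `# ok: org-use-yaml-safe-load`, then run `semgrep --test rules/`; the test passes only when the annotated lines match exactly as expected. Once the rule is confirmed, it can be added to a policy as a secure default and surfaced in the IDE, PR or MR comments, or pre-commit.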