Rules can contain any arbitrary data under the metadata key . We use this for example to mark the OWASP and CWE vulnerability categories that the rule scans for.