Writing Rules
DevSkim's detection logic is based on regular expressions (using JavaScript/C# RegEx syntax) and can trigger additional patterns for further refinement after an initial match. Writing rules for a language not currently supported is possible.
Rule files are written in JSON. Each consists of a high-level rule object containing an array of pattern objects, which define the regular expressions used for an initial match. Patterns may also define an array of condition objects holding additional patterns that must all be satisfied before a finding is confirmed. Lastly, patterns may define fix_its, which contain the logic to convert the vulnerable code into safe code.
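To show how the three layers (initial pattern, conditions, fix_its) interact, here is a small evaluator added as an illustration; it is not DevSkim's own code and the rule is a constructed one, not a built-in. The rule uses DevSkim's JSON layout, but the field names beyond patterns, conditions and fix_its (id, severity, type, scopes, search_in, negate_finding, RegexReplace, replacement) and the placement of conditions at rule level are assumptions based on the published rule files.

```python
import json
import re

# Constructed rule in DevSkim's JSON layout. "patterns", "conditions" and
# "fix_its" are the objects described above; the other field names and the
# rule-level placement of conditions are assumptions (see lead-in).
RULE = json.loads(r'''{
  "name": "Weak hash algorithm (constructed example)",
  "id": "EXAMPLE0001",
  "severity": "important",
  "patterns": [{"pattern": "\\bmd5\\b", "type": "regex", "scopes": ["code"]}],
  "conditions": [{"pattern": {"pattern": "#\\s*checksum-only", "type": "regex"},
                  "search_in": "same-line", "negate_finding": true}],
  "fix_its": [{"name": "Use SHA-256", "type": "RegexReplace",
               "pattern": {"pattern": "\\bmd5\\b", "type": "regex"},
               "replacement": "sha256"}]
}''')

def conditions_hold(conds: list, line: str, match: re.Match) -> bool:
    """All conditions must hold; with negate_finding the condition pattern
    must be absent from the searched region for the finding to stand."""
    for cond in conds:
        region = line if cond.get("search_in") == "same-line" else match.group(0)
        found = re.search(cond["pattern"]["pattern"], region) is not None
        if found == bool(cond.get("negate_finding", False)):
            return False
    return True

def apply_fix_its(rule: dict, line: str) -> str:
    """Apply each RegexReplace fix_it to produce the suggested safe line."""
    for fix in rule.get("fix_its", []):
        if fix.get("type") == "RegexReplace":
            line = re.sub(fix["pattern"]["pattern"], fix["replacement"], line)
    return line

def evaluate(rule: dict, source: str) -> list:
    """Per line: initial pattern match, then conditions, then fix_its (Python re stands in for .NET)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pat in rule["patterns"]:
            for m in re.finditer(pat["pattern"], line):
                if conditions_hold(rule.get("conditions", []), line, m):
                    findings.append({"id": rule["id"], "line": lineno,
                                     "fixed": apply_fix_its(rule, line)})
    return findings

# Constructed input: line 2 is suppressed by the negated same-line condition.
SAMPLE = """digest = hashlib.md5(password).hexdigest()
etag = hashlib.md5(body).hexdigest()  # checksum-only
digest = hashlib.sha256(password).hexdigest()"""
```

Running evaluate(RULE, SAMPLE) reports only line 1, together with the fix_it-rewritten line.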
The built-in rules that are published with DevSkim can be found in the DevSkim repository.
See Sample Rule for a detailed explanation of one of DevSkim's default rules.