Skip to content

Writing Rules

Gabe Stocco edited this page Dec 9, 2024 · 28 revisions

DevSkim's detection logic is based on regular expressions (using JavaScript/C# RegEx syntax) and can trigger additional patterns for further refinement after an initial match. Writing rules for a language not currently supported is possible.

Basic Rule Anatomy

Rules files are written in JSON. They consist of a high level rule object containing an array of pattern objects, which define regular expressions used for an initial match.

Patterns may also define an array of condition objects with additional patterns that must all be satisifed to verify a finding.

Lastly, patterns may define fix_its which contain logic to convert vulnerable code into safe code.

Advanced Rule Features

Additional Authoring Documentation

Additional rule authoring documentation is available in the Application Inspector wiki. The format used is nearly identical other than additional DevSkim features like fixes.

DevSkim Specific Rule Features compared with Application Inspector

Fixes

DevSkim rules can contain fixes that can be applied when pattern matches are detected either with the CLI fix command or the IDE extensions.

Rule Level Confidence

DevSkim rules have a Confidence field at the Rule object level in addition to the Confidence values at the Pattern object level. It is not recommended to use this field for new rule authoring, and it may be removed in a future release as the Confidence value more closely maps to the Pattern level as there may be multiple patterns of varying Confidence within a single Rule.

Suppressions

DevSkim rules can be suppressed via comments in source code.

Default Rules

The built in rules that are published with DevSkim can be found in the DevSkim repository.

Sample Rule

See Sample Rule for a detailed rule sample.

Severity Levels

DevSkim supports the following severity levels in rule configuration.

  • Critical - Indicates a high risk security issue that should be highly prioritized
  • Important - Indicates a medium risk security issue that should be prioritized
  • Moderate - Indicates a lower risk security issue
  • BestPractice - Indicates a code hygiene issue or coding practice that can be improved but is not necessarily a security issue
  • ManualReview - Indicates an issue that cannot be deterministically determined by DevSkim to be actionable or not. Requires the DevSkim user or an analyst reviewing the results to review if the finding applies in the particular case identified.
  • Unspecified - If the severity is not specified properly on the rule object specification, findings for that rule will be reported as Unspecified. This should not be the case for any default rules that ship with DevSkim. If you encounter such a finding from a built-in rule, please report it as a rule related bug.

Sarif Severity Levels

The Sarif format uses a different set of severity levels. These are calculated from the DevSkim severity for an issue as follows:

DevSkim Level Sarif Level
Critical Error
Important Error
Moderate Warning
BestPractice Note
ManualReview Note
Unspecified None

In addition, the original DevSkim severity level is included in the properties object for each result in the sarif output.

Reference