-
Notifications
You must be signed in to change notification settings - Fork 114
Writing Rules
DevSkim's detection logic is based on regular expressions (using JavaScript/C# RegEx syntax) and can trigger additional patterns for further refinement after an initial match. Writing rules for a language not currently supported is possible.
Rules files are written in JSON. They consist of a high level rule
object containing an array of pattern
objects, which define regular expressions used for an initial match.
Patterns may also define an array of condition
objects with additional patterns that must all be satisifed to verify a finding.
Lastly, patterns may define fix_its
which contain logic to convert vulnerable code into safe code.
Additional rule authoring documentation is available in the Application Inspector wiki. The format used is nearly identical other than additional DevSkim features like fixes.
DevSkim rules can contain fixes that can be applied when pattern matches are detected either with the CLI fix
command or the IDE extensions.
DevSkim rules have a Confidence
field at the Rule
object level in addition to the Confidence
values at the Pattern
object level. It is not recommended to use this field for new rule authoring, and it may be removed in a future release as the Confidence
value more closely maps to the Pattern
level as there may be multiple patterns of varying Confidence
within a single Rule
.
DevSkim rules can be suppressed via comments in source code.
The built in rules that are published with DevSkim can be found in the DevSkim repository.
See Sample Rule for a detailed rule sample.
DevSkim supports the following severity levels in rule configuration.
-
Critical
- Indicates a high risk security issue that should be highly prioritized -
Important
- Indicates a medium risk security issue that should be prioritized -
Moderate
- Indicates a lower risk security issue -
BestPractice
- Indicates a code hygiene issue or coding practice that can be improved but is not necessarily a security issue -
ManualReview
- Indicates an issue that cannot be deterministically determined by DevSkim to be actionable or not. Requires the DevSkim user or an analyst reviewing the results to review if the finding applies in the particular case identified. -
Unspecified
- If the severity is not specified properly on the rule object specification, findings for that rule will be reported as Unspecified. This should not be the case for any default rules that ship with DevSkim. If you encounter such a finding from a built-in rule, please report it as a rule related bug.
The Sarif format uses a different set of severity levels. These are calculated from the DevSkim severity for an issue as follows:
DevSkim Level | Sarif Level |
---|---|
Critical |
Error |
Important |
Error |
Moderate |
Warning |
BestPractice |
Note |
ManualReview |
Note |
Unspecified |
None |
In addition, the original DevSkim severity level is included in the properties
object for each result in the sarif output.