Writing Rules
Rules in DevSkim are fairly simple relative to other analysis engines. The detection logic is a regular expression written in JavaScript/C# regex syntax (the Sublime Text plugin includes a translation layer that converts capture groups and other syntax differences for its Python-based engine), with the ability to trigger additional patterns after an initial match for further refinement.
Rule files are written in JSON and consist of a top-level Rule object, which in turn contains an array of one or more Pattern objects (each defining the regular expression used for an initial match), and optionally arrays of one or more Condition objects (additional patterns that must also match) and Fix_it objects (logic to rewrite a dangerous pattern into a safe one).
The built-in rules published with DevSkim can be found in this GitHub repo, and for people who learn from real-world examples, that is a good place to start. For step-by-step details on writing a rule, the Example Rule wiki entry is a good reference; it walks through creating a rule to spot an XSS code pattern in PHP.
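To make the three building blocks concrete, here is an added example (not DevSkim's own code or schema) that models a rule as the wiki describes it: an initial pattern, conditions that must also hold, and a fix_it that rewrites the match. The JSON-like field names, the rule id and the PHP sample are all constructed for illustration; the real rule schema is documented in the Example Rule wiki entry.

```python
import re

# Constructed rule in a DevSkim-like shape (field names are assumptions):
# an initial pattern, conditions that must also hold on the same line, and
# a fix_it that rewrites the dangerous pattern into a safe one.
XSS_RULE = {
    "id": "EXAMPLE-XSS-001",  # placeholder, not a real DevSkim rule id
    "patterns": [r"\$_(GET|POST|REQUEST)\[[^\]]+\]"],  # raw request input
    "conditions": [
        {"pattern": r"\becho\b", "negate": False},              # it is output...
        {"pattern": r"htmlspecialchars\s*\(", "negate": True},  # ...unescaped
    ],
    "fix_its": [{
        "pattern": r"echo\s+(\$_(?:GET|POST|REQUEST)\[[^\]]+\])",
        "replacement": r"echo htmlspecialchars(\1, ENT_QUOTES, 'UTF-8')",
    }],
}

def scan(source, rule):
    """Return (line_no, matched_text) wherever an initial pattern fires and
    every condition holds; a negated condition holds when it does NOT match."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = None
        for pattern in rule["patterns"]:
            match = re.search(pattern, line)
            if match:
                break
        if match is None:
            continue
        if all(bool(re.search(c["pattern"], line)) != c["negate"]
               for c in rule["conditions"]):
            findings.append((line_no, match.group(0)))
    return findings

def apply_fix(line, rule):
    """Rewrite a flagged line with the first fix_it whose pattern matches."""
    for fix in rule["fix_its"]:
        if re.search(fix["pattern"], line):
            return re.sub(fix["pattern"], fix["replacement"], line, count=1)
    return line

# Constructed PHP sample: only line 2 should be reported.
SAMPLE_PHP = """<?php
echo $_GET['name'];
echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
$name = $_POST['name'];
echo "static text";
"""

if __name__ == "__main__":
    for line_no, text in scan(SAMPLE_PHP, XSS_RULE):
        fixed = apply_fix(SAMPLE_PHP.splitlines()[line_no - 1], XSS_RULE)
        print(f"line {line_no}: {text} -> {fixed}")
```

Lines 3 and 4 of the sample show why conditions matter: both contain raw request input, but one is already escaped and the other is only assigned, so neither should be reported.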