Write custom rules with the new Playground

by Milan Williams on June 14, 2022

Overview

Every organization has its own set of security challenges. Your security tolerance, technical infrastructure, and valuable data all factor into a company’s security posture - and what is important to them when using a SAST tool.

Semgrep recognizes this challenge and offers a powerful solution - custom rules. Custom rules are security checks tailored to your organization.

If you want to

  • enforce an internal sanitization function over sensitive data?
  • ban all instances of a vulnerable function or import
  • raise/lower the priority of a rule
  • significantly reduce false positives

then you should write a custom rule!

Custom rules in practice

This isn’t theoretical - custom rules have helped users catch vulnerabilities, prevented new ones from entering, and reduced the number of false positives.

Reducing noise alone can save at least 25% of your time each week - freeing you and your security team to focus on real threats facing your organization.

One of our customers recently wrote a custom rule and it prevented a major security incident. It saved them several hours of response time and company money.

New Playground

If I’ve convinced you that custom rules improve your security posture, then visit the Playground - it’s the best place to write your first custom rule. The Playground has always been the place to experiment with new custom rules - you can start a rule, test it on a code snippet, and see what it flags all in one place.

With our latest improvements to the Playground, you can write a rule in under 10 minutes.

Don’t know where to start? Fork a rule from the Registry. Build on top of the existing rules written by our world-renowned security research team to create an all-star rule.

alt_text Figure 1: Start by forking a rule

Can’t get the right match? View docs while you’re writing to brush up on your pattern syntax, and ensure you’re using the proper pattern keys for your use case.

alt_text Figure 2: View docs to help with rule-writing

Want to collaborate with others? Send a rule link to others in the security community, or create a private rule and share it only with members of your organization.

alt_text Figure 3: Share rules privately or publicly

Ready for prime time? Add your rule to your Rule Board ‘Monitor’ column, it’ll start running on your repositories code base, and you can track the results from the App.

alt_text Figure 4: Add a rule to your Rule Board

Conclusion

Our goal with the Playground is to make rule-writing simple, fast, and flexible! If you’d like to try out the Playground yourself, visit it here. And if you’d like some support, join our Community Slack - we’re always happy to help!