Custom rules for secure guardrails

Prerequisites

An understanding of secure guardrails.
Knowledge of the basic Semgrep rule structure is helpful. See Rule syntax and Pattern syntax documentation.
Enabling Code search (beta) is useful in verifying that your rule matches what you want it to match within your repositories.

Create a custom Semgrep rule.

Verify and test that the rule matches the code you want to detect.

Optional: Set the custom Semgrep rule as a secure default.

Deploy the rule as a guardrail in the following developer interfaces: IDE, PR or MR comments, or pre-commit.

The following table lists the relevant documentation for each step:

Steps	References and notes
Create a custom rule	In addition to the required fields of a Semgrep rule, the following metadata fields are useful: `category` `confidence` `likelihood` `impact` `subcategory` Filling out `confidence` and `impact` in particular is useful for filtering rules within the Semgrep web app. Read the metadata reference documentation.
Verify that the rule matches as intended	See Testing rules. Enable Code search (beta) to test the rule on live repositories.
Optional: Set the rule as a secure default	When creating a custom secure default, you must use `category: security` and `subcategory: secure default` values in your rule (see Secure default snippet).
Deploy the rule as a guardrail	For PR or MR comments: Ensure that PR or MR comments have been set up correctly. Set the rule to Comment or Block mode. For IDEs: Require developers to install the Semgrep extension for their IDE. For `pre-commit`: Install and configure Semgrep for `pre-commit`.

When creating a custom secure default, you must use category: security and subcategory: secure default values in your rule:

rules:
  - id: some-custom-default
    ...
    metadata:
      category: security
      subcategory:
        - secure default
    ...