Write a rule
There are two ways to write a rule for Semgrep Secrets:- Create a YAML file.
- Use the Semgrep editor.
Create a YAML file
If you’re familiar with Semgrep’s rules syntax, including the validator syntax, you can create a YAML file containing your rules. When you’re done, publish your rules for use with your organization. If you want to keep your rules file local, you must pass in the--allow-untrusted-validators flag when calling semgrep ci from the CLI.
Use Semgrep Editor
The Semgrep Editor, available in Semgrep AppSec Platform, can help you write custom Semgrep Secrets rules. To pull up a sample rule that you can modify:1
Sign in to Semgrep AppSec Platform.
2
Go to Rules > Editor.
3
Click the + icon and, under Secrets, select HTTP validators.
INFOCustom validator rules are private to your organization. They are not available to the Semgrep Community.
1
Sign in to Semgrep AppSec Platform.
2
Go to Rules > Editor.
3
Open up your rule.
4
Click Add to and select your mode: Monitor, Comment, or Blocking.
5
In the CLI, start a scan by running
semgrep ci.Sample rule
The following sample rule detects a leaked GitHub personal access token (PAT):Subkeys under the metadata key
These subkeys provide context to both you and other end-users, as well as to
Semgrep.
Subkeys under the patterns key
These subkeys identify the token to analyze in a given match.
Subkeys under the validators and http keys
The validators key uses a list of keys to define the validator function. In
particular, the http key defines how the rule forms a request object and what
response is expected for valid and invalid states. Although some rules do not use a validators key, most Secrets rules use it.
Metavariable binding
Semgrep Secrets can use metavariables. Metavariables allow Semgrep Secrets to reuse matched information from your code in its validators. An example of a metavariable is as follows:$HELLO displays as This content is now reusable in validators. If this were a Secrets rule, Semgrep Secrets could use this to call the appropriate service to determine if the secret is active.
Differences between Semgrep Secrets rules and Semgrep Registry rules
The Semgrep Registry includes SAST rules that can detect secrets to a certain extent. You can run these rules in Semgrep Code (Semgrep’s SAST analyzer), or even write your own custom secret-detecting SAST rules, but with the following differences:- Semgrep Code does not run a validator function against these rules, resulting in less accurate results.
- Because the results are less accurate, these rules are not suitable as criteria to block a PR or MR.
- The UI for Semgrep Code is tailored to SAST triage and does not include filtering functions for valid or invalid tokens.
- Existing Semgrep Pro rules that detect secrets are transitioning from Semgrep Code to Semgrep Secrets. By transitioning these rules, improvements, such as validator functions, can be added to the rules when they are run in Semgrep Secrets.
- You can write your own custom validator functions and run them in Semgrep Secrets for custom services or use cases.