Custom SAST Rules

Overview

Arnica allows customers to create, manage and edit their own custom SAST rules to identify specific risks across the company. This capability allows customers to override any of Arnica's default rules to improve accuracy, change the description or update the default risk severity. To simplify the process of creating and editing SAST rules, Arnica leverages the default open source SAST rule schema developed by Semgrep. Rules that are built and tested directly within Semgrep's rules playground can be pasted directly into Arnica's custom SAST rule builder.

Running custom rules

Arnica maintains a list of global and tenant-specific rules.

Tenant-specific rules

Each Semgrep execution collects the global rules in a form of a dictionary. If the rule identifier is unique, it is appended to the dictionary. However, if the rule identifier has the same name as one of the global rule identifiers, it will override the global rule.

If any of the global rules need to be adjusted to your specific use case, create a custom rule and name it similarly as the global rule identifier. It can be useful to suppress certain rules across the enterprise, if needed.

How to configure custom SAST rules

Adding a new rule

  1. Work on the rule and test it in the Semgrep Playground

  2. Navigate to the policies page and expand Code Risks and then SAST.

  3. Click on Add and paste the rule from the Semgrep Playground.

At this point, Arnica will automatically classify the risk severity on the top right corner and add a name based on the rule ID. The severity is determined by the severity property in the rule.

Best Practice: Introduce new rules over time and without merge blocking applied Logic in newly added rules will be applied in the next source code scan and may produce new findings within default branches.

  1. Ensure that the checkbox indicates that the rule is valid and click on OK.

  2. Click on Save at the bottom of all policies.

Override an existing rule

  1. Copy the rule ID that needs to be overridden from the SAST finding details or from other sources. Ensure it has the full identifier, such as javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection

  2. Follow the steps from the Add a new rule section above.

The changes will be reflected the next time full source code scan is performed (daily on paid plans) or in the next event triggered by the code risk policy, such as a code push or a pull request.

PreviousStatic Application Security Testing (SAST)NextSoftware Composition Analysis (SCA)

Last updated