# Custom SAST Rules

## Overview

Arnica allows customers to create, manage and edit their own custom SAST rules to identify risks specific to their organization. Customers can also override any of Arnica's default rules to improve accuracy, change the description or update the default risk severity.\
\
To simplify creating and editing SAST rules, Arnica uses the open source SAST rule schema developed by Semgrep and maintained by Opengrep. A rule built and tested in Opengrep's rules playground can be pasted directly into Arnica's custom SAST rule builder.

## Running custom rules

Arnica maintains a list of global and tenant-specific rules.

<div align="left"><figure><img src="https://4035514934-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMxc1Ek3qoIZi5t2Sx7do%2Fuploads%2Fgit-blob-5a850b290a695f8963236654401b7a6d8238321c%2FCustom%20Semgrep%20Rules.png?alt=media" alt=""><figcaption><p>High level view of Opengrep rules structure in Arnica</p></figcaption></figure></div>

### Tenant-specific rules

Each Opengrep execution first collects the global rules into a dictionary keyed by rule identifier, then adds the tenant-specific rules. If a tenant rule's identifier is unique, it is appended to the dictionary. If its identifier matches one of the global rule identifiers, it overrides that global rule.

{% hint style="info" %}
If any of the global rules need to be adjusted to your specific use case, create a custom rule and give it the same identifier as the global rule. The same mechanism can be used to suppress certain rules across the enterprise, if needed.
{% endhint %}

## How to configure custom SAST rules

### Adding a new rule

1. Work on the rule and test it in the [Opengrep Playground](https://github.com/opengrep/opengrep-playground)
2. Navigate to the [policies page](https://app.arnica.io/#/admin/policy-v2) and expand `Code Risks` and then `SAST`.
3. Click on `Add` and paste the rule from the Opengrep Playground.

<div align="left"><figure><img src="https://4035514934-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMxc1Ek3qoIZi5t2Sx7do%2Fuploads%2Fgit-blob-55827602d0dff79dc1faedb520a02fa1e8dc86ca%2Fimage.png?alt=media" alt=""><figcaption><p>New custom Semgrep rule</p></figcaption></figure></div>

{% hint style="info" %}
At this point, Arnica automatically classifies the risk severity (shown in the top right corner) and assigns a name based on the rule ID. The severity is determined by the rule's `severity`, `likelihood`, `confidence` and `impact` properties, where provided.

If you want to override the computed severity, add the following property under the rule's `metadata` section (pick one of the listed values):

```yaml
metadata:
  arnica:
    risk-severity: critical | high | medium | low | info | unknown
```

{% endhint %}

{% hint style="success" %}
Best Practice: introduce new rules gradually and without merge blocking enabled.\
\
The logic in newly added rules is applied in the next source code scan and may produce new findings in default branches.
{% endhint %}

4. Ensure that the checkbox indicates that the rule is valid and click on `OK`.
5. Click on `Save` at the bottom of all policies.

### Override an existing rule

1. Copy the rule ID that needs to be overridden from the [SAST finding details](https://docs.arnica.io/arnica-documentation/code-risks/static-application-security-testing-sast/..#description) or from another source. Make sure you copy the full identifier, such as `javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection`.
2. Follow the steps from the `Adding a new rule` section above.

{% hint style="info" %}
The changes are reflected the next time a full source code scan is performed (daily on paid plans) or on the next event triggered by the [code risk policy](https://docs.arnica.io/arnica-documentation/code-risks/code-risk-policy-settings), such as a code push or a pull request.
{% endhint %}
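The two behaviours this page describes, tenant rules overriding global rules by identifier and the `metadata.arnica.risk-severity` override, are illustrated below. This is an added example written for this page, not Arnica's or Opengrep's implementation; the rule contents are constructed (only the first rule ID is taken from this page) and the fallback severity mapping is an assumption.

```python
"""Illustration of the rule merging and severity resolution described on this
page. Added example for this page, not Arnica's or Opengrep's implementation.
Rules are shown already parsed from Opengrep/Semgrep YAML into dicts."""
from typing import Iterable

SEVERITY_LEVELS = ("critical", "high", "medium", "low", "info", "unknown")

# Constructed sample rules; only the first id is taken from this page.
GLOBAL_RULES = [
    {"id": "javascript.sequelize.security.audit.sequelize-injection-express."
           "express-sequelize-injection", "severity": "ERROR"},
    {"id": "example.global.hardcoded-token", "severity": "WARNING"},
]

TENANT_RULES = [
    # Same id as a global rule: replaces it and pins the severity via metadata.
    {"id": "javascript.sequelize.security.audit.sequelize-injection-express."
           "express-sequelize-injection", "severity": "ERROR",
     "metadata": {"arnica": {"risk-severity": "info"}}},
    # New id: appended alongside the global rules.
    {"id": "example.tenant.no-legacy-crypto-helper", "severity": "WARNING"},
]

def merge_rules(global_rules: Iterable[dict], tenant_rules: Iterable[dict]) -> dict:
    """Global rules first, keyed by id; a tenant rule with an unseen id is
    appended and one whose id matches a global rule replaces it."""
    merged = {rule["id"]: rule for rule in global_rules}
    for rule in tenant_rules:
        merged[rule["id"]] = rule  # same key: override; new key: append
    return merged

def effective_risk_severity(rule: dict) -> str:
    """Honour metadata.arnica.risk-severity when present; otherwise fall back
    to a simplified mapping of the rule's own severity (an assumption here,
    not Arnica's classifier, which also weighs likelihood/confidence/impact)."""
    override = rule.get("metadata", {}).get("arnica", {}).get("risk-severity")
    if override is not None:
        value = str(override).lower()
        if value not in SEVERITY_LEVELS:
            raise ValueError(f"{rule['id']}: unsupported risk-severity {override!r}")
        return value
    fallback = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}
    return fallback.get(rule.get("severity", ""), "unknown")

if __name__ == "__main__":
    for rule_id, rule in merge_rules(GLOBAL_RULES, TENANT_RULES).items():
        print(f"{rule_id}: {effective_risk_severity(rule)}")
```

Running it lists three rules: the sequelize rule now at severity `info` because the tenant copy overrides the global one, the untouched global rule, and the appended tenant-only rule.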
