Arnica Documentation
Custom SAST Rules

Last updated 9 months ago

Overview

Arnica allows customers to create, manage and edit their own custom SAST rules to identify risks specific to their company. The same capability lets customers override any of Arnica's default rules to improve accuracy, change the description or adjust the default risk severity. To keep rule authoring simple, Arnica uses the open source rule schema developed by Semgrep: a rule built and tested in Semgrep's rules playground can be pasted directly into Arnica's custom SAST rule builder.

Running custom rules

Arnica maintains a list of global and tenant-specific rules.

Tenant-specific rules

Each Semgrep execution first loads the global rules into a dictionary keyed by rule identifier and then adds the tenant's custom rules. A custom rule whose identifier is not already present is appended; a custom rule whose identifier matches a global rule's identifier replaces that global rule.

If a global rule needs to be adjusted for your use case, create a custom rule with exactly the same identifier as the global rule, including the full dotted path; an identifier that differs in any way is treated as a new rule rather than an override. The same override mechanism can be used to suppress a rule across the enterprise, if needed.

How to configure custom SAST rules

Adding a new rule

  1. Click on Add and paste the rule from the Semgrep Playground.

At this point, Arnica automatically classifies the risk severity (shown in the top right corner) and derives a name from the rule ID. The severity is determined by the rule's severity, likelihood, confidence and impact properties, where provided.

To override the computed severity, add the following property under the rule's metadata section:

arnica:
  risk-severity: critical | high | medium | low | medium | info | unknown

Best practice: introduce new rules gradually and without merge blocking applied, so that a noisy rule does not block merges on its first run. Logic in newly added rules is applied in the next source code scan and may produce new findings on default branches.

  2. Ensure that the checkbox indicates that the rule is valid, then click on OK.

  3. Click on Save at the bottom of the policies page.

Override an existing rule

  1. Copy the rule ID that needs to be overridden from the SAST finding details or from other sources. Ensure it is the full identifier, such as javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection; a partial or altered ID will not match the global rule and will be added as a new rule instead.

  2. Work on the rule and test it in the Semgrep Playground.

  3. Navigate to the policies page and expand Code Risks and then SAST.

  4. Follow the steps from the Adding a new rule section above, keeping the id set to the global rule identifier.

The changes will be reflected the next time a full source code scan is performed (daily on paid plans) or in the next event triggered by the code risk policy, such as a code push or a pull request.

[Figure: High level view of Semgrep rules structure in Arnica]
[Figure: New custom Semgrep rule]