Writing Rules · microsoft/DevSkim Wiki · GitHub (https://github.com/Microsoft/DevSkim/wiki/Writing-Rules)

DevSkim's detection logic is based on regular expressions (using JavaScript/C# RegEx syntax), and a rule can trigger additional patterns to refine a finding after the initial match. Because detection is regex-driven, writing rules for a language DevSkim does not currently support is possible.

Rule files are written in JSON. Each consists of a high-level rule object containing an array of pattern objects; each pattern defines the regular expression used for the initial match.

Patterns may also define an array of condition objects with additional patterns that must all be satisfied to confirm a finding.

Lastly, patterns may define fix_its which contain logic to convert vulnerable code into safe code.

Additional Authoring Documentation

Additional rule authoring documentation is available in the Application Inspector wiki. DevSkim's rule format is nearly identical to Application Inspector's, apart from DevSkim-specific features such as fixes.

DevSkim Specific Rule Features compared with Application Inspector

DevSkim rules can contain fixes that can be applied when pattern matches are detected either with the CLI fix command or the IDE extensions.

DevSkim rules have a Confidence field at the Rule object level in addition to the Confidence values on each Pattern object. Using the rule-level field for new rules is not recommended, and it may be removed in a future release: a single Rule can contain multiple Patterns of differing Confidence, so Confidence maps more naturally to the Pattern level.

DevSkim rules can be suppressed via comments in source code.

The built-in rules that are published with DevSkim can be found in the DevSkim repository.

See Sample Rule for a detailed rule sample.

DevSkim supports the following severity levels in rule configuration: Critical, Important, Moderate, BestPractice, ManualReview and Unspecified.

The SARIF format uses a different set of severity levels. These are calculated from the DevSkim severity of an issue as follows:

| DevSkim Level | SARIF Level |
|---------------|-------------|
| Critical      | Error       |
| Important     | Error       |
| Moderate      | Warning     |
| BestPractice  | Note        |
| ManualReview  | Note        |
| Unspecified   | None        |

In addition, the original DevSkim severity level is included in the properties object of each result in the SARIF output.
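As an added example (not code from the DevSkim project or this wiki), the Python script below walks a constructed rule through the three stages described earlier on this page, the initial pattern match, conditions that must all hold, and a fix_it that rewrites the vulnerable construct, and then emits a SARIF-shaped result that carries the mapped level from the table above plus the original DevSkim severity under properties. The JSON field names (id, name, severity, patterns, pattern, confidence, conditions, negate, fix_its, replacement), the whole-file condition search and the property names DevSkimSeverity/DevSkimConfidence are simplifying assumptions for illustration, not DevSkim's exact schema; the sample rule and C# snippets are constructed.

```python
import json
import re

# Constructed sample rule. The structure (rule -> patterns -> conditions -> fix_its)
# follows the page's description; field names are illustrative assumptions.
SAMPLE_RULE_JSON = r'''
{
  "id": "EXAMPLE-0001",
  "name": "Weak hash algorithm (MD5) instantiated",
  "severity": "Important",
  "patterns": [
    {
      "pattern": "\\bMD5\\.Create\\(\\)",
      "confidence": "High",
      "conditions": [
        {"pattern": "using\\s+System\\.Security\\.Cryptography\\s*;", "negate": false}
      ],
      "fix_its": [
        {"pattern": "\\bMD5\\.Create\\(\\)", "replacement": "SHA256.Create()"}
      ]
    }
  ]
}
'''

# Constructed C# input: the namespace import is present, so the condition holds.
SAMPLE_SOURCE = """using System.Security.Cryptography;
var hasher = MD5.Create();
var digest = hasher.ComputeHash(data);
"""

# Constructed C# input: same call but no import, so the condition fails and the
# initial match is discarded (MD5 here could be an unrelated class).
SAMPLE_SOURCE_NO_IMPORT = """var hasher = MD5.Create();
"""

# DevSkim severity -> SARIF result.level, per the table above. SARIF itself
# spells its levels in lowercase ("error", "warning", "note", "none").
SARIF_LEVEL = {
    "Critical": "error",
    "Important": "error",
    "Moderate": "warning",
    "BestPractice": "note",
    "ManualReview": "note",
    "Unspecified": "none",
}


def load_rule(rule_json):
    """Parse a rule file and pre-compile every regex it contains."""
    rule = json.loads(rule_json)
    for pattern in rule["patterns"]:
        pattern["_re"] = re.compile(pattern["pattern"])
        for cond in pattern.get("conditions", []):
            cond["_re"] = re.compile(cond["pattern"])
        for fix in pattern.get("fix_its", []):
            fix["_re"] = re.compile(fix["pattern"])
    return rule


def condition_holds(cond, source):
    """A condition holds when its regex is found (or, with negate, not found).
    Simplification: the whole file is searched rather than a scoped region."""
    found = cond["_re"].search(source) is not None
    return found != cond.get("negate", False)


def find_findings(rule, source):
    """Stage 1: initial pattern match. Stage 2: every condition must hold."""
    findings = []
    for index, pattern in enumerate(rule["patterns"]):
        for match in pattern["_re"].finditer(source):
            if not all(condition_holds(c, source) for c in pattern.get("conditions", [])):
                continue
            findings.append({
                "pattern_index": index,
                "line": source.count("\n", 0, match.start()) + 1,
                "snippet": match.group(0),
                "confidence": pattern.get("confidence", "Unspecified"),
            })
    return findings


def apply_fix_its(rule, finding, source):
    """Stage 3: rewrite the vulnerable construct with the matched pattern's fix_its."""
    pattern = rule["patterns"][finding["pattern_index"]]
    for fix in pattern.get("fix_its", []):
        source = fix["_re"].sub(fix["replacement"], source)
    return source


def to_sarif_result(rule, finding):
    """SARIF-shaped result: mapped level in 'level', original DevSkim severity
    preserved under 'properties'."""
    return {
        "ruleId": rule["id"],
        "level": SARIF_LEVEL[rule["severity"]],
        "message": {"text": rule["name"]},
        "locations": [{"physicalLocation": {"region": {"startLine": finding["line"]}}}],
        "properties": {
            "DevSkimSeverity": rule["severity"],
            "DevSkimConfidence": finding["confidence"],
        },
    }


if __name__ == "__main__":
    rule = load_rule(SAMPLE_RULE_JSON)
    for finding in find_findings(rule, SAMPLE_SOURCE):
        print(json.dumps(to_sarif_result(rule, finding), indent=2))
        print(apply_fix_its(rule, finding, SAMPLE_SOURCE))
    print("findings without the import:", find_findings(rule, SAMPLE_SOURCE_NO_IMPORT))
```

Running the script reports one finding on line 2 of the first snippet, prints the source with the call rewritten to SHA256.Create(), and reports no finding for the second snippet, which shows why a condition is useful: it keeps the broad initial regex from firing where the namespace that gives MD5 its meaning was never imported.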

