Custom Rules

Custom rules let you encode organization-specific patterns alongside the community ruleset — internal API misuse, deprecated helpers, banned crypto, secret formats unique to your stack. Each rule has a mode that controls whether it raises findings, fails CI, or stays disabled.

Mode       Behavior
Monitor    Findings appear in the dashboard. CI passes (exit 0). The default for all rules.
Block      Findings appear in the dashboard. CI fails (exit 1) when the rule fires.
Disabled   Rule is not included in scans. No findings generated.

Switch modes from the Rules page; bulk operations let you flip many rules at once.

Custom rules use OpenGrep’s YAML format. Three ways to add them:

  • In the dashboard — paste YAML into the create-rule form.
  • Import from git — point Vygl at a repository containing rule files; the platform polls and re-imports on a schedule.
  • Upload a file — drop a .yml or .yaml file directly.

A minimal rule:

rules:
  - id: internal.deprecated-auth-helper
    languages: [python]
    severity: WARNING
    message: |
      The deprecated_auth() helper is being removed in 2026.
      Migrate to AuthContext.from_request(...).
    pattern: deprecated_auth(...)
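Two fuller rules, added here as an illustration rather than taken from the Vygl or OpenGrep documentation, cover two of the cases named above: a banned-crypto rule that uses a metavariable and an exclusion for explicitly non-security uses, and a stack-specific secret-format rule driven by a regex with a path exclusion. The acme_live_ token prefix and the tests/fixtures/ path are constructed placeholders.

```yaml
rules:
  - id: internal.banned-weak-hash
    languages: [python]
    severity: ERROR
    # $FUNC is interpolated into the message when the rule fires.
    message: |
      hashlib.$FUNC is on the internal banned-crypto list: MD5 and SHA-1 are
      not collision resistant. Use hashlib.sha256 for integrity checks, or a
      dedicated password hasher for credentials. If the digest is not
      security-relevant, pass usedforsecurity=False to document that.
    patterns:
      - pattern: hashlib.$FUNC(...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(md5|sha1)$
      # Python 3.9+ lets callers mark non-security uses; do not flag those.
      - pattern-not: hashlib.$FUNC(..., usedforsecurity=False)
    metadata:
      category: security
      references:
        - https://docs.python.org/3/library/hashlib.html

  - id: internal.hardcoded-service-token
    languages: [python]
    severity: ERROR
    message: >
      This looks like a hard-coded service token in the internal acme_live_
      format. Load it from the secrets manager at runtime instead.
    # Constructed placeholder format: replace the prefix and length with
    # the token format your own stack issues.
    pattern-regex: acme_live_[A-Za-z0-9]{32}
    paths:
      exclude:
        # Constructed placeholder: fixtures that intentionally hold dummy tokens.
        - "tests/fixtures/"
```

Start both rules in Monitor mode and review the dashboard findings before promoting either to Block, so the pattern-not exclusion and the path exclusion can be tuned against real hits first.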

Community rules — bundled with the engine — can be enabled, disabled, or moved to Block mode, but not edited or deleted. To override community-rule behavior, duplicate it as a custom rule, edit the duplicate, and disable the original.

  1. Author a new rule with mode Monitor.
  2. Wait one or two scan cycles to confirm the rule fires only where expected (no false positives).
  3. Promote to Block so the rule starts gating CI.
  4. If the rule turns out noisy, demote back to Monitor or Disabled — no code changes needed.