Skip to content

Rules

The /rules page is where you manage scan policy — both the built-in rule catalog and your own custom rules, in one place.

Rules are grouped into sections by scan type — SAST, SCA, Secrets, IaC, Malware (malicious packages), and Container — and within each section by category (SQL injection, XSS, hardcoded secret, typosquat, install-script, and so on). Each rule shows its ID, title, severity, confidence, current mode, and how many open findings it has produced.

Every rule has a mode that controls how its findings behave:

ModeEffect
DisabledThe rule is skipped entirely — no findings.
MonitorThe rule produces findings, but they never fail CI.
BlockThe rule produces findings and trips the CI exit code via the fail-on mechanism.

Changing a mode takes effect on the next scan. See Severity Gates for how Block mode interacts with CI exit codes, and Merge Gating for blocking merges on managed SCM connections.

FilterEffect
SearchMatch by rule ID or title.
Modedisabled / monitor / block.
Severitycritical / high / medium / low / info.
SourceBuilt-in versus custom.
CategoryOne of the rule categories.
Has findingsShow only rules that have produced findings.
  1. Filter to the rules you want to change — for example, all SQL-injection rules.
  2. Select them.
  3. Pick a mode from the bulk action. Every selected rule updates at once.

A common rollout is to start new rules in Monitor, watch their true/false-positive ratio, then promote the trustworthy ones to Block.

You can import rules from a file and export the current rule configuration to CSV. Built-in rules are read-only — you can change their mode but not edit or delete them. Only custom rules are fully editable.

Click any rule to open its detail: full description, the pattern or metadata, example vulnerable code, remediation guidance, and its finding history.