How custom rules work

Query language

Snyk Code custom rules are written in a proprietary declarative query language based on logic programming, specifically Datalog.

The goal is to write queries that surface valuable, actionable results, so that security teams and developers can focus on the most important vulnerabilities in their code.

Components

Query templates

Templates are abstract, pre-built constructs that provide a quicker and easier way to build queries.


Query predicates

A predicate is a symbolic representation of a relationship between objects or properties that evaluates to true or false. Snyk provides an extensive list of predefined predicates.

For example, PRED:XssSink matches all cross-site scripting (XSS) sinks. You can extend the predefined predicates or define your own.


Source

Sources are entry points where data enters the program, and that data can potentially be controlled by a user or by the environment. In many cases a source should be assumed to be tainted.

Sanitizer

Sanitizers validate or transform data that comes from users or the environment so that it is no longer tainted. Once data has passed through a sanitizer, the risk of tainted data being consumed by a sink is removed.

Sink

Sinks are points where data is consumed. If tainted data reaches a sink, the result can be a vulnerability in your application.

Hosting rules

Custom rules live in the repository's .snyk file. Whenever a repository is imported, this file is picked up as part of the regular caching process.

If the .snyk file contains custom rules, every scan runs those rules alongside the regular Snyk in-house rules, and their findings are reported in the same way as any other rule's.

Custom rules behavior

Snyk Code custom rules work like any other rule. Snyk Code parses your code into an Abstract Syntax Tree (AST), which is then analyzed to build an Event Graph.

All Snyk Code rules, including custom rules, run against the Event Graph; any match is treated as a vulnerability and surfaced to your developers or security teams.

When a vulnerability has been addressed, it is removed from the open issues and listed in the resolved issues section of the reporting tab.
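The source, sanitizer and sink sections above and the Event Graph evaluation described in this section are easiest to see together in a small worked example. The following Python script is an added illustration, not Snyk's query language, engine or Event Graph format: it models data-flow edges from a constructed toy event graph as relations, expresses a taint query as three Datalog-style rules (taint starts at a source, follows flow edges unless the target is a sanitizer, and is a finding when it reaches a sink), and evaluates them to a fixpoint the way a Datalog engine would. Node names such as req.query.name, escapeHtml(q) and res.send#1 are constructed sample data; the self-loop on greeting stands in for a string built up in a loop and shows that the fixpoint terminates on cyclic graphs.

```python
"""Toy Datalog-style taint query over a constructed event graph.

Added illustration of the source / sanitizer / sink model; this is not Snyk's
query language or analysis engine, and all node names below are made up.

Rules evaluated (Datalog notation):
    tainted(X) :- source(X).
    tainted(Y) :- tainted(X), flow(X, Y), not sanitizer(Y).
    finding(Y) :- tainted(Y), sink(Y).
"""

# Constructed data-flow edges (from_node, to_node) for a hypothetical
# web handler that echoes two query parameters back into the response.
FLOW = {
    ("req.query.name", "name"),
    ("name", "greeting"),
    ("greeting", "greeting"),          # self-loop: greeting is appended to in a loop
    ("greeting", "res.send#1"),        # unsanitized parameter reaches the response
    ("req.query.q", "q"),
    ("q", "escapeHtml(q)"),            # parameter passes through a sanitizer first
    ("escapeHtml(q)", "res.send#2"),
}
SOURCE = {"req.query.name", "req.query.q"}   # user-controlled input (constructed)
SANITIZER = {"escapeHtml(q)"}                # sanitizer call results (constructed)
SINK = {"res.send#1", "res.send#2"}          # XSS-style sinks (constructed)


def evaluate(flow, source, sanitizer, sink):
    """Naive fixpoint evaluation of the taint rules in the module docstring.

    Returns (tainted, findings): the set of tainted nodes, and a dict mapping
    each tainted sink to one source-to-sink path for an actionable report.
    """
    tainted = set(source)
    origin = {s: None for s in source}   # predecessor map for path reconstruction
    changed = True
    while changed:                       # repeat until no rule derives a new fact
        changed = False
        for x, y in sorted(flow):        # sorted only for deterministic paths
            # tainted(Y) :- tainted(X), flow(X, Y), not sanitizer(Y).
            if x in tainted and y not in tainted and y not in sanitizer:
                tainted.add(y)
                origin[y] = x
                changed = True

    findings = {}
    for node in sorted(tainted & sink):  # finding(Y) :- tainted(Y), sink(Y).
        path, cur = [], node
        while cur is not None:           # walk predecessors back to a source
            path.append(cur)
            cur = origin[cur]
        findings[node] = path[::-1]
    return tainted, findings


def report(findings):
    """Render findings as one line per sink, showing the full taint path."""
    return [f"{sink}: {' -> '.join(path)}" for sink, path in findings.items()]


if __name__ == "__main__":
    _, found = evaluate(FLOW, SOURCE, SANITIZER, SINK)
    for line in report(found):
        print(line)
```

Running the script reports only res.send#1, with the path req.query.name -> name -> greeting -> res.send#1; res.send#2 is not reported because the only flow into it passes through escapeHtml(q), and the negated sanitizer literal stops taint from entering that node. The negation is safe here because sanitizer is a base relation rather than a derived one, which is the same stratification requirement a real Datalog engine imposes.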


Suggestive AI support

Snyk Code offers a development environment that uses AI to simplify defining and testing rules. The AI acts as an assistant, suggesting queries based on the code you are testing.

For example, if you need to locate a method that data flows into, you can use the DataFlowsInto query template. The AI then suggests methods in your code that data flows into, based on the Event Graph. This streamlines rule creation and may also spark new query ideas.

