SAST Rules

Endor Labs uses Semgrep-compatible rules for SAST scans. Endor Labs includes hundreds of rules for various languages, including rules created by Endor Labs and vetted third-party rules. To this end, Endor Labs reviews existing open source rules and complements them with Endor Labs rules to cover additional technologies or vulnerability types.

You can edit existing rules in your tenant to make modifications specific to your environment. You can also create new custom rules with the rule designer based on your requirements. You can also use the rule designer to add any Semgrep rules as a custom rule.

Refer to Semgrep Rules Documentation for more information on how to write a rule.

From the left sidebar, navigate to Policies and Rules and select SAST RULES to view all SAST rules in the system.

SAST rules

You can use the toggle next to a rule to enable or disable that rule for scans.

You can search for rules based on various parameters like rule name, languages, CWE, and tags.

Rule Permissions

You can create SAST rules in your tenants, and you can edit, delete, or propagate them to child namespaces. You cannot edit rules that are marked as Endor Labs or 3rd Party. Instead, you can disable such a rule so that it is not applied during scanning, or clone it and modify the clone.

1 - Clone a SAST rule

You can clone an existing SAST rule and use that as a base to build your own rule.

Cloning a rule provides the following benefits:

  • You can make changes to a rule and review the results instead of directly editing an existing rule.
  • You can create a clone of a rule that you do not have permission to edit and make your changes.

To clone a SAST rule:

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click on the three dots menu next to a rule and select Clone.

    A copy of the rule appears in the list of rules with the rule name in the format <original rule name>-<number of the clone>. For example, if you clone the rule Arbitrary Code Execution - Unsanitized inputs for the first time, a clone rule is created with the name Arbitrary Code Execution - Unsanitized inputs-1.

    Clone SAST rule

  3. Click the edit button next to the cloned rule and edit it according to your requirements.

    See Edit a SAST Rule for more information.

2 - Create a SAST rule

To create a rule:

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.
  2. Click Create SAST Rule.
  3. Enter the SAST rule in YAML format.

    Create SAST rule

  4. Click Save to save the rule.
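As an added example (not taken from the Endor Labs documentation), here is a Semgrep-compatible rule in the YAML form that step 3 expects; it flags subprocess calls that run a non-literal command through a shell. The rule id, the tags, and the assumption that the metadata keys cwe and tags are what the rule search indexes are illustrative choices, not documented values.

```yaml
rules:
  - id: custom-python-subprocess-shell-true   # assumed id; use your own naming scheme
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC is called with shell=True and a command that is not a
      string literal. If any part of the command is derived from user input,
      this is OS command injection; pass an argument list and drop shell=True.
    metadata:
      category: security
      # CWE and tags are searchable fields in the SAST rules list (assumed mapping).
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      tags: [command-injection, custom]
    patterns:
      # Any subprocess.* call with shell=True, regardless of the other arguments.
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # Exclude calls whose command is a fixed string literal; those carry no tainted input.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
```

The same file, with the .yaml extension and packed into a tar or gzip archive, is also the input format accepted by the import flow described later on this page.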

3 - Edit a SAST rule

You can edit only the custom SAST rules. You cannot edit or delete Endor Labs or third-party rules.

To edit a SAST rule:

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click the edit button of a rule and select Edit Rule.

    Edit SAST rule

  3. After you complete the edits, click Save to save the rule. You can also delete or disable a rule from the Edit SAST Rule screen.

4 - Import SAST rules

You can import Semgrep-compatible SAST rules that you create as YAML files. The files must have the .yaml or .yml extension, and the rule files must be packed inside a gzip or tar archive.

Import SAST rules through the user interface

You can bulk import rules through the user interface.

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click Import.

    Import SAST rule

  3. Click Browse and select the archive file that contains the rules.

  4. Enter the version of the rule, if required.

    If you do not enter a version and the rules already exist in the system, the rule upload may fail.

Import SAST rules with endorctl

You can bulk import rules with the following command.

endorctl rule-set import --file-path <file> --rule-version <version> -n namespace

Option            Description
-n, --namespace   Namespace of the project with which you are working. Mandatory.
--file-path       Path to the file that contains the rule set to import. Supported file types are .tar and .gz.
--rule-version    Semantic version that applies to all the rules in the set. The command fails if any rule already exists with this version.