Custom rule packs
Vulkro ships a large built-in detector set, but you can add your own detection patterns without waiting on a release. Custom rules are written in YAML, run alongside the built-in detectors on every scan, and can encode organisation-specific concerns: an internal token format, a banned API, a framework convention your team enforces.
Two pattern modes
Each rule matches one of two ways:
regex: a file-glob filter plus a regular expression. Cheap, matches on raw bytes, good for secret formats and simple text patterns.ast: a tree-sitter language plus a node type and identifier match. Higher precision, requires the file to parse, good for "this specific call in this specific language".
rules:
- id: corp-internal-token
severity: critical
owasp: SecurityMisconfiguration
confidence: high
message: "Internal corp token committed to source"
remediation: "Rotate the token and read it from an environment variable instead."
pattern:
regex: "intsk_[A-Za-z0-9]{32}"
file_globs:
- "src/**/*.{ts,js,py,go}"
- "**/.env*"
- id: deny-eval-react
severity: high
owasp: ServerSideRequestForgery
confidence: high
message: "eval() in a React component: potential XSS sink"
remediation: "Parse the input instead, for example JSON.parse for JSON-shaped data."
pattern:
ast:
language: typescript
node: "call_expression"
callee_identifier: "eval"
file_globs:
- "src/**/*.{tsx,jsx}"
Duplicate rule IDs are an error at load time, so keep IDs unique across every file that a scan loads.
Where rules come from
A scan merges rules from these sources:
- A
vulkro-rules.yamlfile at the project root is auto-discovered. No flag is needed. vulkro scan . --rules <PATH>adds an extra rule file or a directory of rule files for that run.- Installed rule packs under
~/.vulkro/rule-packs/<author>/<name>/<version>/participate in every subsequent scan.
Test a rule locally
Point a scan at a small fixture project and iterate until each rule fires where you expect and stays quiet where you do not:
vulkro scan ./test-project --rules ./my-rules.yaml
Keep a directory of positive and negative fixtures next to your rules so you can re-run them as a regression check when you edit a pattern.
Rule packs from the registry
A rule pack is a versioned bundle of rules published under an
<author>/<name> id. Manage packs with vulkro rules:
vulkro rules list # available packs in the registry index
vulkro rules add acme/api-security # fetch, verify signature, install
vulkro rules installed # what is installed locally
vulkro rules verify acme/api-security # re-check the on-disk signature
vulkro rules remove acme/api-security # uninstall every version
vulkro rules update # refresh the registry index
Packs are signed, and add installs a pack only after its signature verifies
against the trust roots the binary ships with. verify re-checks an installed
pack at any time. Pin a version with vulkro rules add acme/[email protected];
the default is the latest published version.
Reuse existing Semgrep rules
If you already maintain Semgrep rules, convert one into Vulkro's format:
vulkro rules import-semgrep my-semgrep-rules.yaml
The importer writes a vulkro-rules.yaml next to the input, which a later
vulkro scan auto-discovers with no extra flag. Translation is best-effort:
simple patterns become regexes, and compound shapes (pattern-either,
pattern-not, patterns:) are skipped with a warning per rule, so review the
output before relying on it. Exit code is 0 on success, 2 on a read or parse
error.
Related
vulkro rules- the full command reference.- Suppressions - silence a finding you have accepted.
- Air-gap: signing and trust roots - the same trust-root model the CVE bundle uses.