YAML Reference

Complete reference for policy configuration in YAML format.

Full Schema

# Required fields
id: string                    # Unique policy identifier
name: string                  # Human-readable name
description: string           # Detailed description

# Optional fields
severity: error | warning | info  # Default: error
enabled: boolean                  # Default: true
version: string                   # Policy version (semver)
extends: string                   # Parent policy ID

# Pattern matching
patterns:
  - type: regex | ast | semantic
    value: string               # Pattern definition
    message: string             # Violation message
    flags: string               # Regex flags (see Regex Patterns)
    language: string            # Language an AST pattern is parsed as (see AST Patterns)
    languages: [string]         # Limit to specific languages
    files: [string]             # Limit to file patterns

# Fix suggestions
suggestions:
  - string                      # Suggested remediation

# Auto-fix configuration
fix:
  type: replace | insert | delete
  pattern: string               # What to find
  replacement: string           # What to replace with (replace fixes)
  position: before | after      # Where content goes relative to the match (insert fixes)
  content: string               # What to insert (insert fixes)

# File handling
ignore:
  - string                      # Glob patterns to skip

include:
  - string                      # Only check these patterns

# Metadata
tags:
  - string                      # Categorization tags

frameworks:
  - string                      # Related compliance frameworks

references:
  - url: string                 # External documentation
    title: string

Field Details

id

Unique identifier for the policy.
id: no-hardcoded-secrets
Requirements:
  • Lowercase letters, numbers, hyphens only
  • Must start with a letter
  • Maximum 64 characters
  • Must be unique in organization

name

Human-readable display name.
name: No Hardcoded Secrets

description

Detailed explanation of the policy.
description: |
  Detects hardcoded secrets, API keys, passwords, and other sensitive
  credentials in source code. These should be stored in environment
  variables or a secrets manager instead.

severity

Violation severity level.
severity: error    # Blocks merges
severity: warning  # Reports but allows
severity: info     # Informational only

enabled

Whether the policy is active.
enabled: true   # Active
enabled: false  # Disabled

version

Policy version for tracking changes.
version: "1.2.0"

extends

Inherit from another policy.
extends: no-hardcoded-secrets

# Override or add to inherited config
severity: warning
patterns:
  - type: regex
    value: "additional_pattern"
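Resolution of an extends chain, as an added JavaScript example that is not part of this reference or its tool. The merge rules it applies (the child's scalar fields replace the parent's, list fields such as patterns and tags are the parent's entries followed by the child's, chains resolve recursively, and a cycle is an error) are assumptions, since the reference only says the child may override or add to the inherited configuration; the two policies in the registry are constructed from the snippets above, and the child id is invented.

```javascript
// Added example, not code from the reference: flatten a policy that uses
// `extends` into one self-contained policy. Merge rules are assumptions:
// scalars in the child replace the parent's value, list fields are
// concatenated parent-first, and an extends cycle is reported as an error.

const LIST_FIELDS = new Set([
  "patterns", "suggestions", "ignore", "include", "tags", "frameworks", "references",
]);

// Constructed registry keyed by policy id, built from the reference's
// no-hardcoded-secrets snippets and the `extends` snippet. The child id
// "no-hardcoded-secrets-lenient" is invented for the example.
const REGISTRY = {
  "no-hardcoded-secrets": {
    id: "no-hardcoded-secrets",
    name: "No Hardcoded Secrets",
    description: "Detects hardcoded secrets, API keys, passwords, and other sensitive credentials in source code.",
    severity: "error",
    patterns: [
      { type: "regex", value: "password\\s*=\\s*['\"][^'\"]+['\"]", message: "Hardcoded password detected" },
    ],
    tags: ["security", "secrets"],
  },
  "no-hardcoded-secrets-lenient": {
    id: "no-hardcoded-secrets-lenient",
    extends: "no-hardcoded-secrets",
    severity: "warning",
    patterns: [{ type: "regex", value: "additional_pattern" }],
  },
};

// Resolve `id` to a flat policy. `seen` carries the chain walked so far so
// that a -> b -> a is detected instead of recursing forever.
function resolvePolicy(registry, id, seen = []) {
  const policy = registry[id];
  if (!policy) throw new Error(`Unknown policy "${id}"`);
  if (seen.includes(id)) throw new Error(`extends cycle: ${[...seen, id].join(" -> ")}`);
  if (!policy.extends) return { ...policy };
  const parent = resolvePolicy(registry, policy.extends, [...seen, id]);
  const merged = { ...parent };
  for (const [key, value] of Object.entries(policy)) {
    if (key === "extends") continue; // the flattened policy no longer inherits
    merged[key] =
      LIST_FIELDS.has(key) && Array.isArray(parent[key]) ? [...parent[key], ...value] : value;
  }
  return merged;
}

// Stand-alone run: show the flattened child policy.
console.log(JSON.stringify(resolvePolicy(REGISTRY, "no-hardcoded-secrets-lenient"), null, 2));
```

With these rules the lenient child keeps the parent's name and description, reports at warning severity, and carries both patterns; the parent entry in the registry is not modified.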

Pattern Configuration

Regex Patterns

patterns:
  - type: regex
    value: "password\\s*=\\s*['\"][^'\"]+['\"]"
    message: "Hardcoded password detected"
    flags: "i"  # Case-insensitive
Supported flags:
  • i - Case insensitive
  • m - Multiline
  • s - Dot matches newline
  • g - Global (find all matches)
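The matching a regex pattern entry describes, as an added JavaScript example that is not part of this reference or its tool. It takes an entry with the fields shown above (value, message, flags), compiles it, and reports each violation with a line and column. The flag semantics applied (i, m and s as in JavaScript, g deciding whether more than the first match per file is reported, anything else rejected) and the sample source lines are assumptions constructed for the example. The escaping point it illustrates is real: the YAML double-quoted scalar "password\\s*=\\s*['\"][^'\"]+['\"]" unescapes to the regex password\s*=\s*['"][^'"]+['"], and a JavaScript string literal uses the same escape sequences.

```javascript
// Added example, not code from the reference: evaluate one regex-type
// pattern entry against source text and report violations.
//
// Escaping note: the YAML double-quoted scalar
//   "password\\s*=\\s*['\"][^'\"]+['\"]"
// unescapes to the regex  password\s*=\s*['"][^'"]+['"]  and the JavaScript
// string literal below uses the same escape sequences, so the text is identical.

const PASSWORD_PATTERN = {
  type: "regex",
  value: "password\\s*=\\s*['\"][^'\"]+['\"]",
  message: "Hardcoded password detected",
  flags: "ig",
};

// Constructed sample source (not from the reference). Lines 2 and 4 should be
// reported with flags "ig"; line 3 assigns an empty string and line 5 reads an
// environment variable, so neither matches the pattern.
const SAMPLE_SOURCE = [
  "const db = connect();",
  "const password = 'hunter2';",
  "const PASSWORD = \"\";",
  "const adminPassword = \"s3cr3t\";",
  "const password = process.env.DB_PASSWORD;",
].join("\n");

// Assumed flag semantics: i, m and s are the JavaScript RegExp flags of the
// same name; without g only the first match per file is reported, with g all
// of them are. Unknown flags are rejected rather than silently ignored.
function compilePattern(entry) {
  const flags = entry.flags || "";
  if (/[^imsg]/.test(flags)) {
    throw new Error(`Unsupported regex flags "${flags}" in pattern "${entry.value}"`);
  }
  // matchAll() requires the g flag, so it is always set on the RegExp object;
  // the policy's own g only controls how many matches are reported.
  const regex = new RegExp(entry.value, flags.replace(/g/g, "") + "g");
  return { regex, reportAll: flags.includes("g"), message: entry.message };
}

// Returns [{ line, column, match, message }] with 1-based line and column.
function findViolations(entry, source) {
  const { regex, reportAll, message } = compilePattern(entry);
  const violations = [];
  for (const m of source.matchAll(regex)) {
    const before = source.slice(0, m.index);
    const line = before.split("\n").length;
    const column = m.index - before.lastIndexOf("\n");
    violations.push({ line, column, match: m[0], message });
    if (!reportAll) break;
  }
  return violations;
}

// Stand-alone run: print each violation in a grep-like form.
for (const v of findViolations(PASSWORD_PATTERN, SAMPLE_SOURCE)) {
  console.log(`${v.line}:${v.column}: ${v.message} (${v.match})`);
}
```

Dropping the i flag loses the adminPassword hit on line 4, and dropping g stops after line 2; both are the kind of silent under-reporting worth checking with a sample file like this one before a policy is enabled at error severity.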

AST Patterns

Abstract Syntax Tree patterns for language-aware matching:
patterns:
  - type: ast
    language: javascript
    value: |
      CallExpression[callee.name="eval"]
    message: "eval() usage detected"
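An added example (JavaScript, not part of this reference or its tool) of how a selector in the form shown above can be evaluated over a syntax tree; it also runs the Python-style selector from the Complete Example at the end of this page. The selector grammar it accepts (a node type followed by [path="value"] tests, with dotted and indexed paths) and the two inline trees are assumptions constructed for the example; the tree shapes follow ESTree for JavaScript and the Python ast module for Python, but no parser is involved.

```javascript
// Added example, not code from the reference: evaluate AST selectors such as
//   CallExpression[callee.name="eval"]
//   Call[func.attr="execute"][args[0].type="JoinedStr"]
// over a syntax tree given as plain objects. Grammar handled here (an
// assumption): NodeType followed by zero or more [path="value"] tests, where
// path is dotted and may index arrays, e.g. args[0].type.

// Sticky regex: matches exactly one [path="value"] group at lastIndex.
const CONSTRAINT = /\[((?:[^=\[\]]|\[\d+\])+)="([^"]*)"\]/y;

function parseSelector(selector) {
  const s = selector.trim();
  const head = /^[A-Za-z_]\w*/.exec(s);
  if (!head) throw new Error(`Selector must start with a node type: ${s}`);
  const constraints = [];
  let pos = head[0].length;
  while (pos < s.length) {
    CONSTRAINT.lastIndex = pos;
    const c = CONSTRAINT.exec(s);
    if (!c) throw new Error(`Unsupported selector syntax at offset ${pos}: ${s}`);
    constraints.push({ path: c[1], value: c[2] });
    pos = CONSTRAINT.lastIndex;
  }
  return { type: head[0], constraints };
}

// Resolve "func.attr" or "args[0].type" relative to a node; undefined if any
// step is missing, so a constraint on a missing field simply fails.
function getPath(node, path) {
  const parts = path.split(".").flatMap((p) => p.split(/[\[\]]/).filter(Boolean));
  let cur = node;
  for (const part of parts) {
    if (cur === null || cur === undefined) return undefined;
    cur = cur[/^\d+$/.test(part) ? Number(part) : part];
  }
  return cur;
}

// Depth-first walk yielding every object that carries a string `type`.
function* walk(node) {
  if (node === null || typeof node !== "object") return;
  if (Array.isArray(node)) { for (const child of node) yield* walk(child); return; }
  if (typeof node.type === "string") yield node;
  for (const value of Object.values(node)) yield* walk(value);
}

// Return every node in `tree` that satisfies the selector.
function matchSelector(selector, tree) {
  const { type, constraints } = parseSelector(selector);
  const hits = [];
  for (const node of walk(tree)) {
    if (node.type !== type) continue;
    if (constraints.every((c) => getPath(node, c.path) === c.value)) hits.push(node);
  }
  return hits;
}

// Constructed ESTree-shaped tree for:  eval(input); console.log(input);
const JS_TREE = {
  type: "Program",
  body: [
    { type: "ExpressionStatement", expression: { type: "CallExpression",
        callee: { type: "Identifier", name: "eval" },
        arguments: [{ type: "Identifier", name: "input" }] } },
    { type: "ExpressionStatement", expression: { type: "CallExpression",
        callee: { type: "MemberExpression",
          object: { type: "Identifier", name: "console" },
          property: { type: "Identifier", name: "log" } },
        arguments: [{ type: "Identifier", name: "input" }] } },
  ],
};

// Constructed Python-ast-shaped tree for:
//   cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")   # JoinedStr
//   cursor.execute("SELECT * FROM users WHERE name = %s", (name,))  # Constant
const PY_TREE = {
  type: "Module",
  body: [
    { type: "Expr", value: { type: "Call",
        func: { type: "Attribute", value: { type: "Name", id: "cursor" }, attr: "execute" },
        args: [{ type: "JoinedStr", values: [] }] } },
    { type: "Expr", value: { type: "Call",
        func: { type: "Attribute", value: { type: "Name", id: "cursor" }, attr: "execute" },
        args: [{ type: "Constant", value: "SELECT * FROM users WHERE name = %s" },
               { type: "Tuple", elts: [{ type: "Name", id: "name" }] }] } },
  ],
};

// Stand-alone run: one hit from each tree.
console.log(matchSelector('CallExpression[callee.name="eval"]', JS_TREE).length);
console.log(matchSelector('Call[func.attr="execute"][args[0].type="JoinedStr"]', PY_TREE).length);
```

Only the f-string call is reported in the Python tree: the parameterized execute has a Constant as its first argument, so the second constraint fails and the node is skipped.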

Semantic Patterns

High-level semantic patterns:
patterns:
  - type: semantic
    value: "sql-string-concatenation"
    message: "Potential SQL injection vulnerability"

Language Filtering

Limit patterns to specific languages:
patterns:
  - type: regex
    value: "fmt\\.Print"
    languages:
      - go
    message: "Use structured logging instead of fmt.Print"

File Filtering

Limit patterns to specific files:
patterns:
  - type: regex
    value: "TODO"
    files:
      - "src/**/*.ts"
      - "!src/**/*.test.ts"
    message: "TODO comment found"

Fix Configuration

Replace Fix

Replace each match with the replacement text; a capture group from the pattern can be referenced in the replacement, as $1 is here:
fix:
  type: replace
  pattern: "console\\.log\\((.*)\\)"
  replacement: "logger.info($1)"

Insert Fix

Insert content before or after the matched text:
fix:
  type: insert
  position: before  # or after
  pattern: "^import"
  content: "import { logger } from './logger';\n"

Delete Fix

Remove the matched text:
fix:
  type: delete
  pattern: "console\\.log\\(.*\\);?\\n?"
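The three fix types above applied to a file, as an added JavaScript example that is not part of this reference or its tool. It uses the exact fix definitions from the three snippets; how they are interpreted (the pattern compiled with the g and m flags, $1-style group references in the replacement, an insert placed before or after the first match only) and the sample file are assumptions constructed for the example. The sample also shows why the greedy (.*) in the replace pattern deserves a second look: it swallows the rest of the line, so a second console.log on the same line is only rewritten by a second run.

```javascript
// Added example, not code from the reference: apply replace, insert and
// delete fixes to source text. Assumed semantics: `pattern` is compiled as a
// RegExp with flags "gm" (^ anchors at every line start; replace and delete
// affect every match), `replacement` uses JavaScript's $1..$n group references,
// and an insert fix puts `content` at the start (position: before) or right
// after the end (position: after) of the first match only.

// The three fix definitions from the reference, as JavaScript objects. The
// string escapes are the same ones the YAML double-quoted scalars use.
const REPLACE_FIX = {
  type: "replace",
  pattern: "console\\.log\\((.*)\\)",
  replacement: "logger.info($1)",
};
const INSERT_FIX = {
  type: "insert",
  position: "before",
  pattern: "^import",
  content: "import { logger } from './logger';\n",
};
const DELETE_FIX = {
  type: "delete",
  pattern: "console\\.log\\(.*\\);?\\n?",
};

// Constructed sample file (not from the reference).
const SAMPLE = [
  "import fs from 'fs';",
  "console.log(user.name);",
  "console.log(a); console.log(b);",
  "return user;",
].join("\n");

function applyFix(fix, source) {
  const regex = new RegExp(fix.pattern, "gm");
  switch (fix.type) {
    case "replace":
      return source.replace(regex, fix.replacement);
    case "delete":
      return source.replace(regex, "");
    case "insert": {
      const m = regex.exec(source);
      if (!m) return source; // nothing to anchor on: leave the file untouched
      const at = fix.position === "after" ? m.index + m[0].length : m.index;
      return source.slice(0, at) + fix.content + source.slice(at);
    }
    default:
      throw new Error(`Unknown fix type: ${fix.type}`);
  }
}

// Stand-alone run: show each fix's effect on the sample.
for (const fix of [REPLACE_FIX, INSERT_FIX, DELETE_FIX]) {
  console.log(`--- ${fix.type} ---\n${applyFix(fix, SAMPLE)}`);
}
```

The delete pattern ends in \n?, which is why a removed statement takes its line break with it instead of leaving a blank line; the insert content ends in \n for the mirror-image reason.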

File Handling

Ignore Patterns

Skip files matching these glob patterns:
ignore:
  - "**/*.test.ts"
  - "**/*.spec.ts"
  - "**/node_modules/**"
  - "**/dist/**"
  - "**/__mocks__/**"

Include Patterns

Only check matching files:
include:
  - "src/**/*.ts"
  - "lib/**/*.ts"
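Glob handling for the files list in File Filtering above and for the ignore and include lists here, as an added JavaScript example that is not part of this reference or its tool. It converts the glob syntax the snippets use (*, ?, ** and a leading ! for negation) to regular expressions and decides whether a path is checked. The precedence applied (include, then ignore, then the pattern's own files list; an absent list matches everything; a ! entry excludes even when a positive entry matches) and the sample paths are assumptions constructed for the example.

```javascript
// Added example, not code from the reference: glob matching for the
// `files`, `ignore` and `include` lists. Glob syntax handled (an assumption,
// based on the patterns the reference uses): `*` matches within one path
// segment, `?` one character, `**/` zero or more whole segments, a trailing
// `**` anything, and a leading `!` negates an entry.

function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const ch = glob[i];
    if (ch === "*") {
      if (glob[i + 1] === "*") {
        if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; } // "**/": zero or more directories
        else { re += ".*"; i += 1; }                            // "**" at the end: anything
      } else {
        re += "[^/]*";                                          // "*": stays inside a segment
      }
    } else if (ch === "?") {
      re += "[^/]";
    } else {
      re += ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");           // literal character
    }
  }
  return new RegExp(`^${re}$`);
}

// A path matches a list when it matches at least one positive entry (or the
// list has no positive entries) and no "!"-negated entry. An absent or empty
// list matches everything.
function matchesGlobList(path, globs) {
  if (!globs || globs.length === 0) return true;
  const positive = globs.filter((g) => !g.startsWith("!"));
  const negative = globs.filter((g) => g.startsWith("!")).map((g) => g.slice(1));
  const selected = positive.length === 0 || positive.some((g) => globToRegExp(g).test(path));
  return selected && !negative.some((g) => globToRegExp(g).test(path));
}

// Policy-level include and ignore are applied first, then the pattern's own
// files list. ignore is a plain skip list, so it is tested without negation.
function shouldCheck(policy, pattern, path) {
  if (!matchesGlobList(path, policy.include)) return false;
  if ((policy.ignore || []).some((g) => globToRegExp(g).test(path))) return false;
  return matchesGlobList(path, pattern.files);
}

// The lists from the reference's File Filtering, Ignore Patterns and Include
// Patterns snippets, combined into one constructed policy.
const POLICY = {
  include: ["src/**/*.ts", "lib/**/*.ts"],
  ignore: ["**/*.test.ts", "**/*.spec.ts", "**/node_modules/**", "**/dist/**", "**/__mocks__/**"],
};
const TODO_PATTERN = { files: ["src/**/*.ts", "!src/**/*.test.ts"] };

// Constructed sample paths with the decision expected for each.
const SAMPLE_PATHS = {
  "src/app/main.ts": true,
  "src/app/main.test.ts": false,         // ignored, and negated by the pattern's files list
  "lib/util.ts": false,                  // included by the policy but outside the pattern's files
  "src/node_modules/pkg/index.ts": false, // ignored
  "docs/example.ts": false,              // not in include
};

// Evaluate every sample path; returns { path: decision }.
function checkSamplePaths() {
  return Object.fromEntries(
    Object.keys(SAMPLE_PATHS).map((p) => [p, shouldCheck(POLICY, TODO_PATTERN, p)])
  );
}

console.log(checkSamplePaths());
```

The difference between * and ** is the one that matters for ignore lists: "src/*.ts" covers only files directly under src, whereas "src/**/*.ts" covers any depth, so a vendored directory two levels down needs the ** form to be skipped.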

Metadata

Tags

Categorize policies:
tags:
  - security
  - secrets
  - owasp

Frameworks

Link to compliance frameworks:
frameworks:
  - nist-ssdf:PW
  - owasp-asvs:V14
  - cis-controls:16.4

References

External documentation:
references:
  - url: https://owasp.org/Top10/A03_2021-Injection/
    title: OWASP Top 10 - Injection
  - url: https://cwe.mitre.org/data/definitions/798.html
    title: CWE-798 - Hardcoded Credentials

Complete Example

id: no-sql-injection
name: No SQL Injection
description: |
  Detects potential SQL injection vulnerabilities from string
  concatenation or interpolation in SQL queries.

severity: error
enabled: true
version: "1.0.0"

patterns:
  - type: regex
    value: "(SELECT|INSERT|UPDATE|DELETE).*\\$\\{.*\\}"
    languages: [javascript, typescript]
    message: "SQL query with string interpolation detected"

  - type: regex
    value: "(SELECT|INSERT|UPDATE|DELETE).*\\+\\s*\\w+"
    languages: [javascript, typescript, java]
    message: "SQL query with string concatenation detected"

  - type: ast
    language: python
    value: |
      Call[func.attr="execute"][args[0].type="JoinedStr"]
    message: "SQL query with f-string detected"

suggestions:
  - "Use parameterized queries instead"
  - "Use an ORM or query builder"

fix:
  type: replace
  pattern: "\\$\\{(\\w+)\\}"
  replacement: "?"

ignore:
  - "**/*.test.*"
  - "**/migrations/**"

tags:
  - security
  - injection
  - owasp

frameworks:
  - nist-ssdf:PW
  - owasp-asvs:V5
  - cis-controls:16.4

references:
  - url: https://owasp.org/Top10/A03_2021-Injection/
    title: OWASP Top 10 - Injection