Building Detectors

A detector combines one or more building blocks, such as test_regex in the example below, with a workflow building block, such as pattern_group in the example below. Together these consist of logic, patterns, machine learning and statistical tests.

rules:
  - id: HELO001
    pattern_group:
      aggregate: or
      patterns:
      - pattern: "hello (.*)"
        test_regex:
        - on: 1
          pattern: universe|world
      - pattern: "namaste (.*)"
        test_regex:
        - on: 1
          pattern: bramhaand|vishv

Code Security optimizes:

  • Extreme performance - Built with Rust's zero-overhead principles and low-level optimization.

  • Security - Code Security is built with safe-only code and sandboxes detectors.

  • Productivity - Code Security detectors are programming language agnostic: there is no need to understand Java to scan Java, or any other programming language.

  • Rapid detector building - No manual compilation: write the detector and run it. Code Security compiles and optimizes each detector automatically.

  • Declarative over programmatic - Specify what you want to find, and Code Security finds it.

  • Automatic fingerprinting and tracking - Code Security analyzes each finding and automatically creates a secure, irreversible and detectable fingerprint.

Detecting Sensitive Files or a Hardcoded JWT Secret in your Codebase

You can build a detector to find SSH-related sensitive files.

  1. Run:

    $ cd my-project
    $ $HOME/.spectral/spectral init
  2. Create a file in .spectral/rules/my-rules.yaml:

    • To detect a sensitive file:

      rules:
        - id: SENS001
          applies_to:
            - "(?i).*_(rsa|dsa|ed25519|ecdsa)$"
          description: An SSH related sensitive file was found
          name: Sensitive SSH file
          recommendation_template: Please add sensitive files to your .gitignore
          severity: error
          tags:
            - base
            - sensitive-files
          pattern_group:
            aggregate: or
            patterns:
              - pattern: "."
                match_on_path: true
                pattern_type: single
    • To find a hardcoded JWT secret in your codebase:

      rules:
        - id: SEC001
          description: A JWT (JSON Web Token) has been found to be hardcoded
          name: Sensitive JWT (JSON Web Token)
          recommendation_template: Please remove the hardcoded token, report it to SecOps for rotation, and fix by using .env
          severity: error
          tags:
          - base
          - secrets
          pattern_group:
            aggregate: or
            patterns:
            - pattern: "=\\s+(.*)" # assignment
              pattern_type: multi
              test_jwt:
              - on: 1
                is: true
  3. Run a scan:

    • For interactive sessions, run $ $HOME/.spectral/spectral run --nosend

    • To perform a scan in your CI, run $ $HOME/.spectral/spectral scan

  4. To test the detector with a dummy file, run:

    $ echo 'x' > id_rsa

  5. Run $HOME/.spectral/spectral run to view new detections.

Detector Item          Description
rules:                 Indicates that this is a detector rules file.
SENS001                The detector ID that appears in Code Security.
applies_to             Tests against the full file path. You can also use applies_not_to in combination.
base                   Adds the detector to the base ruleset of Code Security, which runs by default with all other detectors.
pattern_group          Defines a group of pattern elements with a logical OR relationship between them. You can add more patterns.
match_on_path          Rewires the engine to treat the file path as the tested content.
pattern_type: single   Attempts to find a match only once (no multiple results in the same file).
pattern: "."           Matches any character on the path.

Detecting an Actual Secret

You can ensure your codebase does not contain a well-known, organization-specific secret, such as:

  • Development team credit card number

  • Private network domains

  • Internal server addresses

  • Vendor and customer secrets

You can use fingerprinting to hide such sensitive information even in the detector rule.

  1. Run:

    $ cd my-project
    $ $HOME/.spectral/spectral init
    $ $HOME/.spectral/spectral fingerprint --text sekr3t
    [fingerprint text]
  2. Create a file in .spectral/rules/my-rules.yaml:

    rules:
      - id: PRIV001
        description: A private organization secret is found hardcoded in files
        name: Private secret
        recommendation_template: Please remove the hardcoded secret, report it to SecOps for rotation, and fix by using .env
        severity: error
        tags:
        - base
        - secrets
        pattern_group:
          aggregate: or
          patterns:
          # (?: ... ) is non-capturing, so capture group 1 is the value after "="
          - pattern: "(?:key|token|secret|password|pwd|passwd)=(.*)" # assignment
            pattern_type: multi
            test_fingerprints:
            - on: 1
              fp: [fingerprint text]
              is: true
  3. Run $ $HOME/.spectral/spectral run --nosend
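The following is an added example, not Spectral's own code: a minimal Python re-implementation of the pattern_group semantics used by the HELO001 and PRIV001 rules above (aggregate: or, test_regex and test_fingerprints applied to the capture group selected by on), run over constructed sample lines. It assumes a fingerprint can be modelled as a SHA-256 digest; the real `spectral fingerprint` format is not specified on this page.

```python
import hashlib
import re

def fingerprint(text: str) -> str:
    # Hypothetical stand-in for `spectral fingerprint --text`: a one-way hash, so the
    # rule file carries the fingerprint and never the secret itself.
    return hashlib.sha256(text.encode()).hexdigest()

def _tests_pass(m: re.Match, pattern: dict) -> bool:
    # Every test_* block runs against the capture group selected by `on`.
    for t in pattern.get("test_regex", []):
        if not re.search(t["pattern"], m.group(t["on"])):
            return False
    for t in pattern.get("test_fingerprints", []):
        if (fingerprint(m.group(t["on"]).strip()) == t["fp"]) != t["is"]:
            return False
    return True

def evaluate(rule: dict, content: str) -> list:
    """Return (rule id, line number, line) for each line the pattern_group accepts."""
    group = rule["pattern_group"]
    combine = any if group["aggregate"] == "or" else all   # or: one pattern suffices
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        results = [any(_tests_pass(m, p) for m in re.finditer(p["pattern"], line))
                   for p in group["patterns"]]
        if combine(results):
            findings.append((rule["id"], lineno, line))
    return findings

def group_one(pattern: str, line: str) -> str:
    """What `on: 1` sees: group 1 of the first match (shows why (?: not (:? is needed)."""
    m = re.search(pattern, line)
    return m.group(1) if m else ""

HELO = {"id": "HELO001", "pattern_group": {"aggregate": "or", "patterns": [
    {"pattern": r"hello (.*)", "test_regex": [{"on": 1, "pattern": "universe|world"}]},
    {"pattern": r"namaste (.*)", "test_regex": [{"on": 1, "pattern": "bramhaand|vishv"}]}]}}

PRIV = {"id": "PRIV001", "pattern_group": {"aggregate": "or", "patterns": [
    {"pattern": r"(?:key|token|secret|password|pwd|passwd)=(.*)",
     "test_fingerprints": [{"on": 1, "fp": fingerprint("sekr3t"), "is": True}]}]}}

# Constructed sample content; only lines 1, 3 and 4 should be reported.
SAMPLE = "hello world\nhello there\nnamaste vishv\npassword=sekr3t\npassword=other"

if __name__ == "__main__":
    for rule in (HELO, PRIV):
        print(evaluate(rule, SAMPLE))
    print(group_one(r"(:?key|password)=(.*)", "password=sekr3t"))  # the key, not the value
```

With a capturing `(:?key|...)` group, `on: 1` would test the key name rather than the assigned value, so the fingerprint would never match.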

Detector Item          Description
rules:                 Indicates that this is a detector rules file.
PRIV001                The detector ID that appears in Code Security.
applies_to             Tests against the full file path. You can also use applies_not_to in combination.
base                   Adds the detector to the base ruleset of Code Security, which runs by default with all other detectors.
pattern_group          Defines a group of pattern elements with a logical OR relationship between them. You can add more patterns.
match_on_path          Rewires the engine to treat the file path as the tested content.
pattern_type: multi    Attempts to find multiple matches in the same file.
pattern: "."           Matches any character on the path.
on: 1                  The (?: ... ) group is non-capturing and therefore ignored, so the test runs on the first capture group: the value after the = sign.
test_fingerprints      Scans the selected capture group for the listed fingerprints.
is: true               The detector fires when the fingerprint scan returns a match.