Rule

Overview

A rule describes how matched parts for a pattern should be treated. It mainly consists of:

an ID
one or more patterns
a target language name of the pattern
a message related to the pattern
rule constraints (optional)
one or more rewrite patterns (optional)

A rule set is a set of rules with Shisho's version information. Here's an example ruleset:

version: '1'
rules:
  - id: sample-policy
    language: hcl
    pattern: |
      size = :[X]
    message: |
      here comes your own message
    rewrite: size = 20

Properties

This section explains basic properties.

id

You can set an id whatever you want. However, we recommend:

Unique
Meaningful
Easy to understand the policy

language

This is a target language and currently available languages are:

hcl
go
dockerfile

Last Update: 10/21/2021

message

A message is displayed when it matches pattern block.

pattern and patterns

A pattern describes what parts are searched and you can select single pattern OR multiple patterns.

Single Pattern

A below example is a fundamental usage. This searches the part auto_recovery = false in resource "foobar".

pattern: |
  resource "foobar" :[NAME] {
    :[...X]
    auto_recovery = false
    :[...Y]
  }

📝 Tips: what is :[...X] and :[...Y]?
These are metavariables. Please review the section, Metavariable on the page Pattern.

Multiple Patterns

Multiple patterns are available for complex searches. For instance, the below patterns search the parts to meet either case, risk_level is 1 OR 2.

patterns:
  - pattern: |
      resource "foobar" :[NAME] {
        :[...X]
        risk_level = 1
        :[...Y]
      }
  - pattern: |
      resource "foobar" :[NAME] {
        :[...X]
        risk_level = 2
        :[...Y]
      }

Invalid Pattern Expression

You can select either single or multiple patterns. Your rule cannot have both expressions.


// This is an invalid example because the code has both `pattern` and `patterns`.
// You need explicitly select either one. 
pattern: | 
  resource "foobar" :[NAME] {
    :[...X]
    risk_level = 1
    :[...Y]
  }
patterns:
  - pattern: | 
      resource "foobar" :[NAME] {
        :[...X]
        risk_level = 2
        :[...Y]
      }
  - pattern: |
      resource "foobar" :[NAME] {
        :[...X]
        risk_level = 3
        :[...Y]
      }

rewrite and rewrite_options

If the parts match a pattern block, it is transformed by a rewrite block. You can utilize a single rewrite option with the rewrite block in a rule OR multiple rewrite options with a rewrite_options block. Please check the further details on the page one or more rewrite patterns.

Pattern

Rule Constraint