- `patterns`: See the section below for the Pattern Syntax.
20
20
- `languages`: An array of the languages the rule applies to. Available values are: `ruby`, `javascript`
21
-
- `trigger`: Defines when the rule should raise a failure. Therearefourtriggertypes:
22
-
- `local`: Use this trigger when your rule directly relies on data type detections in the pattern. Some examples are sending data to a logger, or making an HTTP request that includes sensitive data.
23
-
- `global`: Some rules don’t match code with a data type directly, but you want them to trigger if Bearer finds any sensitive data types in the project. One example is password strength, where the rule only triggers if sensitive data types are found in the application.
24
-
- `presence`: Use this trigger when your rule isn’t related to a [data type](/reference/datatypes) detection but on the presence of a pattern. Examples include best practices such as configuration settings like forcing SSL communication.
25
-
- `absence`: Use this trigger when your rule isn’t related to a [data type](/reference/datatypes) detection but on the absence of a pattern (if we have been able to confirm the presence of an auxiliary pattern). Examples include best practices such as missing configuration like forcing SSL communication.
21
+
- `trigger`: Defines underwhichconditions the rule should raise a failure. Optional.
22
+
- `match_on`: Refers to the rule's pattern matches.
23
+
- `presence`: Triggers if the rule's pattern is detected. (Default)
24
+
- `absence`: Rule triggers on the absence of a pattern, but the presence of a `required_detection`. Examples include best practices such as missing configuration like forcing SSL communication. Note: rules that match on `absence` need a `required_detection` to be set.
25
+
- `required_detection`: Used with the `match_on: absence` trigger. Indicates which rule is required to activate the failure on the absence of the main rule.
26
+
- `data_types_required`: Sometimes we may want a rule to trigger only for applications that process sensitive data. One example is password strength, where the rule only triggers if sensitive data types are found in the application.
27
+
- `false`: Default. Rule triggers whether or not any data types have been detected in the application.
28
+
- `true`: Rule only triggers if at least one data type is detected in the application.
26
29
- `severity`: This sets the lowest severity level of the rule, by default at `low`. The severity level can automatically increase based on the data type categories (PHI, PD, PDS, PII) detected depending on the rule `trigger` type. A severity level of `warning`, however, will never increase. Bearer groups rule failures by severity, and you can configure the summary report to only fail on specific severity thresholds. Severity is set for each data type group, each of which takes a severity level of `warning`, `low`, `medium`, `high`, or `critical`. A severity level of `warning` won’t cause CI to fail.
27
30
- `metadata`: Rule metadata is used for output to the summary report, and documentation for the internal rules.
28
31
- `id`: A unique identifier. Internal rules are named `lang_framework_rule_name`. For rules targeting the language core, `lang` is used instead of a framework name. For example `ruby_lang_logger` and `ruby_rails_logger`. For custom rules, you may consider appending your org name.
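Review bot: the unchanged `severity` entry in this hunk still says the level can increase "depending on the rule `trigger` type", which referred to the removed `local`/`global` trigger types; after this change that distinction is carried by `data_types_required` (and `match_on`), so the sentence should name those keys instead. Two smaller points in the new `trigger` text: the removed `local` description explained that a rule's pattern can rely directly on data type detections, and nothing in the replacement says where that behaviour now lives (a pointer to the Pattern Syntax section would close the gap); and the "`absence` needs a `required_detection`" requirement is stated twice, once under `absence` and once under `required_detection`, so one of the two could be dropped.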
skipped 5 lines
34
37
- `auxiliary`: Allows you to define helper rules and detectors to make pattern-building more robust. Auxiliary rules contain a unique `id` and their own `patterns` in the same way rules do. You’re unlikely to use this regularly. See the [weak_encryption]({{meta.sourcePath}}/blob/a55ff8cf6334a541300b0e7dc3903d022987afb6/pkg/commands/process/settings/rules/ruby/lang/weak_encryption.yml) rule for examples. (Optional)
35
38
- `skip_data_types`: Allows you to prevent the specified data types from triggering this rule. Takes an array of strings matching the data type names. Example: “Passwords”. (Optional)
36
39
- `only_data_types`: Allows you to limit the specified data types that trigger this rule. Takes an array of strings matching the data type names. Example: “Passwords”. (Optional)
37
-
- `trigger_rule_on_presence_of`: Used with the `absence` trigger. Indicates which rule is required to activate the failure on the absence of the main rule.
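Review bot: `trigger_rule_on_presence_of` is removed here and its role moves to `required_detection` under `trigger`, but the `auxiliary` entry above still links the weak_encryption.yml example at a pinned commit (a55ff8cf...); if that revision uses the old `trigger` / `trigger_rule_on_presence_of` keys, the example will contradict this page, so the link should be repointed to a revision using `match_on` / `required_detection`. If the old key is no longer accepted, a one-line migration note (old name to new name) would also help readers with existing custom rules, since nothing on the page tells them the key was renamed.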