Rules in RootCause

Rules are at the core of RootCause. They define what issues to look for in your code and configurations by specifying patterns, conditions, and messages.

What types of rules exist?

RootCause supports different rule types to cover various analysis scenarios:

YAML Rules

Primary format for detecting simple code and configuration patterns.

JSON Rules

Serialised format ideal for programmatic generation and configuration validation.

Semgrep Rules

For complex patterns with semantic analysis and advanced combinations.

Taint Mode

Data-flow rules: track untrusted data from sources to sinks.

OPA/WASM Rules

For complex policy logic using Rego compiled to WebAssembly.

Where are rules loaded from?

RootCause loads rules from multiple locations:

Default location

Linux/macOS: ~/.config/rootcause/rules
Windows: %APPDATA%\rootcause\rules

Custom configuration

You can specify additional directories in the config.toml file:

toml

[rules]
rule_dirs = [
    "/home/user/.config/rootcause/rules",
    "./custom-rules",
    "./project-rules"
]

Scan command

You can also specify a rules directory directly:

bash

rootcause scan . --rules ./my-rules-directory

Rule management

View installed rules

bash

rootcause rules list

Install a rule set

bash

rootcause rules install https://example.com/rules.tar.gz

Verify rules

bash

rootcause rules verify ./rules

Inspect a specific rule

bash

rootcause rules inspect py.subprocess-shell

Supported formats

RootCause supports multiple rule formats:

YAML: Primary and most readable format
JSON: Alternative format
Semgrep: Compatible with Semgrep rules
OPA WASM: WebAssembly modules for complex rules

Basic rule structure

All rules follow a common structure:

yaml

rules:
  - id: "python.security.no-eval"
    severity: "HIGH"
    description: "Avoid using eval()"
    message: "Do not use eval() with untrusted input"
    category: "python"
    # ... type-specific configuration

Severity levels

Level	Description	Use
LOW	Informational	Deprecated functions, suggestions
MEDIUM	Potential issue	Non-optimal configurations
HIGH	Action required	Insecure functions, vulnerabilities
CRITICAL	Severe issue	Plain-text passwords, critical failures

Recommended organisation

rules/
├── python/
│   ├── security/
│   │   ├── no-eval.yaml
│   │   └── subprocess-shell.yaml
│   └── best-practices/
│       └── no-unused-imports.yaml
├── docker/
│   ├── security/
│   └── best-practices/
└── yaml/
    └── security/

Next steps

First Steps - Get started with RootCause
First Scan - Run your first scan
Rules CLI - List, verify and inspect rules

Rules in RootCause ​

What types of rules exist? ​

YAML Rules ​

JSON Rules ​

Semgrep Rules ​

Taint Mode ​

OPA/WASM Rules ​

Where are rules loaded from? ​

Default location ​

Custom configuration ​

Scan command ​

Rule management ​

View installed rules ​

Install a rule set ​

Verify rules ​

Inspect a specific rule ​

Supported formats ​

Basic rule structure ​

Severity levels ​

Recommended organisation ​

Next steps ​

Rules in RootCause

What types of rules exist?

YAML Rules

JSON Rules

Semgrep Rules

Taint Mode

OPA/WASM Rules

Where are rules loaded from?

Default location

Custom configuration

Scan command

Rule management

View installed rules

Install a rule set

Verify rules

Inspect a specific rule

Supported formats

Basic rule structure

Severity levels

Recommended organisation

Next steps