# JSON Rules
JSON rules provide the same functionality as YAML rules but in a serialised format, ideal for programmatic generation.
## Basic structure

```json
{
  "rules": {
    "config": {
      "no_default_password": {
        "description": "Detect use of the default password 'admin'",
        "severity": "HIGH",
        "query": {
          "type": "yaml",
          "path": "database.password",
          "value": "admin",
          "message": "Default password 'admin' used",
          "remediation": "Set a secure password"
        }
      }
    }
  }
}
```
## Fields

| Field | Description |
|---|---|
| `description` | Rule description |
| `severity` | Level: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW` |
| `query.type` | File type (`yaml`, `json`) |
| `query.path` | JSONPath within the file |
| `query.value` | Exact value to search for |
| `query.message` | Message shown to the user |
| `query.remediation` | Suggested remediation |
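The evaluation semantics the Fields table describes, as an added example that is not the project's own code: a small Python evaluator that resolves `query.path` against a parsed document and reports a finding only on an exact, type-sensitive match, which is what "exact value" means in practice (a YAML string `"false"` does not match the rule value `false`). The rule file is the three rules shown on this page; the configuration is a constructed JSON document (a YAML file would be parsed with PyYAML's `yaml.safe_load` and evaluated the same way, left out here to keep the example dependency-free). The dotted-path resolver, the treatment of missing paths and the `MISSING` sentinel are assumptions about the tool's behaviour, not something this page documents.

```python
"""Minimal evaluator for the JSON rule format (added example, not the tool's code)."""
import json
from typing import Any

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
MISSING = object()  # sentinel: the path does not exist in the document


def resolve_path(document: Any, path: str) -> Any:
    """Walk a dotted path such as 'database.password' through nested dicts/lists.

    Assumption: the page only shows dotted keys, so this supports dotted keys and
    numeric list indexes ('servers.0.port'), not the full JSONPath grammar.
    """
    current = document
    for segment in path.split("."):
        if isinstance(current, dict) and segment in current:
            current = current[segment]
        elif isinstance(current, list) and segment.isdigit() and int(segment) < len(current):
            current = current[int(segment)]
        else:
            return MISSING
    return current


def evaluate_rules(rule_file: dict, config: dict) -> list[dict]:
    """Return one finding per rule whose query.value exactly equals the value at query.path.

    The comparison is type-sensitive: bool is a subclass of int in Python, so without
    the type check the rule value true would also match the integer 1.
    """
    findings = []
    for category, rules in rule_file.get("rules", {}).items():
        for rule_id, rule in rules.items():
            if rule["severity"] not in SEVERITIES:
                raise ValueError(f"{rule_id}: unknown severity {rule['severity']!r}")
            query = rule["query"]  # query.type is not needed: documents arrive pre-parsed
            actual = resolve_path(config, query["path"])
            if actual is MISSING:
                continue  # absent path: the rule does not fire (assumption)
            expected = query["value"]
            if type(actual) is type(expected) and actual == expected:
                findings.append({
                    "rule": f"{category}.{rule_id}",
                    "severity": rule["severity"],
                    "path": query["path"],
                    "message": query["message"],
                    "remediation": query["remediation"],
                })
    return findings


# The three rules from this page, in the JSON rule format.
RULE_FILE = json.loads("""
{"rules": {"config": {
  "no_default_password": {"description": "Detect use of the default password 'admin'",
    "severity": "HIGH", "query": {"type": "yaml", "path": "database.password", "value": "admin",
    "message": "Default password 'admin' used", "remediation": "Set a secure password"}},
  "insecure_db_config": {"description": "Detect insecure database configurations",
    "severity": "HIGH", "query": {"type": "yaml", "path": "database.ssl", "value": false,
    "message": "Database connection not using SSL", "remediation": "Enable SSL for database connections"}},
  "debug_mode_production": {"description": "Detect debug mode enabled in production",
    "severity": "MEDIUM", "query": {"type": "yaml", "path": "app.debug", "value": true,
    "message": "Debug mode enabled in production", "remediation": "Disable debug mode in production"}}
}}}
""")

# Constructed sample configuration. Note "ssl" is the string "false", not the boolean.
SAMPLE_CONFIG = json.loads("""
{"database": {"password": "admin", "ssl": "false"},
 "app": {"debug": true}}
""")


def run_demo() -> list[dict]:
    """Evaluate the page's rules against the constructed config (two findings expected)."""
    return evaluate_rules(RULE_FILE, SAMPLE_CONFIG)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"[{finding['severity']}] {finding['rule']} at {finding['path']}: "
              f"{finding['message']} -> {finding['remediation']}")
```

Running it reports `no_default_password` and `debug_mode_production` but not `insecure_db_config`: the string `"false"` is not the boolean `false`, so a rule written for the boolean silently misses a config that spells it as a string. When authoring exact-value rules, check how the target files actually encode the value, or add a second rule for the string form.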
## Real example

```json
{
  "rules": {
    "config": {
      "no_default_password": {
        "description": "Detect use of the default password 'admin' in YAML configurations",
        "severity": "HIGH",
        "query": {
          "type": "yaml",
          "path": "database.password",
          "value": "admin",
          "message": "Default password 'admin' used",
          "remediation": "Set a secure password instead of the default value"
        }
      }
    }
  }
}
```
## Use cases

### Database configurations

```json
{
  "rules": {
    "config": {
      "insecure_db_config": {
        "description": "Detect insecure database configurations",
        "severity": "HIGH",
        "query": {
          "type": "yaml",
          "path": "database.ssl",
          "value": false,
          "message": "Database connection not using SSL",
          "remediation": "Enable SSL for database connections"
        }
      }
    }
  }
}
```
### Environment variables

```json
{
  "rules": {
    "config": {
      "debug_mode_production": {
        "description": "Detect debug mode enabled in production",
        "severity": "MEDIUM",
        "query": {
          "type": "yaml",
          "path": "app.debug",
          "value": true,
          "message": "Debug mode enabled in production",
          "remediation": "Disable debug mode in production"
        }
      }
    }
  }
}
```
## Advantages
✅ Perfect for:
- Programmatic generation
- CI/CD tool integration
- Configuration validation
- Verification of specific values
❌ Limitations:
- Exact values only (no complex patterns)
- No conditional logic
- Structured files only (JSON/YAML)
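The "programmatic generation" advantage, as an added example that is not the project's own code: a Python generator that turns a constructed inventory of insecure defaults into a rule file in the format above, validating severities against the allowed set and rejecting duplicate rule ids before anything is written. Emitting the file with `json.dumps` keeps booleans as JSON `true`/`false`, so the exact-value matching of the tool sees the same type the generator intended. The inventory tuple layout and the generated `description` wording are this example's own choices.

```python
"""Generate a JSON rule file from a list of insecure defaults (added example)."""
import json

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed inventory: (rule_id, path, insecure value, severity, message, remediation).
# Values mirror the rules shown on this page.
INSECURE_DEFAULTS = [
    ("no_default_password", "database.password", "admin", "HIGH",
     "Default password 'admin' used", "Set a secure password"),
    ("insecure_db_config", "database.ssl", False, "HIGH",
     "Database connection not using SSL", "Enable SSL for database connections"),
    ("debug_mode_production", "app.debug", True, "MEDIUM",
     "Debug mode enabled in production", "Disable debug mode in production"),
]


def build_rule_file(entries, category="config", file_type="yaml") -> dict:
    """Build the {"rules": {category: {...}}} structure, validating each entry."""
    rules = {}
    for rule_id, path, value, severity, message, remediation in entries:
        if severity not in SEVERITIES:
            raise ValueError(f"{rule_id}: severity must be one of {SEVERITIES}, got {severity!r}")
        if rule_id in rules:
            raise ValueError(f"{rule_id}: duplicate rule id")
        if not path or path.startswith(".") or path.endswith("."):
            raise ValueError(f"{rule_id}: malformed path {path!r}")
        rules[rule_id] = {
            # json.dumps spells the value the way the rule file will, e.g. false not False
            "description": f"Detect insecure value {json.dumps(value)} at {path}",
            "severity": severity,
            "query": {
                "type": file_type,
                "path": path,
                "value": value,
                "message": message,
                "remediation": remediation,
            },
        }
    return {"rules": {category: rules}}


def render_rule_file(entries) -> str:
    """Serialise the generated structure as the JSON text the tool would read."""
    return json.dumps(build_rule_file(entries), indent=2)


if __name__ == "__main__":
    print(render_rule_file(INSECURE_DEFAULTS))
```

A CI job can keep the inventory in one place (a spreadsheet export, a list of product defaults) and regenerate the rule file on every change, which is where the JSON format pays off over hand-written YAML.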
## Differences from YAML

| Aspect | YAML | JSON |
|---|---|---|
| Readability | ✅ More readable | ❌ Less readable |
| Generation | ❌ Manual | ✅ Programmatic |
| Comments | ✅ Supported | ❌ Not supported |
| Tooling | ❌ Limited | ✅ Broad ecosystem |
## Next steps
- YAML Rules - More readable format
- Semgrep Rules - For complex patterns
- OPA Rules - For advanced logic