
Add Custom SAST & IaC Rules


With these custom rules you can make Aikido scan for specific risks in your codebase, especially those risks that are particularly relevant for your environment. This way you can detect vulnerabilities that broader SAST or IaC rules might overlook.

Step-by-Step Guide

Step 1: Go to the repository's checks page.

Step 2: Click "Create Custom Rule" in the SAST section.

Step 3: Enter the following details for your rule:

  • Opengrep rule: The Opengrep rule (YAML) that Aikido will scan with. Tip: test the rule in the Opengrep playground to confirm it matches what you expect before saving.

  • Title: Name your rule for easy identification.

  • TL;DR: Provide a concise description of the issue. This will show up in the sidebar.

  • How to fix it: Let your team know the best way to fix this issue.

  • Language: Specify the programming language.

  • Aikido Score: Set the priority level for issue reporting in the main Feed.

Step 4: Once you're satisfied with the rule's configuration, click "Save" to add it to your Aikido SAST checks. Your custom rule is now active and will be automatically applied in future scans.

Extra Info

  • The languages attribute inside the rule itself always takes precedence over the Language field of the form. This is useful when a custom rule needs to apply to all languages and files at once.

  • If you want to create IaC rules, you can do this by setting the language to yaml/terraform/...


  • SAST rule: flags use of the weak MD5 hashing algorithm in JavaScript, whether through Node's crypto module or CryptoJS.

      rules:
        - id: md5-used
          message: It looks like MD5 is used
          languages:
            - javascript
          severity: WARNING
          pattern-either:
            - pattern: $CRYPTO.createHash("md5")
            - pattern: CryptoJS.MD5(...)

  • IaC rule: a custom rule (HCL/Terraform) that flags Lambda functions tagged "type:monitored" but missing a "service" tag.

      rules:
        - id: CUSTOM-RULE-530
          languages:
            - hcl
          severity: WARNING
          message: >
            A Lambda function was found with the "type:monitored" tag, but without a "service" tag.
          patterns:
            - pattern: |-
                resource "aws_lambda_function" $ANYTHING {
                  tags = {..., type = "monitored", ...}
                }
            - pattern-not: |-
                resource "aws_lambda_function" $ANYTHING {
                  tags = {..., service = "...", ...}
                }
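A structural pre-save check for rule files like the two above, added here as an example (not part of Aikido's documentation or tooling): it enforces the keys every Opengrep rule needs and catches the two slips that most often break a pasted rule, a missing `languages` list and pattern clauses listed without a `patterns` or `pattern-either` operator. The validator functions and the sample rule dicts are constructed for this example; the input is the rule YAML already parsed into Python objects.

```python
"""Structural checks for Opengrep/Semgrep-style custom rules (constructed helper, not Aikido's code)."""
SEVERITIES = {"ERROR", "WARNING", "INFO"}
# A rule carries exactly one of these at its top level.
TOP_LEVEL_OPERATORS = {"pattern", "patterns", "pattern-either", "pattern-regex"}
# Keys accepted inside one entry of a `patterns:` (AND) or `pattern-either:` (OR) list.
CLAUSE_KEYS = TOP_LEVEL_OPERATORS | {"pattern-not", "pattern-inside", "pattern-not-inside", "metavariable-regex"}


def validate_rule(rule: dict) -> list[str]:
    """Return the problems found in one rule; an empty list means it looks structurally sound."""
    problems = []
    for key in ("id", "message", "languages", "severity"):
        if key not in rule:
            problems.append(f"missing required key '{key}'")
    langs = rule.get("languages")
    if langs is not None and (not isinstance(langs, list) or not langs):
        problems.append("'languages' must be a non-empty list, e.g. [javascript] or [hcl]")
    if "severity" in rule and rule["severity"] not in SEVERITIES:
        problems.append(f"severity must be one of {sorted(SEVERITIES)}")
    ops = TOP_LEVEL_OPERATORS & rule.keys()
    if len(ops) != 1:
        problems.append(f"need exactly one top-level operator, found {sorted(ops) or 'none'}")
    for op in ("patterns", "pattern-either"):
        for i, clause in enumerate(rule.get(op) or []):
            if not isinstance(clause, dict) or not (CLAUSE_KEYS & clause.keys()):
                problems.append(f"{op}[{i}] is not a pattern clause")
    return problems


def validate_rules_file(doc) -> dict[str, list[str]]:
    """Validate a parsed rules document; results are keyed by rule id (or position if the id is missing)."""
    if not isinstance(doc, dict) or not isinstance(doc.get("rules"), list):
        return {"<file>": ["top level must be a mapping with a 'rules' list"]}
    report = {}
    for i, rule in enumerate(doc["rules"]):
        key = str(rule.get("id", f"#{i}")) if isinstance(rule, dict) else f"#{i}"
        report[key] = validate_rule(rule) if isinstance(rule, dict) else ["rule entry is not a mapping"]
    return report


# Constructed samples: the MD5 rule from this page, and a copy that lost its languages/operator keys.
MD5_RULE = {"rules": [{"id": "md5-used", "message": "It looks like MD5 is used", "languages": ["javascript"],
                       "severity": "WARNING", "pattern-either": [{"pattern": '$CRYPTO.createHash("md5")'},
                                                                 {"pattern": "CryptoJS.MD5(...)"}]}]}
GARBLED_RULE = {"rules": [{"id": "md5-used", "message": "It looks like MD5 is used", "severity": "WARNING"}]}

if __name__ == "__main__":
    for name, doc in (("MD5_RULE", MD5_RULE), ("GARBLED_RULE", GARBLED_RULE)):
        print(name, validate_rules_file(doc))
```

Run it before pasting a rule into the form; a non-empty problem list for a rule means the Opengrep playground would reject it or match nothing.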