Overview

Custom rules let you define security policies in natural language that ZeroPath evaluates during every scan. Instead of writing complex pattern-matching rules, describe what you want to check and ZeroPath’s AI applies it across your codebase.

Creating Rules

From the Dashboard

  1. Navigate to Rules in the ZeroPath dashboard.
  2. Click “Create Rule”.
  3. Write your rule in natural language. For example:
    • “All API endpoints must require authentication”
    • “Database queries must use parameterized statements, never string concatenation”
    • “User input must be validated before being passed to file system operations”
    • “Sensitive data (PII, credentials) must not be logged”
  4. Optionally provide a name and description for the rule.
  5. Save the rule.

From the API

Rules can be managed via the v2 API:
# Create a rule
curl -X POST https://zeropath.com/api/v2/rules/create \
  -H "Content-Type: application/json" \
  -H "X-ZeroPath-API-Token-Id: your-token-id" \
  -H "X-ZeroPath-API-Token-Secret: your-token-secret" \
  -d '{
    "organizationId": "your-org-id",
    "name": "Require Auth on API Endpoints",
    "description": "All API endpoints must require authentication",
    "rule": "All API endpoints must require authentication before processing requests"
  }'

How Rules Are Evaluated

During each scan, ZeroPath:
  1. Identifies applications in your repository (services, modules, entry points).
  2. Evaluates each custom rule against every application in context.
  3. Reports violations as findings alongside SAST, SCA, and other results.
Custom rule violations appear in the same findings stream as other scan results — with severity, confidence, affected file, and remediation guidance.

Rule Scope

Rules can be scoped at different levels:
Scope          Applies To
Organization   All repositories in the organization
Tag            All repositories with a specific tag
Repository     A single repository
Rules follow the same org → tag → repo inheritance cascade as scanner settings. Repository-level rules supplement (not replace) org and tag-level rules.
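The following is an added example, not ZeroPath's own code or client: it builds the create-rule request exactly as documented above (endpoint, headers, JSON fields) and resolves the org → tag → repo cascade for one repository. The function names, the environment variable names and the assumption that the API answers with JSON are mine, not from the page.

```python
"""Added example (not ZeroPath's own code): build the documented create-rule
request and resolve which custom rules apply to a single repository."""
import json
import os
import urllib.request

API_BASE = "https://zeropath.com/api/v2"  # endpoint shown on this page


def build_create_rule_request(org_id, name, description, rule, token_id, token_secret):
    """Return (url, headers, body) for POST /rules/create using the documented
    headers and JSON fields. organizationId and rule are required; name and
    description are optional (as in the dashboard flow). Credentials are
    parameters so they never sit in source code."""
    for field, value in (("organizationId", org_id), ("rule", rule)):
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{field} must be a non-empty string")
    headers = {
        "Content-Type": "application/json",
        "X-ZeroPath-API-Token-Id": token_id,
        "X-ZeroPath-API-Token-Secret": token_secret,
    }
    body = {"organizationId": org_id, "name": name,
            "description": description, "rule": rule}
    return f"{API_BASE}/rules/create", headers, body


def create_rule(org_id, name, description, rule):
    """Send the request. Token id/secret are read from environment variables
    (assumed names) and the response is assumed to be JSON."""
    url, headers, body = build_create_rule_request(
        org_id, name, description, rule,
        os.environ["ZEROPATH_TOKEN_ID"], os.environ["ZEROPATH_TOKEN_SECRET"])
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def effective_rules(org_rules, tag_rules, repo_rules, repo_tags):
    """Resolve the org -> tag -> repo cascade for one repository. Repo-level
    rules supplement (never replace) inherited ones, so the result is the
    ordered union of org rules, rules of every tag on the repo, and repo rules,
    with duplicates removed."""
    rules = list(org_rules)
    for tag in repo_tags:
        rules.extend(tag_rules.get(tag, []))
    rules.extend(repo_rules)
    return list(dict.fromkeys(rules))
```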

Managing Rules

From the dashboard or API, you can:
  • List all rules for your organization
  • View a rule’s definition, scope, and metadata
  • Update a rule’s name, description, or natural language definition
  • Delete rules that are no longer needed

Custom Rules Only Mode

For organizations that want to run only their custom rules (disabling all built-in SAST scanning), enable the useOnlyCustomRules setting in your scanner settings. When enabled, ZeroPath skips all built-in technical analysis and evaluates only your custom rules.

Best Practices

  1. Be specific — “All API endpoints must validate the user’s session token before processing” is better than “APIs should be secure”.
  2. One policy per rule — create separate rules for separate concerns so violations are actionable.
  3. Start broad, then refine — begin with high-level policies and add detail based on the violations you see.
  4. Use tags for team-specific rules — different teams may have different security requirements; scope rules using tags.