Before you contribute start with a bit of research. Check if there are any rules for what you're about to add.
You can see the entire rules set under /rules/<engine>/<language>/<framework>/, If no rule is found, let's get started.
[Important] Do not plagiarise other sources. While it's useful to read blogs and look at what others are doing, plagiarism will not be accepted.
Our rules repo is set to hold rules to multiple different open-source engines. As such, the hierarchy we use to store the rules starts on the engine, followed by langauge, and framework (when applicable) each rule should be located in the folder of the framework it is written for. Make sure the name you pick for the rule is as descriptive as possible, this will make it easier for others to find that such a rule already exists.
e.g. for a detailed rule name, if you want to create rules for insecure issues related to the httponly attribute from a cookie when using cookie-parser in the express javascript framework using the semgrep engine one of your rule names can be nodejs-express-cookie-parser-cookie-no-httponly and it should be located under
|-- rules
| -- semgrep <-- Same as the engine you chose
| -- javascript <-- The language you're writting the rule for
| -- nodejs <-- The framework you're writting the rule for
| -- express <-- In this case, the rule is for a framework of a framework so adding another layer
as we encourage contributors to write rules that not only detect issues but can also fix them, you may have multiple rules for similar vulnerabilities to address different contexts and formatting styles. In these cases, you should re-use the message and metadata in the different rules.
When creating the rule, follow the guidelines provided for the open-source engine you want to use. It is very important to include a description of the problem and how to fix it with references to external resources such as a CWE and OWASP categorization.
Each rule should also include at least one good and one bad code samples for testing. You can take a look at this rule and code for example.
Once your rule is ready, you can simply submit it for review using a pull request. Our team will review the rule to see that it is original content (remember plagiarism is not cool), accurate, well-described, and overall good performance. As with any other pull request you made before, if we have any issues or suggestions, we will respond via GitHub, and if not, we will merge your code into the main branch.