Rule Library
500+ built-in rules. Every one CWE-mapped.
OWASP A01–A10 coverage across 7 languages. Every finding includes a CWE ID and OWASP category — not a generic "high severity" label. Extend with custom YAML rules for your own codebase patterns.
512 rules
OWASP A01–A10
CWE-mapped
Python
JS/TS
Go
Java
Ruby
Rust
OWASP Top 10 coverage
What gets caught
| Category | OWASP | CWE | Rules | Python | JS/TS | Go | Java | Ruby | Rust |
|---|---|---|---|---|---|---|---|---|---|
| SQL Injection | A03 | CWE-89 | 48 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cross-Site Scripting | A03 | CWE-79 | 35 | ✓ | ✓ | ✓ | ✓ | ✓ | — |
| Path Traversal | A01 | CWE-22 | 29 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Hardcoded Credentials | A07 | CWE-798 | 61 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Insecure Deserialization | A08 | CWE-502 | 22 | ✓ | ✓ | ✓ | ✓ | ✓ | — |
| Broken Auth | A07 | CWE-306 | 44 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| SSRF | A10 | CWE-918 | 18 | ✓ | ✓ | ✓ | ✓ | — | — |
| Command Injection | A03 | CWE-78 | 31 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cryptographic Failures | A02 | CWE-327 | 26 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| XML External Entity | A05 | CWE-611 | 15 | ✓ | ✓ | — | ✓ | — | — |
Custom rules
Built-in rules cover OWASP. Custom rules cover your codebase.
Write YAML rules that encode your team's security conventions — internal auth patterns, custom ORM layers, domain-specific injection vectors. With taint tracking support, rules follow data flow rather than matching surface syntax.
```yaml
id: GRCD-CUSTOM-DB-001
severity: medium
language: python
message: Direct DB call in view layer — use repository pattern
paths:
  include: ["**/views/**", "**/api/**"]
pattern-either:
  - pattern: cursor.execute(...)
  - pattern: engine.execute(...)
```
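To make the rule's two halves concrete, the following is an added Python example written for this page; it is not the product's rule engine and does not implement its taint tracking. It emulates how the rule above is evaluated: `paths.include` narrows the scan to files whose path matches a gitignore-style `**` glob, and each `pattern-either` entry of the shape `name.method(...)` matches any call to that method with any arguments, found by walking the Python AST rather than by text search. The rule is embedded as a dict mirroring the YAML (so no YAML library is needed), and the sample files are constructed for the example.

```python
import ast
import re

# Constructed: the page's YAML rule expressed as a Python dict so the example
# runs offline. Keys follow the YAML field names exactly.
RULE = {
    "id": "GRCD-CUSTOM-DB-001",
    "severity": "medium",
    "language": "python",
    "message": "Direct DB call in view layer - use repository pattern",
    "paths": {"include": ["**/views/**", "**/api/**"]},
    "pattern-either": [
        {"pattern": "cursor.execute(...)"},
        {"pattern": "engine.execute(...)"},
    ],
}

# Constructed sample codebase: path -> source. Two files violate the rule,
# one is the sanctioned repository layer (outside the include paths), and one
# view correctly goes through the repository.
FILES = {
    "app/views/user.py": (
        "from db import cursor\n\n"
        "def show(request, uid):\n"
        "    cursor.execute('SELECT * FROM users WHERE id = %s', (uid,))\n"
        "    return cursor.fetchone()\n"
    ),
    "app/api/orders.py": (
        "from db import engine\n\n"
        "def list_orders():\n"
        "    return engine.execute('SELECT * FROM orders')\n"
    ),
    "app/repositories/user_repo.py": (
        "from db import cursor\n\n"
        "def get_user(uid):\n"
        "    cursor.execute('SELECT * FROM users WHERE id = %s', (uid,))\n"
        "    return cursor.fetchone()\n"
    ),
    "app/views/report.py": (
        "from repositories.user_repo import get_user\n\n"
        "def report(request, uid):\n"
        "    return get_user(uid)\n"
    ),
}


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a gitignore-style glob into a regex.

    '**/' matches zero or more leading directories, '/**' matches any suffix,
    a bare '*' matches within a single path component.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("/**", i):
            out, i = out + "(?:/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def path_included(path: str, includes: list) -> bool:
    """True if the path matches at least one include glob."""
    return any(glob_to_regex(g).match(path) for g in includes)


def parse_call_pattern(pattern: str) -> tuple:
    """'cursor.execute(...)' -> ('cursor', 'execute').

    Only this receiver.method(...) shape is supported in this emulation.
    """
    m = re.fullmatch(r"(\w+)\.(\w+)\(\.\.\.\)", pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern shape: {pattern!r}")
    return m.group(1), m.group(2)


def find_calls(source: str, targets: set) -> list:
    """Return line numbers of calls whose receiver/method is in targets."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and (node.func.value.id, node.func.attr) in targets):
            hits.append(node.lineno)
    return hits


def scan(files: dict, rule: dict) -> list:
    """Apply the rule: filter by include paths, then match any listed pattern."""
    targets = {parse_call_pattern(p["pattern"]) for p in rule["pattern-either"]}
    findings = []
    for path, source in sorted(files.items()):
        if not path_included(path, rule["paths"]["include"]):
            continue
        for line in find_calls(source, targets):
            findings.append({"rule": rule["id"], "severity": rule["severity"],
                             "path": path, "line": line, "message": rule["message"]})
    return findings


if __name__ == "__main__":
    for f in scan(FILES, RULE):
        print(f"{f['path']}:{f['line']} [{f['severity']}] {f['rule']}: {f['message']}")
```

Running it reports `app/api/orders.py:4` and `app/views/user.py:4`; the identical `cursor.execute` call in `app/repositories/user_repo.py` is deliberately not reported because the path filter is what encodes "the repository layer is allowed to talk to the database", and `app/views/report.py` is clean because it goes through the repository. That separation is the point of a codebase-specific rule: the built-in CWE-89 rules care about how the query is built, while this rule cares about where in the architecture the call is made.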
CWE-mapped findings, inline in your PR.
Connect a repo and see your first scan results — with rule ID, severity, CWE, and suggested fix — in under 5 minutes.