PeriDex rule format
All Cybrium tools share the same YAML rule format. This is the schema that the AI generates and that the validator checks.
Base schema
```yaml
id: TOOL-PREFIX-NNN
name: Human readable name
description: What this rule detects
severity: critical|high|medium|low|info
category: category-name
match:
  # Tool-specific match criteria (see below)
metadata:
  cve: [CVE-YYYY-NNNNN]
  references:
    - https://example.com/advisory
fix:
  description: How to fix this issue
  terraform: |
    resource "aws_s3_bucket" "example" {
      # fixed configuration
    }
  aws_cli: |
    aws s3api put-bucket-encryption ...
```
Tool-specific match blocks
Cyweb (DAST)
```yaml
match:
  path: /admin/login
  method: GET
  status: 200
  body_contains: "Default password"
  header_contains:
    Server: "Apache/2.4.49"
```
Cyscan (SAST)
```yaml
match:
  pattern: "eval\\(.*\\$_GET"
  language: php
```
Cyprobe (OT)
```yaml
match:
  protocol: modbus
  function_code: 43
  device_id_contains: "Schneider"
```
Cysense (network)
```yaml
match:
  protocol: tcp
  port: 502
  payload_pattern: "\\x00\\x00\\x00"
```
Auto-generated rule IDs
PeriDex assigns IDs with an AUTO prefix:
- CYWEB-AUTO-0001 through CYWEB-AUTO-9999
- CYSCAN-AUTO-0001 through CYSCAN-AUTO-9999
These are distinct from manually authored rules and can be filtered in the platform UI.
Validation criteria
A rule must pass these checks before publishing:
| Check | Threshold |
|---|---|
| YAML syntax valid | Required |
| Required fields present (id, name, description, severity, match) | Required |
| Severity is a valid value | Required |
| ID prefix matches tool | Required |
| Precision (against test corpus) | >= 0.8 |
| Recall (against test corpus) | >= 0.5 |
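
A sketch of the checks in the table above, as an added example (not Cybrium's validator). It assumes the ID prefix is the upper-cased tool name, as in the CYWEB and CYSCAN IDs shown earlier, and uses the standard precision and recall definitions; the sample rule and corpus counts are constructed.

```ruby
require "yaml"

REQUIRED = %w[id name description severity match].freeze
SEVERITIES = %w[critical high medium low info].freeze
MIN_PRECISION = 0.8
MIN_RECALL = 0.5

# Returns a list of failed checks; an empty list means the rule may be published.
# tool: e.g. "cyweb" (assumed prefix rule: upper-cased tool name); tp/fp/fn: test-corpus counts.
def validate_rule(yaml_text, tool:, tp:, fp:, fn:)
  begin
    rule = YAML.safe_load(yaml_text) # safe_load refuses arbitrary object tags
  rescue Psych::Exception => e
    return ["yaml syntax: #{e.message}"]
  end
  return ["yaml syntax: top level is not a mapping"] unless rule.is_a?(Hash)
  failures = []
  missing = REQUIRED.reject { |k| rule.key?(k) && !rule[k].nil? }
  failures << "missing fields: #{missing.join(', ')}" unless missing.empty?
  if rule["severity"] && !SEVERITIES.include?(rule["severity"])
    failures << "invalid severity: #{rule['severity']}"
  end
  if rule["id"] && !rule["id"].to_s.start_with?("#{tool.upcase}-")
    failures << "id prefix does not match tool #{tool}"
  end
  # Assumed standard definitions: precision = TP/(TP+FP), recall = TP/(TP+FN).
  precision = (tp + fp).zero? ? 0.0 : tp.to_f / (tp + fp)
  recall = (tp + fn).zero? ? 0.0 : tp.to_f / (tp + fn)
  failures << format("precision %.2f < %.1f", precision, MIN_PRECISION) if precision < MIN_PRECISION
  failures << format("recall %.2f < %.1f", recall, MIN_RECALL) if recall < MIN_RECALL
  failures
end

# Constructed sample rule, reusing the Cyweb match block from this page.
SAMPLE = <<~YAML
  id: CYWEB-AUTO-0001
  name: Default admin password page
  description: Login page advertises a default password
  severity: high
  category: default-credentials
  match:
    path: /admin/login
    method: GET
    status: 200
    body_contains: "Default password"
YAML
puts validate_rule(SAMPLE, tool: "cyweb", tp: 9, fp: 1, fn: 6).inspect
```
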