Rule Naming & IDs
Sttor rules use stable, human-readable IDs (example: CODE-0001, CODE-0002). These IDs are designed to be:
- Stable over time (safe to reference in policies, suppressions, and audits)
- Searchable (UI + exports)
- Portable (works across tenants and deployment models)
Where Rule IDs Appear
Rule IDs show up in:
- Issue Tracker list (filters like “Rule ID”)
- Issue details page (primary identifier)
- PR scan results and PR annotations
- Branch scan reports and exports
- Suppressions / False Positive / Acceptable Risk actions
- Compliance scoring and compliance reports (only “in-scope” issues count)
Recommended ID conventions (optional but strongly suggested)
If you want clearer separation by domain, you can keep CODE-0001 for SAST while introducing additional prefixes:
- CODE-#### → SAST
- PACKAGE-#### → SCA
- SECRET-#### → Secrets
- IAC-#### → IaC
- LICENSE-#### → License
This makes it easier for developers and auditors to understand the origin of a finding at a glance—without relying on tags.
How Rules are Documented in Sttor
Instead of creating a separate documentation page for each rule, Sttor documents rules as tables per category.
Standard rule table columns
Each rule is documented with the following fields:
| Field | Meaning |
|---|---|
| ID | Stable rule identifier (for example, CODE-0001) |
| Title | Short, developer-friendly rule title |
| Description | Explains what the rule detects and why it is important |
| Remediation | High-level guidance on how to fix or mitigate the issue |
| Tags | Searchable labels (language, framework, weakness category, compliance mappings, etc.) |
Optional (but highly useful) enrichments you can add:
- Severity (Critical/High/Medium/Low)
- Applies To (language/framework/file type)
- Compliance Mapping (SOC2 / PCI / RBI / NIST controls)
- References (secure coding guides, vendor advisory links)
- Default Policy Action (warn / report / block)
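As an added example (not Sttor's own code), here is a small Python check that applies the prefix convention above and the standard rule table columns: it classifies a rule ID by its prefix, parses a rule table into records, and flags suppression entries that reference no documented rule ID. The prefix map follows this page's convention; the sample table and the function names are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Prefix -> scanner domain, following the convention recommended on this page.
DOMAIN_BY_PREFIX = {"CODE": "SAST", "PACKAGE": "SCA", "SECRET": "Secrets",
                    "IAC": "IaC", "LICENSE": "License"}
# Uppercase prefix, a hyphen, exactly four digits (e.g. CODE-0001).
RULE_ID_RE = re.compile(r"^(?P<prefix>[A-Z]+)-\d{4}$")
COLUMNS = ["ID", "Title", "Description", "Remediation", "Tags"]


def classify_rule_id(rule_id: str) -> Optional[str]:
    """Return the scanner domain for a rule ID, or None if it is malformed or has an unknown prefix."""
    m = RULE_ID_RE.match(rule_id)
    return DOMAIN_BY_PREFIX.get(m.group("prefix")) if m else None


def parse_rule_table(markdown: str) -> List[Dict[str, object]]:
    """Parse a rule table with the standard columns; reject rows whose ID breaks the convention."""
    rows = [ln.strip() for ln in markdown.splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    if header != COLUMNS:
        raise ValueError(f"unexpected columns: {header}")
    rules = []
    for row in rows[2:]:  # skip the header and the |---| separator row
        cells = [c.strip() for c in row.strip("|").split("|")]
        if len(cells) != len(COLUMNS):
            raise ValueError(f"malformed row: {row}")
        rule = dict(zip(COLUMNS, cells))
        if classify_rule_id(rule["ID"]) is None:
            raise ValueError(f"invalid or unknown rule ID: {rule['ID']}")
        # Tags are a comma-separated list of searchable labels.
        rule["Tags"] = [t.strip() for t in rule["Tags"].split(",") if t.strip()]
        rules.append(rule)
    return rules


def stale_suppressions(suppressed_ids: List[str], rules: List[Dict[str, object]]) -> List[str]:
    """Suppression entries that reference no documented rule ID (mistyped or retired IDs)."""
    known = {r["ID"] for r in rules}
    return [s for s in suppressed_ids if s not in known]


# Constructed sample table (not from the page); rule contents are illustrative only.
SAMPLE_TABLE = """
| ID | Title | Description | Remediation | Tags |
|---|---|---|---|---|
| CODE-0001 | Example SAST rule | Detects an unsafe call in source code | Use the safe API instead | python, injection |
| SECRET-0001 | Example secrets rule | Detects a hard-coded credential | Move the secret to a vault | secrets, soc2 |
"""
```

Running `stale_suppressions` against the documented table is a cheap audit that a suppression or acceptable-risk entry still points at a real, stable rule ID.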
Example rule row expanded (showing description + remediation + tags)