firmis validate — Validate Rule Files
A rule with a broken regex doesn’t fail loudly — it just stops matching. firmis validate catches typos, invalid patterns, and schema errors in your YAML rule files before they cause silent gaps in your coverage.
Run this before committing custom rules. Run it in CI to make sure your rule library stays healthy.
When to use this
- Before committing: You've written a new detection rule. Run `validate` to confirm the regex compiles, the schema is correct, and the severity field is valid before pushing.
- After editing rules: Tweaked a pattern to reduce false positives? Validate it first — a subtle regex typo can break the rule entirely.
- CI rule hygiene: Add `firmis validate --built-in --strict` to your CI pipeline alongside your scans to catch any rule regressions introduced by contributors.
- Debugging a missed detection: If a rule isn't firing when you expect it to, validate the rule file — an invalid regex silently produces zero matches.
```sh
firmis validate [rules...] [options]
```

Pass specific rule files or directories. If no arguments are given, Firmis validates all files in the default rules directory.
What gets checked
Firmis validates:
- YAML syntax — the file parses without errors
- Schema compliance — required fields (`id`, `name`, `severity`, `patterns`) are present and correctly typed
- Regex compilation — every pattern in the rule compiles without throwing a JavaScript `RegExp` error
- Severity values — only `low`, `medium`, `high`, `critical` are valid
- Rule ID uniqueness — duplicate IDs across files will cause silent overrides

In `--strict` mode, regex warnings (overly broad patterns, unnecessary flags) are promoted to errors.
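As an added example (not Firmis's own code), here is how the checks above look when implemented over already-parsed rule objects: YAML parsing by a library such as js-yaml is assumed, and the two rule files below are constructed inline so the block runs offline.

```javascript
// Added example, not Firmis's own code: the checks described above run over
// rule objects that a YAML parser (e.g. js-yaml, assumed) has already produced.
const SEVERITIES = new Set(['low', 'medium', 'high', 'critical']);
const REQUIRED = ['id', 'name', 'severity', 'patterns'];

// files: [{ path, rules: [{ id, name, severity, patterns }] }]
// Returns { errors, warnings }; with strict, warnings are promoted to errors.
function validateRules(files, { strict = false } = {}) {
  const errors = [], warnings = [];
  const seen = new Map(); // rule id -> path of the file that defined it first
  for (const { path, rules } of files) {
    for (const rule of rules) {
      const tag = `${path}:${rule.id ?? '<no id>'}`;
      // Schema: required fields present, patterns is a list
      for (const f of REQUIRED) if (!(f in rule)) errors.push(`${tag} missing "${f}"`);
      const patterns = Array.isArray(rule.patterns) ? rule.patterns : [];
      if ('patterns' in rule && !Array.isArray(rule.patterns)) errors.push(`${tag} "patterns" must be a list`);
      // Severity: only the four known values
      if ('severity' in rule && !SEVERITIES.has(rule.severity)) errors.push(`${tag} invalid severity "${rule.severity}"`);
      // Regex: each pattern must compile as a JavaScript RegExp
      for (const p of patterns) {
        let re;
        try { re = new RegExp(p); } catch (e) { errors.push(`${tag} invalid regex /${p}/: ${e.message}`); continue; }
        // Warning: a pattern that matches the empty string matches every input
        if (re.test('')) warnings.push(`${tag} overly broad pattern /${p}/`);
      }
      // Uniqueness: a duplicate id across files silently overrides the earlier rule
      if (rule.id !== undefined) {
        if (seen.has(rule.id)) errors.push(`${tag} duplicate id (also in ${seen.get(rule.id)})`);
        else seen.set(rule.id, path);
      }
    }
  }
  return strict ? { errors: errors.concat(warnings), warnings: [] } : { errors, warnings };
}

// Constructed sample: a broken regex, a bad severity, a broad pattern, and an id reused across files.
const SAMPLE_FILES = [
  { path: 'rules/custom/my-rules.yaml', rules: [
    { id: 'my-rule-001', name: 'Hardcoded Slack token', severity: 'high', patterns: ['xox[baprs]-[0-9A-Za-z-]+'] },
    { id: 'my-rule-003', name: 'Broken', severity: 'high', patterns: ['sk-[a-z0-9+/'] },
    { id: 'my-rule-004', name: 'Broad', severity: 'urgent', patterns: ['.*'] },
  ] },
  { path: 'rules/custom/more.yaml', rules: [
    { id: 'my-rule-001', name: 'Duplicate id', severity: 'low', patterns: ['AKIA[0-9A-Z]{16}'] },
  ] },
];

console.log(validateRules(SAMPLE_FILES, { strict: true }).errors.join('\n'));
```

Without `strict` the sample yields three errors and one warning; with `strict` the broad-pattern warning becomes a fourth error.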
Options
| Flag | Type | Default | Description |
|---|---|---|---|
| `--strict` | boolean | false | Treat regex warnings as errors — recommended before shipping rules to production |
| `--built-in` | boolean | false | Also validate Firmis's 209 built-in rules — useful to confirm nothing broke after a version upgrade |
Examples
Validate a custom rule file before committing

```sh
npx firmis validate rules/custom/my-rules.yaml
```

Validate all rules in strict mode (recommended for CI)

```sh
npx firmis validate --built-in --strict
```

Validate a directory of custom rules

```sh
npx firmis validate rules/custom/
```

Validate before every scan in a script

```sh
npx firmis validate rules/ && npx firmis scan --config .firmisrc
```

Example output

```
Validating: rules/custom/my-rules.yaml

✓ my-rule-001 "Hardcoded Slack token"
✓ my-rule-002 "Overly permissive filesystem access"
✗ my-rule-003 Invalid regex: missing closing bracket in pattern /sk-[a-z0-9+/
✓ my-rule-004 "Tool description injection pattern"

1 error found. Fix before running scans.
```

Related
- Custom Rules — how to write your own YAML detection rules
- Rules Overview — how the rule engine evaluates patterns and assigns confidence scores