
Announcing Jit's Customizable SAST Rulesets: Detect Security Issues Unique to Your Environment

Customize SAST analysis to your tech stack and risk mitigation strategy

By Jit

Published March 18, 2025.


We’re excited to announce Jit's Customizable SAST Rulesets, a powerful new feature that allows AppSec and DevOps teams to create and manage custom Semgrep rules tailored to their specific security needs. 

With Jit orchestrating Semgrep scans across the entire codebase and continuously analyzing every code change, teams can now ensure security gaps are identified and addressed before they reach production.

Traditional Static Application Security Testing (SAST) tools come with out-of-the-box rulesets designed to detect common vulnerabilities. However, many organizations have unique security requirements based on their codebase, infrastructure, and compliance needs. Generic SAST rules can't always catch environment-specific risks—leaving gaps in security coverage and allowing critical vulnerabilities to slip through undetected.

Now, Jit customers can close those gaps by building their own SAST rulesets. Jit users can also integrate with Semgrep Pro, which provides extensive out-of-the-box rulesets in addition to the free version, while also enabling customized SAST rule development and implementation.

How Customizable SAST Rulesets Help Our Customers

Defining and managing custom Semgrep rules is simple with Jit. Here’s how our customers can benefit:

  • Tailored Security Coverage: Easily add, edit, and manage Semgrep rules to detect vulnerabilities that matter most to your organization.

  • Seamless YAML Validation: YAML files with syntax errors are automatically flagged, ensuring your rules work as expected.

  • Flexible Rule Management: Rules can be managed in the Jit SaaS platform or as-code in a centralized repo within your GitHub or GitLab environment.

  • Future Enhancements: Soon, you'll be able to create and manage rules directly in a structured table view within Jit's SaaS platform—no YAML editing required.

  • Expanding Beyond SAST: In the future, custom rules will apply across all Jit scanners, including secrets detection, Software Composition Analysis (SCA), Infrastructure-as-Code (IaC) scanning, and container security.

How It Works

Setting up custom Semgrep rules in Jit is straightforward:

Navigate to the Semgrep Settings Page

  • Go to the "Settings" menu in Jit’s platform.

  • Click on "Sales Tools," then select "Semgrep."

Build and Manage Your Semgrep Configurations

View, edit, or upload your custom Semgrep YAML configuration file.

When uploading your YAML, make sure to include the following configurations:

  • id: name the rule

  • patterns: create a pattern to detect specific code security weaknesses

  • message: describe the issue and any other information developers or AppSec team members should see when the code issue is detected

  • severity: Typically, this is "critical", "high", "medium", or "low"

  • languages: specify the programming language the rule applies to

Hit "Save" to apply the new ruleset to all of your SAST scans

  • Once saved, your custom rules will automatically be enforced across all Jit-powered Semgrep scans.

  • These scans include full codebase analyses (daily scans) and continuous scans on every pull request or merge request.

Alternatively, manage your Semgrep ruleset as code in your Jit centralized repository

  • This configuration can also be added and managed as code within your GitHub or GitLab environment.

Prioritization with Jit’s Context Engine

  • Security findings detected by Semgrep will be automatically prioritized based on runtime and business context, ensuring that teams focus on the most critical vulnerabilities first.

Strengthen Your Code Security with Custom SAST Rules

Jit's Customizable SAST Rulesets empower security and development teams to go beyond generic security scanning. By making it easy to define and enforce custom rules, organizations can gain deeper visibility into security issues specific to their environment—without disrupting developer workflows.

This feature is now generally available for all Jit customers. Start customizing your SAST rules today! Not yet a Jit customer? Start a free trial.