
Rule Security Analyzer tool

The Rule Security Analyzer tool identifies potential security risks in your application's rules that could make it vulnerable to attacks such as cross-site scripting (XSS) or SQL injection.

These vulnerabilities typically arise only in non-autogenerated rules, that is, rules whose content a developer writes by hand, such as stream rules (HTML, JSP, XML, or CSS) and custom Java or SQL statements.

The Rule Security Analyzer scans non-autogenerated rules, comparing each line of a rule's source with a regular expression and reporting the lines that match. The tool examines text, HTML, JavaScript, and the Java code in function rules and in individual activity Java method steps, as well as other content depending on the rule type. The rule types that the Rule Security Analyzer scans are HTML, Control, Harness, Section, HTML Fragment, Flow Action, Paragraph, Text File, Function, Activity, ListView, Correspondence Fragment, and Correspondence.

The Rule Security Analyzer searches for vulnerabilities in code by looking for matches to regular expressions (regex) defined in Rule Analyzer Regular Expression rules. Several Rule Analyzer Regular Expression rules are provided as examples for finding common vulnerabilities. You can also create your own Rule Analyzer Regular Expression rules to search for other patterns.

Run the Rule Security Analyzer tool as part of your regular development and testing process to confirm that your application is secure. Because each run matches against one regular expression rule, run the tool several times, once for each regular expression rule, so that every class of pattern is checked. This helps you find and fix potential vulnerabilities effectively.
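To make the scanning model concrete, the following is an added example (not Pega's own code, and not the regular expressions Pega ships) that does what the analyzer does: it compares every line of each rule's source with a regular expression and collects the matches, then repeats the scan once per regular expression rule, as recommended above. The three patterns, the rule names, the rule source, and the `encode(` output-encoding helper that the JSP pattern treats as safe are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One line of one rule that matched one pattern."""
    rule_name: str
    pattern_name: str
    line_no: int
    line: str


# Constructed patterns in the spirit of Rule Analyzer Regular Expression rules.
# They are illustrative assumptions, not the patterns Pega ships. "encode(" stands
# in for whatever output-encoding helper an application uses; the JSP pattern
# flags an expression only when no encode( call appears inside it.
PATTERNS = {
    # JSP expression written straight into the page without an encode( call
    "jsp-unencoded-expression": re.compile(r"<%=(?![^%]*\bencode\()[^%]*%>"),
    # DOM sinks that render attacker-controlled markup (classic XSS)
    "js-html-sink": re.compile(r"\bdocument\.write(?:ln)?\s*\(|\.innerHTML\s*="),
    # SQL keyword inside a string literal that is then concatenated (classic SQLi)
    "java-sql-concat": re.compile(
        r"(?i)\"[^\"]*\b(?:select|insert|update|delete)\b[^\"]*\"\s*\+"
    ),
}


def scan_rule(rule_name: str, source: str, pattern_name: str,
              pattern: re.Pattern) -> list[Finding]:
    """Compare every line of one rule's source with one regex, like a single run."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if pattern.search(line):
            findings.append(Finding(rule_name, pattern_name, line_no, line.strip()))
    return findings


def scan_ruleset(rules: dict[str, str], patterns=PATTERNS) -> dict[str, list[Finding]]:
    """Run the scan once per regex rule and group the hits by pattern name."""
    report = {}
    for pattern_name, pattern in patterns.items():
        hits = []
        for rule_name, source in rules.items():
            hits.extend(scan_rule(rule_name, source, pattern_name, pattern))
        report[pattern_name] = hits
    return report


# Constructed rule sources for the example (not from a real application).
# Line 2 of the HTML rule and line 2 of the activity step are the safe forms;
# the scanner should report only lines 1 and 3 of the HTML rule and line 1 of the step.
SAMPLE_RULES = {
    "HTML:ShowCustomer": (
        "<div class=\"name\"><%= tools.getProperty(\"pyWorkPage.pyLabel\") %></div>\n"
        "<div class=\"safe\"><%= encode(tools.getProperty(\"pyWorkPage.pyLabel\")) %></div>\n"
        "<script>document.write('<b>' + customerNote + '</b>');</script>\n"
    ),
    "Activity:FindOrders:Step3": (
        "String sql = \"SELECT * FROM orders WHERE customer = '\" + customerId + \"'\";\n"
        "String safeSql = \"SELECT * FROM orders WHERE customer = ?\";\n"
    ),
}


def main():
    # Every hit is a candidate for review, not a confirmed vulnerability:
    # the jsp pattern, for example, cannot tell whether the value came from user input.
    report = scan_ruleset(SAMPLE_RULES)
    for pattern_name, hits in report.items():
        print(f"== {pattern_name}: {len(hits)} match(es)")
        for f in hits:
            print(f"  {f.rule_name} line {f.line_no}: {f.line}")


if __name__ == "__main__":
    main()
```

Each regex is deliberately narrow and line-based, which is why a reviewer still has to triage the output: the SQL pattern cannot see a concatenation that continues on the next line, and the JSP pattern will flag a constant that no attacker controls. That is the trade-off the caution below is about.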

Caution: Have trained security staff review the output of the Rule Security Analyzer tool. Every match is a candidate, not a confirmed vulnerability; trained reviewers are better able to identify false positives and to remediate the rules that do contain vulnerabilities.

Run the Rule Security Analyzer before locking a ruleset, so that you can identify and correct issues in rules while they can still be edited. A run through the different regular expressions takes a couple of minutes.

For more information on the Rule Security Analyzer, review the following help documents: Analyzing security vulnerability, Implementing security guidelines for custom HTML, and Regular Expression rules.

Security excellence webinar

For additional details on security design, see the Security excellence webinar.
