Can I use DevSkim to detect and flag based not on file content but file name, file extension, existence or other file metadata?

[JaneX8]

I am wondering if I can flag files based on file name or extension? And preferably in combination with other files. Example use-case:

The scan folder contains an '.exe' file. I want to flag that exe file with the warning that pre-build files should not be part of the repository as it makes it harder to audit and verify the source code.

Preferably in combination with other files or folders. Such as, only flag the .exe file when the scan directory also contains a .git folder (not unlikely and indicating it's a git repo).

Or flag any blob for that matter. Perhaps files without file extension.

Or on any other metadata like, binaries unsinged by a trusted certificate etc.

[gfs]

There's a difficult here introduced with that the target is exes - which naturally are not really going to play nice with text matching. But conceptually only surfacing matches if other matches to other rules exist in the result set is supported via Tags and the Depends On Tags field documented here: https://github.com/microsoft/ApplicationInspector/wiki/3.7-Depends-On-Tags. This intrinsically operate on a folder based basis - but you can scope the scan to the folder in question - you'd then have a rule that sets the "HasAGitFolder" tag, and another rule with dependsOnTags set for that tag.

I haven't explicitly tested what kind of match pattern might work against an exe file, because the content itself is going to be binary offhand I'm not positive there should be a few ways to write an 'always match these files' rule and just filter it by extensions using the AppliesToFileRegex https://github.com/microsoft/ApplicationInspector/wiki/3.1.-Rule-Object-Schema#applies_to_file_regex or probably even better by Defining the custom File type for exes by extension and using that.

Its tougher when you want to just detect blobs but not based on file extension and for the last portion of the question, DevSkim doesn't have the capability to dig into binaries to check signatures and construct rules on that basis. This sort of sounds in the wheelhouse of AttackSurfaceAnalyzer https://github.com/microsoft/attacksurfaceanalyzer but the workflow/intended use and rule format is pretty different.