# Rules

### What is a Rule?

In Gomboc, a **rule** is the executable unit that:

* **Finds** issues in the code
* **Applies** a concrete fix to the code

Rules are implemented in **ORL** and stored in the Gomboc [**Rules Service**](https://docs.gomboc.ai/orl/publish/orl-rule-service-api).

#### The data model has three key objects:

1. **Rule**\
   A rule-like object with:
   * `name` - unique internal identifier
   * `shortName` - display name
   * `annotations` - key/value tags (e.g., provider, framework, risk)
   * `metadata` - extra details (for ORL rules: priority, language, etc.)
   * `body` / `data` - the ORL rule itself (audit + remediation logic)
2. **Classification**\
   Arbitrary groupings of rules (e.g., “Encryption at Rest”)\
   Classifications are how we:
   * Group rules into higher-level concepts (policies & frameworks)
   * Tag rules with framework mappings and other metadata
3. **Channel**\
   A named saved search that returns a set of rules.
   * Example: `<tenant-id>/default`, or `<tenant-id>/ruleset/hardening`
   * Gomboc workspaces/scans refer to channels to decide *which rules to run*
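As an added illustration (not Gomboc's own code or the Rules Service schema), the following Python sketch models the three objects and shows how a channel, acting as a saved search over classifications and annotations, resolves to the rule set a scan would run. All rule names, tags and the `RulesCatalog` class are constructed for this example:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    name: str                                         # unique internal identifier
    short_name: str                                   # display name
    annotations: dict = field(default_factory=dict)   # e.g. provider, framework, risk
    metadata: dict = field(default_factory=dict)      # e.g. priority, language
    body: str = ""                                    # ORL rule text (placeholder here)

@dataclass
class Classification:
    name: str                                         # e.g. "Encryption at Rest"
    rule_names: set = field(default_factory=set)

@dataclass
class Channel:
    name: str                                         # e.g. "<tenant-id>/ruleset/hardening"
    classifications: set = field(default_factory=set) # rule must belong to at least one
    annotations: dict = field(default_factory=dict)   # every key/value must match

class RulesCatalog:
    """Hypothetical in-memory stand-in for the Rules Service (constructed)."""
    def __init__(self):
        self.rules, self.classifications = {}, {}

    def add_rule(self, rule):
        if rule.name in self.rules:                   # name is the unique identifier
            raise ValueError(f"duplicate rule name: {rule.name}")
        self.rules[rule.name] = rule

    def classify(self, classification, *rule_names):
        c = self.classifications.setdefault(classification, Classification(classification))
        c.rule_names.update(rule_names)

    def resolve(self, channel):
        """Run the channel's saved search: the rules a scan referring to it executes."""
        selected = []
        for rule in self.rules.values():
            in_class = not channel.classifications or any(
                rule.name in self.classifications.get(c, Classification(c)).rule_names
                for c in channel.classifications)
            tags_ok = all(rule.annotations.get(k) == v for k, v in channel.annotations.items())
            if in_class and tags_ok:
                selected.append(rule.name)
        return sorted(selected)

def build_sample_catalog():
    cat = RulesCatalog()                              # constructed sample rules
    cat.add_rule(Rule("s3-sse", "S3 encryption", {"provider": "aws", "risk": "high"}))
    cat.add_rule(Rule("rds-sse", "RDS encryption", {"provider": "aws", "risk": "medium"}))
    cat.add_rule(Rule("gcs-cmek", "GCS CMEK", {"provider": "gcp", "risk": "high"}))
    cat.add_rule(Rule("sg-open", "Open security group", {"provider": "aws", "risk": "critical"}))
    cat.classify("Encryption at Rest", "s3-sse", "rds-sse", "gcs-cmek")
    return cat
```

A channel with no classifications and no annotations behaves like a tenant `default` channel and returns every rule; a narrower channel intersects its classification membership with its annotation filters.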

### Publish Rules

Learn how to [publish custom rules](https://docs.gomboc.ai/orl/publish).

### Browsing Rules

The Advanced tab displays the individual rules that make up a policy. This is useful for understanding the granular checks that Gomboc performs.

#### **Rule Information**

Each rule in the Advanced view shows:

| Field | Description |
| --- | --- |
| **Severity** | The severity level of the rule (Low, Medium, High, Critical) |
| **Risk** | The risk level if the rule is violated |
| **Rule** | The full rule name and description |
| **Rule ID** | A unique identifier for the rule (e.g., `gomboc-ai/api_key_authentication_for_hashicorp__aws-resources-aws_appsync_graphql_api`) |
| **Provider / Resource** | The infrastructure stack this rule applies to |

#### **Expanding Rules**

Click on any rule row to expand it and view:

* **Code Sample**: A fixed code example specific to that rule
* **Resource**: The exact resource type the code applies to

The expandable rows allow you to quickly review multiple rules and their corresponding remediation code.

#### **Example Rule Structure**

<figure><img src="https://3084082483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9X3GhAYjoqbnAMyhHhAr%2Fuploads%2FvKZryuRzis1ceH92efQG%2FScreenshot%202026-03-19%20at%205.15.55%E2%80%AFPM.png?alt=media&#x26;token=2bcc47ca-7b89-4294-9f9f-3c519688bef4" alt=""><figcaption></figcaption></figure>
