Operator Reference
Each operator defines how a field value is compared against a pattern string.
String operators
CONTAINS
Substring match. Case-sensitive.
IF command CONTAINS "rm -rf"
Matches: sudo rm -rf /tmp, rm -rf ., echo rm -rf
EQUALS
Exact string match.
IF tool EQUALS "Bash"
Matches only the exact string Bash.
STARTS_WITH
Prefix match.
IF command STARTS_WITH "git "
Matches: git status, git push. Does not match: echo git.
ENDS_WITH
Suffix match.
IF path ENDS_WITH ".env"
Matches: .env, src/.env. Does not match: .env.local.
Pattern operators
GLOB
Shell-style glob patterns.
IF path GLOB "src/**/*.test.ts"
- * (single asterisk) matches any characters except / (the path separator)
- ** (double asterisk) matches any characters including /
- ? matches a single character
REGEX
Regular expression (JavaScript syntax).
IF command REGEX "npm install\\s+\\S+@\\^"
Safety limits:
- Max pattern length: 500 characters
- Nested quantifiers blocked (ReDoS prevention)
- Invalid patterns fail-secure (match, triggering the rule)
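As an added example (not the project's code), the function below applies the three safety limits listed above before a pattern is compiled: a length cap, a nested-quantifier check, and fail-secure handling of patterns that do not compile. The nested-quantifier detector is an assumed simple heuristic that flags a quantified group that is itself quantified, such as (a+)+; it is not a full ReDoS analyser.

```javascript
// Added example (not the project's code): REGEX operator with the safety
// limits from the reference. Any rejected or invalid pattern is reported as a
// match so that the rule it belongs to still fires (fail-secure).
const MAX_PATTERN_LENGTH = 500;

// Heuristic (assumption): a group containing `+` or `*` that is itself
// followed by `+` or `*`, e.g. "(a+)+" or "(\d*)*". These shapes are the
// classic source of catastrophic backtracking.
const NESTED_QUANTIFIER = /\([^()]*[+*][^()]*\)[+*]/;

function regexMatch(value, pattern) {
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { matched: true, reason: "pattern too long" };
  }
  if (NESTED_QUANTIFIER.test(pattern)) {
    return { matched: true, reason: "nested quantifier" };
  }
  let re;
  try {
    re = new RegExp(pattern);
  } catch (err) {
    return { matched: true, reason: "invalid pattern" };
  }
  return { matched: re.test(value), reason: null };
}
```

Because a rejected pattern evaluates as matched, a misconfigured DENY rule blocks rather than silently allowing; the reason field is what a rule author would surface in logs to tell a real match from a rejected pattern.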
WORD
Word-boundary match without regex overhead. O(n) linear scan.
IF command WORD "rm"
Matches rm -rf and sudo rm file but not format or inform.
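An added example (not the project's code) of a word-boundary match done as a plain scan over the value, without compiling a RegExp. It assumes the same notion of word character as JavaScript's \w, namely letters, digits and underscore, so rm is found in sudo rm file but not in format, inform or rm_old.

```javascript
// Added example (not the project's code): WORD operator as a linear scan.
// A word character is assumed to be [A-Za-z0-9_]; `undefined` (past either
// end of the string) counts as a boundary.
function isWordChar(ch) {
  return ch !== undefined && /[A-Za-z0-9_]/.test(ch);
}

function wordMatch(value, word) {
  const n = value.length;
  const m = word.length;
  if (m === 0) return false;
  // One pass over the value; at each offset check for the word and that the
  // characters on both sides are not word characters.
  for (let i = 0; i + m <= n; i++) {
    if (
      value.startsWith(word, i) &&
      !isWordChar(value[i - 1]) &&
      !isWordChar(value[i + m])
    ) {
      return true;
    }
  }
  return false;
}
```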
Line-aware operators
These operators process the field value line-by-line and strip // comments before matching. Useful for code content analysis.
LINE_CONTAINS
Per-line substring match after stripping // comments.
IF content LINE_CONTAINS "console.log"
Matches console.log("hello") but not // console.log("debug").
LINE_REGEX
Per-line regex match after stripping // comments.
IF content LINE_REGEX "@ts-ignore"
Comments are stripped before matching, so a line consisting only of the comment // @ts-ignore is reduced to an empty string and does not match. The pattern matches only when @ts-ignore appears in the non-comment portion of a line.
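The following added example (not the project's code) shows the per-line behaviour of both operators over a small constructed code sample. The comment stripping is assumed to be the simplest possible one: everything from the first // to the end of the line is dropped, without any awareness of string literals, so a line such as fetch("http://x") would also be truncated at the //. The page does not say how the real operators treat that case, which is worth checking before relying on LINE_CONTAINS for URLs.

```javascript
// Added example (not the project's code): LINE_CONTAINS and LINE_REGEX.
// Assumption: `//` to end of line is a comment regardless of context.
function stripLineComment(line) {
  const i = line.indexOf("//");
  return i === -1 ? line : line.slice(0, i);
}

function splitLines(content) {
  return content.split(/\r?\n/);
}

// True if any line contains `needle` after its `//` comment is removed.
function lineContains(content, needle) {
  return splitLines(content).some((line) => stripLineComment(line).includes(needle));
}

// True if any line matches `pattern` after its `//` comment is removed.
function lineRegex(content, pattern) {
  const re = new RegExp(pattern);
  return splitLines(content).some((line) => re.test(stripLineComment(line)));
}

// Constructed sample: one real call, one commented-out call, one bare
// @ts-ignore comment, and one @ts-ignore inside a string literal.
const SAMPLE_CONTENT = [
  'const x = 1; // console.log("debug")',
  "// @ts-ignore",
  'console.log("hello")',
  'const note = "@ts-ignore";',
].join("\n");
```

lineRegex compiles the pattern directly; in a real evaluator it would go through the same length and nested-quantifier limits as the REGEX operator.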
NOT modifier
All operators support negation:
IF command NOT CONTAINS "echo"
IF path NOT GLOB "*.test.ts"
IF tool NOT EQUALS "Read"
NOT inverts the match result. Useful for allowlists:
rule only-allow-echo {
DENY execution
IF command NOT STARTS_WITH "echo"
MESSAGE "Only echo commands allowed."
}
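To show how NOT composes with the string operators, here is an added example (not the project's code) of a minimal evaluator that runs the only-allow-echo rule above against constructed commands. The object form of the rule and the field map are assumptions; the page does not show the real parser or rule representation.

```javascript
// Added example (not the project's code): string operators plus the NOT
// modifier, applied to the allowlist rule from the reference.
const OPERATORS = {
  CONTAINS: (value, pattern) => value.includes(pattern),
  EQUALS: (value, pattern) => value === pattern,
  STARTS_WITH: (value, pattern) => value.startsWith(pattern),
  ENDS_WITH: (value, pattern) => value.endsWith(pattern),
};

// fields: { command: "...", path: "...", tool: "..." } (assumed field map)
// cond:   { field, operator, pattern, negate } (assumed condition shape)
function evaluateCondition(fields, cond) {
  const op = OPERATORS[cond.operator];
  if (!op) throw new Error(`unknown operator ${cond.operator}`);
  const value = fields[cond.field] ?? "";
  const matched = op(value, cond.pattern);
  return cond.negate ? !matched : matched; // NOT inverts the match result
}

// rule only-allow-echo { DENY execution IF command NOT STARTS_WITH "echo" ... }
const ONLY_ALLOW_ECHO = {
  name: "only-allow-echo",
  action: "DENY",
  condition: { field: "command", operator: "STARTS_WITH", pattern: "echo", negate: true },
  message: "Only echo commands allowed.",
};

// A rule fires when its condition holds; otherwise the action is not applied.
function applyRule(rule, fields) {
  if (evaluateCondition(fields, rule.condition)) {
    return { decision: rule.action, message: rule.message };
  }
  return { decision: "ALLOW", message: null };
}
```

Because STARTS_WITH inspects only the beginning of the field value, an allowlist built this way is normally combined with further conditions over the remainder of the command rather than used on its own.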