
Tutorial: Custom Rulesets

This tutorial shows how to fork the default CRA ruleset, add custom requirements, and assign it to a product.

The default ruleset covers all 401 CRA requirements. But your organization may need:

  • Additional industry-specific requirements (medical devices, automotive, finance)
  • Stricter thresholds than the CRA minimum
  • Internal security policies encoded as assessable requirements
  • Simplified rulesets for products with limited scope

Export the default catalog to a file you can edit (pretty-printed so later diffs stay readable):

```sh
jq '.' catalog/compiled/catalog.json > my-ruleset.json
```

Upload it to the Fleet API:

```sh
# FLEET_URL is the base URL of your Fleet deployment (variable name assumed here; set it for your environment)
# Build the request body with jq: the full catalog can exceed the shell's argument length limit,
# so it is written to a file rather than passed inline to -d
jq -n --arg name acme-corp-ruleset --arg version 1.0.0 \
      --arg description "ACME Corp CRA ruleset with additional HIPAA requirements" \
      --slurpfile catalog my-ruleset.json \
      '{name: $name, version: $version, description: $description, catalog_json: $catalog[0]}' \
  > create-ruleset.json

curl -X POST "$FLEET_URL/api/v1/assessment/rulesets" \
  -H "Authorization: Bearer $FLEET_API_KEY" \
  -H "Content-Type: application/json" \
  --data-binary @create-ruleset.json
```

Note the returned id — you’ll need it to assign the ruleset.

Edit my-ruleset.json to add a custom requirement. For example, adding a HIPAA data encryption requirement to the Storage category:

```json
{
  "id": "STOR-HIPAA-01-R1",
  "risk_id": "STOR-HIPAA-01",
  "text": "The product shall encrypt all PHI at rest using AES-256 or stronger",
  "assessment_method": "Config review + code review",
  "evidence_type": "Semi"
}
```

Add it to the appropriate feature’s requirements array, and add the corresponding risk to the risks array:

```json
{
  "id": "STOR-HIPAA-01",
  "description": "Protected Health Information exposure",
  "annex_ref": "I.3(d) - stored data protection + HIPAA 164.312(a)(2)(iv)"
}
```
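As an added example (not part of this tutorial or the Fleet project), the following Python script inserts the HIPAA risk and requirement into a forked catalog and then checks the result for the inconsistencies that slip in when editing by hand: duplicate ids, a requirement whose risk_id matches no risk, and an id that does not follow the `<risk_id>-R<n>` pattern. The nesting of categories, features, risks and requirements in SAMPLE_CATALOG is an assumption; adapt the loops to the real catalog.json layout.

```python
import copy

# Constructed sample catalog. ASSUMPTION: features sit under categories and each
# feature carries its own "risks" and "requirements" arrays, as the tutorial implies.
SAMPLE_CATALOG = {"categories": [{"name": "Storage", "features": [
    {"name": "Data at rest", "risks": [], "requirements": []}]}]}

# The HIPAA risk and requirement from the tutorial above
HIPAA_RISK = {"id": "STOR-HIPAA-01",
              "description": "Protected Health Information exposure",
              "annex_ref": "I.3(d) - stored data protection + HIPAA 164.312(a)(2)(iv)"}
HIPAA_REQ = {"id": "STOR-HIPAA-01-R1", "risk_id": "STOR-HIPAA-01",
             "text": "The product shall encrypt all PHI at rest using AES-256 or stronger",
             "assessment_method": "Config review + code review", "evidence_type": "Semi"}


def add_requirement(catalog, category, feature, risk, requirement):
    """Return a copy of catalog with risk and requirement added to the named feature."""
    new = copy.deepcopy(catalog)
    for cat in new["categories"]:
        for feat in cat["features"]:
            if cat["name"] == category and feat["name"] == feature:
                feat["risks"].append(risk)
                feat["requirements"].append(requirement)
                return new
    raise KeyError(f"feature {category}/{feature} not found")


def validate(catalog):
    """List inconsistencies that would break assessment: duplicate ids, a requirement
    whose risk_id has no risk in its feature, or an id outside the <risk_id>-R<n> form."""
    problems, seen = [], set()
    for cat in catalog["categories"]:
        for feat in cat["features"]:
            risk_ids = {r["id"] for r in feat["risks"]}
            for item in feat["risks"] + feat["requirements"]:
                if item["id"] in seen:
                    problems.append(f"duplicate id {item['id']}")
                seen.add(item["id"])
            for req in feat["requirements"]:
                if req["risk_id"] not in risk_ids:
                    problems.append(f"{req['id']} references unknown risk {req['risk_id']}")
                elif not req["id"].startswith(req["risk_id"] + "-R"):
                    problems.append(f"{req['id']} does not extend its risk_id")
    return problems
```

Run `validate` on the edited file before uploading a new version; an empty list means the fork is internally consistent.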

Create a new version with the modifications:

```sh
# Same body construction as for the initial upload, with the version bumped
jq -n --arg name acme-corp-ruleset --arg version 1.1.0 \
      --arg description "Added HIPAA PHI encryption requirement" \
      --slurpfile catalog my-ruleset.json \
      '{name: $name, version: $version, description: $description, catalog_json: $catalog[0]}' \
  > create-ruleset.json

curl -X POST "$FLEET_URL/api/v1/assessment/rulesets" \
  -H "Authorization: Bearer $FLEET_API_KEY" \
  -H "Content-Type: application/json" \
  --data-binary @create-ruleset.json

# Publish it (RULESET_ID is an assumed variable name holding the id returned by the POST above)
curl -X POST "$FLEET_URL/api/v1/assessment/rulesets/$RULESET_ID/publish" \
  -H "Authorization: Bearer $FLEET_API_KEY"
```

Assign the published ruleset to a product by passing its id as ruleset_id:

```sh
curl -X POST "$FLEET_URL/api/v1/assessment/products" \
  -H "Authorization: Bearer $FLEET_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "acme-health-portal",
    "version": "2.0.0",
    "ruleset_id": "uuid-of-published-ruleset"
  }'
```

Now when you scan and upload results, findings are assessed against your custom ruleset.

Even with a shared ruleset, individual requirements can be overridden:

```sh
# Mark a requirement as not applicable for this specific product
# (PRODUCT_ID is an assumed variable name holding the id of the product created above)
curl -X POST "$FLEET_URL/api/v1/assessment/products/$PRODUCT_ID/overrides" \
  -H "Authorization: Bearer $FLEET_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "requirement_id": "HW-PHY-01-R1",
    "override_type": "false_positive",
    "justification": "Pure SaaS product with no hardware components",
    "created_by": "compliance-team"
  }'
```