Skip to content

add YAML schema and autocomplete snippet for detections #3612

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
devhhu wants to merge 12 commits into from
Closed

add YAML schema and autocomplete snippet for detections #3612

devhhu wants to merge 12 commits into from

Conversation

@devhhu
Copy link

@devhhu devhhu commented Jul 18, 2025

Summary

Adds YAML schema and autocomplete snippets to simplify detection authoring and remove reliance on the baked in contentctl templates found when you run contentctl new.

Changes Included

  • Added detection.schema.json for detection rule validation.
  • Added detection-snippets.code-snippets to provide VSCode autocomplete.
  • Added settings.json for built-in YAML extension integration.
  • Added basic README guidance on enabling schema validation.

Why

  • Helps detection authors working in non-Windows environments (e.g., GCP, macOS) avoid contentctl hardcoding issues, which are found when you attempt to create a detection using contentctl new.
  • Reduces friction by providing in-editor autocomplete suggestions.

Notes

  • Files are under /docs/yaml-spec/schema.

@devhhu
feat: add YAML schema and autocomplete snippets for detection develop…
2d8827b 
…ment

-  .vscode/schemas/detection.schema.json for custom detection schema
- .vscode/settings.json for YAML schema validation
- Included detection-snippets.code-snippets for quick detection templates
- Improves consistency and ease of detection rule authoring within the repo
@devhhu devhhu changed the title feat: add YAML schema and autocomplete snippet for development add YAML schema and autocomplete snippet for development Jul 19, 2025
@devhhu devhhu changed the title add YAML schema and autocomplete snippet for development add YAML schema and autocomplete snippet for detections Jul 19, 2025
@devhhu
Copy link
Author

devhhu commented Jul 24, 2025

Hey team! Just a quick note:

This PR doesn’t change anything in the core content - it just adds some optional docs and some editor tips (YAML schema + VSCode autocomplete). We’ve started using it internally and found it super helpful for making detections more easily, especially outside the default workflow.

@patel-bhavin
Copy link
Contributor

patel-bhavin commented Oct 10, 2025

Hello @devhhu - First of all thank you for submitting this enhancement! As of right now, this schema is incomplete and needs frequent maintenance as the schema of these yamls evolve and change.

We encourage you to maintain this in your fork and are considering add official VS code schemas to help with this task!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patel-bhavin patel-bhavin Awaiting requested review from patel-bhavin patel-bhavin is a code owner

@ljstella ljstella Awaiting requested review from ljstella ljstella is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@devhhu @patel-bhavin