VulHunt rules are written in Lua; however, you don’t need to be proficient in Lua to write rules. Lua is used primarily as a container format, and the language is extended with functions that simplify rule creation. VulHunt rules are collections of fields, as defined in the following table:
| Field | Description | Category | Required |
| --- | --- | --- | --- |
| author | Author of the rule | Metadata | Yes |
| name | Name of the rule | Metadata | Yes |
| platform | Target platform | Filtering | Yes |
| architecture | Triplet defining the architecture where the rule should be executed | Filtering | Yes |
| conditions | Conditions under which the rule should be executed | Filtering | No |
| types | Type library used by the engine for matching and decompilation | Detection | No |
| signatures | Signature files used to identify functions in binaries without symbols | Detection | No |
| extensions | Specifies any extension needed by this rule | Detection | No |
| scopes | Defines the list of scopes used to identify a vulnerability | Detection | Yes |

These rule fields can be roughly divided into three categories:
  1. Metadata: Includes information such as the author and rule name, providing context about the rule itself.
  2. Filtering: Defines the conditions under which the rule should be executed, such as the target platform or architecture.
  3. Detection: Specifies the core logic of the rule, including signatures, types, and scopes used to identify a vulnerability in a binary file.

Example

The following example shows a sample value for each of the rule fields. A comprehensive overview and the valid values for the fields can be found in the VulHunt Reference.
examples/rule-fields.lua
```lua
author = "Your Name"
name = "CVE-2025-0001"
platform = "posix-binary"
architecture = "x86:*:*"
conditions = {name_with_prefix = {"library-name.so"}}
types = "path/to/type-library"
signatures = "path/to/signature-library"
extensions = "decompiler"
scopes = {scope:functions{...}}
```
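
A pre-flight check for the required fields in the table above, as an added example that is not part of VulHunt or its documentation. It assumes a stock Lua 5.2+ interpreter; `FIELDS`, `stub` and `check_rule` are hypothetical names, and engine helpers such as `scope` are replaced by inert stand-ins.

```lua
-- Field names and "required" flags copied from the rule-field table.
local FIELDS = {
  {"author", true}, {"name", true}, {"platform", true}, {"architecture", true},
  {"conditions", false}, {"types", false}, {"signatures", false},
  {"extensions", false}, {"scopes", true},
}

-- Stand-in for engine-provided helpers (e.g. `scope:functions{...}`):
-- any lookup or call yields another stub, so a rule loads without VulHunt.
local function stub()
  return setmetatable({}, {
    __index = function() return stub() end,
    __call  = function() return stub() end,
  })
end

-- Loads rule source in an empty environment (no os/io access) and reports
-- missing required fields and top-level names that are not in FIELDS.
local function check_rule(source)
  local env = setmetatable({}, { __index = function() return stub() end })
  local chunk, err = load(source, "rule", "t", env) -- "t": text only, no bytecode
  if not chunk then return nil, {"syntax error: " .. err} end
  local ok, runerr = pcall(chunk)
  if not ok then return nil, {"load error: " .. tostring(runerr)} end

  local problems, known = {}, {}
  for _, f in ipairs(FIELDS) do
    known[f[1]] = true
    if f[2] and rawget(env, f[1]) == nil then
      problems[#problems + 1] = "missing required field: " .. f[1]
    end
  end
  for key in pairs(env) do
    if not known[key] then
      problems[#problems + 1] = "not a documented field (typo?): " .. tostring(key)
    end
  end
  table.sort(problems)
  return #problems == 0, problems
end

-- Constructed sample: `architecture` is misspelled and `scopes` is absent.
local sample = [[
author = "Your Name"
name = "CVE-2025-0001"
platform = "posix-binary"
architechture = "x86:*:*"
]]
local ok, problems = check_rule(sample)
for _, p in ipairs(problems) do print(p) end
```

The check covers field presence only; valid values for each field are defined in the VulHunt Reference.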