Coraza Coreruleset is a Go package that provides the OWASP CRS in an easily consumable form for embedding in a Go application. Alongside the unmodified CRS, the Coraza configuration file is also provided.
In order to use CRS, you need to load the coreruleset FileSystem:
```go
import (
	"github.com/corazawaf/coraza-coreruleset/v4"
	"github.com/corazawaf/coraza/v3"
)

func main() {
	// ...
	// Include paths are resolved inside the embedded CRS filesystem.
	waf, err := coraza.NewWAF(
		coraza.NewWAFConfig().
			WithDirectives("Include @owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf").
			WithRootFS(coreruleset.FS),
	)
	// ...
}
```
You can also combine both CRS and your local files by combining the filesystems:
```go
import (
	"github.com/corazawaf/coraza-coreruleset/v4"
	"github.com/corazawaf/coraza/v3"
	"github.com/jcchavezs/mergefs"
	"github.com/jcchavezs/mergefs/io"
)

// ...

func main() {
	// ...
	// The merged filesystem serves both the embedded CRS and files on the local disk.
	waf, err := coraza.NewWAF(
		coraza.NewWAFConfig().
			WithDirectives(`
				Include @owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf
				Include my/local/rule.conf
			`).
			WithRootFS(mergefs.Merge(coreruleset.FS, io.OSFS)),
	)
	// ...
}
```
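A preflight check for the directives above, as an added example that is not part of this project's code: it lists every `Include` target that matches no file in the root filesystem, so a mistyped path is caught before the WAF is built. The helper `unresolvedIncludes` and the `fstest.MapFS` stand-in for `coreruleset.FS` are hypothetical, and treating `*` targets as glob patterns is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// unresolvedIncludes returns each Include target that matches no regular file in root.
func unresolvedIncludes(root fs.FS, directives string) []string {
	var missing []string
	sc := bufio.NewScanner(strings.NewReader(directives))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || !strings.EqualFold(fields[0], "Include") {
			continue // blank line, comment or another directive
		}
		target := strings.Trim(fields[1], `"`)
		matches := []string{target}
		if strings.Contains(target, "*") { // assumption: "*" marks a glob pattern
			matches, _ = fs.Glob(root, target) // nil on a malformed pattern
		}
		found := false
		for _, m := range matches {
			info, err := fs.Stat(root, m)
			found = found || (err == nil && info.Mode().IsRegular())
		}
		if !found {
			missing = append(missing, target)
		}
	}
	return missing
}

// sampleFS is a constructed stand-in for coreruleset.FS merged with local files.
func sampleFS() fs.FS {
	placeholder := &fstest.MapFile{Data: []byte("# constructed placeholder\n")}
	return fstest.MapFS{
		"@owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf": placeholder,
		"my/local/rule.conf":                             placeholder,
	}
}

func main() {
	directives := "Include @owasp_crs/*.conf\nInclude my/locl/rule.conf\n" // typo is deliberate
	fmt.Println(unresolvedIncludes(sampleFS(), directives))
}
```

Absolute paths are not valid `io/fs` names, so this check reports them as unresolved even if the file exists on disk.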
- Update the `crsVersion` and `corazaVersion` constants in `version.go` with the desired CRS and Coraza commit SHA or tags.
- Run `go run mage.go downloadDeps`.
- Double check the changes made under the `/rules` and `/tests` directories.
- Commit your changes.