semgrep

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.


Semgrep tl;dr:

  • A simple, customizable, and fast static analysis tool for finding bugs
  • Combines the speed and customization of grep with the precision of traditional static analysis tools
  • No painful domain-specific language; Semgrep rules look like the source code you’re targeting
  • Batteries included with hundreds of existing community rules for OWASP Top 10 issues and common mistakes
  • Runs in CI, at pre-commit, or in the editor
  • Runs offline on uncompiled code

Semgrep supports:

  • Go
  • Java
  • JavaScript
  • JSON
  • Python
  • Ruby (beta)
  • JSX (beta)
  • C (alpha)
  • OCaml (alpha)

Semgrep is proudly supported by r2c. Learn more about a hosted version of Semgrep with an enterprise feature set at r2c.dev.

Getting Started

The best place to start with Semgrep and rule writing is its Quick Start. For a more in-depth introduction to its syntax and use cases visit the Semgrep Tutorial.

Semgrep can be installed using brew, pip, or docker:

# For macOS
$ brew install semgrep

# On Ubuntu/WSL/linux, we recommend installing via `pip`
$ python3 -m pip install semgrep

# To try Semgrep without installation run via Docker
$ docker run --rm -v "${PWD}:/src" returntocorp/semgrep --help

To confirm installation and get an overview of Semgrep's functionality run with --help:

$ semgrep --help

Once installed, Semgrep can be run with single rule patterns or entire rule sets:

# Check for Python == where the left and right hand sides are the same (often a bug)
$ semgrep -e '$X == $X' --lang=py path/to/src

# Run a ruleset with rules for many languages
$ semgrep --config=https://semgrep.dev/p/r2c-CI path/to/src

Explore the Semgrep Registry of rules and CI integrations at semgrep.dev.

Give some rulesets a spin by running on known vulnerable repositories:

# juice-shop, a vulnerable Node.js + Express app
$ git clone https://github.com/bkimminich/juice-shop
$ semgrep -f https://semgrep.dev/p/r2c-security-audit juice-shop
# railsgoat, a vulnerable Ruby on Rails app
$ git clone https://github.com/OWASP/railsgoat
$ semgrep -f https://semgrep.dev/p/r2c-security-audit railsgoat
# govwa, a vulnerable Go app
$ git clone https://github.com/0c34/govwa
$ semgrep -f https://semgrep.dev/p/r2c-security-audit govwa
# vulnerable Python+Flask app
$ git clone https://github.com/we45/Vulnerable-Flask-App
$ semgrep -f https://semgrep.dev/p/r2c-security-audit Vulnerable-Flask-App
# WebGoat, a vulnerable Java+Spring app
$ git clone https://github.com/WebGoat/WebGoat
$ semgrep -f https://semgrep.dev/p/r2c-security-audit WebGoat

Resources

Learn more:

Get in touch:

Usage

Command Line Options

See semgrep --help for command line options.

Exit Codes

semgrep may exit with the following exit codes:

  • 0: Semgrep ran successfully and reported no findings
  • 1: Semgrep ran successfully and reported findings in your code
  • >=2: Semgrep failed to run (for example, a rule or target it could not parse)

Check `semgrep --help` for the release you run: newer releases exit 0 even when there are findings unless `--error` is passed, so a CI gate that keys on exit code 1 must pass that flag.
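A fail-closed CI gate that handles the three exit classes differently, as an added example that is not part of the Semgrep README: blocking findings fail the build, a scan that could not run also fails the build instead of silently passing (the common `semgrep ... || true` idiom hides exactly that case), and only ERROR-severity rules are blocking. It assumes the semgrep CLI flags `--config`, `--severity`, `--error`, `--quiet`, `--json` and `--output`; the report path and the sample JSON report used to exercise the finding count are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Semgrep README: a fail-closed CI gate around semgrep.
# Flags assumed: --config, --severity, --error, --quiet, --json, --output.
set -eu

classify_exit() {
  # $1: semgrep's exit status. Prints clean / findings / error.
  case "$1" in
    0) echo clean ;;
    1) echo findings ;;
    *) echo error ;;
  esac
}

count_findings() {
  # $1: a semgrep JSON report. Each result object has exactly one "check_id"
  # key, so counting occurrences gives the number of findings (use jq for
  # anything beyond a count).
  grep -o '"check_id"' "$1" | wc -l | tr -d ' '
}

gate() {
  # Usage: gate <config> <path> [report.json]
  # Returns 0 when the build may proceed, 1 on blocking findings, 2 when the
  # scan itself failed (never let a crashed scanner pass the build).
  config="$1"; target="$2"; report="${3:-semgrep-report.json}"
  rc=0
  # --severity ERROR: only ERROR rules block; --error: exit 1 on findings
  # (newer releases otherwise exit 0 even when findings exist).
  semgrep --config "$config" --severity ERROR --error --quiet \
          --json --output "$report" "$target" || rc=$?
  case "$(classify_exit "$rc")" in
    clean)    echo "semgrep: no blocking findings"; return 0 ;;
    findings) echo "semgrep: $(count_findings "$report") blocking finding(s), see $report"; return 1 ;;
    *)        echo "semgrep: scan failed with exit status $rc; failing the build" >&2; return 2 ;;
  esac
}

# Constructed sample report (shape of semgrep --json output, trimmed) so
# count_findings can be exercised without running semgrep.
SAMPLE_REPORT="${SAMPLE_REPORT:-$(mktemp)}"
cat > "$SAMPLE_REPORT" <<'EOF'
{"results": [
  {"check_id": "python-subprocess-shell-true-dynamic", "path": "app/run.py",
   "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 40},
   "extra": {"message": "command injection risk", "severity": "ERROR"}},
  {"check_id": "python-self-comparison", "path": "app/util.py",
   "start": {"line": 3, "col": 8}, "end": {"line": 3, "col": 14},
   "extra": {"message": "usually a typo", "severity": "WARNING"}}
], "errors": []}
EOF

# Run the gate only when invoked as `sh gate.sh <config> <path>` with semgrep available.
if [ $# -ge 2 ] && command -v semgrep >/dev/null 2>&1; then
  gate "$@"
fi
```

Wire it into a pipeline as `sh gate.sh https://semgrep.dev/p/r2c-security-audit .`; the script's own exit status (0, 1 or 2) is what the CI job should key on, and the JSON report can be archived as a build artifact for triage.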

Upgrading

To upgrade, run the command below associated with how you installed Semgrep:

# Using Homebrew
$ brew upgrade semgrep

# Using pip
$ python3 -m pip install --upgrade semgrep

# Using Docker
$ docker pull returntocorp/semgrep:latest

Contributing

Semgrep is LGPL-licensed and we welcome contributions.

To start contributing, first please make sure you read and agree with the Contributor Covenant Code of Conduct.
Then check out a few ways you can get involved:

Please see the contribution guidelines for info about the development workflow, testing, and making PRs.

Commercial Support

Semgrep is a frontend to a larger program analysis library named pfff. pfff began and was open-sourced at Facebook but is now archived. Its primary maintainer now works at r2c. Semgrep was originally named sgrep and was renamed to avoid collisions with existing projects.

Semgrep is supported by r2c. We're hiring!

Interested in a fully-supported, hosted version of Semgrep? Drop your email and we'll be in touch!

Key metrics

Overview
Name and owner: semgrep/semgrep
Primary language: OCaml
Languages: Makefile (language count: 29)
Platform:
License: GNU Lesser General Public License v2.1

Owner activity
Created: 2019-12-13 09:29:54
Last push: 2025-04-21 00:05:32
Last commit:
Releases: 310
Latest release: v1.119.0 (released 2025-04-16 04:59:33)
First release: 0.4.0

User engagement
Stars: 11.5k
Watchers: 106
Forks: 685
Commits: 8.7k
Issues enabled?
Issues: 3071
Open issues: 786
Pull requests: 6765
Open pull requests: 6
Closed pull requests: 1040

Project settings
Wiki enabled?
Archived?
Is a fork?
Locked?
Is a mirror?
Private?