Lightweight static analysis for many languages.
Find and block bug variants with rules that look like source code.
Getting Started · Examples · Resources · Usage · Contributing · Commercial Support
Semgrep tl;dr:
- A simple, customizable, and fast static analysis tool for finding bugs
- Combines the speed and customization of `grep` with the precision of traditional static analysis tools
- No painful domain-specific language; Semgrep rules look like the source code you're targeting
- Batteries included with hundreds of existing community rules for OWASP Top 10 issues and common mistakes
- Runs in CI, at pre-commit, or in the editor
- Runs offline on uncompiled code
Semgrep supports: Go | Java | JavaScript | JSON | Python | Ruby (beta) | JSX (beta) | C (alpha) | OCaml (alpha)
Semgrep is proudly supported by r2c. Learn more about a hosted version of Semgrep with an enterprise feature set at r2c.dev.
The best place to start with Semgrep and rule writing is its Quick Start. For a more in-depth introduction to its syntax and use cases visit the Semgrep Tutorial.
Semgrep can be installed using `brew`, `pip`, or `docker`:
```sh
# For macOS
$ brew install semgrep

# On Ubuntu/WSL/linux, we recommend installing via `pip`
$ python3 -m pip install semgrep

# To try Semgrep without installation run via Docker
$ docker run --rm -v "${PWD}:/src" returntocorp/semgrep --help
```
To confirm installation and get an overview of Semgrep's functionality, run with `--help`:
```sh
$ semgrep --help
```
Once installed, Semgrep can be run with single rule patterns or entire rule packs:
```sh
# Check for Python == where the left and right hand sides are the same (often a bug)
$ semgrep -e '$X == $X' --lang=py path/to/src

# Run a ruleset with rules for many languages
$ semgrep --config=https://semgrep.dev/p/r2c-CI path/to/src
```
Explore the Semgrep Registry of rules and CI integrations at semgrep.dev.
Use case | Semgrep rule |
---|---|
Ban dangerous APIs | Prevent use of exec |
Search routes and authentication | Extract Spring routes |
Enforce the use of secure defaults | Securely set Flask cookies |
Enforce project best-practices | Use assertEqual for == checks, Always check subprocess calls |
Codify project-specific knowledge | Verify transactions before making them |
Audit security hotspots | Finding XSS in Apache Airflow, Hardcoded credentials |
Audit configuration files | Find S3 ARN uses |
Migrate from deprecated APIs | DES is deprecated, Deprecated Flask APIs, Deprecated Bokeh APIs |
Apply automatic fixes | Use listenAndServeTLS |
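The single-rule pattern shown above (`$X == $X`) and two of the use cases in the table (banning a dangerous call pattern, enforcing secure Flask cookie defaults) can be expressed in one rule file. The script below is an added example, not code from the Semgrep project: it writes a two-rule YAML file in Semgrep's rule format, writes a small constructed Python sample that triggers each rule once, and runs `semgrep --config` against it when `semgrep` is installed. The rule ids, file names and the `WORK` directory are this example's own choices.

```sh
#!/bin/sh
# Added example (not part of the Semgrep project). Names below are assumptions:
# WORK, RULE_FILE, SAMPLE_DIR and the two rule ids are chosen for this script.
set -e

WORK="${WORK:-$(mktemp -d)}"
RULE_FILE="$WORK/rules.yml"
SAMPLE_DIR="$WORK/src"

# Two rules in Semgrep's YAML rule format. `$X` and `$RESP` are metavariables,
# `...` matches any arguments, and `pattern-not` subtracts calls that already
# pass secure=True, so only the insecure set_cookie() calls are reported.
write_rules() {
  cat > "$RULE_FILE" <<'EOF'
rules:
  - id: python-self-comparison
    languages: [python]
    severity: WARNING
    message: "Both sides of == are the same expression ($X); usually a copy-paste bug"
    pattern: $X == $X

  - id: flask-cookie-missing-secure
    languages: [python]
    severity: WARNING
    message: "set_cookie() without secure=True lets the cookie travel over plain HTTP"
    patterns:
      - pattern: $RESP.set_cookie(...)
      - pattern-not: $RESP.set_cookie(..., secure=True, ...)
EOF
  echo "$RULE_FILE"
}

# A constructed sample: one hit per rule plus one clean set_cookie() call,
# so the reader can see both a match and a pattern-not exclusion.
write_sample() {
  mkdir -p "$SAMPLE_DIR"
  cat > "$SAMPLE_DIR/app.py" <<'EOF'
from flask import Flask, make_response

app = Flask(__name__)

@app.route("/login")
def login():
    resp = make_response("ok")
    resp.set_cookie("session", "abc")             # finding: secure=True missing
    resp.set_cookie("csrf", "xyz", secure=True)   # clean: excluded by pattern-not
    return resp

def is_owner(user, owner):
    return user.id == user.id                     # finding: $X == $X
EOF
  echo "$SAMPLE_DIR/app.py"
}

# Number of rules in a rule file (one "  - id:" line per rule). A CI step can
# use this to refuse to ship an accidentally empty rule pack.
rule_count() {
  grep -c '^  - id:' "$1"
}

# Run the scan. Exit 1 means findings; 2 or higher means Semgrep itself failed.
scan() {
  semgrep --config "$RULE_FILE" "$SAMPLE_DIR"
}

write_rules >/dev/null
write_sample >/dev/null
echo "wrote $(rule_count "$RULE_FILE") rules to $RULE_FILE and a sample under $SAMPLE_DIR"
if command -v semgrep >/dev/null 2>&1; then
  scan || echo "semgrep exited with status $?"
fi
```

Expected when `semgrep` is installed: two findings in `app.py`, one per rule, and none for the `secure=True` call. Keeping rules in a versioned file like this, rather than as ad hoc `-e` patterns, is what makes them reviewable and reusable across CI and the editor.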
Give some rule packs a spin by running on known vulnerable repositories:
```sh
# juice-shop, a vulnerable Node.js + Express app
$ git clone https://github.com/bkimminich/juice-shop
$ semgrep -f https://semgrep.dev/p/r2c-security-audit juice-shop

# railsgoat, a vulnerable Ruby on Rails app
$ git clone https://github.com/OWASP/railsgoat
$ semgrep -f https://semgrep.dev/p/r2c-security-audit railsgoat

# govwa, a vulnerable Go app
$ git clone https://github.com/0c34/govwa
$ semgrep -f https://semgrep.dev/p/r2c-security-audit govwa

# vulnerable Python+Flask app
$ git clone https://github.com/we45/Vulnerable-Flask-App
$ semgrep -f https://semgrep.dev/p/r2c-security-audit Vulnerable-Flask-App

# WebGoat, a vulnerable Java+Spring app
$ git clone https://github.com/WebGoat/WebGoat
$ semgrep -f https://semgrep.dev/p/r2c-security-audit WebGoat
```
Learn more:
- Live Editor
- Semgrep Registry
- Documentation
- r2c YouTube channel for more videos.
Get in touch:
- Submit a bug report
- Join the Semgrep Slack to say "hi" or ask questions
See `semgrep --help` for command line options.

`semgrep` may exit with the following exit codes:
- `0`: Semgrep ran successfully and found no errors
- `1`: Semgrep ran successfully and found issues in your code
- `>= 2`: Semgrep failed to run
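The three exit-code outcomes above matter in CI because a scan that failed to run (exit 2 or higher) must not be logged or treated the same way as a scan with findings (exit 1), and neither should pass silently. The wrapper below is an added example, not part of the Semgrep project: it runs a command (normally a `semgrep` invocation), classifies the exit status into the three outcomes, prints a distinguishable line for each, and propagates the status so the job still fails. The function names and the `RULESET`/`TARGET` placeholders are this example's own.

```sh
#!/bin/sh
# Added example (not part of the Semgrep project): a CI gate built on the
# documented exit codes. classify_exit, semgrep_gate, RULESET and TARGET are
# names chosen for this script, not Semgrep's own.
set -e

# Map an exit status to the three outcomes: 0 clean, 1 findings, >=2 failure.
classify_exit() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "findings" ;;
    *) echo "failure" ;;
  esac
}

# Run the given command, report which outcome occurred, and return the same
# status so the CI job fails on both findings and tool errors, but the log
# shows which of the two it was.
semgrep_gate() {
  rc=0
  "$@" && rc=0 || rc=$?
  case "$(classify_exit "$rc")" in
    clean)    echo "semgrep: no findings" ;;
    findings) echo "semgrep: findings reported (exit 1); blocking this change" ;;
    failure)  echo "semgrep: did not run correctly (exit $rc); fix the scan before trusting its result" ;;
  esac
  return "$rc"
}

# Typical use. RULESET and TARGET are placeholders for a real rule pack and
# the path to scan; the block is a no-op when TARGET is unset.
if command -v semgrep >/dev/null 2>&1 && [ -n "${TARGET:-}" ]; then
  semgrep_gate semgrep --config "${RULESET:-https://semgrep.dev/p/r2c-CI}" "$TARGET"
fi
```

Because the gate returns the original status, a pipeline that only checks "non-zero means fail" keeps working, while the log line tells the reviewer whether there is code to fix or a broken scanner to repair.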
To upgrade, run the command below associated with how you installed Semgrep:
```sh
# Using Homebrew
$ brew upgrade semgrep

# Using `pip`
$ python3 -m pip install --upgrade semgrep

# Using Docker
$ docker pull returntocorp/semgrep:latest
```
Semgrep is LGPL-licensed, feel free to help out: CONTRIBUTING.
Semgrep is a frontend to a larger program analysis library named `pfff`. `pfff` began and was open-sourced at Facebook but is now archived. The primary maintainer now works at r2c. Semgrep was originally named `sgrep` and was renamed to avoid collisions with existing projects.
Semgrep is supported by r2c. We're hiring!
Interested in a fully-supported, hosted version of Semgrep? Drop your email and we'll be in touch!