Semgrep is an open-source static analysis tool designed to find vulnerabilities and bugs and to enforce code quality standards across multiple programming languages.
- Core Feature: It uses abstract syntax tree (AST) pattern matching, allowing it to detect issues based on the structure of code rather than simple text patterns.
- Fast and Flexible: Performs static analysis quickly and can be adapted to various codebases.
- Precision: Detects vulnerabilities that might be missed by traditional text-based tools.
- Customizability: Allows users to write their own rules or use pre-defined ones from the Semgrep Registry.
- Security and Quality: Helps identify security vulnerabilities (e.g., SQL injection, XSS) and improve code quality by enforcing best practices.
- Supported Languages: Semgrep supports several popular programming languages, including Python, JavaScript, Java, Go, and more.
- CI/CD Integration: Seamlessly integrates with CI/CD pipelines (e.g., GitLab, GitHub) for continuous static analysis, making it an excellent tool for DevSecOps teams.
- Automating code review to detect vulnerabilities early.
- Enforcing code style guidelines.
- Integrating into the security testing pipeline for proactive vulnerability detection.
```shell
pip install semgrep
semgrep --version
```
https://github.com/semgrep/semgrep-rules
```yaml
# GitLab CI job (.gitlab-ci.yml) that runs Semgrep in the test stage
stages:
  - test

test:
  image: semgrep/semgrep
  script:
    # target paths are positional arguments; Semgrep has no --path flag
    - semgrep --config=python-security ./my-python-project/
```
Tip: in offline (air-gapped) mode Semgrep cannot fetch rulesets from the registry, so download all the rules from this repository in advance, or point `--config` at a local directory of Pro rules, as in the second command below.
```shell
# registry ruleset plus a local rule file, scanning a source tree
semgrep scan --config="RULESET-ID" --config=PATH/TO/MYRULE.YAML PATH/TO/SRC
# local directory of rules only (the flag is --config, with two dashes)
semgrep scan --config=/ProRules/ PATH/TO/sourcecode
```
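A pipeline usually needs more than running the scan: it has to decide whether the findings block the merge. The script below is an added example, not part of the page or of the Semgrep project; it runs `semgrep scan --json` with a local `--config` path (so it works offline), parses the standard Semgrep JSON report (a top-level `results` list whose entries carry `check_id`, `path`, `start.line` and `extra.severity`/`extra.message`) and exits non-zero when any finding reaches a chosen severity. The embedded `SAMPLE_JSON` is a constructed report, not real scanner output, so the gating logic can be exercised without Semgrep installed; the `--metrics=off` flag is the one documented by Semgrep for disabling telemetry.

```python
# gate_on_semgrep.py  (added example; not from the page or the Semgrep project)
import json
import subprocess
import sys

# Semgrep severities, ranked so findings can be compared against a threshold
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def run_semgrep(config: str, target: str) -> str:
    """Run Semgrep against a local rule path and return its raw JSON report.

    Semgrep exits 0 even when it has findings (unless --error is passed),
    so the decision is taken from the JSON rather than from the exit code.
    """
    proc = subprocess.run(
        ["semgrep", "scan", "--json", "--metrics=off", f"--config={config}", target],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def blocking_findings(json_text: str, min_severity: str = "ERROR") -> list:
    """Return findings at or above min_severity as (check_id, path, line, message)."""
    threshold = SEVERITY_RANK[min_severity]
    report = json.loads(json_text)
    hits = []
    for r in report.get("results", []):
        sev = r["extra"]["severity"].upper()
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            hits.append((r["check_id"], r["path"], r["start"]["line"], r["extra"]["message"]))
    return hits


# Constructed sample report mirroring one finding from each rule shown on this page.
SAMPLE_JSON = json.dumps({
    "results": [
        {"check_id": "python-hardcoded-password", "path": "app/config.py",
         "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 30},
         "extra": {"severity": "WARNING", "message": "Hardcoded password detected."}},
        {"check_id": "python-use-of-eval", "path": "app/parser.py",
         "start": {"line": 40, "col": 12}, "end": {"line": 40, "col": 22},
         "extra": {"severity": "ERROR", "message": "Avoid using eval()."}},
    ],
    "errors": [],
})


def main() -> int:
    # usage: python gate_on_semgrep.py RULES_DIR SRC_DIR  (no args: use the sample report)
    output = run_semgrep(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_JSON
    hits = blocking_findings(output, "ERROR")
    for check_id, path, line, message in hits:
        print(f"{path}:{line}: [{check_id}] {message}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Dropping the threshold to `WARNING` makes the hardcoded-password finding block as well; keeping it at `ERROR` lets WARNING-level rules report without failing the job, which is the usual way to roll a new rule out before enforcing it.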
Log in at https://semgrep.dev/orgs/-/settings to use the Semgrep portal; a local project can be uploaded there, which also gives access to the Pro rules and some SCA (software composition analysis) checks.
```shell
python3 -m pip install --upgrade semgrep
semgrep login                  # authenticate the CLI against the portal
semgrep install-semgrep-pro    # download the Pro engine
semgrep --config auto --pro    # scan with registry rules using the Pro engine
```
From the root of the git repository, run:

```shell
semgrep ci
```
https://semgrep.dev/learn
https://semgrep.dev/playground/new
- Example 1: Detecting Hardcoded Passwords in Python

```yaml
# hardcoded_password_rule.yml
rules:
  - id: python-hardcoded-password
    pattern: |
      password = "$PASSWORD"
    message: "Hardcoded password detected. Avoid hardcoding sensitive information."
    severity: WARNING
    languages: [python]
    metadata:
      category: security
```
- Example 2: Detecting Use of eval in Python (Potential Security Risk)

```yaml
# use_of_eval_rule.yml
rules:
  - id: python-use-of-eval
    pattern: |
      eval($EXPR)
    message: "Avoid using eval(). It can lead to code injection vulnerabilities."
    severity: ERROR
    languages: [python]
    metadata:
      category: security
```
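A custom rule should ship with a regression test, and Semgrep's `--test` mode provides one: it pairs a rule file with a test file of the same base name, requires every line after a `# ruleid: <id>` comment to be matched by that rule, and requires every line after `# ok: <id>` not to be. The file below is an added example, not from the page or the Semgrep project. It assumes the two rules above have been merged into one file named `python-security-rules.yml` and that this file is saved beside it as `python-security-rules.py`, after which `semgrep --test --config python-security-rules.yml .` checks both rules. It also serves as the vulnerable-beside-hardened illustration for each rule: the password value is a constructed sample, and the fix for `eval()` shown here is `ast.literal_eval()`, which accepts only literal syntax.

```python
# python-security-rules.py  (constructed Semgrep --test fixture; added example)
import ast
import os


def load_config_insecure() -> dict:
    """Credential embedded in source: `password = "$PASSWORD"` binds the literal."""
    # ruleid: python-hardcoded-password
    password = "hunter2"  # constructed sample value, not a real secret
    return {"user": "app", "password": password}


def load_config_secure(env=os.environ) -> dict:
    """Credential read from the environment: the right-hand side is a call, not a string."""
    # ok: python-hardcoded-password
    password = env.get("DB_PASSWORD", "")
    return {"user": "app", "password": password}


def parse_insecure(text: str):
    """eval() executes arbitrary Python, so untrusted `text` becomes code execution."""
    # ruleid: python-use-of-eval
    return eval(text)


def parse_secure(text: str):
    """ast.literal_eval() only evaluates literals (numbers, strings, lists, dicts, ...)."""
    # ok: python-use-of-eval
    return ast.literal_eval(text)


def literal_parser_rejects(text: str) -> bool:
    """True when the hardened parser refuses `text`, i.e. it is not a plain literal."""
    try:
        parse_secure(text)
    except (ValueError, SyntaxError):
        return True
    return False
```

The `# ok:` lines matter as much as the `# ruleid:` lines: they pin down that the rule keys on a string literal on the right-hand side and on the bare name `eval`, so a later edit that broadens the pattern (and starts flagging `env.get(...)` or `ast.literal_eval(...)`) fails the test instead of flooding the CI job with false positives.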