Watching but Not Breaking the Build
Sometimes there are code changes you want to know about, but they're not strictly a bug or vulnerability; that is, you don't want to break the build if they occur.
One example is code that touches the `is_admin()` function. Semgrep policies make it easy to have fine-grained control over how you want scan results to be handled.
Rolling out in notify-only mode is a great way to test new rules and build your confidence in them before rolling them out in PR-commenting or blocking mode.
Intermediate Rule Writing
Here are a few quick tips, but again, see the Issue for links to the full docs.
Compose Patterns via "or is" (`pattern-either`)
Want your rule to match multiple things? Click the `+` and select "or is" one or more times. These patterns are combined like a boolean OR: if any one of them matches, the Semgrep rule as a whole matches. (docs)
Metavariables in messages
When a metavariable (e.g. `$X`) you use in a pattern matches a piece of target code, you can reuse that metavariable in the `message` field. This way you can give developers (or yourself) a more useful, actionable, contextual message, for example by referencing the function names or variables involved and explaining why there's an issue.
Filter Matches via "and is not" (`pattern-not`)
Like "or is" (`pattern-either`), you can combine multiple `pattern-not` clauses to filter out multiple sets of code patterns you don't want to match (docs). One common way to approach rule writing is to:
- use `pattern` or `pattern-either` clauses that match a broad set of code snippets you're interested in, then
- add `pattern-not` clauses to filter out common "false positives," that is, code you don't want to match.

⌨️ Activity: Auditing Routes
We're going to start simple, matching just a few routes, and then we'll iteratively improve our rule to make it more precise.
Your rule will largely be the same each time (with some improvements). The reason I'm providing different links for each step is that I've changed the comment annotations to make it clear which lines you should and shouldn't be matching.
1. Write a rule that matches routes registered with `app.get()`.
2. Extend the rule to also match `app.use`, but only when the first argument is a string literal (the path). Include the matched path for any route, regardless of HTTP verb, in the return message.
3. Filter out routes that are protected by `security.denyAll()`, `security.isAuthorized()`, or `security.isAccounting()`.

Comment on this Pull Request once you're done.
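Putting the three tips together, here is an added example rule (written for this page, not taken from the course materials or the Semgrep project's rule registry) that matches `app.get()` routes plus `app.use()` routes with a string-literal path, reports `$PATH` in the message, and uses `pattern-not` to drop routes that receive one of the `security.*` guards as a middleware argument; the middleware-argument call style and the sample routes in the comments are assumptions.

```yaml
# Constructed sample target (not from the course repo), with expected outcome:
#   app.get("/login", login)                                -> reported
#   app.use("/api", apiRouter)                              -> reported
#   app.use(prefix, legacyRouter)                           -> not matched (path is not a literal)
#   app.get("/admin", security.isAuthorized(), adminPanel)  -> filtered out by pattern-not
rules:
  - id: express-route-without-security-guard
    languages: [javascript]
    severity: INFO   # a "watch" finding; pair it with a notify-only policy
    message: >-
      Route $PATH is registered without security.denyAll(),
      security.isAuthorized() or security.isAccounting(); confirm it is
      meant to be reachable without an authorization check.
    patterns:
      # Step 1 and 2: cast a broad net. app.get() with any path expression,
      # app.use() only when the first argument is a string literal, which
      # binds $PATH to the literal's contents for reuse in the message.
      - pattern-either:
          - pattern: app.get($PATH, ...)
          - pattern: app.use("$PATH", ...)
      # Step 3: subtract guarded routes. Assumes the guard is passed as a
      # middleware argument anywhere in the argument list; `...` on both
      # sides matches zero or more other arguments.
      - pattern-not: app.$_(..., security.denyAll(...), ...)
      - pattern-not: app.$_(..., security.isAuthorized(...), ...)
      - pattern-not: app.$_(..., security.isAccounting(...), ...)
```

Run it with `semgrep --config route-audit.yml .` (any file name works) and compare the reported lines against the comment annotations in the activity's target files.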