Skip to content
develop
Go to file
Code

Latest commit

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.md

Semgrep logo

Lightweight static analysis for many languages.
Find and block bug variants with rules that look like source code.

Getting Started · Examples · Resources
Usage · Contributing · Commercial Support

Homebrew PyPI Issues welcome! Issues welcome! 1500+ GitHub stars

Semgrep tl;dr:

  • A simple, customizable, and fast static analysis tool for finding bugs
  • Combines the speed and customization of grep with the precision of traditional static analysis tools
  • No painful domain-specific language; Semgrep rules look like the source code you’re targeting
  • Batteries included with hundreds of existing community rules for OWASP Top 10 issues and common mistakes
  • Runs in CI, at pre-commit, or in the editor
  • Runs offline on uncompiled code

Semgrep supports:

Go Java JavaScript JSON Python Ruby (beta) C (alpha) OCaml (alpha)

Semgrep is proudly supported by r2c. Learn more about a hosted version of Semgrep with an enterprise feature set at r2c.dev.

Getting Started

The best place to start with Semgrep and rule writing is its Quick Start. For a more in-depth introduction to its syntax and use cases visit the Semgrep Tutorial.

Semgrep can be installed using brew, pip, or docker:

# For macOS
$ brew install semgrep

# On Ubuntu/WSL/linux, we recommend installing via `pip`
$ python3 -m pip install semgrep

# To try Semgrep without installation run via Docker
$ docker run --rm -v "${PWD}:/src" returntocorp/semgrep --help

To confirm installation and get an overview of Semgrep's functionality run with --help:

$ semgrep --help

Once installed, Semgrep can be run with single rule patterns or entire rule packs:

# Check for Python == where the left and right hand sides are the same (often a bug)
$ semgrep -e '$X == $X' --lang=py path/to/src

# Run a rule pack with rules for many languages
$ semgrep --config=https://semgrep.dev/p/r2c-CI path/to/src

Explore the Semgrep Registry of rules and CI integrations at semgrep.dev.

Examples

Use case Semgrep rule
Ban dangerous APIs Prevent use of exec
Search routes and authentiation Extract Spring routes
Enforce the use secure defaults Securely set Flask cookies
Enforce project best-practices Use assertEqual for == checks, Always check subprocess calls
Codify project-specific knowledge Verify transactions before making them
Audit security hotspots Finding XSS in Apache Airflow, Hardcoded credentials
Audit configuration files Find S3 ARN uses
Migrate from deprecated APIs DES is deprecated, Deprecated Flask APIs, Deprecated Bokeh APIs
Apply automatic fixes Use listenAndServeTLS

Resources

Learn more:

Get in touch:

Usage

Command Line Options

See semgrep --help for command line options.

Exit Codes

semgrep may exit with the following exit codes:

  • 0: Semgrep ran successfully and found no errors
  • 1: Semgrep ran successfully and found issues in your code
  • >=2: Semgrep failed to run

Upgrading

To upgrade, run the command below associated with how you installed Semgrep:

# Using HomeBrew
$ brew upgrade semgrep

# Using `pip`
$ python3 -m pip install --upgrade semgrep

# Using Docker
$ docker pull returntocorp/semgrep:latest

Contributing

Semgrep is LGPL-licensed, feel free to help out: CONTRIBUTING.

Semgrep is a frontend to a larger program analysis library named pfff. pfff began and was open-sourced at Facebook but is now archived. The primary maintainer now works at r2c. Semgrep was originally named sgrep and was renamed to avoid collisons with existing projects.

Commercial Support

Semgrep is supported by r2c. We're hiring!

Interested in a fully-supported, hosted version of Semgrep? Drop your email and we'll be in touch!

You can’t perform that action at this time.