Semgrep is an open-source static analysis tool designed to find vulnerabilities, bugs, and enforce code quality standards across multiple programming languages.
- Core Feature: It uses abstract syntax tree (AST) pattern matching, allowing it to detect issues based on the structure of code rather than simple text patterns.
- Fast and Flexible: Performs static analysis quickly and can be adapted to various codebases.
- Precision: Detects vulnerabilities that might be missed by traditional text-based tools.
- Customizability: Allows users to write their own rules or use pre-defined ones from the Semgrep Registry.
- Security and Quality: Helps identify security vulnerabilities (e.g., SQL injection, XSS) and improve code quality by enforcing best practices.
- Supported Languages: Semgrep supports several popular programming languages, including Python, JavaScript, Java, Go, and more.
- CI/CD Integration: Seamlessly integrates with CI/CD pipelines (e.g., GitLab, GitHub) for continuous static analysis, making it an excellent tool for DevSecOps teams.
- Automating code review to detect vulnerabilities early.
- Enforcing code style guidelines.
- Integrating into the security testing pipeline for proactive vulnerability detection.
pip install semgrep
semgrep --version

Community rules repository: https://github.com/semgrep/semgrep-rules
stages:
  - test

test:
  image: semgrep/semgrep
  script:
    - semgrep --config=python-security ./my-python-project

Tip: in offline mode, download all the rules from the semgrep-rules repository (or use the Pro rules mentioned above) and point --config at the local copy.
semgrep scan --config="RULESET-ID" --config=PATH/TO/MYRULE.YAML PATH/TO/SRC
semgrep scan --config=/ProRules/ PATH/TO/sourcecode

We can log in at https://semgrep.dev/orgs/-/settings to use the Semgrep portal: upload the local project to the portal, and Pro rules and some SCA (software composition analysis) checks become available.
python3 -m pip install --upgrade semgrep
semgrep login
semgrep install-semgrep-pro
semgrep --config auto --pro
Go to the root of the git repo and run:
semgrep ci

Learning resources: https://semgrep.dev/learn
https://semgrep.dev/playground/new
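The CI job above runs the scan, but a pipeline also needs a decision step: which findings fail the build and which are only reported. The following script is an added example (not part of these notes or of the Semgrep project) that reads the report written by `semgrep scan --json ...`, prints a per-rule summary and exits non-zero when any finding has a blocking severity. The JSON report embedded in it is constructed to resemble Semgrep's output shape (`results[].check_id`, `path`, `start.line`, `extra.severity`, `extra.message`); the rule ids are the ones from the examples further down, and the severity policy is an assumption you would adapt to your team.

```python
"""CI gate over Semgrep JSON output (added example; the sample report is constructed)."""
import json
import sys
from collections import Counter

# Constructed sample resembling a `semgrep scan --json` report; not real scan output.
SAMPLE_JSON = json.dumps({
    "results": [
        {"check_id": "python-hardcoded-password", "path": "app/db.py",
         "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 25},
         "extra": {"severity": "WARNING",
                   "message": "Hardcoded password detected. Avoid hardcoding sensitive information.",
                   "lines": "    password = \"hunter2\""}},
        {"check_id": "python-use-of-eval", "path": "app/parse.py",
         "start": {"line": 40, "col": 12}, "end": {"line": 40, "col": 22},
         "extra": {"severity": "ERROR",
                   "message": "Avoid using eval(). It can lead to code injection vulnerabilities.",
                   "lines": "    return eval(text)"}},
        {"check_id": "python-use-of-eval", "path": "app/parse.py",
         "start": {"line": 58, "col": 12}, "end": {"line": 58, "col": 22},
         "extra": {"severity": "ERROR",
                   "message": "Avoid using eval(). It can lead to code injection vulnerabilities.",
                   "lines": "    return eval(raw)"}},
    ],
    "errors": [],
})

# Assumed policy: only ERROR-level findings fail the job; WARNING is reported only.
BLOCKING_SEVERITIES = frozenset({"ERROR"})


def load_findings(report_text):
    """Flatten the fields the gate needs from each result in the JSON report."""
    report = json.loads(report_text)
    findings = []
    for r in report.get("results", []):
        findings.append({
            "rule": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "severity": r["extra"]["severity"],
            "message": r["extra"]["message"],
        })
    return findings


def summarize(findings):
    """Count findings per (rule id, severity)."""
    return dict(Counter((f["rule"], f["severity"]) for f in findings))


def blocking(findings, severities=BLOCKING_SEVERITIES):
    """Findings whose severity is in the blocking set, in report order."""
    return [f for f in findings if f["severity"] in severities]


def gate(report_text, severities=BLOCKING_SEVERITIES, out=sys.stderr):
    """Print a summary plus every blocking finding; return the exit code for the CI job."""
    findings = load_findings(report_text)
    for (rule, sev), n in sorted(summarize(findings).items()):
        print(f"{sev:8} {n:4}  {rule}", file=out)
    blockers = blocking(findings, severities)
    for f in blockers:
        print(f"BLOCK {f['path']}:{f['line']} [{f['rule']}] {f['message']}", file=out)
    # Semgrep also reports parse/scan errors; surface them so a partial scan is noticed.
    errors = json.loads(report_text).get("errors", [])
    if errors:
        print(f"note: {len(errors)} scan error(s) reported; results may be incomplete", file=out)
    return 1 if blockers else 0


if __name__ == "__main__":
    # Pipeline usage: semgrep scan --json --config=... SRC > report.json && python gate.py < report.json
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    sys.exit(gate(text))
```

Run with no input to see the constructed sample processed; in the pipeline, pipe the real report into it as the usage line shows. Keeping the severity set in one place makes the blocking policy reviewable alongside the rules themselves.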
- Example 1: Detecting Hardcoded Passwords in Python

# hardcoded_password_rule.yml
rules:
  - id: python-hardcoded-password
    pattern: |
      password = "$PASSWORD"
    message: "Hardcoded password detected. Avoid hardcoding sensitive information."
    severity: WARNING
    languages: [python]
    metadata:
      category: security

- Example 2: Detecting Use of eval in Python (Potential Security Risk)
# use_of_eval_rule.yml
rules:
  - id: python-use-of-eval
    pattern: |
      eval($EXPR)
    message: "Avoid using eval(). It can lead to code injection vulnerabilities."
    severity: ERROR
    languages: [python]
    metadata:
      category: security

- Example 3: Detecting possible XSS in comments
# xss_comment.yml
rules:
  - id: xss-i
    message: "possible XSS in comment"
    severity: WARNING
    languages: [generic]
    metadata:
      category: security
    patterns:
      - pattern: -comment ...
      - pattern-not: -comment-list ...
- Example 4: Detecting SQL injection in SqlKata raw queries

# sqli_sqlkata.yml
rules:
  - id: sqli_sqlkata
    message: "possible SQL injection in SqlKata library via WhereRaw query"
    severity: WARNING
    languages: [generic]
    metadata:
      category: security
    pattern-either:
      - pattern: WhereRaw(...) ...
      - pattern: FromSqlRaw(...) ...
      - pattern: OrWhereRaw(...) ...
- Example 5: Detecting possible unauthenticated endpoints via a controller

# unauth.yml
rules:
  - id: unauth
    message: "possible unauthenticated endpoint via controller"
    severity: WARNING
    languages: [generic]
    metadata:
      category: security
    patterns:
      - pattern: class $M ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...
      - pattern-regex: (HttpPost|HttpGet)
      - metavariable-regex:
          metavariable: '$M'
          regex: '.*(ExternalController).*'
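A rule is only useful if you know what it does and does not flag. Semgrep's rule-testing convention is a fixture file next to the rule in which a `# ruleid: <id>` comment marks the next line as an expected match and `# ok: <id>` marks the next line as an expected non-match (checked with `semgrep test`). The file below is an added example, not part of these notes: it is a fixture for the two Python rules above (Example 1 and Example 2), with the insecure form beside the fix the rule is pushing you toward (a secret read from the environment; `ast.literal_eval` instead of `eval`). It also carries a small parser for those annotations so you can see what the test runner compares against scan results. The function bodies and sample values are constructed; the rule ids come from the rules above.

```python
"""Fixture for python-hardcoded-password and python-use-of-eval (added example; constructed code)."""
import ast
import os
import re

# --- Example 1: python-hardcoded-password ---------------------------------

def db_password_insecure():
    # ruleid: python-hardcoded-password
    password = "hunter2"  # constructed sample secret; the rule should flag this line
    return password


def db_password_secure():
    # ok: python-hardcoded-password
    password = os.environ.get("DB_PASSWORD", "")  # injected at deploy time, not in source
    return password


# --- Example 2: python-use-of-eval -----------------------------------------

def parse_config_insecure(text):
    # ruleid: python-use-of-eval
    return eval(text)  # arbitrary code execution if `text` is attacker-controlled


def parse_config_secure(text):
    # ok: python-use-of-eval
    try:
        return ast.literal_eval(text)  # accepts Python literals only: no names, no calls
    except (ValueError, SyntaxError) as exc:
        raise ValueError("config is not a Python literal") from exc


# --- Annotation parser: what `semgrep test` checks a fixture against ---------

_ANNOT = re.compile(r"^\s*#\s*(ruleid|ok):\s*([\w.-]+)\s*$")


def expected_findings(source_lines):
    """Return (must_match, must_not_match): rule id -> 1-based line numbers.

    An annotation comment refers to the line immediately after it.
    """
    must, must_not = {}, {}
    for idx, line in enumerate(source_lines, start=1):
        m = _ANNOT.match(line)
        if not m:
            continue
        kind, rule = m.groups()
        target = must if kind == "ruleid" else must_not
        target.setdefault(rule, []).append(idx + 1)
    return must, must_not


def check_findings(source_lines, findings):
    """Compare scan findings, given as (rule_id, line) pairs, with the annotations.

    Returns a list of problem strings: expected matches that were missed and
    `ok` lines that were flagged (false positives). Empty list means the rule passes.
    """
    must, must_not = expected_findings(source_lines)
    found = {(rule, line) for rule, line in findings}
    problems = []
    for rule, lines in must.items():
        for line in lines:
            if (rule, line) not in found:
                problems.append(f"missed: {rule} at line {line}")
    for rule, lines in must_not.items():
        for line in lines:
            if (rule, line) in found:
                problems.append(f"false positive: {rule} at line {line}")
    return problems


def self_expectations():
    """Annotations of this fixture file itself."""
    with open(__file__, encoding="utf-8") as fh:
        return expected_findings(fh.read().splitlines())


if __name__ == "__main__":
    must, must_not = self_expectations()
    print("expected matches:", must)
    print("expected non-matches:", must_not)
```

Running the file prints the line numbers each rule must and must not flag; placing it beside the rule YAML and running `semgrep test` on that directory performs the same comparison against an actual scan. Keeping the `ok` cases in the fixture is what catches a rule that is too broad, not just one that is too narrow.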
