hamid-k / semgrep Goto Github PK

Getting Started · Examples · Resources
Usage · Contributing · Commercial Support

Semgrep tl;dr:

• A simple, customizable, and fast static analysis tool for finding bugs
• Combines the speed and customization of grep with the precision of traditional static analysis tools
• No painful domain-specific language; Semgrep rules look like the source code you’re targeting
• Batteries included with hundreds of existing community rules for OWASP Top 10 issues and common mistakes
• Runs in CI, at pre-commit, or in the editor
• Runs offline on uncompiled code

Semgrep supports:

Semgrep is proudly supported by r2c. Learn more about a hosted version of Semgrep with an enterprise feature set at r2c.dev.

The best place to start with Semgrep and rule writing is its Quick Start. For a more in-depth introduction to its syntax and use cases visit the Semgrep Tutorial.

Semgrep can be installed using brew, pip, or docker:

# For macOS
$ brew install semgrep

# On Ubuntu/WSL/linux, we recommend installing via `pip`
$ python3 -m pip install semgrep

# To try Semgrep without installation run via Docker
$ docker run --rm -v "${PWD}:/src" returntocorp/semgrep --help

To confirm installation and get an overview of Semgrep's functionality run with --help:

$ semgrep --help

Once installed, Semgrep can be run with single rule patterns or entire rule packs:

# Check for Python == where the left and right hand sides are the same (often a bug)
$ semgrep -e '$X == $X' --lang=py path/to/src

# Run a ruleset with rules for many languages
$ semgrep --config=https://semgrep.dev/p/r2c-CI path/to/src

Explore the Semgrep Registry of rules and CI integrations at semgrep.dev.

Give some rule packs a spin by running on known vulnerable repositories:

# juice-shop, a vulnerable Node.js + Express app
$ git clone https://github.com/bkimminich/juice-shop
$ semgrep -f https://semgrep.dev/p/r2c-security-audit juice-shop

# railsgoat, a vulnerable Ruby on Rails app
$ git clone https://github.com/OWASP/railsgoat
$ semgrep -f https://semgrep.dev/p/r2c-security-audit railsgoat

# govwa, a vulnerable Go app
$ git clone https://github.com/0c34/govwa
$ semgrep -f https://semgrep.dev/p/r2c-security-audit govwa

# vulnerable Python+Flask app
$ git clone https://github.com/we45/Vulnerable-Flask-App
$ semgrep -f https://semgrep.dev/p/r2c-security-audit Vulnerable-Flask-App

# WebGoat, a vulnerable Java+Sprint app
$ git clone https://github.com/WebGoat/WebGoat
$ semgrep -f https://semgrep.dev/p/r2c-security-audit WebGoat

Learn more:

• Live Editor
• Semgrep Registry
• Documentation
• r2c YouTube channel for more videos.

Get in touch:

• Submit a bug report
• Join the Semgrep Slack to say "hi" or ask questions

See semgrep --help for command line options.

semgrep may exit with the following exit codes:

• 0: Semgrep ran successfully and found no errors
• 1: Semgrep ran successfully and found issues in your code
• >=2: Semgrep failed to run

To upgrade, run the command below associated with how you installed Semgrep:

# Using HomeBrew
$ brew upgrade semgrep

# Using `pip`
$ python3 -m pip install --upgrade semgrep

# Using Docker
$ docker pull returntocorp/semgrep:latest

Semgrep is LGPL-licensed, feel free to help out: CONTRIBUTING.

Semgrep is a frontend to a larger program analysis library named pfff. pfff began and was open-sourced at Facebook but is now archived. The primary maintainer now works at r2c. Semgrep was originally named sgrep and was renamed to avoid collisons with existing projects.

Semgrep is supported by r2c. We're hiring!

Interested in a fully-supported, hosted version of Semgrep? Drop your email and we'll be in touch!