semgrep v0.75 releases: Fast and syntax-aware semantic code pattern search

by do son · Published June 17, 2020 · Updated November 24, 2021

Semgrep

Semgrep is a command-line tool for offline static analysis. Use pre-built or custom rules to enforce code and security standards in your codebase. You can try it now with our interactive live editor.

Semgrep combines the convenient and iterative style of grep with the powerful features of an Abstract Syntax Tree (AST) matcher and limited dataflow. Easily find function calls, class or method definitions, and more without having to understand ASTs or wrestle with regexes.

Motivation

Semgrep exists because:

Insecure code is easy to write
The future of security involves automatically guiding developers towards a “paved road” made of default-safe frameworks (i.e. React or Object-relational Mappers)
grep isn’t expressive enough and traditional static analysis tools (SAST) are too complicated/slow for paved road automation

The AppSec, Developer, and DevOps communities deserve a static analysis tool that is fast, easy to use, code-aware, multi-lingual and open source!

Overview

Semgrep is optimized for:

Speed: Fast enough to run on every build, commit, or file save
Finding bugs that matter: Run your own specialized rules or choose OWASP 10 checks from the Semgrep Registry. Rules match source code at the Abstract Syntax Tree (AST) level, unlike regexes that match strings and aren’t semantically aware.
Ease of customization: Rules look like the code you’re searching for, no static analysis Ph.D. required. They don’t require compiled code, only source, reducing iteration time.
Ease of integration. Highly portable and many CI and git-hook integrations already exist. Output –json and pipe results into your existing systems.
Polyglot environments: Don’t learn and maintain multiple tools for your polyglot environment (e.g. ESLint, find-sec-bugs, RuboCop, Gosec). Use the same syntax and concepts independent of language.

Language Support

Go · Java · JavaScript · JSX · JSON · Python · Ruby · TypeScript · TSX

Pattern Syntax Teaser

One of the most unique and useful things about Semgrep is how easy it is to write and iterate on queries.

The goal is to make it as easy as possible to go from an idea in your head to find the code patterns you intend to.

Example: Say you want to find all calls to a function named exec, and you don’t care about the arguments. With Semgrep, you could simply supply the pattern exec(…) and you’d match:

# Simple cases grep finds
exec("ls")
exec(some_var)

# But you don't have to worry about whitespace
exec (foo)

# Or calls across multiple lines
exec (
    bar
)

Importantly, Semgrep would not match the following:

Semgrep will even match aliased imports:

Play with this example in your browser here, or copy the above code into a file locally (exec.py) and run:

More example patterns:

Pattern	Matches
`$X == $X`	`if (node.id == node.id): ...`
`requests.get(..., verify=False, ...)`	`requests.get(url, timeout=3, verify=False)`
`os.system(...)`	`from os import system; system('echo semgrep')`
`$ELEMENT.innerHTML`	el.innerHTML = "<img src='x' onerror='alert(`XSS`)'>";
`$TOKEN.SignedString([]byte("..."))`	`ss, err := token.SignedString([]byte("HARDCODED KEY"))`

Changelog v0.75

Fixed

semgrep-ci relies on --disable-nosem still tagging findings with is_ignored
correctly. Reverting optimization in 0.74.0 that left this field None when said
flag was used