---

name: semgrep description: Static analysis with Semgrep - pattern-based security scanning and custom rule creation.

Semgrep Static Analysis

When to Use Semgrep

Ideal scenarios:

• Quick security scans (minutes, not hours)
• Pattern-based bug detection
• Enforcing coding standards and best practices
• Finding known vulnerability patterns
• Single-file analysis without complex data flow
• First-pass analysis before deeper tools

Consider CodeQL instead when:

• Need interprocedural taint tracking across files
• Complex data flow analysis required
• Analyzing custom proprietary frameworks

Installation

Copy# pip
pip install semgrep

# Homebrew
brew install semgrep

# Docker
docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config auto /src

Core Workflow

1. Quick Scan

Copysemgrep --config auto .                    # Auto-detect rules
semgrep --config auto --metrics=off .      # Disable telemetry

2. Use Rulesets

Copysemgrep --config p/<RULESET> .             # Single ruleset
semgrep --config p/security-audit --config p/trailofbits .  # Multiple

3. Output Formats

Copysemgrep --config p/security-audit --sarif -o results.sarif .  # SARIF
semgrep --config p/security-audit --json -o results.json .    # JSON
semgrep --config p/security-audit --dataflow-traces .         # Show data flow

Writing Custom Rules

Basic Structure

Copyrules:
  - id: hardcoded-password
    languages: [python]
    message: "Hardcoded password detected: $PASSWORD"
    severity: ERROR
    pattern: password = "$PASSWORD"

Pattern Syntax

Pattern Operators

Combining Patterns

Copyrules:
  - id: sql-injection
    languages: [python]
    message: "Potential SQL injection"
    severity: ERROR
    patterns:
      - pattern-either:
          - pattern: cursor.execute($QUERY)
          - pattern: db.execute($QUERY)
      - pattern-not:
          - pattern: cursor.execute("...", (...))
      - metavariable-regex:
          metavariable: $QUERY
          regex: .*\+.*|.*\.format\(.*|.*%.*

Taint Mode (Data Flow)

Taint mode tracks data through assignments and transformations:

Copyrules:
  - id: command-injection
    languages: [python]
    message: "User input flows to command execution"
    severity: ERROR
    mode: taint
    pattern-sources:
      - pattern: request.args.get(...)
      - pattern: request.form[...]
      - pattern: request.json
    pattern-sinks:
      - pattern: os.system($SINK)
      - pattern: subprocess.call($SINK, shell=True)
      - pattern: subprocess.run($SINK, shell=True, ...)
    pattern-sanitizers:
      - pattern: shlex.quote(...)
      - pattern: int(...)

CI/CD Integration (GitHub Actions)

Copyname: Semgrep
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 1 * *'  # Monthly

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Semgrep
        run: |
          if [ "${{ github.event_name }}" = "pull_request" ]; then
            semgrep ci --baseline-commit ${{ github.event.pull_request.base.sha }}
          else
            semgrep ci
          fi
        env:
          SEMGREP_RULES: >-
            p/security-audit
            p/owasp-top-ten
            p/trailofbits

Configuration

.semgrepignore

Copytests/
fixtures/
**/testdata/
generated/
vendor/
node_modules/

Suppress False Positives

Copypassword = get_from_vault()  # nosemgrep: hardcoded-password
dangerous_but_safe()         # nosemgrep

Rationalizations to Reject

Resources

• Registry: https://semgrep.dev/explore
• Playground: https://semgrep.dev/playground
• Docs: https://semgrep.dev/docs/
• Trail of Bits Rules: https://github.com/trailofbits/semgrep-rules

Attribution

Based on trailofbits/skills semgrep skill.