|Semgrep is a lightweight static analysis tool for many languages. Find and block bug variants with rules that look like source code.
Welcome to the first Semgrep newsletter!
tl;dr: upgrade to get regex compatibility and faster performance, use pre-built rules from the Semgrep Registry, and fine-tune your rules with some handy CLI flags.
⬆️ Upgrading Semgrep
We ship a new version every week and you can watch for releases here.
- Homebrew: $ brew upgrade semgrep
- PyPI: $ python -m pip install --upgrade semgrep
- Docker: $ docker pull returntocorp/semgrep:latest
📦 Semgrep Registry
Exploring the Registry is the easiest way to start using Semgrep. It includes curated rules that scan your code for security, correctness, and performance issues.
New JWT rules for Node.js scan your code for mistakes commonly made when using the JWT standard. Read more about hardcoded secrets, unverified tokens, and other common JWT mistakes on the r2c blog.
You can run any of the Registry’s rule packs with $ semgrep --config <rule pack url>. The exact command for a pack is shown on its rule pack page:
Run any rule pack on a GitHub repo, on the command line, or in CI.
✍ Live editor enhancements
The live editor lets you quickly prototype Semgrep rules and iterate. The new step-by-step debugger breaks down Semgrep’s matching so you can fine-tune your patterns and pinpoint exactly the code you want to match.
Step-by-step debugging in the live editor
🧰 Semgrep CLI
Recent improvements to the Semgrep CLI include:
- pattern-regex: this operator matches a Python re-compatible regular expression against the raw file text (see this example)
- include or exclude files and paths with --include INCLUDE or --exclude EXCLUDE
- suppress individual findings inline with nosem comments; pass --disable-nosem to ignore those comments and report every finding
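Putting the three together, here is an added example (not code from the newsletter or from the Semgrep project): a one-rule config that uses pattern-regex to flag a string-literal JWT signing secret, a constructed JavaScript target with one finding suppressed by nosem, a vendored copy that --exclude should skip, and the two semgrep invocations with and without --disable-nosem. The rule id, the regex, the file names and the sample code are assumptions made for illustration; the grep preview is a sanity check on the regex and is not part of Semgrep.

```shell
#!/bin/sh
# Added example; not code from the newsletter or from the Semgrep project.
# It exercises a pattern-regex rule, the --include/--exclude path filters,
# and nosem suppression with --disable-nosem. The rule id, regex, file
# names and sample JavaScript are assumptions made for illustration.
set -eu

# Python-re syntax for the rule, and the same expression in POSIX ERE so
# grep can preview it (Python's \s is written [[:space:]] for grep).
RULE_REGEX='jwt\.sign\([^,]+,\s*"[^"]{16,}"'
GREP_REGEX='jwt\.sign\([^,]+,[[:space:]]*"[^"]{16,}"'

# Write a one-rule config. pattern-regex runs over the raw file text, so it
# can require a minimum secret length, which a structural pattern such as
# jwt.sign($P, "...") cannot express.
write_rule() {
  cat > "$1" <<EOF
rules:
  - id: example-hardcoded-jwt-secret
    languages: [javascript]
    severity: WARNING
    message: Possible hardcoded JWT signing secret; read it from configuration instead
    pattern-regex: '${RULE_REGEX}'
EOF
}

# Constructed sample targets: one real source file and a vendored copy that
# --exclude vendor should skip.
write_targets() {
  mkdir -p "$1/src" "$1/vendor"
  cat > "$1/src/auth.js" <<'EOF'
const jwt = require('jsonwebtoken');

// Finding: the signing secret is a string literal in source.
const t1 = jwt.sign({ sub: user.id }, "0123456789abcdefghij");

// Suppressed inline; --disable-nosem makes Semgrep report it anyway.
const t2 = jwt.sign({ sub: user.id }, "zyxwvutsrqponmlkjihg"); // nosem

// No finding: the secret is loaded at runtime.
const t3 = jwt.sign({ sub: user.id }, process.env.JWT_SECRET);
EOF
  cp "$1/src/auth.js" "$1/vendor/third_party.js"
}

# Sanity-check the regex with grep before trusting it inside a rule.
# grep knows nothing about nosem, so it lists every candidate line (t1 and t2).
preview_matches() {
  grep -En "$GREP_REGEX" "$1"
}

# Scan only *.js files, skip anything under vendor/, pass extra flags through.
scan() {
  rule=$1; target=$2; shift 2
  semgrep --config "$rule" --include '*.js' --exclude vendor "$@" "$target"
}

main_example() {
  dir=$(mktemp -d)
  write_rule "$dir/jwt-secret.yml"
  write_targets "$dir"
  preview_matches "$dir/src/auth.js"
  if command -v semgrep >/dev/null 2>&1; then
    scan "$dir/jwt-secret.yml" "$dir"                  # honours the nosem on t2
    scan "$dir/jwt-secret.yml" "$dir" --disable-nosem  # reports t2 as well
  else
    echo "semgrep not found; rule and targets were written to $dir" >&2
  fi
}

main_example
```

The grep preview is worth keeping in your own rule-writing loop: it shows which lines the regex hits independent of Semgrep's include/exclude and nosem handling, so when a scan reports fewer lines than the preview you know the difference comes from those filters rather than from the pattern.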
Please don’t hesitate to reach out for support or discussion via Slack or email@example.com. We’re here to help!
The r2c team