Semgrep is a lightweight static analysis tool for many languages. Find and block bug variants with rules that look like source code.
 

Welcome to the first Semgrep newsletter!
tl;dr: upgrade to get regex compatibility and faster performance, use pre-built rules from the Semgrep Registry, and fine-tune your rules with some handy CLI flags.

 

⬆️ Upgrading Semgrep

  • Homebrew:  $ brew upgrade semgrep 
  • PyPI:  $ python -m pip install --upgrade semgrep 
  • Docker:  $ docker pull returntocorp/semgrep:latest 
We ship a new version every week and you can watch for releases here.

 

📦 Semgrep Registry

Exploring the Registry is the easiest way to start using Semgrep. It includes curated rules that scan your code for security, correctness, and performance issues.

New JWT rules for Node.js scan your code for mistakes commonly made when using the JWT standard. Read more about hardcoded secrets, unverified tokens, and other common JWT mistakes on the r2c blog.

You can run any of the Registry’s rule packs via  $ semgrep --config <rule pack url> . Get the  semgrep command for a rule pack from the rule pack page:


Run any rule pack on a GitHub repo, on the command line, or in CI.

 

✍ Live editor enhancements

The live editor lets you quickly prototype Semgrep rules and iterate. The new step-by-step debugger breaks down Semgrep’s matching so you can fine-tune your patterns and pinpoint exactly the code you want to match.


Step-by-step debugging in the live editor

 

🧰 Semgrep CLI

Recent improvements to the Semgrep CLI include:
  •  pattern-regex : this operator searches for a Python  re  -compatible expression (see this example)
  • include and exclude files or paths using  --include INCLUDE  or  --exclude EXCLUDE 
  • inline whitelisting capabilities via  nosem  comments and the  --disable-nosem  flag
 

📢 Feedback

Please don’t hesitate to reach out for support or discussion via Slack or support@r2c.dev. We’re here to help!


Happy coding,
The r2c team
GitHub
Follow r2c on Twitter
r2c, makers of Bento
Copyright © 2020 r2c, All rights reserved.


Want to change how you receive these emails?
You can subscribe to this newsletterupdate your preferences, or unsubscribe from this list.