Semgrep is a lightweight static analysis tool for many languages. Find bugs and enforce code standards.

Introducing Semgrep Fix Rate

A major new Semgrep App release adds fix rate, which measures whether developers actually fix the issues Semgrep reports. Log in to see what your fix rate looks like, and read our co-founder Luke’s blog post on whether it’s a good idea to ban random(). We’ve also added a setup button that makes it much faster to add Semgrep to many projects.


⬆️ Upgrade to Semgrep v0.39.1

  • Homebrew: $ brew upgrade semgrep
  • PyPI: $ python -m pip install --upgrade semgrep
  • Docker: $ docker pull returntocorp/semgrep:latest

New in Semgrep CLI:
  • TypeScript and Ruby moved from beta to full (GA) support!
  • Improved intraprocedural dataflow: see a live example
  • pattern-not-regex to filter findings using a regular expression
  • Typed metavariables can now match field access when Semgrep can propagate a field’s type
  • Constant propagation for Java final fields (using this.field syntax)
  • Experimental Semgrep rule (meta)linter
Note: please update your CLI to v0.39.1 to get the latest and greatest! You can watch for releases here.


🧰 Executable XSS cheat sheets

Run these to check an application for code patterns that can lead to XSS (cross-site scripting). Rather than asking you to scrutinize code for exploitable vulnerabilities, the recommendations in these cheat sheets (for Django, Flask, Java/JSP, and Ruby on Rails) pave a safe road for developers that mitigates the possibility of XSS in your code.

Get the cheat sheets →


🛡 Appsec Development: Keeping it together at scale

Clint Gibler (r2c) and Jacob Salassi (Snowflake) share tons of details, actionable insights, and a few spot-on memes in this article on threat modeling.

Read the post →


🧯 A short lesson from Huawei’s source code

If developers don’t believe in code hardening ideas, things can go wrong in amusing ways. Isaac Evans, r2c’s CEO, illustrates this through the lens of a review of Huawei source code.

Read the post →


📢 Feedback

Got a question? Want to chat about Semgrep patterns, writing rules, or how to enforce code standards in your organization? Join the r2c Community Slack to say “hi” or ask questions — there’s a friendly and active community ready to help 🤗!

Happy coding,
The r2c team
r2c, makers of Bento
Copyright © 2021 r2c, All rights reserved.