⬆️ Upgrade to Semgrep v0.45.0
Upgrade with your package manager of choice:
- Homebrew: $ brew upgrade semgrep
- PyPI: $ python -m pip install --upgrade semgrep
- Docker: $ docker pull returntocorp/semgrep:latest
Update your CLI to v0.45.0 to get the latest and greatest! You can watch for releases here.
New in Semgrep:
- YAML support: write rules to scan and find patterns in YAML code
- --json-time flag reports runtimes per (rule, target file) pair
- Numeric equivalences: match by value, e.g., the pattern 8 now matches code like x = 0x8
- Ignore findings via inline nosemgrep comments in HTML (nosem comments still work, too)
- Squashing of myriad bugs!
New alpha support for YAML lets you scan Kubernetes configs, CI/CD workflow files, and essentially anything YAML—even Semgrep rules themselves!
Scan and enforce code patterns in YAML
Behind the scenes: adding YAML support to Semgrep →
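As an added example (not from this newsletter or the Semgrep rule registry), here is a rule file that exercises two of the features above: a YAML-language rule that flags privileged containers in a Kubernetes manifest, and a Python rule whose numeric literal is compared by value. The rule-schema keys are Semgrep's documented ones; the exact YAML pattern semantics (`...` inside a mapping, matching a single `key: value` entry) are my assumption and should be checked with `semgrep --validate --config rules.yaml` on your version.

```yaml
# rules.yaml (constructed example, not shipped with Semgrep)
#
# Constructed target to exercise the first rule, e.g. deploy.yaml:
#   spec:
#     containers:
#       - name: app
#         securityContext:
#           privileged: true
#
# Constructed target to exercise the second rule, e.g. setup.py:
#   os.chmod(path, 511)     # 511 == 0o777, matched by value
#   os.chmod(path, 0x1ff)   # also 0o777, also matched
#
# Run: semgrep --config rules.yaml --json-time deploy.yaml setup.py
rules:
  - id: k8s-privileged-container
    languages: [yaml]
    severity: WARNING
    message: >-
      Container sets securityContext.privileged: true, which gives the
      process full access to the host. Remove the flag or document why
      the workload needs it.
    metadata:
      category: security
      technology: [kubernetes]
    patterns:
      # Restrict the match to entries nested under a securityContext block.
      - pattern-inside: |
          securityContext:
            ...
      # Flag the entry only when the flag is actually enabled.
      - pattern: |
          privileged: true

  - id: world-writable-chmod
    languages: [python]
    severity: WARNING
    message: >-
      os.chmod() with mode 0o777 makes the path writable by every user.
      Use the narrowest mode the program needs.
    metadata:
      category: security
    # Numeric equivalence (assumption: compares literals by value) lets this
    # single pattern cover 0o777, 511 and 0x1ff spellings of the same mode.
    pattern: os.chmod($PATH, 0o777)
```

Findings in a YAML target can be silenced per line with a `# nosemgrep` comment on the offending line, the same mechanism the HTML support in this release adds.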
❇️ Add Semgrep to CI in a few clicks
Simplified project configuration lets you add a project and assign a policy in a few clicks. Simply find your repository in the projects page and click “Commit file.” That’s it! — the Semgrep App takes care of creating the workflow YAML file, committing it to your repository, and triggering the first scan for you.
Add a project →
John Melton wrote and released an IntelliJ plugin for Semgrep. This means the VS Code Semgrep extension now has a cousin for IntelliJ IDEA. Thanks for sharing your work, John!
IntelliJ plugin for Semgrep
Get the IntelliJ plugin →
Plugins are so hot right now. Semgrep’s new --vim flag outputs results in Vim single-line format, so you can see Semgrep results and syntax highlighting in Vim.
Vim users, unite!
Get the Vim plugin →
You get a plugin! And you get a plugin! Everyone gets a plugin! 🤗
GolangCI-Lint for Semgrep
@azuline developed and released a plugin, too! This one’s for GolangCI-Lint. Thanks, @azuline!
Get the GolangCI-Lint plugin →
📺 Spreading security across the SDLC
At the Open Security Summit a few weeks ago, John Melton presented on how security can be spread across the SDLC. Check out all the videos from the Open Security Summit on their YouTube channel.
Got a question? Want to chat about Semgrep patterns, writing rules, or how to enforce code standards in your organization? Join the r2c Community Slack to say “hi” or ask questions — there’s a friendly and active community ready to help 🤗!
The r2c team