Semgrep is static analysis at ludicrous speed. Find bugs and enforce code standards.

⬆️ Upgrade to Semgrep v0.45.0

  • Homebrew:  $ brew upgrade semgrep 
  • PyPI:  $ python -m pip install --upgrade semgrep 
  • Docker:  $ docker pull returntocorp/semgrep:latest 
New in Semgrep:
  • YAML support: write rules to scan and find patterns in YAML code
  •  --json-time  flag reports runtimes for (rule, target file)
  • Numeric equivalences: match by values, e.g., the pattern  8  now matches code like  x = 0x8 
  • Ignore findings via inline  nosemgrep  comments in HTML ( nosem  comments still work, too)
  • Squashing of myriad bugs!
Update your CLI to v0.45.0 to get the latest and greatest! You can watch for releases here.


 Scan and enforce code patterns in YAML

New alpha support for YAML lets you scan Kubernetes configs, CI/CD workflow files, and essentially anything YAML—even Semgrep rules themselves!

Behind the scenes: adding YAML support to Semgrep → 


❇️ Add Semgrep to CI in a few clicks

Simplified project configuration lets you add a project and assign a policy in a few clicks. Simply find your repository in the projects page and click “Commit file.” That’s it! — the Semgrep App takes care of creating the workflow YAML file, committing it to your repository, and triggering the first scan for you.

Add a project →


 IntelliJ plugin for Semgrep

John Melton wrote and released an IntelliJ plugin for Semgrep. This means the VS Code Semgrep extension now has a cousin for IntelliJ IDEA. Thanks for sharing your work, John!

Get the IntelliJ plugin →


 Vim users, unite!

Plugins are so hot right now. Semgrep’s new  --vim  flag outputs results in Vim single-line format, so you can see Semgrep results and syntax highlighting in Vim.

Get the Vim plugin →


 GolangCI-Lint for Semgrep

You get a plugin! And you get a plugin! Everyone gets a plugin! 🤗
@azuline developed and released a plugin, too! This one’s for GolangCI-Lint. Thanks, @azuline!

Get the GolangCI-Lint plugin →


📺 Spreading security across the SDLC

At the Open Security Summit a few weeks ago, John Melton presented on how security can be spread across the SDLC. Check out all the videos from the Open Security Summit on their YouTube channel.


📢 Feedback

Got a question? Want to chat about Semgrep patterns, writing rules, or how to enforce code standards in your organization? Join the r2c Community Slack to say “hi” or ask questions — there’s a friendly and active community ready to help 🤗!

Happy coding,
The r2c team
Follow r2c on Twitter
r2c, makers of Bento
Copyright © 2021 r2c, All rights reserved.

Want to change how you receive these emails?
You can subscribe or unsubscribe from this list.