⬆️ Upgrade to Semgrep v0.35.0
New in Semgrep CLI:
- Homebrew: $ brew upgrade semgrep
- PyPI: $ python -m pip install --upgrade semgrep
- Docker: $ docker pull returntocorp/semgrep:latest
New in Semgrep Community:
- Ruby support is now in GA status
- Select rules based on severity with the --severity flag. Thanks @kishorbhat!
- Ignore findings with a // nosemgrep comment instead of the original // nosem comment (they behave identically)
- JSON output now includes a per-finding attribute named is_ignored. It is false in a normal run; when running with --disable-nosem, findings that a // nosem comment would normally exclude are still reported, with is_ignored set to true.
Note: please update your CLI to v0.35 to get the latest and greatest! You can watch for releases here.
- Automatic PR comments now available in beta
- Over 1,000 rules are now available in the Semgrep Registry 🎉
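To make the is_ignored attribute concrete, here is an added example (not part of these release notes or of the Semgrep project) that post-processes `semgrep --json --disable-nosem` output to audit which findings are being suppressed by nosemgrep comments, with a severity filter mirroring --severity; the sample JSON, rule ids and file paths are constructed, and the result field names are assumed to match Semgrep's JSON output schema.

```python
"""Audit nosemgrep/nosem suppressions from `semgrep --json --disable-nosem`.

With --disable-nosem, findings that a // nosemgrep (or // nosem) comment
would normally hide are still reported, but carry extra.is_ignored == true.
Splitting on that attribute lets a CI job review what is being suppressed.
"""
import json
from collections import Counter

# Constructed sample output (not a real scan); field names assumed to follow Semgrep's
# JSON output: results[].check_id, path, start.line, extra.{severity,is_ignored}.
SAMPLE_JSON = """{"results": [
  {"check_id": "ruby.lang.security.eval-use", "path": "app/x.rb", "start": {"line": 12},
   "extra": {"message": "eval on user input", "severity": "ERROR", "is_ignored": false}},
  {"check_id": "ruby.lang.security.weak-hash", "path": "lib/h.rb", "start": {"line": 40},
   "extra": {"message": "MD5 in use", "severity": "WARNING", "is_ignored": true}},
  {"check_id": "ruby.lang.security.weak-hash", "path": "lib/k.rb", "start": {"line": 7},
   "extra": {"message": "MD5 in use", "severity": "WARNING", "is_ignored": true}},
  {"check_id": "generic.nginx.http-redirect", "path": "nginx.conf", "start": {"line": 3},
   "extra": {"message": "redirect to http://", "severity": "INFO", "is_ignored": false}}
], "errors": []}"""

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def split_findings(output_json, min_severity="INFO"):
    """Return (live, suppressed) findings at or above min_severity (cf. --severity).
    is_ignored defaults to False so pre-v0.35 output, which lacks it, is all live."""
    live, suppressed = [], []
    for result in json.loads(output_json)["results"]:
        extra = result["extra"]
        if SEVERITY_RANK[extra["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        bucket = suppressed if extra.get("is_ignored", False) else live
        bucket.append(result)
    return live, suppressed


def suppressions_by_rule(output_json):
    """Count suppressed findings per check_id, most-suppressed rule first."""
    _, suppressed = split_findings(output_json)
    return Counter(r["check_id"] for r in suppressed).most_common()


if __name__ == "__main__":
    live, suppressed = split_findings(SAMPLE_JSON, "WARNING")
    print(f"{len(live)} live, {len(suppressed)} suppressed at WARNING and above")
    for check_id, count in suppressions_by_rule(SAMPLE_JSON):
        print(f"  {check_id}: {count} suppressed")
```

In a real pipeline, feed the script the file written by `semgrep --json --disable-nosem -o findings.json` and fail the job if a rule accumulates more suppressions than your team has agreed to.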
💬 Automatic PR comments
Automatic PR comments let Semgrep show rule findings and messages directly in GitHub pull request comments, showing timely results in the developer’s workflow. Automatic PR comments are currently in beta for Semgrep Community users.
Enable automatic PR comments →
🎓 Ruby support now in GA
Ruby is officially graduating from beta to GA status in Semgrep v0.35.0! Try out our latest Ruby rulesets:
We also welcome your Ruby rule contributions at semgrep-rules/ruby!
Our Ruby journey began way back in July. With the help of the community we’ve since ironed out bugs, written many Semgrep rules, learned all about the dusty, rarely used corners of the language, and slowly but surely watched support mature. To learn more about language support tiers like beta and GA visit the supported languages docs.
Check out the Registry to grab rulesets that enforce secure guardrails, ensure code quality, perform security auditing, and more. You can filter down rules in the Registry by keyword, language, severity, or category.
1️⃣0️⃣0️⃣0️⃣ Over 1k rules now in the Semgrep Registry
Have Semgrep rules to share? Add your repository to the Awesome Rulesets list or contribute them directly to semgrep-rules, the “standard library” for Semgrep. Once the PR is merged, your rules will be available for anyone to use via the Semgrep Registry. Big thanks to the 40+ contributors who’ve already added rules to the Registry!
Explore the Registry →
🔎 Scan Terraform files, server configs, or other structured data
A new experimental feature, generic pattern matching, allows Semgrep to match code patterns in configuration files, in structured data (e.g., HTML or XML), or in languages that don’t yet have a Semgrep parser. For example, you may want to find unwanted permissions enabled in Terraform files, insecure redirects in nginx, or misconfigured blog engine settings.
Learn about generic pattern matching →
📚 New, searchable documentation
Just what it says on the tin: quickly find answers to your Semgrep questions with our updated and searchable docs. In addition to references for Semgrep pattern and rule syntaxes, there’s also new data on per-language parse rate and support status, updated info on experimental features, and an FAQ.
Read the docs →
Got a question? Want to chat about Semgrep patterns, writing rules, or how to enforce code standards in your organization? Join the r2c Community Slack to say “hi” or ask questions — there’s a friendly and active community ready to help 🤗!
The r2c team