Semgrep is a lightweight, offline, open-source, static analysis tool. Run community rules or write your own in less than 5 minutes. Configure and run in 2 minutes.


⬆️ Upgrade to Semgrep v0.35.0

  • Homebrew:  $ brew upgrade semgrep 
  • PyPI:  $ python -m pip install --upgrade semgrep 
  • Docker:  $ docker pull returntocorp/semgrep:latest 
New in Semgrep CLI:
  • Ruby support is now in GA status
  • JavaScript rules now run on TypeScript files automatically
  • Select rules based on severity with the  --severity  flag. Thanks @kishorbhat!
  • Ignore findings with a // nosemgrep  comment instead of the original
     // nosem  comment (they behave identically)
  • JSON output now includes an attribute of findings named  is_ignored . This is  false  under regular circumstances, but running with  --disable-nosem  will return  true  for findings that normally would’ve been excluded by a  // nosem  comment.
New in Semgrep Community:
  • Automatic PR comments now available in beta
  • Over 1,000 rules are now available in the Semgrep Registry 🎉
Note: please update your CLI to v0.35 to get the latest and greatest! You can watch for releases here.

💬 Automatic PR comments

Automatic PR comments let Semgrep show rule findings and messages directly in GitHub pull request comments, showing timely results in the developer’s workflow. Automatic PR comments are currently in beta for Semgrep Community users.

Enable automatic PR comments →


🎓 Ruby support now in GA

Ruby is officially graduating from beta to GA status in Semgrep v0.35.0! Try out our latest Ruby rulesets: We also welcome your Ruby rule contributions at semgrep-rules/ruby!

Our Ruby journey began way back in July. With the help of the community we’ve since ironed out bugs, written many Semgrep rules, learned all about the dusty, rarely used corners of the language, and slowly but surely watched support mature. To learn more about language support tiers like beta and GA visit the supported languages docs.

1️⃣0️⃣0️⃣0️⃣ Over 1k rules now in the Semgrep Registry

Check out the Registry to grab rulesets that enforce secure guardrails, ensure code quality, perform security auditing, and more. You can filter down rules in the Registry by keyword, language, severity, or category.

Have Semgrep rules to share? Add your repository to the Awesome Rulesets list or contribute them directly to semgrep-rules, the “standard library” for Semgrep. Once the PR is merged, your rules will be available for anyone to use via the Semgrep Registry. Big thanks to the 40+ contributors who’ve already added rules to Registry!

Explore the Registry →


🔎 Scan Terraform files, server configs, or other structured data

A new experimental feature, generic pattern matching, allows Semgrep to match code patterns in configuration files, in structured data (e.g., HTML or XML), or in languages that don’t yet have a Semgrep parser. For example, you may want to find unwanted permissions enabled in Terraform files, insecure redirects in nginx, or misconfigured blog engine settings.

Learn about generic pattern matching →


📚 New, searchable documentation

Just what it says on the tin: quickly find answers to your Semgrep questions with our updated and searchable docs. In addition to references for Semgrep pattern and rule syntaxes, there’s also new data on per-language parse rate and support status, updated info on experimental features, and an FAQ. 

Read the docs →


📢 Feedback

Got a question? Want to chat about Semgrep patterns, writing rules, or how to enforce code standards in your organization? Join the r2c Community Slack to say “hi” or ask questions — there’s a friendly and active community ready to help 🤗!

Happy coding,
The r2c team
Follow r2c on Twitter
r2c, makers of Bento
Copyright © 2020 r2c, All rights reserved.

Want to change how you receive these emails?
You can subscribe or unsubscribe from this list.