Semgrep is a lightweight static analysis tool for many languages. Find and block bug variants with rules that look like source code.
⬆️ Upgrading Semgrep (new version every week!)
We’re now on Semgrep v0.25! Upgrade with:
- Homebrew: $ brew upgrade semgrep
- PyPI: $ python -m pip install --upgrade semgrep
- Docker: $ docker pull returntocorp/semgrep:latest
We ship a new version every week. Watch for releases here.
Recent release highlights include:
- New metavariable-regex operator, which filters findings by matching a metavariable’s captured source text against a Python re.match compatible regular expression (re.match anchors at the start of the text but not at the end, so add $ if you need a full match)
- Support for typed metavariables in Go and Java
- Beta support for Ruby and JSX (React)
- A whole bunch of performance improvements and bug fixes
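As an added illustration of the new metavariable-regex operator (this is example code written for this note, not a rule shipped by r2c; the rule id and the sample target lines are constructed for it), the rule below binds the first argument of hashlib.new() to $ALG and then keeps only the findings where that argument is a string literal naming MD5 or SHA-1. Because metavariable-regex runs against the captured source text, the regex has to account for the surrounding quote characters, and because re.match only anchors at the start, the trailing $ is what prevents "sha1_extra" style values from slipping through.

```yaml
rules:
  - id: python-weak-hash-algorithm   # hypothetical rule id
    languages: [python]
    severity: WARNING
    message: >
      hashlib.new() is called with a weak digest algorithm ($ALG).
      Use SHA-256 or stronger for anything security-sensitive.
    patterns:
      # Match every call to hashlib.new(...) and bind its first argument.
      # The trailing ... allows zero or more further arguments.
      - pattern: hashlib.new($ALG, ...)
      # Filter on the bound text. The text includes the string's own quotes,
      # so the character classes match either quote style; (?i) makes the
      # algorithm name case-insensitive; $ anchors the end (re.match does not).
      - metavariable-regex:
          metavariable: $ALG
          regex: (?i)^["'](md5|sha1)["']$

# Constructed sample target (not part of the rule):
#   hashlib.new("md5", data)        -> flagged
#   hashlib.new("SHA1")             -> flagged (case-insensitive)
#   hashlib.new("sha256", data)     -> not flagged
#   hashlib.new(algo_name, data)    -> not flagged: $ALG is an identifier,
#                                      not a literal, so the regex fails
```

Run it against a tree with `semgrep --config weak-hash.yml src/`. The last sample line shows the caveat: a regex filter on source text only sees literals, so an algorithm name that arrives through a variable or a config lookup is invisible to this rule and needs a separate pattern (or dataflow) to catch.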
🔎 Enforce security standards with Semgrep Community
Want to scan code in CI and enforce security standards across your projects?
With Semgrep Community, you can make a rule, add it to a policy, and enforce the policy at CI time in 54 seconds!
Semgrep rule written, added to a policy, and enforced in CI
🤖 Build a static analysis security bot in GitLab
Abhay Bhargav, CEO of we45, wrote a post describing how he built a static analysis security bot in GitLab, running Nodejsscan only on the changed code of each merge request.
Integrating static analysis into a GitLab CI workflow
Rohit Salecha, a security consultant at NotSoSecure, wrote, “Semgrep — A Practical Introduction.” In it, Rohit walks through how to pinpoint potential SQL injections, identify use of insecure cryptography, check for enforcement of security best practices, and lots more!
📺 #PLTalk Twitch stream
On Jean Yang and Hongyi Hu’s #PLTalk Twitch series we discussed, “Semantic Grep and the Future of Static Analysis.” Catch the weekly programming languages stream with Jean and Hongyi every Friday afternoon at 3pm PT.
PLTalk: Semantic Grep and the Future of Static Analysis
Please don’t hesitate to reach out for support or discussion via Slack or firstname.lastname@example.org. We’re here to help!
The r2c team