Semgrep is a lightweight static analysis tool for many languages. Find and block bug variants with rules that look like source code.

โฌ†๏ธ Upgrading Semgrep (new version every week!)

  • Homebrew:  $ brew upgrade semgrep 
  • PyPI:  $ python -m pip install --upgrade semgrep 
  • Docker:  $ docker pull returntocorp/semgrep:latest 
We're now on Semgrep v0.25! Recent release highlights include:
  • New metavariable-regex operator, which filters findings by testing a metavariable's matched text against a Python re.match compatible expression (so the regex is applied from the start of the value)
  • Support for typed metavariables in Go and Java
  • Beta support for Ruby and JSX (React)
  • A whole bunch of performance improvements and bug fixes
We ship a new version every week. Watch for releases here.
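To see the new operators in a rule, here is an added example rules file written for this newsletter by the editor; it is not code from the release or from r2c's rule registry, and the rule ids, messages, and the choice of sinks are assumptions. It shows metavariable-regex filtering an assignment by its right-hand side, a typed metavariable in Java, and the kind of SQL-injection sink pattern the "Practical Introduction" post below walks through. Run it with `semgrep --config rules.yaml path/to/code`.

```yaml
rules:
  # Rule 1: metavariable-regex.
  # The pattern binds the right-hand side of any assignment to $VAL; the regex
  # then keeps only values that look like an AWS access key ID (AKIA followed by
  # 16 upper-case alphanumerics). Because the regex is evaluated with re.match
  # semantics it is anchored at the start of the matched text, and that text is
  # the source as written, so the optional quote classes below tolerate a
  # string literal's own quotes. (Assumption: rule id and message are ours.)
  - id: hardcoded-aws-access-key-id
    languages: [python]
    severity: ERROR
    message: >-
      Looks like a hard-coded AWS access key ID assigned to $KEY. Load
      credentials from the environment or a secrets manager instead.
    patterns:
      - pattern: $KEY = $VAL
      - metavariable-regex:
          metavariable: $VAL
          regex: "^[\"']?AKIA[0-9A-Z]{16}[\"']?$"

  # Rule 2: typed metavariable (Java).
  # (String $Y) matches only expressions whose declared type is String, so
  # `a == b` on ints is left alone while `token == expected` on Strings, which
  # compares references rather than contents, is flagged.
  - id: java-string-compared-with-equality-operator
    languages: [java]
    severity: WARNING
    message: >-
      $X == $Y compares String references, not contents. Use $X.equals($Y),
      or MessageDigest.isEqual for secrets so the comparison is constant-time.
    pattern: $X == (String $Y)

  # Rule 3: SQL statement assembled at the execute() call site.
  # pattern-either lists several ways the query text can be built from data;
  # "..." matches any string literal and ... matches any remaining arguments.
  # A parameterized call such as cursor.execute("... %s", (value,)) does not
  # match any of these branches. (Assumption: $CURSOR.execute is the sink.)
  - id: python-sql-built-with-string-formatting
    languages: [python]
    severity: WARNING
    message: >-
      SQL statement assembled with string formatting or concatenation; pass
      the values as query parameters instead, e.g. $CURSOR.execute("... %s", (value,)).
    pattern-either:
      - pattern: $CURSOR.execute("..." % $ARGS)
      - pattern: $CURSOR.execute("..." + $X)
      - pattern: $CURSOR.execute("...".format(...))
```

One caveat when writing metavariable-regex rules: the regex sees the metavariable's source text, so for string literals it must account for the surrounding quotes, and because re.match only anchors at the start, add `$` yourself when the whole value must match.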


🔎 Enforce security standards with Semgrep Community

Want to scan code in CI and enforce security standards across your projects?
With Semgrep Community, you can make a rule, add it to a policy, and enforce the policy at CI time in 54 seconds!

Semgrep rule written, added to a policy, and enforced in CI

🤖 Build a static analysis security bot in GitLab

Abhay Bhargav, CEO of we45, wrote a post describing how he built a static analysis security bot in GitLab, running Nodejsscan only on the changed code of each merge request.

Integrating static analysis into a GitLab CI workflow


📓 "Semgrep: A Practical Introduction"

Rohit Salecha, a security consultant at NotSoSecure, wrote "Semgrep: A Practical Introduction." In it, Rohit walks through how to pinpoint potential SQL injections, identify use of insecure cryptography, check for enforcement of security best practices, and lots more!


📺 #PLTalk Twitch stream

On Jean Yang and Hongyi Hu's #PLTalk Twitch series we discussed "Semantic Grep and the Future of Static Analysis." Catch the weekly programming languages stream with Jean and Hongyi every Friday afternoon at 3pm PT.

PLTalk: Semantic Grep and the Future of Static Analysis


📢 Feedback

Please don't hesitate to reach out for support or discussion via Slack. We're here to help!

Happy coding,
The r2c team
Follow r2c on Twitter
r2c, makers of Bento
Copyright © 2020 r2c, All rights reserved.
