rmol / semgrep-rules

Semgrep rules registry

Home Page: https://semgrep.dev/registry


semgrep-rules


branch   | semgrep docker image used     | test status
master   | returntocorp/semgrep:latest   | semgrep-rules-test
develop  | returntocorp/semgrep:develop  | semgrep-rules-test-develop

This repository is the “standard library” for Semgrep rules, but there are many more written by r2c and other contributors available in the Semgrep Registry.

Contributing

If you want to create your own collection of Semgrep rules, feel free to make your own repository and then make a PR adding it to the list of repositories with Semgrep rules. This list automatically gets pulled into the Semgrep Registry so that lots of Semgrep users can find your rules!

We also welcome rule contributions directly to this repository! Since this repo is maintained by r2c, there are some extra benefits—for example, if there are bug reports for your rule, we’ll also take responsibility to help fix it. If you are submitting to the semgrep-rules repo (rather than your own, separate repository as mentioned above) we’ll ask you to make r2c a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows r2c to license these contributions to other Semgrep Registry users pursuant to the LGPL 2.1 under the Commons Clause. Check out the Contributing Guidelines to get started.

If you have more questions, please see the FAQ section in the Semgrep docs.

Security Coverage

Semgrep features security rules that target common weaknesses and OWASP categories. Security rules in this repository should have metadata fields for cwe (and owasp when applicable). OWASP coverage for rules in this repository, organized by language, is shown below.
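As an added illustration that is not a rule from this repository, the following constructed rule file shows the shape of a security rule carrying the cwe and owasp metadata described above; the rule id, pattern, message and the category, technology and references fields are assumptions, not requirements stated on this page:

```yaml
# Constructed example rule file, e.g. python/lang/security/subprocess-shell-true.yaml
rules:
  - id: python-subprocess-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess call with shell=True. If any part of the command string is
      built from untrusted input this is an OS command injection risk; pass
      the program and its arguments as a list and drop shell=True.
    metadata:
      # the two fields the Security Coverage section asks for
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      owasp: "A03:2021 - Injection"
      # additional fields assumed here for completeness
      category: security
      technology:
        - python
      references:
        - https://cwe.mitre.org/data/definitions/78.html
    # match any subprocess function called with shell=True anywhere in its arguments
    pattern: subprocess.$FUNC(..., shell=True, ...)
```

For make test to exercise the rule, a target file with the same basename (here a .py file) sits next to it, with lines expected to match marked by a `# ruleid:` comment carrying the rule id and lines expected not to match marked `# ok:`.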

Running Rules in CI/Pre-Commit/Developer Workflow

If you want to run these rules rather than write them, see the CI instructions on the Semgrep Registry (click through to any rule pack). That website is a convenient frontend for this repository.

Help

Join slack for the fastest answers to your questions! Or contact the team at semgrep@r2c.dev.

Github Action To Run Tests

If you fork this repo or create your own, you can add a special semgrep-rules-test Github Action to your workflow that will automatically test your rules by running make test using the latest version of semgrep.

See ours here

Benchmarks

The benchmark job runs every weekend. It uploads a few artifacts, which can be downloaded. If you download the test logs, there are two relevant pieces of information in there: the benchmark table, which roughly shows the performance of every rule that completes in under 60 seconds, and the list of failed tests, which are the rules that did not complete within 60 seconds.

To run benchmark tests locally, do the following from the root of semgrep-rules:

pipenv shell
pipenv install --dev
export PYTHONPATH=.
pytest --timeout=60 --rule-directory=[path_to_rule_directory] --git-repo=[git_URL] tests/performance/test_public_repos.py

If you omit --git-repo from the pytest command, it will run the provided benchmark repo.
