Semgrep (also Semgrep CLI) is a free, open-source static code analysis tool developed by Return To Corporation (usually referred to as r2c) and open-source contributors. It has stable support for Go, Java, JavaScript, JSON, Python, and Ruby, experimental support for eleven other languages, and a language-agnostic mode. The name combines "semantic" and "grep", reflecting that Semgrep is a text-search command-line utility that is aware of source-code semantics.


Services

To complement Semgrep, r2c provides a continuous integration service (Semgrep CI) and maintains a rule library (the Semgrep Registry). Basic individual use of these services is offered for free, while paid tiers cover team and commercial use cases. Compared with other popular static application security testing (SAST) tools, Semgrep CI is, according to r2c, the only one with an open-source engine that can be run on private code for free.


History

Semgrep CLI was based on sgrep, an open-source tool that was part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source program matching and transformation tool for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019, and r2c forked sgrep from pfff. In 2020 r2c's sgrep fork was renamed to Semgrep to avoid name collisions with existing projects. Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later also funded a $13 million Series A round in 2020. At the time the company's product portfolio consisted only of Semgrep and its ecosystem. The Open Web Application Security Project (OWASP) lists Semgrep in its source code analysis tools list. As of February 2021, Semgrep had 41 contributors and 2,900 stars on GitHub, and its Docker Hub image had been pulled more than a million times.


Usage

Semgrep can be installed with Homebrew or pip, and it can also be run without installation from a Docker image. Analysis can be run without any custom configuration by using rulesets created by r2c and open-source contributors. The tool also lets users write their own patterns and rules, invoked from the CLI, in a pattern language unique to Semgrep: a pattern is written as ordinary source code of the target language, with metavariables (such as $X) standing for any expression and an ellipsis (...) standing for any sequence of arguments or statements. A free online rule editor and a tutorial are also available.


See also

* Static analysis tool
* List of tools for static code analysis
* Semantics (computer science)




External links


* Semgrep website
* Semgrep repository on GitHub
* Pfff repository on GitHub
* Medium post on Semgrep by Isaac Evans, CEO of r2c