Semgrep is a fast, open-source, static analysis tool for modern languages.
With over 14,100 GitHub stars and 203 contributors, Semgrep has become one of the most popular SAST tools in the developer community.
What is Semgrep?
A fast, open-source, static analysis tool for finding bugs and enforcing code standards at the editor, commit, and CI time.
The tool runs locally by default and code is never uploaded, making it suitable for organizations with strict data handling requirements.
Its rules look like the code you already write; no abstract syntax trees or regex wrestling.
It supports 17+ languages.
Semgrep lets you define custom rules for identifying vulnerabilities, so a scan can be tailored to the context of your own code.
Additionally, Semgrep offers a public registry of such rules that can be used directly.
Semgrep is extremely fast, which makes it well suited to a DevOps pipeline.
It emits well-formatted, stable JSON output.
It is extremely lightweight and ships as an easy-to-install binary.
It can also be run using Docker.
Most importantly, Semgrep supports Python, JavaScript, Java, Go, C and JSON syntaxes!
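As an added example (not code from the original page or from the Semgrep project), a small Python gate that consumes Semgrep's JSON report in a CI pipeline and fails the build on ERROR-severity findings. The report shape (results[].check_id, path, start.line, extra.severity, extra.message) and the `semgrep --json` flag are assumptions, and the embedded sample report is constructed.

```python
"""Gate a CI job on Semgrep's JSON report: fail the build on ERROR findings."""
import json
import sys

# Constructed sample shaped like `semgrep --json` output. Assumed fields:
# results[].check_id, .path, .start.line, .extra.severity, .extra.message.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "app/run.py", "start": {"line": 12},
         "extra": {"severity": "ERROR", "message": "shell=True with user input"}},
        {"check_id": "python.lang.best-practice.unused-import",
         "path": "app/util.py", "start": {"line": 3},
         "extra": {"severity": "INFO", "message": "unused import"}},
    ],
    "errors": [],
})

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def parse_findings(report_text):
    """Flatten results into (severity, check_id, path, line, message) tuples."""
    findings = []
    for r in json.loads(report_text).get("results", []):
        extra = r.get("extra", {})
        findings.append((extra.get("severity", "INFO").upper(), r["check_id"],
                         r["path"], r.get("start", {}).get("line"),
                         extra.get("message", "")))
    return findings


def blocking_findings(findings, threshold="ERROR"):
    """Findings at or above `threshold` severity that should fail the build."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f[0], 0) >= floor]


def gate(report_text, threshold="ERROR"):
    """CI exit code: 1 if any finding meets the threshold, otherwise 0."""
    blocking = blocking_findings(parse_findings(report_text), threshold)
    for sev, check, path, line, msg in blocking:
        print(f"{sev} {path}:{line} {check}: {msg}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Pipe a real report in: semgrep --config=auto --json . | python gate.py
    text = "" if sys.stdin.isatty() else sys.stdin.read().strip()
    sys.exit(gate(text or SAMPLE_REPORT))
```

Lowering the threshold to WARNING or INFO tightens the gate once the backlog of low-severity findings has been cleared.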

How to install Semgrep?
For macOS:
brew install semgrep
For Ubuntu, other Linux distributions, macOS, and Windows through Windows Subsystem for Linux (WSL):
python3 -m pip install semgrep
To try Semgrep without installing it, run it through Docker (this mounts the current directory into the container as /src):
docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config=auto
Semgrep extends beyond SAST: it also works as a broader scan engine that can detect misconfigurations in Dockerfiles and other configuration files.