Skip to content

sfc-gh-spandey/semgrep-rules

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

521 Commits

.github

.github

 
 

c/lang

c/lang

 
 

contrib

contrib

 
 

go

go

 
 

java

java

 
 

javascript

javascript

 
 

python

python

 
 

ruby

ruby

 
 

tests

tests

 
 

trusted_python

trusted_python

 
 

.gitignore

.gitignore

 
 

.pre-commit-config.yaml

.pre-commit-config.yaml

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

Makefile

Makefile

 
 

Pipfile

Pipfile

 
 

Pipfile.lock

Pipfile.lock

 
 

README.md

README.md

 
 

SECURITY.md

SECURITY.md

 
 

matrixify.py

matrixify.py

 
 

matrixify_graph.py

matrixify_graph.py

 
 

template.yaml

template.yaml

 
 

Repository files navigation

semgrep-rules

powered by semgrep r2c community slack

branch using semgrep docker image test status
master returntocorp/semgrep:latest semgrep-rules-test
develop returntocorp/semgrep:develop semgrep-rules-test-develop

This is an repository containing rules written for semgrep, organized by language. Go to the main semgrep documentation for details on semgrep and the syntax for the yaml files in this repository. You can also browse these rules online.

Security Coverage

semgrep features security rules that target common weaknesses and OWASP categories. Each security rule in this repository has metadata fields for cwe (and owasp when applicable). OWASP coverage for rules in this repository, organized by language, is shown below.

Contributing

We welcome contributions to this repo! Please fork and make a pull request; we'll contact you about signing our CLA.

Rule Namespacing

The namespacing format for contributing rules is <language>.<framework>.<category>.$MORE. If a framework isn't applicable, use lang instead.

category is one of:

  • security
  • correctness
  • best-practice
  • maintainability
  • performance

If a security rule is discouraging the use of a bad pattern (such as formatted SQL strings), it is recommended to append audit to your namespace. This distinguishes it from a security rule that is specifically aiming to detect a vulnerability.

semgrep.live rule namespace

Running Rules in CI/Pre-Commit/Developer Workflow

If you want run these rules rather than write them, check out the easy-to-use bento.dev

Help

Join slack for the fastest answers to your questions! Or contact the team at semgrep@r2c.dev.

Testing Rules

A testing system is available which can be used to check the rules against example source code files. It requires semgrep from semgrep

If you wrote a rule in a yaml named eqeq-bad.yaml with a rule id named my-eqeq-bad, you could put a file in the same directory named eqeq-bad.py (it just needs to have the same name except for the extension as eqeq-bad.yaml). Then:

# ruleid:my-eqeq-bad
x == x

Running make test will execute the test suite, and if my-eqeq-bad does not fire on the line below the comment, your rule will fail.

If you have a rule that is not working, but you want to commit it soo it's documented but not fail the tests, use #todoruleid:...:

# todoruleid:my-eqeq-bad
x != x

Github Action To Run Tests

If you fork this repo or create your own, you can add a special semgrep-rules-test Github Action to your workflow that will automatically test your rules by running make test using the latest version of semgrep.

See ours here

About

semgrep rules registry

semgrep.live/registry

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 38.6%
  • JavaScript 26.5%
  • Java 18.4%
  • Go 14.5%
  • Ruby 1.2%
  • C 0.7%
  • Makefile 0.1%