Semgrep

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Conan (talk | contribs) at 13:19, 28 December 2021 (Already in Category:Software review, WP:SUBCAT). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

semgrep
Developer(s): Return To Corporation
Initial release: February 6, 2020[1]
Stable release: 1.70.0 / April 24, 2024[2]
Repository:
Written in: OCaml (core) and Python (CLI)
Type: Static program analysis
License: LGPL v2.1
Website: semgrep.dev

semgrep or Semgrep CLI is a free, open-source static code analysis tool developed by Return To Corporation (usually referred to as r2c) and open-source contributors. It has stable support for Go, Java, JavaScript, JSON, Python, and Ruby. It has experimental support for eleven other languages, as well as a language-agnostic mode.[3]

The name is a combination of semantic and grep: semgrep is a command-line text-search utility, like grep, but one that is aware of source code semantics rather than matching raw text.[4]

Services

To complement semgrep, r2c provides a continuous integration service (called Semgrep CI) and maintains a rule library (called Semgrep Registry). Basic individual use of these services is offered for free, while paid tiers cover team and commercial use cases.[5]

Compared to other popular static application security testing (SAST) tools, Semgrep CI is the only one with an open-source engine that can be run on private code for free.[6]

History

Semgrep CLI was based on sgrep, an open-source tool that was part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019.[7][8][9] r2c forked sgrep from pfff. In 2020 r2c's sgrep fork was renamed to semgrep to avoid name collisions with existing projects.[10][11][12]

Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later also funded a Series A round with $13 million in 2020. The company's product portfolio consisted only of Semgrep and its ecosystem at the time.[13][14]

The Open Web Application Security Project (OWASP) listed Semgrep in its source code analysis tools list.[15] As of February 2021, Semgrep has 41 contributors and 2,900 stars on GitHub.[16] It has been pulled more than a million times from Docker Hub.[17]

Usage

Semgrep can be installed with Homebrew[18] or pip.[19] Additionally, it can run without installation via Docker. Analysis can be done without any custom configuration by using rulesets created by r2c and open-source contributors. The tool also allows users to write their own patterns and rules through the CLI using a pattern language unique to semgrep. A free online rule editor and a tutorial are also available.[20][21]
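The following rule is an added illustration of the pattern language mentioned above and of the "semantic grep" idea behind the name; it is not taken from the Semgrep Registry or from the project's documentation. The rule id, message, and metadata keys are chosen for this example. It flags Python calls into the subprocess module that pass shell=True together with a command that is not a string literal, a common precondition for shell injection. The pattern uses two features that set semgrep apart from plain grep: $NAME metavariables bind to any expression, and "..." (ellipsis) matches any sequence of arguments, so the rule matches regardless of whitespace, line breaks, keyword-argument order or intervening arguments.

```yaml
# Example rule file (constructed for this article; not a Registry rule).
# Run with:  semgrep --config subprocess-shell-true.yaml path/to/code
rules:
  - id: subprocess-shell-true-nonliteral
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is called with shell=True and a command that is not a
      string literal. If the command incorporates untrusted input, this is a
      shell injection risk; pass an argument list without shell=True instead.
    metadata:
      # Free-form keys; these particular names are an assumption of this
      # example, not something Semgrep requires.
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    patterns:
      # $CMD binds the first positional argument; "..." lets any other
      # arguments appear before or after the shell=True keyword argument.
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # A literal string command ("...") cannot carry attacker-controlled
      # text, so such calls are excluded from the finding.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
      # Restrict $FUNC to the functions that actually spawn a process.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(call|run|Popen|check_call|check_output)$
```

Because matching is done on the parsed program rather than on text, the single pattern `subprocess.$FUNC($CMD, ..., shell=True, ...)` also matches a call written as `call(cmd, shell=True)` after `from subprocess import call`, and a `subprocess.run(` whose arguments are spread over several lines; a regular grep for `shell=True` would either miss the aliased form or report literal-command calls that the `pattern-not` clause excludes. To check the rule, place it beside a Python file in which lines expected to match are preceded by a `# ruleid: subprocess-shell-true-nonliteral` comment and lines expected not to match by `# ok: subprocess-shell-true-nonliteral`, then run `semgrep --test` in that directory.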

References

  1. "Release – sgrep 0.4.0 – returntocorp/semgrep". Github.com. Retrieved 2021-02-03.
  2. "Release 1.70.0". 24 April 2024. Retrieved 30 April 2024.
  3. "Semgrep documentation". semgrep.dev. Retrieved 2021-02-02.
  4. Nagy, Bence. "Detect complex code patterns using semantic grep" (PDF). owasp.org (Presentation). p. 2. Retrieved 2021-02-02.
  5. "Semgrep's pricing". r2c.dev. Retrieved 2021-02-02.
  6. Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes with Semgrep with Clint Gibler. Youtube.com – OWASP DevSlop.
  7. Lauerman, Alex (2020-10-29). "A Brief Introduction to Semgrep (part 1)". TrustFoundry.
  8. "Previous version of Semgrep's README.md file on GitHub". Retrieved 2021-02-02.
  9. "Semgrep: Lightweight static analysis for many languages". Hacker News. Retrieved 2021-02-02.
  10. "Pull request of Semgrep on GitHub". Retrieved 2021-02-02.
  11. "Previous version of Semgrep's README.md on GitHub". Retrieved 2021-02-02.
  12. Salecha, Rohit (2020-08-13). "Semgrep A Practical Introduction". NotSoSecure.com.
  13. "Redpoint and Sequoia are backing a startup to copyedit your shit code". TechCrunch.com. 2020-10-29. Retrieved 2021-02-02.
  14. "Forbes Cybersecurity Awards 2020: Corellium, The Tiny Startup Driving Apple Crazy". Forbes.com. 2020-12-27. Retrieved 2021-02-02.
  15. "OWASP Source Code Analysis Tools". Owasp.com. Retrieved 2020-02-02.
  16. "Semgrep on GitHub".
  17. "Semgrep on Docker Hub". Retrieved 2021-02-02.
  18. "Semgrep on Homebrew Formulae". Retrieved 2021-02-03.
  19. "Semgrep on pypi.org". Python Package Index. Retrieved 2021-02-03.
  20. "Semgrep Documentation – Getting started". semgrep.dev. Retrieved 2021-02-02.
  21. Lancini, Marco (2020-12-12). "Semgrep for Cloud Security". marcolancini.it.
