Semgrep

Semgrep, Inc.
Formerly: r2c
Industry: Computer security
Founded: 2017
Founders:
  • Isaac Evans
  • Luke O'Malley
  • Drew Dennison
Website: semgrep.dev

Semgrep OSS
Developer(s): Semgrep, Inc.
Initial release: February 6, 2020 [1]
Stable release: 1.70.0 / April 24, 2024 [2]
Repository
Written in: OCaml (core) and Python (CLI)
Type: Static program analysis
License: LGPL v2.1
Website: semgrep.dev

Semgrep, Inc. (formerly r2c [3] ) is a cybersecurity company based in San Francisco. The company develops the Semgrep AppSec Platform (a commercial offering for SAST, SCA, and secrets scanning) and actively maintains the open-source static code analysis tool semgrep OSS.


Semgrep has stable support for over 30 languages, including C#, C, C++, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. Language support in Semgrep OSS is community driven, and Semgrep OSS does not support interprocedural or interfile analysis.[4]

The name is a combination of semantic and grep, referring to Semgrep being a text-search command-line utility that is aware of source code semantics.[5]

Services

Semgrep, Inc. provides a continuous integration service (called Semgrep CI), rule-writing tools (called the Semgrep Playground and editor), and a rule library (called the Semgrep Registry) free of charge for both commercial and open source users.[6]

Semgrep rules resemble the source code they match and do not require knowledge of a domain-specific language to write. Both open source and commercial rules can be forked and customized to a user's codebase; however, only commercial users are able to customize commercial rules. All users are free to fork and modify open source (community) rules.[7]

History

Semgrep was based on sgrep, an open-source part of pfff, a program analysis library developed at Facebook in 2009. pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019.[8][9][10] r2c forked sgrep from pfff, and in 2020 the fork was renamed semgrep to avoid name collisions with existing projects.[11][12][13]

Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later funded a $13 million Series A round in 2020. At the time, the company's product portfolio consisted only of Semgrep OSS and its ecosystem.[14][15]

Semgrep, Inc. announced in 2023 that it had raised a $53 million Series C funding round, led by Lightspeed Venture Partners with participation from previous investors Felicis Ventures, Redpoint Ventures, and Sequoia Capital. Including the Series C financing, the company has raised a total of $93 million.[3]

The Open Web Application Security Project (OWASP) lists Semgrep in its source code analysis tools list.[16] As of April 2023, Semgrep has 132 contributors and over 9,000 stars on GitHub.[17] Its Docker image has been pulled more than 60 million times from Docker Hub.[18]

Usage

Semgrep can be installed with Homebrew[19] or pip.[20] It can also be run via Docker without installation. Analysis can be performed without custom configuration by using rulesets created by Semgrep, Inc. and open source contributors. The tool also allows users to write their own patterns and rules through the CLI, using a pattern language unique to Semgrep. A free online rule editor and a tutorial are also available.[21][22]
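As an added illustration of the rule format described in the Services and Usage sections (this rule is written for this article and is not taken from the Semgrep Registry or the project's own documentation), the following rule flags Python `subprocess` calls that pass `shell=True` together with a command that is not a string literal, a pattern that typically surfaces command-injection risk when the command is built from external input. The rule id, message text and metadata values are the editor's own choices; the `patterns`, `pattern-not` and `metavariable-regex` keys are standard Semgrep rule syntax.

```yaml
rules:
  - id: python-subprocess-shell-true-nonliteral   # hypothetical rule id chosen for this example
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is called with shell=True and a command that is not a
      string literal. Pass the command as a list of arguments without
      shell=True so that externally supplied input is never interpreted by a shell.
    patterns:
      # Any subprocess.<FUNC>(...) call that carries shell=True among its arguments.
      # "..." in argument position matches any number of other arguments.
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # Exclude calls whose command is a plain string literal: in a pattern,
      # "..." matches any string literal, so a constant command is not reported.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
      # Restrict $FUNC to the subprocess entry points that accept shell=.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$
    metadata:
      category: security          # constructed metadata values for this example
      technology: [python]
```

Saved as `subprocess-shell.yaml`, the rule runs with `semgrep --config subprocess-shell.yaml .` from the root of the code base. With this rule, `subprocess.run(cmd, shell=True)` is reported, while `subprocess.run("ls -l", shell=True)` is not. Because Semgrep matches on resolved names rather than on raw text, `from subprocess import run` followed by `run(cmd, shell=True)` is reported as well, which is the "semantic" half of the name in practice.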


References

  1. "Release – sgrep 0.4.0 – returntocorp/semgrep". GitHub. Retrieved 2021-02-03.
  2. "Release 1.70.0". 24 April 2024. Retrieved 30 April 2024.
  3. Miller, Ron (2023-04-18). "Semgrep (formerly r2c) lands $53M investment to grow code security platform". TechCrunch. Retrieved 2023-04-19.
  4. "Supported languages | Semgrep". semgrep.dev. 2024-05-22. Retrieved 2024-05-29.
  5. Nagy, Bence. "Detect complex code patterns using semantic grep" (PDF). owasp.org (Presentation). p. 2. Retrieved 2021-02-02.
  6. "Write custom rules | Semgrep". semgrep.dev. 2024-05-16. Retrieved 2024-05-29.
  7. "Write custom rules | Semgrep". semgrep.dev. 2024-05-16. Retrieved 2024-05-29.
  8. Lauerman, Alex (2020-10-29). "A Brief Introduction to Semgrep (part 1)". TrustFoundry.
  9. "Previous version of Semgrep's README.md file on GitHub". GitHub. Retrieved 2021-02-02.
  10. "Semgrep: Lightweight static analysis for many languages". Hacker News. Retrieved 2021-02-02.
  11. "Pull request of Semgrep on GitHub". GitHub. Retrieved 2021-02-02.
  12. "Previous version of Semgrep's README.md on GitHub". GitHub. Retrieved 2021-02-02.
  13. Salecha, Rohit (2020-08-13). "Semgrep: A Practical Introduction". NotSoSecure.com.
  14. "Redpoint and Sequoia are backing a startup to copyedit your shit code". TechCrunch.com. 2020-10-29. Retrieved 2021-02-02.
  15. "Forbes Cybersecurity Awards 2020: Corellium, The Tiny Startup Driving Apple Crazy". Forbes.com. 2020-12-27. Retrieved 2021-02-02.
  16. "OWASP Source Code Analysis Tools". Owasp.com. Retrieved 2020-02-02.
  17. "Semgrep on GitHub". GitHub.
  18. "Semgrep on Docker Hub". Retrieved 2023-04-19.
  19. "Semgrep on Homebrew Formulae". Retrieved 2021-02-03.
  20. "Semgrep on pypi.org". Python Package Index. Retrieved 2021-02-03.
  21. "Semgrep Documentation – Getting started". semgrep.dev. Retrieved 2021-02-02.
  22. Lancini, Marco (2020-12-12). "Semgrep for Cloud Security". marcolancini.it.