Semgrep

Developer(s): Semgrep, Inc.
Initial release: February 6, 2020 [1]
Stable release: 1.61.1 / February 14, 2024 [2]
Written in: OCaml (core) and Python (CLI)
Type: Static program analysis
License: LGPL v2.1
Website: semgrep.dev

semgrep, or Semgrep CLI, is a free, open-source static code analysis tool developed by Semgrep, Inc. (formerly r2c [3]) and open-source contributors. It has stable support for C#, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. It has experimental support for nineteen other languages, as well as a language-agnostic mode. [4]

The name is a combination of semantic and grep, referring to semgrep being a text search command-line utility that is aware of source code semantics. [5]

Services

To complement semgrep, Semgrep, Inc. provides a continuous integration service (called Semgrep CI) with supply chain scanning. [6] It also maintains a rule library (called Semgrep Registry). Basic individual use of these services is offered for free, while paid tiers cover team and commercial use cases. [7]

Compared to other popular static application security testing (SAST) tools, Semgrep CI is the only one with an open-source engine that can run on private code for free. [8]

History

Semgrep CLI was based on sgrep, an open-source tool that was part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019. [9] [10] [11] r2c forked sgrep from pfff, and in 2020 renamed its fork to semgrep to avoid name collisions with existing projects. [12] [13] [14]

Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later also funded a Series A round with $13 million in 2020. The company's product portfolio consisted only of Semgrep and its ecosystem at the time. [15] [16]

Semgrep, Inc. announced in 2023 that it has raised $53 million for its Series C funding round with Lightspeed Venture Partners leading the investment and participation from previous investors Felicis Ventures, Redpoint Ventures, and Sequoia Capital. The company has raised a total of $93 million, including the funds raised in this round. [3]

The Open Web Application Security Project (OWASP) lists Semgrep in its source code analysis tools list. [17] As of April 2023, Semgrep had 132 contributors and 8,000 stars on GitHub. [18] Its Docker image has been pulled more than 10 million times from Docker Hub. [19]

Usage

Semgrep can be installed with Homebrew [20] or pip. [21] Additionally, it can run without installation as a Docker image. Analysis can be performed without any custom configuration by using rulesets created by Semgrep, Inc. and open-source contributors. The tool also allows users to write their own patterns and rules for the CLI in a pattern language unique to semgrep. A free online rule editor and a tutorial are also available. [22] [23]


References

  1. "Release – sgrep 0.4.0 – returntocorp/semgrep". GitHub. Retrieved 2021-02-03.
  2. "Release 1.61.1". 14 February 2024. Retrieved 2024-02-20.
  3. Miller, Ron (2023-04-18). "Semgrep (formerly r2c) lands $53M investment to grow code security platform". TechCrunch. Retrieved 2023-04-19.
  4. "Semgrep Documentation – Supported languages". semgrep.dev. Retrieved 2023-04-19.
  5. Nagy, Bence. "Detect complex code patterns using semantic grep" (PDF). owasp.org (presentation). p. 2. Retrieved 2021-02-02.
  6. Berman, Adam. "It's time to ignore 98% of dependency alerts. Introducing Semgrep Supply Chain". Semgrep.dev blog. Retrieved 2023-04-19.
  7. "Semgrep's pricing". Semgrep.dev. Retrieved 2023-04-19.
  8. "Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes with Semgrep with Clint Gibler". YouTube – OWASP DevSlop.
  9. Lauerman, Alex (2020-10-29). "A Brief Introduction to Semgrep (part 1)". TrustFoundry.
  10. "Previous version of Semgrep's README.md file on GitHub". GitHub. Retrieved 2021-02-02.
  11. "Semgrep: Lightweight static analysis for many languages". Hacker News. Retrieved 2021-02-02.
  12. "Pull request of Semgrep on GitHub". GitHub. Retrieved 2021-02-02.
  13. "Previous version of Semgrep's README.md on GitHub". GitHub. Retrieved 2021-02-02.
  14. Salecha, Rohit (2020-08-13). "Semgrep: A Practical Introduction". NotSoSecure.com.
  15. "Redpoint and Sequoia are backing a startup to copyedit your shit code". TechCrunch. 2020-10-29. Retrieved 2021-02-02.
  16. "Forbes Cybersecurity Awards 2020: Corellium, The Tiny Startup Driving Apple Crazy". Forbes. 2020-12-27. Retrieved 2021-02-02.
  17. "OWASP Source Code Analysis Tools". owasp.org. Retrieved 2020-02-02.
  18. "Semgrep on GitHub". GitHub.
  19. "Semgrep on Docker Hub". Retrieved 2023-04-19.
  20. "Semgrep on Homebrew Formulae". Retrieved 2021-02-03.
  21. "Semgrep on pypi.org". Python Package Index. Retrieved 2021-02-03.
  22. "Semgrep Documentation – Getting started". semgrep.dev. Retrieved 2021-02-02.
  23. Lancini, Marco (2020-12-12). "Semgrep for Cloud Security". marcolancini.it.