| Semgrep, Inc. | |
|---|---|
| Formerly | r2c |
| Industry | Computer Security |
| Founded | 2017 |
| Founder | |
| Website | semgrep |

| Semgrep | |
|---|---|
| Developer(s) | Semgrep, Inc. |
| Initial release | February 6, 2020 [1] |
| Stable release | |
| Repository | |
| Written in | OCaml (core) and Python (CLI) |
| Type | Static program analysis |
| License | LGPL v2.1 |
| Website | semgrep |
Semgrep, Inc. (formerly r2c [3]) is a cybersecurity company based in San Francisco. The company develops the Semgrep AppSec Platform (a commercial offering for SAST, SCA, and secrets scanning) and actively maintains the open-source static code analysis tool semgrep OSS.
Semgrep has stable support for over 30 languages, including C#, C, C++, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. Language support in semgrep OSS is community driven, and the OSS edition does not perform interprocedural or interfile analysis. [4]
The name is a combination of semantic and grep, referring to semgrep being a text search command-line utility that is aware of source code semantics. [5]
Semgrep, Inc. provides a continuous integration service (called Semgrep CI), rule-writing tools (called the Semgrep Playground and editor), and a rule library (called Semgrep Registry) free of charge for both commercial and open source users. [6]
Semgrep rules resemble the source code they match and do not require learning a domain-specific language to write. Both open source and commercial rules can be forked and customized to a user's codebase; however, only commercial users are able to customize commercial rules. All users are free to fork and modify open source (community) rules. [7]
Semgrep was based on sgrep, an open-source part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle, joined r2c in 2019. [8] [9] [10] sgrep was forked from pfff by r2c, and in 2020 the sgrep fork was renamed semgrep to avoid name collisions with existing projects. [11] [12] [13]
Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later funded a $13 million Series A round in 2020. The company's product portfolio consisted only of Semgrep OSS and its ecosystem at the time. [14] [15]
Semgrep, Inc. announced in 2023 that it had raised a $53 million Series C funding round, with Lightspeed Venture Partners leading the investment and participation from previous investors Felicis Ventures, Redpoint Ventures, and Sequoia Capital. The company has raised a total of $93 million, including its Series C financing. [3]
The Open Web Application Security Project (OWASP) listed Semgrep in its source code analysis tools list. [16] As of April 2023, Semgrep had 132 contributors and over 9000 stars on GitHub. [17] The Docker image has been pulled more than 60 million times from Docker Hub. [18]
Semgrep can be installed with Homebrew [19] or pip. [20] Additionally, it can run without installation in Docker. Analysis can be performed without custom configuration by using rulesets created by Semgrep, Inc. and open source contributors. The tool also allows users to write their own patterns and rules through the CLI, using a pattern language unique to semgrep. A free online rule editor and a tutorial are also available. [21] [22]
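As an added illustration (not code from this page or from Semgrep's own rule registry), the rule below shows the source-code-like pattern syntax described above: `$FUNC` and `$CMD` are metavariables, `...` matches any sequence of arguments, and `"..."` matches any string literal. The rule id, message and the commented Python snippets are constructed for this example.

```yaml
rules:
  - id: example-subprocess-shell-true-nonliteral   # constructed rule id
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is called with shell=True and a non-literal command
      ($CMD). Pass the command as an argument list and drop shell=True.
    metadata:
      category: security
    patterns:
      # The pattern reads like the Python it matches: any subprocess.<func>
      # call whose first argument is bound to $CMD and that passes shell=True
      # anywhere in its keyword arguments.
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # Restrict $FUNC to the common process-spawning entry points.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$
      # Exclude calls whose command is a plain string literal, since those
      # cannot be influenced by runtime data.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)

# Constructed Python fragments and the verdict this rule gives for each:
#
#   subprocess.run("ls " + user_dir, shell=True)   # flagged: $CMD is built at runtime
#   subprocess.check_output(cmd, shell=True)       # flagged: $CMD is a variable
#   subprocess.run("ls -la", shell=True)           # not flagged: literal command
#   subprocess.run(["ls", "-la", user_dir])        # not flagged: no shell=True
#
# Save as rule.yaml and run against a source tree with:
#   semgrep --config rule.yaml src/
```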