Semgrep

Semgrep is a matching pattern tool for applicative codebase. Very security oriented, it is compatible with CI/CD pipeline tools.

Semgrep CLI

Install the CLI tool

python3 -m pip install semgrep

Use the CLI

# Local scan auto configuration
semgrep --config=auto .
# Docker run with auto configuration
docker run --rm -v "${PWD}:/src" returntocorp/semgrep --config=auto

Rules packages

Semgrep community release a lot of rules packages available on the semgrep public registry.

AppSec

• OWASP Top10
• Runtime/Logic
• Stack security
• Command injection
• XSS injection
• Insecure transport
• JWT bad practices
• Hard code secrets
• PHP security audit

Containers

• Dockerfile
• Docker-Compose
• K8s

Component configuration

• Nginx

Ignore

To exclude some files from the analyses, we can create a .semgrepignore file using the same pattern as .gitignore.