DEV Community: Semgrep

Semgrep Newsletter | 30, 300, 3000, MCP, and Gartner

Jayson DeLancey — Wed, 29 Oct 2025 00:33:40 +0000

Hello friends, we’ve rounded up some news and updates from the Semgrep ecosystem to help ship features, not vulnerabilities.

Security Engineer’s Guide to MCP

MCP has rapidly become the API standard for AI coding agents. If you are generating code and want security scanning as part of your workflow we have an MCP server you can run directly from the command line and use in your Claude Code, Cursor, Windsurf, and other MCP compatible IDEs.

Follow the installation instructions for your IDE and then you’ll be able to run the MCP server with:

semgrep mcp

But what if you are building an agent? Our security research team compiled a security engineer's guide into how MCP agents can be vulnerable and what you should know about using and building them with an MCP Security Checklist. Check it out to learn more about line jumping, tool shadowing, and rug pulling.

2025 Gartner® Magic Quadrant™ for Application Security Testing

We’re thrilled to announce that for the first time, Semgrep has been recognized in the 2025 Gartner Magic Quadrant for Application Security Testing.

We’re honored to be named in the Gartner Magic Quadrant for Application Security Testing, but even more grateful for the partnerships with the community and customers that make Semgrep better every day. Read more and claim a complimentary copy of the report.

Yes We Scan Monorepos

Teams who follow a trunk-based development methodology consolidate a lot of code into a single monorepos. This typically presents scaling challenges for static analysis because it isn’t as easy to do horizontal scaling by chunking separate repo jobs to separate servers.

We’ve recently introduced a memory efficient model with multicore enabling parallel processing on a single device to better utilize cloud resources and see a 2x speed up in job completion time. It isn’t that we’re running faster, it's that we’ve added several more lanes and can get more throughput.

Run it now with:

semgrep config=auto --x-eio

This will be enabled by default next month, so keep an eye on our open source blog and release notes.

1 MILLION Weekly Scans

Actually, that’s old news and we’ve quickly scaled beyond that. During our beta program we worked closely with fast-growing startups to Fortune 500 enterprises to secure their code.

By our calculations using managed scanning can save over $25k in the first year with an annualized savings of $18k each year by using managed scanning. We share the math and a demo video for when you are ready to offload some of the headaches you may have of managing your own infrastructure for security testing.

Open Source Community Edition 30:300:3000

Semgrep Community Edition is the free open source static analysis engine with support for 30+ languages, 300+ releases to date, and over 3000+ community rules.

Some of the recent releases over the past few months include many beneficial improvements to the CLI (both commercial and open source):

Cross-platform for mac, linux, and windows environments
Parallel processing with shared memory to be able to quickly handle large monorepos without slowing down dev teams
MCP server integrated into AI-assisted coding workflows

There are many small incremental improvements that may have helped your team as well from recognizing Containerfiles, metavariable-comparisons, and performance improvements to rule parsing.

Palo Alto Networks Cortex Cloud

Read about How Cortex Cloud and Semgrep are Redefining AI-Driven Application Security, combining static analysis with cloud insights.

LLM-Driven SAST-Genius

Independent research from Vaibhav Agrawal and Kiarash Ahi demonstrate a hybrid pipeline that combines Semgrep with a fine-tuned LLM for triage, exploit validation, and remediation.

Impressive results:

False positive reduction from 225 to 20 (11x improvement)
91% reduction in average triage time

Review the full research article: https://www.arxiv.org/pdf/2509.15433

Secure AI-generated Code Workshop In-Person and Virtual

We’re hosting a hands-on keyboard interactive workshop at OWASP Global AppSec to learn how to secure AI-generated code with Palo Alto Networks Cortex Cloud and Semgrep. This is open to the public even if you don’t have an event badge.

Save your seat in Washington DC Nov 5th

We’ll be hosting a follow-up virtual version of this workshop on Nov 20th. Register for the virtual session

IDOR

“Wait master, it might be dangerous… you go first.” –Igor in Young Frankenstein

Insecure Direct Object Reference (IDOR) is a security vulnerability that is an access control failure where a program exposes internal resources using identifiers that users can guess or manipulate to gain unauthorized access. If the system doesn’t check, it opens the door to abuse.

Learn more about IDOR and other common vulnerabilities like Code Injection, Command Injection, Cross-site Scripting, Insecure Deserialization and more in our new Learning Guides.

Happy Halloween and Security Awareness Month!

Getting Started with Semgrep

Are you new here? If so, we’ve lined up some helpful resources you can use to learn about Semgrep.

Semgrep AppSec Platform is the quickest way to create an account and scan in minutes.
Semgrep Community Edition has a new Getting Started Guide to run your first scan.

If you have questions, feedback, or stories about your success with Semgrep you want to share, hop onto the community slack and let’s chat or add questions in the comments for me here.

Semgrep Newsletter | AI Code Assistant Research, Security Alerts, Quarterly Release and More

Jayson DeLancey — Tue, 23 Sep 2025 17:11:14 +0000

Hello friends, we’ve rounded up some news and updates from the Semgrep ecosystem to help you ship features, not vulnerabilities.

If you need a Semgrep account, sign up for free and get started with the Quick Start on any project with fewer than ten (10) contributors.

Research on Claude Code and OpenAI Codex

Our Security Research team explored AI coding agents which can frequently help find real vulnerabilities – but they can be noisy.

Using 11 real-world Python apps, Claude Code surfaced 46 vulnerabilities (14% true positive rate) strongly identifying IDOR issues. Codex found 21 vulnerabilities (18% TPR) with strength in finding path traversal issues.

Unfortunately, repeated runs were non-deterministic so in the case of one app the agent found 3, then 6, then 11 distinct findings using the same identical prompt.

Dive more into the data, prompts, and methodology from the full write up and data tables: Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex.

Security Alerts | Nx and NPM

The widely used Nx build tool was compromised recently in a way that allowed malware to steal ssh keys, wallets, api tokens, and other secret credentials.

From the official Nx security advisory the root cause was a workflow that was executing code.

Semgrep is designed to help teams scan for and catch these types of code execution patterns. Specifically, this vulnerability is categorized as a run-shell-injection. It implemented a pattern that executes a command in a shell where the attacker can subvert the call and run their own supplied commands instead.

Take a look at our Security Research blog posts for additional insights. In particular, the post-install script was sending a prompt to any locally installed Claude or Gemini CLIs to help gather credentials. You can learn more about it and our response from our blog post.

Quarterly Release Update

We’ve bundled up releases from the past few months into a Quarterly Release page to help share some of the highlights of what’s changed and what’s new.

Watch the Webinar Replay or Download the Release Kit.

Finding Vulnerabilities in the First 30 Days

This story warms our cold, secure heart that Semgrep is trusted and can show results so quickly. Our friends at Trail of Bits Blog shared a story from one of their excellent new hires:

In my first month at Trail of Bits as an AI/ML security engineer, I found two remotely accessible memory corruption bugs in NVIDIA’s Triton Inference Server during a routine onboarding practice.

He shared: “My approach was straightforward: point our standard static analysis tools at the codebase… one of the tools we rely on for this initial reconnaissance is Semgrep.”

A full breakdown of the findings, Semgrep rules and links to CVEs can be found in the blog post Uncovering memory corruption in NVIDIA Triton

Connecting Code Scans to Cloud Consequences

Through an exciting partnership with Sysdig, we’ve connected Sysdig’s runtime insights for what’s exploitable in the cloud to the code, file, and developer behind it to help put build-time context with run-time insight.

Learn more about our shared vision that security should enable speed and not slow down development or teams.

Shipping Value, Not Just AI for AI-Sake

We don’t think that users care that AI is used for features, they care about the impact it makes.

Wealthsimple shared how they are leveraging Semgrep’s LLM-powered memories feature noting:

“A system that learns from our security decisions and applies that knowledge to future scans. The implementation is remarkably simple. All it takes is clicking 'new memory' and adding a description rule of the context or pattern you want the system to recognize.”

They quickly created twelve active memories to analyze 630+ security findings and reduced the backlog by 397 likely false positives (62% improvement). That's the impact we want to see.

Read more from the Wealthsimple Engineering Blog.

Model Context… Propaganda

Dr. Katie Paxton-Fear and Drew Dennison had a conversation about MCP (Model Context Protocol) and integrating tools into your AI-development workflows.

Watch their conversation and learn some tips for how to accelerate your secure development workflows.

It’s always rewarding when we see fans who share their success with Semgrep. Sean Kochel listed Semgrep among the 5 Claude Code MCP Servers You Need To Be Using.

Try Semgrep MCP with Cursor.

Celebrating 1M Code Scans Per Week

Our managed scans crossed a new milestone. If you are managing your own workload, talk to our team about managed scans so we can help keep you covered.

We also have a Managed Scan Quickstart Guide to get you up and running quickly.

How to Get Started with Semgrep

If you've only just learned about Semgrep, here's some ways to get started:

The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.

The Semgrep AppSec Platform helps enterprises who prioritize their security risks. Visit https://semgrep.dev/signup and try the Quick Start for free on any project with fewer than ten (10) contributors.

If you have any questions, feedback, or stories to share about using Semgrep, hop onto the Community Slack and let’s chat (I’m @j12y)! If you want to talk to us virtually or see us in-person, check out the events page to see where we’ll be.

Make Faster and Better GitHub PRs With This Graphite Workflow

Martin Jambon — Fri, 19 Sep 2025 00:15:24 +0000

If you're not sure how to take advantage of Graphite but your colleagues are raving about it, here's what I wish I was told from the beginning when we started experimenting with Graphite at Semgrep. I propose a workflow that makes it easy to revise previous commits, reduces conflicts, and avoids having unrelated changes in the same PR.

The promise

easier conflict resolution thanks to fewer commits that affect a given piece of code;
easier code reviews thanks to more focused, smaller pull requests;
easily rework earlier commits without creating new ones;
each commit message becomes a meaningful pull request description;
less upfront planning, you can start working on prerequisites after starting working on a feature.

A stack of what?

A stack of pull requests isn't really a stack of pull requests, it should be treated as a queue of editable changes. Even though technically each change in the stack ends up being a GitHub pull request as we know it, a stack of changes functionally is the equivalent of one large traditional GitHub pull request implementing a new feature in multiple steps.

Here's how to think of a stack:

A Graphite stack should be thought of as a sequence of changes necessary to deliver a new feature.
Each change should be a single Git commit that gets amended over and over again.

change: a logical change in the code base. For Git, it's a single-commit branch with a description of the changes. For GitHub, it's a branch and a pull request (PR). For Graphite, it's a stacked PR. The requirement that each change have only one Git commit is ours.
queue of changes: a sequence of changes to be merged in a particular order. Each change in the queue is editable at will. New changes are added to the end of the queue normally or inserted anywhere within the queue. For Git, it's a sequence of commits where each commit also has a branch name. For GitHub, it's a collection of branches where each branch is associated with a pull request. For Graphite, it's a stack of pull requests.

Recommended flow

Creating a stack

Set the current branch to your repository's main branch as you would before when creating a branch destined for a pull request:

$ git checkout main

Then make changes to your code until it's mergeable or until you want to back it up. It's ok if it's not finished.

Then, commit your code as the first set of changes:

$ gt create

Useful options include -a to add all files, -m to set a commit message. The branch name can be specified as an argument if you don't like the name assigned by Graphite.

Resuming work on the last change

Say you finished your day of work by committing a change with gt create. The next day, you'll resume the work by making edits until you're happy with your code. Now, instead of adding a new commit, you're going to modify the last commit by adding your new changes. Graphite offers the modify command to do this conveniently:

$ gt modify -a

That's it. The main idea is that we keep each meaningful change as one Git commit that can be revised later.

Adding another change

Now, assume you need to make another preliminary change before delivering your feature. As before, you modify your code as usual. You then commit it as one Git commit. This commit will also be technically its own Git branch later associated with its own pull request. We will treat it as a change that we're free to revise later. The command, like earlier, is gt create:

$ gt create -a -m 'Another preliminary change'

Use gt rename to change the Git branch name if you want.

Editing an earlier change

At this point, you may have figured out that Graphite is based heavily on editing the Git history. This is what we're doing here. From Git's perspective, a stack of changes is a branch of a branch of a branch... From Graphite's perspective, it's a stack or sequence of changes that are meant to be reviewed and revised later in any order. Inspect the stack and your position in the stack with:

$ gt ls

Navigate the stack i.e. change the current git branch/commit with gt up and gt down until the current branch is the one corresponding to the change you want to edit. For example, go to the previous change with:

$ gt down

Now, edit your code and commit it as described previously, not by introducing a new commit, but by amending the commit:

$ gt modify -a

With this command, Graphite modifies the current commit and updates the subsequent changes using git rebase under the hood.

Inserting a preliminary change you hadn't planned for

Planning ahead has its limits and we often find ourselves in the middle of implementing a feature only to realize that a preliminary change should have been made. The traditional solution is to extend the current branch with a new commit, resulting in a mixed-bag pull request and an annoyed code reviewer telling us "this could have been a separate pull request". To insert a preliminary change before the current branch, use this approach:

Navigate the stack with gt ls, gt down, gt up as needed to select the Git branch you want to use as a base.
Edit the code to implement your new change.
Insert the new code as a new change in the queue using gt create --insert -am <DESCRIPTION>. See the help with gt create --help for details on --insert.

Graphite takes care of the git rebase commands needed to update the subsequent commits, making the operation much easier and safer than if we had to do it manually.

In the following example, we inserted change #137 as the first change in the queue even though it was created after #135 and #136:

Pushing the work to save it

As a backup measure, it's a good idea to push your code to GitHub or equivalent once in a while. You would do this for all the changes in the stack at once with

$ gt submit

This will create a pull request for each change in the stack, sending you to Graphite's Web interface. However, these pull requests are not definitive. If you're not ready to send them to review, you can either save them but not press the Publish button or you can publish them but mark some of them as drafts. There are buttons for these things. The draft feature is the same as GitHub's draft feature.

Reviewing and merging the stack

A stack of changes translates to a sequence of pull requests that can be reviewed either on Graphite's Web app or on GitHub. On GitHub, there's a CI check that sort of prevents the reviewer from merging a PR if its dependent PRs corresponding to changes down the stack haven't been merged yet.

Synchronizing with the main branch

To import the latest changes of the main branch into your stack, use

$ gt sync

It's equivalent to a Git rebase for each of your changes. You'll have to resolve conflicts the usual way, by following the instructions. This is where it helps to have just one commit per logical change in the stack.

Running other Git operations

You can still use the usual Git commands but some are deprecated when working on a Graphite stack. git commit can be fine but unnecessary since you'd usually use gt create or gt modify instead. git push may be fine too but gt submit will push all the branches corresponding to your stack at once. Rewriting history with git rebase is probably best avoided if you're working on a Graphite stack. git merge and git pull should also be avoided since gt sync will handle synchronization and conflict resolution for the whole stack.

Read-only operations such as git log are of course fine and recommended in the same situations as with traditional Git/GitHub workflows.

Clean-up

Graphite will offer spontaneously to delete merged branches (unlike Git when merging a branch on GitHub with squash-and-merge).

Important take-aways

Don't worry about planning your work ahead of time. You don't have to. Keep editing your code by amending the last commit with gt modify until your code works and you're comfortable moving on to something else... which will be a new change in the stack. You can always go back and edit earlier changes down the stack later.
Embrace editing the Git history. gt ls/gt up/gt down/gt modify does it for you.
Minimize the number of commits to facilitate conflict resolution. This is achieved by the recommended flow above where you go extend previous commits.

The benefits that you should get out of this approach are:

easier conflict resolution due to having fewer commits
easier code reviews due to having one pull request per meaningful change

Open questions

Review multiple changes separately but merge them as one?

CI checks will need to pass for each change/commit/PR in the stack. Often, it makes sense for two changes to be reviewed separately even though they need each other for the software to work. Since merging only one of these commits would break the build and fail CI checks, is there a way to submit these two changes for review separately but require them to be merged as one?

Why is it called a stack?

In computer science, a stack or last-in-first-out (LIFO) container is a collection of elements where only the most recently added element is meant to be accessed. This is not exactly the meaning used by Graphite which can be confusing to some of us. Even to ordinary pancake enjoyers, the notion of a stack implies that modifying elements inside the stack is difficult and unusual*. Graphite makes it easy and pleasant to modify the items in the stack, making it feel less like a stack.

*a solution to add butter to each pancake before they get cold involves reversing the stack rather than trying to insert butter between pancakes.

Disclaimer

I'm still new to this. Expect some inaccuracies and oversights.

Protecting Yourself from Spear Phishing Attacks Such as the One Targeting NPM Maintainers with 2FA Update

Jayson DeLancey — Mon, 08 Sep 2025 22:52:26 +0000

If you are a package maintainer of software used by others, you may not be a target like journalists or government officials but a target nonetheless. Earlier today one maintainer fell victim to something that could have impacted any overworked software engineer, a message that was a well disguised spear phishing campaign. See: Security Alert | chalk, debug and color on npm compromised in new supply chain attack

This is a reminder that whether you deploy libraries on npm, pypi, cargo, and many more to stay vigilant.

Spear Phishing

Spear phishing is a more targeted version of phishing which is what makes it so effective. Instead of a random email blast to thousands of college students, stay-at-home parents and busy professionals -- its tailored to target and trick you specifically. The maintainers of packages in a repository is not kept secret. They are often kindly sharing their work for the benefit of the community at large. That means an attacker can discover names, contact info, and nature of the work of popular packages without a lot of effort.

The message they send isn’t “Meet singles in your area,” it’s more like “Update your security settings before you lose access.” That small difference is why people fall for it because it is appropriate and sparks a sense of urgency.

What makes this dangerous for open source maintainers is that trust extends beyond the individual. If your account is compromised, the attacker potentially gains access to publish new versions of your package. Any downstream consumers, CI/CD systems, or even enterprises could unknowingly install malware. One cracked maintainer account can cascade into a supply chain incident like we saw today.

Security Notice: Two-Factor Authentication Update Required

A rather official looking message was sent to maintainers of packages hosted on npmjs.com that they were overdue for a two-factor update.

The message came from a domain that closely resembled the official NPM registry:

Date: Mon, 08 Sep 2025 00:30:21 +0000
From: npm <support@npmjs.help>
Subject: Two-Factor Authentication Update Required

It was free of typos and other errors typically found in spam messages:

As part of our ongoing commitment to account security, we are requesting that 
all users update their Two-Factor Authentication (2FA) credentials. Our records 
indicate that it has been over 12 months since your last 2FA update.

To maintain the security and integrity of your account, we kindly ask that you 
complete this update at your earliest convenience. Please note that accounts 
with outdated 2FA credentials will be temporarily locked starting September 10, 
2025, to prevent unauthorized access.

[Update 2FA Now]

If you have any questions or require assistance, our support team is available to help. You 
may contact us through this link.

Spotting Red Flags in Phishing Emails

Many major corporations have annual mandatory training on how to spot issues like this. This doesn't mean every maintainer does.

Domain Lookalikes

The domain npmjs.help was chosen because it looks like npmjs.com and attackers will often purchase similar domains or TLDs.

Urgent Call to Action

For something like a 2FA reset, chances are you will have been notified multiple times. If you've ignored earlier warnings it may be time to read more closely, but if its the first time you've seen a message to reset your password or credentials there is reason to be suspicious.

Links Behind Buttons

Double check that you trust any URL that a link or button will take you to. If you disable images displayed from unknown senders or more stoically just read text-only rather than HTML emails you may already have a leg up for inspection.

Final Thoughts

I have sympathy for any individuals who are compromised from a coordinated campaign like this. It was executed really well from a social engineering perspective, even if the malware was ineffective The Largest Supply Chain Attack Stole 5 Cents it can happen to any maintainer.

Hacker Summer Camp 2025 Edition | Semgrep Newsletter

Jayson DeLancey — Wed, 30 Jul 2025 00:39:56 +0000

We’ve rounded up some news and updates from the Semgrep ecosystem to help ship features, not vulnerabilities.

If you need a Semgrep account, sign up for free and get started with the Quick Start for free on any project with fewer than ten (10) contributors.

Hacker Summer Camp

It’s that time of year when the weather gets hot and we take a break to meet and compare notes with our colleagues from across the security industry. You’ll find us all week at events including The Diana Initiative, BSidesLV, Black Hat, and DEF CON.

We are taking over Omega Mart on 8/5 for an exclusive event for our customers and the security community. Just us, no tourists. If you’ve never been it is a delightful and immersive art experience filled with puzzles, stories and will make for a memorable experience. We are also hosting a LAN tournament on 8/7 at an arcade bar which will be a fun way to unwind from the day.

We’ve got something happening every day so check the event page to learn more about our conference talks, free book signings, and other appearances.

Join us for Hacker Summer Camp 2025

Shared Context for Build and Runtime

Cloud-Native Application Protection Platforms (CNAPP) like Sysdig are a key ingredient to an AppSec strategy. When sharing that runtime context with a build-time tool like Semgrep can be more effective.

Was this code deployed and if so which environment?
Prioritize findings that have production relevance and exposure
Link alerts to specific file, function, and team that introduced a risk

The end result is fewer alerts, faster response, and better collaboration between teams.

Learn more about the Sysdig + Semgrep integration

Evaluating a Security Tool’s Sensitivity

The sensitivity of a tool is determined as the likelihood of over-reporting or under-reporting security findings.

Security Research firm Doyensec evaluated the benefits of graduating from Semgrep Community Edition to the Pro Engine. They saw between a 50% and 71% true positive rate accuracy boost.

Read the Report

What is Variant Analysis?

Securing software requires a comprehensive plan to find, fix, and prevent bugs that matter before build-time. Eugene Lim shared an excerpt from his upcoming book how to take a CVE and write Semgrep rules for finding variations in code implementations that might otherwise be missed.

In a blog post, Eugene walks through an example of a CVE that impacted Expat, a C library used to parse XML files which demonstrates a pattern that can be used for any vulnerability disclosure.

Read the Excerpt

Restoring Confidence in Secure Development

“The guidance wasn’t just accurate, it was built into our workflow, right where developers needed it. That made all the difference... Both developers and security engineers now have greater confidence in our shared process.”

– Chris Holman, DevSecOps Engineer, Glasswall

Read how Glasswall didn’t just replace one tool with another but instead matured their AppSec program from reactive to streamlined, developer-first, and future-ready.

Read the Case Study

Leverage Static Analysis for Detection

From our friends at Trail of Bits, a senior security engineer discussed how he looked for exploit patterns in Go’s JSON, XML, and YAML parsers.

Additionally, he provided public rules to detect these patterns:

semgrep -c r/trailofbits.go.unmarshal-tag-is-dash
semgrep -c r/trailofbits.go.unmarshal-tag-is-omitempty

Read the post Unexpected security footguns in Go’s parsers to learn more.

PHP Reachability

We now have reachability coverage for PHP for all critical issues since 2017 and high-severity issues since May 2022! These rules are available for all PHP projects and further extends the supply chain reachability coverage from C#, Go, Java, JavaScript, Kotlin, Python, TypeScript, JSX, Ruby, Scala, and Swift.

AI Assistant Memories

If we can’t tell you what to fix, we won’t show it to you. Your time is too valuable. Development teams need clear, step-by-step remediation guidance. (AI Assistant) helps with prioritizing and with remediation guidance.

Semgrep Assistant allows you to customize with Memories so that policy decisions help tune results for higher accuracy over time.

Learn more about AI Memories

How to Get Started with Semgrep

If you've only just learned about Semgrep, here's some ways to get started:

The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.
The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to semgrep.dev, sign up, and follow the Quick Start.

If you have any questions or feedback, hop onto the Community Slack and let’s chat (I’m @j12y)! If you want to talk to us virtually or see us in-person, check out the events page to see where we’ll be.

AI Code Assistant Memories, PHP Reachability, CVE Policies, and Benchmarking

Jayson DeLancey — Tue, 24 Jun 2025 19:43:34 +0000

I've rounded up some news and updates about Semgrep to make it easier to ship features, not vulnerabilities.

Some of the stories captured include:

Memories as in applied AI that remembers your security decisions, as a way of storing policies for faster resolution time of vulnerabilities.
Reachability to help prioritize vulnerable supply chain dependencies that are executed rather than panic over vulnerabilities that are not called.
Benchmarking as a way of comparing performance release over release, whether for speed, coverage, accuracy, or other important metrics when choosing a solution.

Continue to learn more...

A Security Tool That Learns

Identify Memories using Semgrep Assistant and the AI model improves. The platform gets smarter about YOUR specific environment and policies. This effect compounds to make development teams more efficient by reducing false positives.

Read more in the blog post Is Zero False Positives a Reality?

PHP Reachability Analysis

Reachability analysis dramatically reduces the noise from SCA alerts, by up to 98%. We’re excited to introduce the industry’s first reachability analysis for PHP, marking the 11th language with this capability.

For additional coverage, see the docs about language support.

Vibe Coding and AI Security with MCP

"There's a viber born every minute."
-- P.T. Barnum (likely)

We can’t always trust the output of code generated by AI. When combined with security scanning, such as using the Semgrep MCP server, we can better manage risk with tools like Cursor – watch the demo.

Replit takes the security of their customers seriously and has integrated Semgrep into their Security Scanner.

Graduating to Semgrep AppSec Platform

We proudly sponsor continued support for Semgrep Community Edition which is why it continues to be a top performing free SAST tool used by:

Security researchers
Pentesters
Consultants
Open-source developers
Hobbyists

For Application Security Engineers and Development Teams that take security seriously, you may need more. The updated Semgrep Pricing page clarifies where to find the features you need.

Quarterly Release Summary

Our Quarterly Release page pulls together highlights from the past few months of releases to Code (SAST), Supply Chain (SCA), and Secrets (detection).

Use CVE as a Supply Chain Policy

Want to block or comment for a specific set of CVEs crucial to your product? Choose from a list of CVEs generated from findings, or input a known CVE ID -- dependency search is available by CVE ID or rule name.

Benchmarking Source Code Scanning Speed

If source-code scanning and static analysis slows down development, engineering teams won’t adopt it. Is Semgrep fast? Yes it is.

Learn how we think about performance at Semgrep in this blog post: Benchmarking Semgrep Performance Improvements.

Find this update and more open-source improvements in 20+ releases so far this year.

Customizable PR / MR Comments

Many developers review security findings directly as comments left in merge or pull requests. In the Semgrep Platform settings tab, teams can customize these to add company-specific instructions, links to resources, or other helpful notes.

See the PR / MR Comments documentation for setting up Azure, GitHub, GitLab, or Bitbucket for examples of custom comments.

SoSafe Case Study

“We treat engineers as partners, not just stakeholders. Semgrep helps us meet them where they are.”
– Mubasher Chaudhary, Application Security Engineer, SoSafe

Learn more about how SoSafe evaluated tools for their security program in the SoSafe Case Study.

How to Get Started with Semgrep

If you've only just learned about Semgrep, here's some ways to get started:

The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.

The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to semgrep.dev, sign up, and follow the Quick Start.

Replit GenAI Security Scans and Shadow AI

Jayson DeLancey — Tue, 27 May 2025 17:10:36 +0000

A roundup of recent headlines about Semgrep in the past month.

$ grep -rh -A 5 -m 10 “<h1>” semgrep-news.html | more

Replit Partners with Semgrep for AI Security Scans

Replit is an AI-powered platform that lets you create and deploy apps from a browser. This is great for dev teams to enable quick product development cycles. For security teams, well… like other LLM tools, this can introduce risks. Replit turned to Semgrep to power its security scanning, directly within the Replit IDE.

Learn more in the blog post about the Replit + Semgrep partnership.

RSAC Industry Leader Interviews

The team had a great show at RSA and BSidesSF this year. We had a chance to turn the camera on and have a chat with some friends:

Phil Venables, Partner at Ballistic Ventures, shared his insights with Clint Gibler (Semgrep Head of Security Research) about the things he’s learned from senior security research roles at companies like Deutsche Bank, Goldman Sachs, Google, and more. Watch the video interview.
Cristin Flynn Goodwin, Consultant with Good Harbour, shared her experiences for a legal perspective on cybersecurity with Tanya Janca (Semgrep Developer Advocate). Watch the video interview.

Other interviews include Jason Haddix (Arcanum), Nariman Aga-Tagiyev (SecureHabits.nl), and more.

Shadow AI Scan for Unauthorized Usage

Unaccounted for AI usage can lead to compliance violations, sensitive data exposure (including secret keys!), and many other GenAI security risks when not using a proper approval process. We’ve built a new ruleset to detect unauthorized use of AI and LLM libraries including OpenAI, Anthropic Claude, LangChain, HuggingFace, Grok, Gemini, Deepseek, and more.

See the Semgrep Shadow AI page from RSAC to learn more.

Scaling Security and AI with AWS

Cameron Smith, Sr. Security Solutions Architect at AWS, joined Jack Moxon, Staff Product Manager, to talk about rapid development and cloud-native deployment at speed. Video interview on Youtube.

Semgrep Rulez for Vibe Code

We’ve partnered with Replit to incorporate Semgrep rules directly in a Security Scanner for AI generated code. This puts users of Replit one step ahead so that this doesn’t happen to you:

For everybody else, the Semgrep MCP server provides a path for any technology team to incorporate Semgrep security scans into their LLM generated source-code production workflows. This enables a secure-by-default AI solution. View the README.md for setup instructions usable with tools like Anthropic, OpenAI, Cursor, Windsurf, Lovable, etc.

Rulesets for Customizing Security Checks

Want to improve your security posture by writing custom Semgrep rules for your organization?

Watch the Rule Writing 101 (video) and Rule Writing 201 (video) to learn how step-by-step. The documentation for writing rules goes into more detail on the pattern and rule syntax which you can test interactively in the Playground. The Custom Rules course from Semgrep Academy goes even more in depth.

Visit the semgrep-rules github repository to see examples or if you built rules that you are willing to share like Trail of Bits and Gitlab have contributed.

FinTech and the Role of AI in Security

What is different about security engineering in a FinTech context? Industry security veterans Rinki Sethi (BILL) and Lee Laslo (Alloy) share their perspective.

Watch the video interview.

AppSec for Builders: A Manifesto

Luke O'Malley was interviewed at RSA about his manifesto for builders and the future of artificial intelligence.

“If you want to empower your builder, you need to give them agency... it’s not about control, it’s about empowerment. We want to notify them if they’re doing something risky and provide a guardrail and nudge them back onto the paved road—a safer path that still lets them move fast.”

Watch the video or read the blog post with highlights from the session.

Community Headlines

It is fascinating to see all the ways other community projects are using Semgrep!

DeepWiki uses AI to generate documentation, including the semgrep/semgrep open-source project. Helpful for those who want to contribute.
Replit’s perspective on The Safest Place for Vibe Coding.
Watch the recording of the Fireside Chat with Tanya Janca and Laura Bell Main, founder of SafeStack.
Meta’s PurpleLlama CyberSecEval project includes tools like CodeShield and Insecure Code Detector (ICD) to identify insecure coding practices such as LLM output and has built some custom rules as part of the project.
Anthropic Case Study: How Semgrep delivers AI-powered code security with Claude in Amazon Bedrock

Have a Semgrep story? Share it with us!

How to Get Started with Semgrep

If you've only just learned about Semgrep, here's some ways to get started:

The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.
The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to semgrep.dev, sign up, and follow the Quick Start.

Product Engineers Should Ship Fast AND Secure Vibe Generated Code

Jayson DeLancey — Fri, 23 May 2025 21:16:20 +0000

It’s one thing to be embarrassed by the first version of your product capabilities and quite another to ship something for early feedback only to realize you embarrassed your company, your now lost customer, and your own reputation. A Product Engineer is a Software Engineer who also takes on Product Owner/Product Manager responsibilities. Product Engineers are being asked to do more tasks in less time, so turn to using tools like GenAI to vibe code the way to an MVP.

“If you are not embarrassed by the first exploit of your product, you’ve launched too late.” –Henry Ford (while vibe coding probably)

LLM coding assistants like Replit, Cursor, Lovable, V0, Bolt, Windsurf, Retool, Devin and more can be used to crank out code faster than any security expert can keep up. Automated application security scans while developing are the solution to this problem.

Data and Model Poisoning of LLM-Generated Code

Let’s consider the problem.

Most software engineers familiar with secure coding are aware of cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. Even many LLMs will get these right because they are common enough, but large language models (LLMs) may also innocently use incorrectly implemented code when training or more sinisterly, be subject to data poisoning.

Training Data Poisoning refers to intentionally manipulating training data to introduce vulnerabilities and exploitable patterns that LLMs will consume. It's a constantly moving problem, unfortunately, and LLMs will continue to evolve as do the attacks and newly discovered vulnerabilities.

How do we move forward with secure-by-default approaches to code generated by AI?

Semgrep Secure Scanning with Replit

Semgrep is a fast static analysis tool to identify security vulnerabilities in source code before shipping to production. Replit recently introduced a Security Scanner to analyze dependencies and source-code for vulnerabilities as a step before deployment. The findings from Semgrep are used by the Replit Agent to fix the vulnerabilities right away.

Replit is using the open-source community edition of Semgrep rules for standard vulnerability detection such as:

SQL Injection
Insecure Dependencies
Cross-site Scripting (XSS)
Hard-coded Credentials (Secrets)
and more…

Does this make Replit the Safest Place for Vibe Coding? Their approach to beefing up security with App History, Replit Auth, Rollback previews, and Semgrep Secure Scans is a sensible approach for rapid development and deployment.

Secure scanning is available on certain plans using your Replit account.

Semgrep Agentic AI Approach with a Cursor MCP Server

Taking a similar approach, Cursor can support a Model Context Protocol (MCP) server that plugs in to the development environment. Then, any generated code can be combined with a Semgrep scan to identify vulnerabilities and then immediately acted upon. In this way, the IDE acts like an agent, running the Semgrep source code scan on its own generated results and then applying fixes.

Source code for the server is available from the Github repo semgrep/mcp after you sign up for a Semgrep account.

Shift-Left for Product Engineers

Product Managers must understand all the business requirements, both functional and non-functional like security. They also must prove their ideas quickly and iteratively, so low-code generative solutions are an effective strategy. It took the industry a long time to recognize and begin shifting security concerns left to put up some guardrails.

LLMs are accelerating development and evolving quickly. Our approach to secure-by-default artificial intelligent agents should be to always scan and then act on the findings.

It isn't just the scan though, its the team of security researchers who are watching and updating the rules to protect us from exploitation and put in place those safeguards while still allowing innovating on product.

For more information, check out some of these resources.

Semgrep maintains the open-source static application security testing (SAST) engine and continuously improves upon the professional security rules to keep pace with the latest security concerns.

RSA Plans, Vibe Coding, AppSec Industry Survey, Anthropic and a CVE for vLLM

Jayson DeLancey — Mon, 21 Apr 2025 21:30:00 +0000

This is another installment of the top ten things happening at Semgrep recently that I think you will want to know about.

Let Them Build

Luke O’Malley, one of the founders of Semgrep shared his vision for how secure software starts with the builders who write it. Read the AppSec for Builders Manifesto and share where you agree and where you don’t. Post on social media and tag us with #LetThemBuild.

Reduce the Risks of Vibe Coding

Vibe coding has moved from a meme to the reality many security teams face when reducing risk from AI-generated source code. We’ve built an MCP server to help integrate security guardrails into the development workflow. Visit the semgrep/mcp repository for instructions and source code. See how it works with this video demo of a Cursor integration.

RSA and BSides SF

If you are coming to San Francisco please visit and find out about the latest AI advancements at Semgrep. Visit our RSA event page to learn where we’ll be and when. We’re hosting an exclusive Pre-BSides SF + RSA Party, an Alice & Bob Learn Secure Coding book signing with Tanya Janca, special dinners, and more.

Review the schedule
Getting Ready for RSA 2025 Webinar
Schedule an on-site demo and get a custom hat

I’m looking forward to seeing you all at BSides SF and RSA in-person.

Take the Free AppSec Survey and Course

Want to get some advice on your application security program? Take this interactive survey that will give you some tips & tricks to level-up your AppSec program.

From a review on the Application Security Foundations Course:

“What I love about this course is that it gave me a refresher of foundations of appsec, goals, and tools that I can recommend to incorporate” –Recent Reviewer

Share the free security course with your team.

CVE-2025-29783 for vLLM

We’ve added a CVE to our trophy case. Recently, CVE-2025-29783 was created with credit going to an AI Security Researcher at Nvidia who uncovered the AI attack surface while using Semgrep.

The python.lang.security.deserialization.pickle.avoid-pickle rule was the clue.

One Typo Away from a Really Bad No Good Day

A software library as a dependency can quickly become a trojan horse to more malicious intentions. A developer is one typo away from a malicious dependency entering the code base. An approach to malicious dependency detection relies on Supply Chain SCA and reachability analysis.

"Modern AppSec programs, like Figma's, rely on a paved road with secure guardrails for fast and safe development."
-- Devdatta Akhawe, Head of Security, Figma

Check out the docs on malicious dependencies to learn more about the 30,000 new rules and supported ecosystems.

Click Into Dashboard Metrics

False positives are a problem and they get in the way of addressing true vulnerabilities while eroding trust. The Fix Rate, number of findings fixed in development relative to the number identified, can be a helpful north star metric for AppSec teams to evaluate triage and remediation when using Semgrep.

New in private beta, we’re providing a preview of clickable charts that allow for deeper reviews into metrics like backlog totals, guardrail activities, etc. so that you can review AI Assistant findings more quickly to understand why, share wins, and demonstrate progress.

Book a demo to chat more about these upcoming dashboard improvements.

Community News

We love hearing about some of the novel things the community is doing with Semgrep. Have you done something that is helping you secure your development team’s workflow? Let us know. Reply to this email or DM me on Semgrep Community Slack so we can highlight and share what you’ve learned.

Trail of Bits shares updates to their community rules which can be found in the Semgrep Registry.
GuardDog is an OpenSSF project which recently shared how they use Semgrep rules to uncover complex behavior patterns in supply chain security
Semgrep is featured in an Anthropic case study about AI Assistant capabilities

Mastering Security Headers

Scott Helme, founder of Security Headers and Tanya Janca will be diving deep into mastering security headers in a webinar on April 22. Join live to ask questions and get additional insights. You should also consider sharing the free security headers course with your team.

There are also other upcoming webinars including Scaling Security for FinTech when dealing with regulatory compliance. Elliot Colquhoun, VP of Information Security and IT at Airwallex will join to share perspectives.

How to Get Started with Semgrep

If you've only just learned about Semgrep, here's some ways to get started:

The Semgrep Community Edition is free open-source software that powers many teams with basic functionality.
The Semgrep AppSec Platform capabilities are available to test on any project with fewer than ten (10) contributors for free. Just hop over to semgrep.dev, sign up, and follow the Quick Start.

If you have any questions or feedback, hop onto the Community Slack and let’s chat!

SAST vs SCA: Choosing the Right Source Code Security Scanning Tools

Jayson DeLancey — Thu, 17 Apr 2025 18:23:30 +0000

Engineering teams want to satisfy security teams. Security teams want to be seen as value-added and not a nuisance or distraction to development. The threat from not addressing application security is real and can be scary, so everybody needs to work together to solve the problem. Two essential approaches are foundational pillars of an integrated software development process. Static Application Security Testing (SAST) and Software Composition Analysis (SCA).

What’s the difference between these approaches and which should you use?

Understanding Static Code Scanning Tools: What is SAST?

A Static Application Security Testing (SAST) tool can analyze your code without executing it, scanning for potential security vulnerabilities, bugs, and code quality issues early in the development process. SAST tools examine source code acting as an automated security expert, reviewing each line of code. This doesn’t replace a Security Engineer but helps accelerate the discovery of vulnerabilities and the confidence in code being ready for release.

Some key features of a good SAST tool:

Source Code Static Analysis: An engine to parse and interpret the syntax across files and functions of a proprietary code base to uncover risks.
Language Support: Coverage for any programming languages and frameworks used during development should be supported by the SAST tool and appropriate for your environment(s).
Integration with Dev Environment: Work seamlessly with any existing developer tooling like IDEs, PR/MR comments, CI/CD pipelines, etc.
Customization: An internal application requires different security considerations than a massively popular financial application. Customizing security policies to address relevant threats for a specific context is more valuable than generic standards.
Taint Tracking: Analysis of the flow of tainted data such as untrusted user input and any expressions that operate upon it that may be exploited.

It is one thing to find vulnerabilities, but remediation guidance is also important to provide sample code for how to address an issue. Some common issues like SQL injection, cross-site scripting (XSS), or insecure authentication patterns may be common knowledge, but there are many obfuscated ways somebody might be able to exploit logic in software that isn’t immediately obvious to every developer.

What About Software Composition Analysis (SCA)?

While SAST tools focus on the first-party code you’ve written, Software Composition Analysis (SCA) tools examine any third-party dependencies used in the application. This software supply chain often includes open-source dependencies that in turn rely on additional open-source dependencies. Some estimates say that dependencies alone account for over 80% of the source code that is being executed as part of an application.

What matters for SCA tools:

Dependency Scanning: At a minimum, identify vulnerabilities in any third-party libraries and packages. Even if a library was fine yesterday doesn’t mean a new issue wasn’t discovered and being exploited today.
SBOM Generation: A Software Bill of Materials (SBOM) is often required for compliance reasons to track all components. Some build tools create lockfiles or manifests, but that is not guaranteed. A good SCA tool shouldn’t rely only on lockfiles to detect vulnerabilities.
License Compliance: Certain open-source licenses may require open-sourcing proprietary code if they are integrated or modified. For this reason and many more, some organizations have limitations around acceptable licensing that must be enforced across the organization.
Vulnerability Advisories: An extensive database of common vulnerabilities and exposures (CVE) is an important place to start. Visibility into exploit prediction scoring (EPSS) can help with prioritizing where to place effort.
Reachability Analysis: Simply importing a package could be an issue with certain malicious software, but in most cases vulnerabilities may only exist in specific functions. If you don’t use those functions you aren’t at risk. Prioritizing security issues that are reachable over updates that don’t have as much immediate benefit can be helpful context for prioritizing return on effort. Transitive Reachability is a consideration for not just direct dependencies, but dependencies of your dependencies, and so on.

Prioritization of dependencies becomes important. On many projects, you might get a bot message about all the compromised versions of software, but the upgrade path may not be clear because it might require code changes. Remediation advice that helps prioritize critical issues from the noise is super helpful and will save you a lot of time.

SAST vs. SCA: Why You Need Both

It isn’t a “SAST vs SCA” debate, the approaches to discovering security risks are complementary. Without a SAST tool, you are unaware of vulnerabilities in your codebase. Without SCA, you’re ignoring risks from compromised third-party code you may not be as familiar with, but can still cause significant harm.

For code coverage, a SAST checks your code and SCA checks any third-party dependencies (the code you did not write).

All vulnerabilities are important, but there are only so many hours in the day so dev teams must ruthlessly prioritize and choose where to focus attention.

SAST and SCA: A Complete Platform Approach

Security-aware teams need platforms that address both static analysis and software composition analysis.

Use Semgrep (SAST) to scan any code developed by you and your team. Semgrep’s Community Edition is open-source and remains a free SAST solution that is accessible to small teams. A subscription is necessary for larger code bases with many contributors and enterprise-grade security needs.
Layer on Semgrep Supply Chain (SCA) to audit coverage for all the code your team did not write. When combined with step 1, now you've analyzed 100% of the code that will run.
Integrate both into a CI/CD pipeline or use managed scanning for quick continuous protection.

The best security platform is the one that isn’t painful for development teams to actually use. A focus on speed, ease of use, and developer experience should be the evaluation criteria when making any tooling choices so that security is a natural part of the development process, not an obstacle to shipping.

Learn more about Semgrep and best practices for rolling it out to software teams by scheduling a demo or signing up for a free account to evaluate it yourself.

Vibe Check: Securing AI-Generated Code Using MCP

Jayson DeLancey — Mon, 14 Apr 2025 17:00:00 +0000

Using generative artificial intelligence is a boon for the experimental nature that comes from building software. The unfortunate truth is that AI-generated code suffers from some of the same issues a software developer often faces, rapid prototyping of new features prioritizes fast delivery over securely implementing new features. This is a great use case for tools like Semgrep that are purpose-built to catch security vulnerabilities by scanning source code.

Let’s start by getting some terminology out of the way and then below is a video demo for how the workflow all comes together when integrated so that a source code scanning tool like Semgrep can add security checking to the AI-generated code from a tool like Cursor.

What is Vibe Coding

What started as a social media meme has become synonymous with an iterative workflow using an AI assistant to rapidly generate source code. This approach is accessible to many regardless of experience as a software developer by using an LLM and natural language prompts.

A key challenge is that the source-code generated by this approach is easy for hackers and mischief-makers to exploit security vulnerabilities.

What is Cursor

Cursor has been gaining momentum as an integrated development environment fork of Visual Studio Code that has been optimized for the type of iterative vibe coding development workflow. Cursor has built-in AI chat and code generation that supports a vibe coding workflow.

What is Semgrep Used For

Semgrep is a fast, powerful static analysis tool that uses a rule-based engine to scan source-code and identify security vulnerabilities, bugs, and other code quality issues. It is used by many enterprises and developers as part of a traditional software development lifecycle. There is a free open-source community edition that can be used for scanning individual source code listings as well as a managed platform and services for more sophisticated and professional development teams and workflows.

Semgrep supports most popular programming languages with semantically aware searches to ensure a high signal to noise ratio when it comes to identifying security flaws.

What is MCP Used For

Similar to design patterns that have been used when architecting web applications, MCP provides an open standard for controlling how AI Models behave. It defines a set of APIs that act as a bridge or intermediary between web services and an application.

The reason this is important is that it creates a standardized protocol for AI models to interact with web services, database instances, local tools, etc. that can provide additional data sources that provide context to the model without the model itself needing to build a custom integration with each one.

The end-user who is vibe coding with Cursor doesn’t need to fully understand how MCP works, it is the context service and the IDE that are using it as an intermediary. While the subsequent example uses Cursor, the value of MCP is it also can be used with Copilot, Windsurf, Claude Desktop, OpenAI, or any MCP client. It also lets us integrate services like Semgrep into the LLM context.

Setting Up a Security-Aware Semgrep MCP Server

When this all comes together, the Cursor IDE will use any configured MCP integrations as additional context for working with the LLM. To accomplish this, you’ll host a small server that can handle the protocol to interact with Semgrep.

There are complete instructions and troubleshooting tips in the semgrep/mcp repository README.

1. Access Your Semgrep API Key

You’ll need to sign in or sign-up for a Semgrep.dev account in order to get an API Token.

Example for ~/.cursor/mcp.json but any method of setting the environment will work:

"env": {
  "SEMGREP_APP_TOKEN": "<token>"
}

2. Run the Semgrep MCP Server

The semgrep-mcp server is written in Python so can be installed with a package manager like uv. There is also a docker container that can be pulled:

docker run -i --rm ghcr.io/semgrep/mcp -t stdio

3. Integrate the Server with Cursor

You’ll also modify the ~/.cursor/mcp.json to include instructions for running semgrep:

{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}

4. Give it a try

That’s it, just three steps. The semgrep-mcp server is open-source if you want to learn more about how it works.

Demo of a Semgrep Cursor MCP Workflow

If all goes well, your experience should be similar to this video recording:

For additional information, questions about the project, or any trouble getting the demo working…

Drop into the community slack
Schedule time for a demo
Open an issue or pull request at semgrep/mcp
Read more about Giving AppSec a Seat at the Vibe Coding Table

Getting Started with SAST and Semgrep CLI

Jayson DeLancey — Fri, 11 Apr 2025 23:30:00 +0000

Securing software is difficult and not always top of mind when developing an application. A security engineer at a large bank once told our team that if its development stopped, he calculated it would still take over 100 years for them to get through their vulnerability backlog using traditional Static Application Security Testing (SAST) tools. Semgrep solves this problem by understanding the semantics and cutting through the noise.

What is Semgrep?

Semgrep is used to find application security vulnerabilities through enforced guardrails and coding standards. Semgrep Community Edition is a fast, open-source, static code analysis engine at the heart of the services. While a common tool like grep can search with regular expressions to match exact strings, Semgrep understands the semantics of source code to identify patterns and data flow which helps remove false positives.

For example, a search for 2 with grep would find many false positives, but with semgrep, a rule can more precisely match pattern expressions including variations like: x = 1; y = x + 1.

A few reasons security-conscious teams added Semgrep to their development pipeline:

Support for 30+ programming languages
Simple rule syntax that allows for customization and extensibility without DSLs, managing abstract syntax trees, or regex wrangling
Can run locally in a command line interface (CLI), integrated with your favorite integrated development environment (IDE), as a source control pre-commit hook, in continuous integration and delivery (CI/CD) pipelines, or as a managed platform service.

Semgrep rules exist to help find everything from logic errors, code smells, and security vulnerabilities such as SQL injection, cross-site scripting, secrets leaking, and much much more by analyzing the source code itself.

Installing Semgrep

A typical first step is to look at findings for an individual file using the CLI.

Installation for macOS:

brew install semgrep

Installation for Linux/BSD/macOS:

python3 -m pip install semgrep

Can also be run from a Docker container on Windows:

docker run -it -v “${PWD}:/src” semgrep/semgrep

To test that installation was successful and that semgrep can be found in your path try:

semgrep –h

Run a Code Scan for Vulnerabilities on a Python File

All CLI processing is done locally on your computer or build environment, not uploaded to a service for analysis.

To try this for yourself, you can use your own existing project or start with a simple test project.

$ ls
foo.py
bar.js

For example, this code:

import sys
import subprocess

input = “ “.join(sys.argv[1:])

print(“Python is easy”)
subprocess.run(input, shell=True)

Of course, you would never write code like this, but is that true for everybody on your team?

From the root directory of your project, run:

semgrep scan –config auto

The CLI will pull down rules from the rule registry to test your source code.

The output may look similar to this:

Scanning 2 files (only git-tracked) with:

✔ Semgrep OSS
  ✔ Basic security coverage for first-party code vulnerabilities.

✔ Semgrep Code (SAST)
  ✔ Find and fix vulnerabilities in the code you write with advanced scanning and expert security rules.

✘ Semgrep Supply Chain (SCA)
  ✘ Find and fix the reachable vulnerabilities in your OSS dependencies.

Supply Chain (SCA) and Secrets rules are only available when you sign up at semgrep.dev. When using the free Community Edition you’ll only have access to a subset of the total rules. Here’s our results:

┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    foo.py
   ❯❯❱ python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
          Found 'subprocess' function 'run' with 'shell=True'. This is dangerous because this call will spawn
          the command using a shell process. Doing so propagates current shell settings and variables, which 
          makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.         
          Details: https://sg.run/J92w                                                                       

           ▶▶┆ Autofix ▶ False
            7┆ subprocess.run(input, shell=True)

The finding was triggered by the rule python.lang.security.audit.subprocess-shell-true.subprocess-shell-true which you can learn more about in the Rule Registry.

Run a Semgrep Code Scan on JavaScript with a Custom Pattern

You can create custom rules or even run one-off checks such as finding any output you forgot to remove.

$ semgrep -e ‘console.log(...)’ –lang=js ./bar.js

┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    bar.js
            1337┆ console.log("DEBUG: remove this later");
┌──────────────┐
│ Scan Summary │
└──────────────┘

Ran 1 rule on 1 file: 1 finding.

These were quick Python and JavaScript examples, but Semgrep tools have the motto yes we scan with support for: Apex, Bash, C, C++, C#, Clojure, Dart, Dockerfile, Elixir, HTML, Go, Java, JavaScript, JSX, JSON, Julia, Jsonnet, Kotlin, Lisp, Lua, OCaml, PHP, Python, R, Ruby, Rust, Scala, Scheme, Solidity, Swift, Terraform, TypeScript, TSX, YAML, XML, etc.

Scaling Semgrep to Development Team Workflows

The point of all this is that while we may try to be security conscious when developing software, there are lots of gotchas to know about and when collaborating with other software developers it can be difficult to know if everybody on the team is as well versed on security best practices for every language in use.

For more complex projects, you also need to be able to find cross-file issues, supply chain attacks, and prevent secrets from leaking before they are committed. For these use cases, there is more information in the Semgrep Docs or by joining a webinar or book a demo to learn more about setting up more complex team workflows.