Abstract
Static Application Security Testing (SAST) is an essential practice in modern software development, enabling early identification of vulnerabilities in source code before deployment. Semgrep, an open-source tool, provides a lightweight and developer-friendly approach to SAST. Unlike heavyweight enterprise platforms, Semgrep focuses on rule-based detection, flexibility, and integration with continuous integration/continuous delivery (CI/CD) workflows. This paper explores how Semgrep can be applied to any application, highlights its advantages and limitations, and presents a demo implementation to illustrate practical usage.
Introduction
Ensuring secure software requires embedding security checks early in the Software Development Life Cycle (SDLC). SAST tools support this by analyzing source code without executing it, reducing the risk of vulnerabilities reaching production.
Semgrep stands out because it is:
- Open-source and lightweight, requiring no server setup.
- Extensible, supporting community and custom rules.
- Cross-language, with support for over 30 languages.
This accessibility enables small teams, startups, and enterprises alike to benefit from automated security scanning.
Applying Semgrep to Applications
1. Installing Semgrep
Semgrep can be installed easily:
pip install semgrep
Or run directly via Docker:
docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config=p/ci
2. Example of a Vulnerable Application
Consider the following Python snippet containing a potential SQL Injection:
import sqlite3
import sys
def search_user(username):
conn = sqlite3.connect("users.db")
cursor = conn.cursor()
# ❌ Vulnerable query (concatenates user input directly)
query = "SELECT * FROM users WHERE name = '" + username + "';"
cursor.execute(query)
results = cursor.fetchall()
print(results)
conn.close()
if __name__ == "__main__":
search_user(sys.argv[1])
This function is insecure because user input is concatenated into the SQL statement without sanitization.
3. Detecting Vulnerability with Semgrep
We can use an existing community rule, or define a custom rule in YAML to catch unsafe execute calls with string concatenation.
rules:
- id: python-sql-injection
patterns:
- pattern: cursor.execute("..." + $VAR)
message: "Possible SQL Injection: avoid string concatenation in SQL queries."
languages: [python]
severity: ERROR
Running Semgrep with this rule:
semgrep --config=rules/sql-injection.yml vulnerable.py
Output:
vulnerable.py
7: cursor.execute(query)
Possible SQL Injection: avoid string concatenation in SQL queries.
4. Integration into GitHub Actions (Automation)
To ensure continuous protection, Semgrep can be integrated into CI/CD pipelines. Example workflow (.github/workflows/semgrep.yml):
name: Semgrep Scan
on: [push, pull_request]
jobs:
semgrep:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: returntocorp/semgrep-action@v1
with:
config: "p/security-audit"
With this setup, every pull request is scanned automatically for vulnerabilities.
Strengths
Fast and developer-friendly: Results appear within seconds.
Flexible: Custom rules can reflect organization-specific policies.
Open ecosystem: Community-driven rule registry reduces setup time.
CI/CD native: Integrates seamlessly with GitHub, GitLab, and Jenkins.
Limitations
Writing advanced rules requires learning Semgrep’s pattern syntax.
Static analysis may generate false positives, requiring manual triage.
Some vulnerability types (e.g., runtime misconfigurations) are outside its scope.
Demo repository
👉 You can access the source code and configurations used in this article at the following link:
🔗 https://github.com/KrCrimson/semgrep-sast-demo.git
Conclusion
Semgrep demonstrates that SAST does not need to be heavyweight or enterprise-only. By applying Semgrep to any application, organizations can detect vulnerabilities early, enforce coding standards, and integrate security directly into developer workflows. Its lightweight nature, open-source model, and community-driven ecosystem make it a versatile option for modern software development teams.
Top comments (0)