Semgrep Registry - Home of Semgrep's free, out-of-the-box rules (that is, security checks), written by r2c and the community.
These rules are grouped into "rulesets" that collect related functionality, like rules that check for secrets, target specific languages (e.g. javascript) or frameworks (e.g. django), or even entire vulnerability classes (e.g. xss or insecure transport).
Note that the Registry has more rules than what's just in the returntocorp/semgrep-rules repo, as the Registry includes Semgrep rules from other community repos, like NodeJSScan or Go rules by Damian Gryski.
Semgrep Playground - Write and share Semgrep rules right from your browser, no installation required!
Rule Writing
There's a step-by-step rule writing tutorial here.
If you go to the Playground, you can also click the "Examples" button to view a number of illustrative built-in examples.
And of course, you can also review the over 1,000 rules in @returntocorp/semgrep-rules.
Docs
Semgrep has pretty extensive docs, which you can view here.
Of note:
Pattern syntax - All of the ways you can match code within one pattern.
Rule syntax - All of the ways you can combine Semgrep patterns to form more complex queries. For example, looking for code that matches this AND that, or this but NOT that, etc.
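As an added illustration of the "this but NOT that" combination (this is example rule YAML written for this issue, not a rule from the Registry or semgrep-rules; the rule id and message are assumptions), a rule that flags Python subprocess calls using shell=True unless the command is a plain string literal:

```yaml
rules:
  - id: python-subprocess-shell-true-nonliteral   # hypothetical rule id
    languages: [python]
    severity: WARNING
    message: >-
      subprocess call with shell=True and a non-literal command string;
      prefer shell=False with an argument list so input cannot alter the command.
    patterns:
      # "this": any subprocess.<func>(...) call that enables the shell.
      # $FUNC is a metavariable, so call/run/Popen/check_output all match;
      # "..." on either side allows any other positional/keyword arguments.
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # "but NOT that": drop matches whose command argument is a string
      # literal ("..." matches any literal), since a fixed string cannot be
      # influenced by untrusted input.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
```

Every clause under patterns must hold for a finding to be reported, which is the AND; pattern-not supplies the NOT.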
Community
Feel free to join the r2c community Slack to ask questions (we're super responsive!) or reach out to us on Twitter (@r2cdev), or send us an email at support@r2c.dev.
This issue collects various links to useful Semgrep resources and documentation in one place so you can reference it if you ever get stuck.