Software:Semgrep

From HandWiki
Revision as of 13:58, 9 February 2024 by OrgMain (talk | contribs) (update)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Short description: Open-source static analysis software tool
semgrep
Semgrep logo.svg
Developer(s)Semgrep, Inc.
Initial releaseFebruary 6, 2020; 4 years ago (2020-02-06)[1]
Written inOCaml (core) and Python (CLI)
TypeStatic program analysis
LicenseLGPL v2.1

semgrep or Semgrep CLI is a free open-source static code analysis tool developed by Semgrep, Inc. (formerly r2c[2]) and open-source contributors. It has stable support for C#, Go, Java, JavaScript, JSON, Python, PHP, Ruby, and Scala. It has experimental support for nineteen other languages, as well as a language agnostic mode.[3]

The name is a combination of semantic and grep, referring to semgrep being a text search command-line utility that is aware of source code semantics.[4]

Services

To complement semgrep, Semgrep, Inc. provides a continuous integration service (called Semgrep CI) with supply chain scanning.[5] It also maintains a rule library (called Semgrep Registry). Basic individual use of these services are offered for free while paid tiers cover team and commercial use-cases.[6]

Compared to other popular static application security testing (SAST) tools, Semgrep CI is the only one with an open source engine which is able to run on private codes for free.[7]

History

Semgrep CLI was based on sgrep which was an open source tool part of pfff, a program analysis library developed at Facebook in 2009. Pfff was inspired by Coccinelle, an open-source utility for programs written in C. Yoann Padioleau, the original author of sgrep and a contributor to Coccinelle joined r2c in 2019.[8][9][10] sgrep was forked by r2c from pfff. In 2020 r2c's sgrep fork was renamed to semgrep to avoid name collisions with existing projects.[11][12][13]

Redpoint Ventures and Sequoia Capital backed r2c in an unannounced seed round and later also funded a Series A round with $13 million in 2020. The company's product portfolio consisted only of Semgrep and its ecosystem at the time.[14][15]

Semgrep, Inc. announced in 2023 that it has raised $53 million for its Series C funding round with Lightspeed Venture Partners leading the investment and participation from previous investors Felicis Ventures, Redpoint Ventures, and Sequoia Capital. The company has raised a total of $93 million, including the funds raised in this round.[2]

The Open Web Application Security Project (OWASP) listed Semgrep in its source code analysis tools list.[16] As of 2023 April, Semgrep has 132 contributors and 8000 stars on GitHub.[17] From Docker Hub the Docker image was pulled more than 10 million times.[18]

Usage

Semgrep can be installed with Homebrew[19] or pip.[20] Additionally it can run without installation on Docker. Analysis can be done without the need of custom configuration, and by utilizing rulesets created by Semgrep Inc. and open source contributors. The tool also allows users to write their own patterns and rules through the CLI using a pattern language unique to semgrep. A free online rule editor and a tutorial are also available.[21][22]

See also

References

  1. "Release – sgrep 0.4.0 – returntocorp/semgrep". https://github.com/returntocorp/semgrep/releases/tag/0.4.0. 
  2. 2.0 2.1 Miller, Ron (2023-04-18). "Semgrep (formerly r2c) lands $53M investment to grow code security platform". https://techcrunch.com/2023/04/18/semgrep-formerly-r2c-lands-53m-investment-to-grow-code-security-platform/. 
  3. "Semgrep Documentation – Supported languages". https://semgrep.dev/docs/supported-languages/. 
  4. Nagy, Bence. "Detect complex code patterns using semantic grep". p. 2. https://owasp.org/www-chapter-dorset/assets/presentations/2020-10/OWASP%20Dorset%202020-10-08.pdf. 
  5. Berman, Adam. "It's time to ignore 98% of dependency alerts. Introducing Semgrep Supply Chain.". https://semgrep.dev/blog/2022/introducing-semgrep-supply-chain. 
  6. "Semgrep's pricing". https://semgrep.dev/pricing. 
  7. Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes with Semgrep with Clint Gibler. Youtube.com – OWASP DevSlop.
  8. Lauerman, Alex (2020-10-29). "A Brief Introduction to Semgrep (part 1)". https://trustfoundry.net/a-brief-introduction-to-semgrep-part-1/. 
  9. "Previous version of Semgrep's README.md file on GitHub". https://github.com/returntocorp/semgrep/commit/5c559e8e491248323544b1775f61531ca4b93c51?short_path=b335630#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5. 
  10. "Semgrep: Lightweight static analysis for many languages". https://news.ycombinator.com/item?id=23919313. 
  11. "Pull request of Semgrep on GitHub". https://github.com/returntocorp/semgrep/pull/486. 
  12. "Previous version of Semgrep's README.md on GitHub". https://github.com/returntocorp/semgrep/commit/bd7568428ef6a7baf71ceac3165ea973c9df7606. 
  13. Salecha, Rohit (2020-08-13). "Semgrep A Practical Introduction". https://notsosecure.com/semgrep-a-practical-introduction/. 
  14. "Redpoint and Sequoia are backing a startup to copyedit your shit code". 2020-10-29. https://techcrunch.com/2020/10/29/r2c-series-a/. 
  15. "Forbes Cybersecurity Awards 2020: Corellium, The Tiny Startup Driving Apple Crazy". 2020-12-27. https://www.forbes.com/sites/thomasbrewster/2020/12/27/forbes-cybersecurity-awards-2020-corellium-the-tiny-startup-driving-apple-crazy. 
  16. "OWASP Source Code Analysis Tools". https://www.owasp.org/index.php/Source_Code_Analysis_Tools. 
  17. "Semgrep on GitHub". https://github.com/returntocorp/semgrep. 
  18. "Semgrep on Docker Hub". https://hub.docker.com/r/returntocorp/semgrep. 
  19. "Semgrep on Homebrew Formulae". https://formulae.brew.sh/formula/semgrep. 
  20. "Semgrep on pypi.org". https://pypi.org/project/semgrep/. 
  21. "Semgrep Documentation – Getting started". https://semgrep.dev/docs/writing-rules/overview/. 
  22. Lancini, Marco (2020-12-12). "Semgrep for Cloud Security". https://www.marcolancini.it/2020/blog-semgrep-for-cloud-security/. 

External links