Semgrep, A SAST Tool

I don't spend as much time reviewing code nowadays as I would like to, so when a colleague asked for a quick review of a tool he wrote, I decided to spend some time on it and, while at it, find out whether there is a good tool that can speed up such routine reviews.

The Tool

Semgrep is a fast, open-source, static analysis tool for finding bugs and enforcing code standards. It runs fully on your computer or build environment: your code is never sent anywhere. (Source)

The tool supports many languages (e.g. C, Java, TypeScript, C#, ...) and also has support for analysing configuration files (currently in beta). (Supported Languages)

Installation

Installing Semgrep is easy: one command (via pip, Homebrew or the official Docker image, depending on your platform) and you are good to go.

Installation Options (Image Source)

Usage

Similar to installation, usage is straightforward: pick the rules you want to run, run the command and read the results. Rules come bundled in packs organised by category (standard, language-specific, ...); you can find the complete list here.

For example, to scan a directory for the issue classes in the OWASP Top 10, using the registry's p/owasp-top-ten rule pack, and write the findings to a file, you can use the following command:

semgrep --config "p/owasp-top-ten" --output <filename.extension> source-code-directory/

You can write your own rules, integrate Semgrep into your CI/CD, contribute to the community rule sets, or build your own automations around it. The possibilities are wide open.