Skip to content
/ semgrep-search Public

Semgrep-search enables you to create custom rulesets for Semgrep from multiple sources

License

GPL-3.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

hnzlmnn/semgrep-search

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.github/workflows
.github/workflows
 
 
sgs
sgs
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
COPYING
COPYING
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
poetry.lock
poetry.lock
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

Semgrep-search

Did you ever want to search for semgrep rules from the registry and test your codebase against rules from the all search results? semgrep-search allows you to search for languages, categories and severities and outputs a single YAML file that you can use with semgrep.

The database powering semgrep-search is automatically built continuously and published to ghcr.io through oras via this project.

Installation

The easiest installation method is by using pip or pipx

For example using pip, semgrep-search can be installed by executing pip install semgrep-search

Usage

Creating rulesets

For example to search for all rules that test csharp code and are categorized as security-relevant run:

sgs -l csharp -c security

By default, semgrep-search will create a file rules.yaml in your current working directory. Using -O you can specify a different path instead. If the provided filename is -, semgrep-search write to STDOUT.

Updating rules

If semgrep-search does not find the database locally, the database will automatically be downloaded when the tool runs. However, from time to time, there might be new rules added to the registry. To update the rules, run semregp-search with --update, shorthand -u, and the current state of the registry will be downloaded before searching for any rules.

Using the ruleset with semgrep

Use the ruleset with semgrep as follows semgrep -c rules.yaml src/

Known issues

The tool found more rules than the website

It appears as if semgrep.dev renamed cs (C# in the YAML files) to csharp, however some old rules seem to exist as duplicates prefixed with cs however their web search filters these out. I'm not quite sure why the JSON export still contains these and which other languages have been renamed in the past.

During database generation, languages will be normalized according to the table of languages from the Semgrep documentation.

The registry shows more rules when filtering for a language

There seems to be at least one language (C#) that is being used with two different names. Therefore, semgrep-search contains a list of programming language aliases that the semgrep registry allows. If you happen to be missing a rule, please check the language specified in the rule or open a ticket with details about the missing rule.

About

Semgrep-search enables you to create custom rulesets for Semgrep from multiple sources

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

v1.1.0 Latest
Mar 4, 2024
+ 1 release

Languages