Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/semgrep/semgrep-rules

Semgrep Community Edition rules, maintained by Semgrep and the community. Free to use under the Semgrep Rules License.
https://github.com/semgrep/semgrep-rules

grep-like program-analysis security security-scanner semgrep semgrep-registry semgrep-rules static-analysis

Last synced: about 1 month ago
JSON representation

Semgrep Community Edition rules, maintained by Semgrep and the community. Free to use under the Semgrep Rules License.

Awesome Lists containing this project

README 

        
# semgrep-rules



[![powered by semgrep](https://img.shields.io/badge/powered%20by%20semgrep-2ACFA6)](https://semgrep.dev/)



Join Semgrep community Slack




Welcome! This repository contains [Semgrep's](https://semgrep.dev/) Community Edition rules.



In addition to the rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) offers proprietary [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules) that offer additional language coverage, and unlock crossfile and deep dataflow analysis.



- Find rules: search for Community Edition and Pro rules through the [Semgrep registry search](https://semgrep.dev/r).

- Use rules: Scan your code with these rules through [Semgrep AppSec Platform](https://semgrep.dev/login)

- Contribute to rules: see [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) for more information.



## Using the Semgrep rules repository



To start writing and using Semgrep rules, see [Learn Semgrep syntax](https://semgrep.dev/learn) and [Writing rules](https://semgrep.dev/docs/writing-rules/overview/). Then, run existing and custom Semgrep rules locally with the [Semgrep command line interface (Semgrep CLI)](https://semgrep.dev/docs/getting-started/) or [continuously with Semgrep in CI while using Semgrep AppSec Platform](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/).



## Writing Semgrep rules



See [Writing rules](https://semgrep.dev/docs/writing-rules/overview/) for information including:



- Pattern syntax, describing what Semgrep patterns can do in detail, and example use cases of the ellipsis operator, metavariables.

- Rule syntax, describing Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators.



You can also learn how to write rules using the [interactive, example-based Semgrep rule tutorial](https://semgrep.dev/learn).



## Contributing



We welcome Semgrep rule contributions directly to this repository! When submitting your contribution, you grant Semgrep, Inc. a license to use, modify, and distribute your contribution under the [Semgrep Rules License v. 1.0](https://semgrep.dev/legal/rules-license). This ensures your rule can be shared with other Semgrep Registry users.



To contribute, please review our  **[Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/)** guidelines.



You can also reach out to us at [email protected], and we will help import your rules for others to use!



## Additional information



### Help



Join [Slack](https://go.semgrep.dev/slack) for the fastest answers to your questions! Or contact the team at [email protected].



### GitHub action to run tests



If you fork this repository or create your own, you can add a GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our [semgrep-rules-test example](https://github.com/returntocorp/semgrep-rules/blob/develop/.github/workflows/semgrep-rules-test.yml).



### Rulesets



Rulesets are groups of rules organized by purpose, language, or framework sourced from the Semgrep Registry. If you want to modify existing rulesets or create your own, please contact us at [email protected].