Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
- `LOG_LEVEL` (as well as `PYTEST_LOG_LEVEL`) is no longer consulted by Semgrep to determine the log level. Only `SEMGREP_LOG_LEVEL` is consulted. `PYTEST_SEMGREP_LOG_LEVEL` is also consulted in the current implementation but should not be used outside of Semgrep's Pytest tests. This avoids accidentally affecting Semgrep when it inherits a `LOG_LEVEL` destined for another application. (gh-10044)
- `semgrep ci` without being logged in, to clarify that `--config` is used with `semgrep scan`. (gh-9485)
- Pro only: taint-mode: Added an experimental `at-exit: true` option for sinks, which makes a sink spec apply only to the "exit" instructions/statements of a function, that is, the instructions after which control flow leaves the function. This is useful for writing rules that find "leaks", such as checking that file descriptors are closed within the same function where they were opened.

  For example, given this taint rule:

  ```yaml
  pattern-sources:
    - by-side-effect: true
      patterns:
        - pattern: $FILE = open(...)
        - focus-metavariable: $FILE
  pattern-sanitizers:
    - by-side-effect: true
      patterns:
        - pattern: $FILE.close(...)
        - focus-metavariable: $FILE
  pattern-sinks:
    - at-exit: true
      pattern: |
        def $FUN(...):
          ...
  ```

  Semgrep will report a finding in the code below, since at `print(content)`, after which control flow reaches the exit of the function, the file has not yet been closed:

  ```python
  def test():
      file = open("test.txt")
      content = file.read()
      print(content) # FINDING
  ```

  (pa-3266)
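To make the `at-exit` semantics concrete without the Pro engine, the following is an added example (not Semgrep's code) that re-implements the three parts of the rule above as a toy checker over Python's `ast` module: `$FILE = open(...)` taints `$FILE` by side effect, `$FILE.close(...)` sanitizes it by side effect, and the sink is every exit of the function. The helper names and the `SAMPLE` input are this example's own, and it only models sequential statements, `if`/`else`, `return` and `with`; Semgrep's real implementation works on a full control-flow graph and handles loops, exceptions and much more.

```python
import ast

# Toy re-implementation of the at-exit rule above (added example, not
# Semgrep's code). Function names and SAMPLE are this example's own; it only
# models sequential code, if/else, return and `with`, which is enough to show
# why the sink must fire at function *exit* rather than at the open(...) call.
#
#   source    : `$FILE = open(...)`  -> $FILE becomes tainted  (by side effect)
#   sanitizer : `$FILE.close(...)`   -> $FILE is untainted     (by side effect)
#   sink      : every exit of the function; any name still tainted is a finding


def _is_open_call(node):
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == "open")


def _closed_name(stmt):
    """Return $FILE if stmt is the statement `$FILE.close(...)`, else None."""
    if (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
            and isinstance(stmt.value.func, ast.Attribute)
            and stmt.value.func.attr == "close"
            and isinstance(stmt.value.func.value, ast.Name)):
        return stmt.value.func.value.id
    return None


def _walk(stmts, tainted, findings):
    """Propagate taint through a statement list and return the names still
    tainted when control falls off its end (the implicit exit)."""
    tainted = set(tainted)
    for stmt in stmts:
        if isinstance(stmt, ast.Assign) and _is_open_call(stmt.value):
            for target in stmt.targets:          # source, by side effect
                if isinstance(target, ast.Name):
                    tainted.add(target.id)
        elif (name := _closed_name(stmt)) is not None:
            tainted.discard(name)                # sanitizer, by side effect
        elif isinstance(stmt, ast.With):
            # `with open(...) as f:` closes f when the block exits, so the
            # `as` target is never tainted; only the body's other effects count.
            tainted = _walk(stmt.body, tainted, findings)
        elif isinstance(stmt, ast.If):
            # may-analysis: tainted after the join if tainted on either branch
            tainted = (_walk(stmt.body, tainted, findings)
                       | _walk(stmt.orelse, tainted, findings))
        elif isinstance(stmt, ast.Return):
            # explicit exit: the at-exit sink fires here
            findings.extend((stmt.lineno, name) for name in sorted(tainted))
            return set()                         # nothing flows past a return
    return tainted


def find_unclosed_files(source):
    """Return [(function, line, variable)] for files still open at an exit."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            local = []
            leftover = _walk(node.body, set(), local)
            # implicit exit: report against the function's last statement
            local.extend((node.body[-1].lineno, n) for n in sorted(leftover))
            findings.extend((node.name, line, n) for line, n in local)
    return findings


# Constructed sample input: two leaking functions and two correct ones.
SAMPLE = '''
def leaks():
    file = open("test.txt")
    content = file.read()
    print(content)         # FINDING: end of function, file still open

def closes():
    file = open("test.txt")
    content = file.read()
    file.close()
    print(content)         # no finding: sanitized before the exit

def early_return(flag):
    file = open("test.txt")
    if flag:
        return 1           # FINDING: exit via return on this path
    file.close()
    return 0               # no finding: closed on this path

def managed():
    with open("test.txt") as file:
        return file.read() # no finding: the with-block closes the file
'''

if __name__ == "__main__":
    for fn, line, var in find_unclosed_files(SAMPLE):
        print(f"{fn}: line {line}: {var!r} still open at function exit")
```

Running the script reports `leaks` (line 5) and `early_return` (line 16). The `early_return` case is the point of `at-exit`: a plain `def $FUN(...): ...` sink would only ever match the function as a whole, whereas an exit-anchored sink fires separately on each path that leaves the function, so the leak on the `return 1` path is found even though the fall-through path closes the file.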
- `--historical-secrets` flag for running Semgrep Secrets regex rules on git history (requires Semgrep Secrets). This flag is not yet implemented for `--experimental`. (scrt-531)
- Files with the `.phtml` extension are now treated as PHP files. (gh-10009)
- [IMPORTANT] Logged-in users running `semgrep ci` will now run the Pro engine by default! All `semgrep ci` scans will run with our proprietary languages (Apex and Elixir), as well as cross-function taint within a single file and the other single-file Pro optimizations we have developed. This is equivalent to `semgrep ci --pro-intrafile`. Users who run `semgrep ci` and did not already have additional configuration enabling Pro analysis will likely see improved results.

  The new default engine does not include cross-file analysis. To scan with cross-file analysis, turn on the app toggle or pass the `--pro` flag. We recommend this unless you have very large repos (talk to our support to get help enabling cross-file analysis on monorepos!).

  To revert to our OSS analysis, pass the `--oss-only` flag (or use `--pro-languages` to continue to receive our proprietary languages).

  Reminder: because we release first to our canary image, this change only affects you immediately if you are using `semgrep/semgrep:canary`. If you are using `semgrep/semgrep:latest`, it will affect you when we bump canary to latest. (saf-845)
- Fixed a parsing error in Kotlin when there is a newline between the class name and the primary constructor. The following could not be parsed before, because of the newline between the class name and the constructor:

  ```kotlin
  class C
  constructor(arg:Int){}
  ```

  Now it's fixed. (saf-899)
- `yield` keyword in Python: the Pro engine now detects taint findings from taint sources returned by the `yield` keyword. (saf-281)
- `osemgrep --remote` will no longer clone into a tmp folder, but instead into the CWD. (cdx-remote)
- [IMPORTANT] Inter-file differential scanning is now enabled for all Pro users. While it may take longer than intra-file differential scanning, which was previously the default for Pro users, it offers deeper analysis of dataflow paths. Additionally, it is significantly faster than non-differential inter-file scanning, with scan times reduced to approximately 1/10 of a non-differential inter-file scan. Users who enable the Pro engine and run differential PR scans on GitHub or GitLab may experience the impact of this update. If needed, users can revert to the previous intra-file differential scan behavior with the `--no-interfile-diff-scan` command-line option. (saf-268)
- ci: Updated the logic for the informational message printed when no rules are sent, so that it displays correctly when Secrets is enabled (in addition to when Code is). (scrt-455)
- `{ body: { param } }` in the LHS of an assignment: now, given `{ body: { param } } = tainted`, Semgrep will correctly mark `param` as tainted. (flow-68)
- `metavariable-regex` can now match on metavariables of interpolated strings which use variables that have known values. (saf-865)
- `semgrep ci` scans now reflect a custom `SEMGREP_APP_URL`, if one is set. (saf-353)